So what is it? "It was a DDOS" or "There was no DDOS"? I'd bet 2:1 that the person lying is the politician.
Australian prime minister Malcolm Turnbull says the reason for the failure of the nation's census is that systems put in place by IBM did not include adequate protection against denial of service (DoS) attacks. In an interview with conservative radio personality Alan Jones, embedded below, Turnbull said “My advice is that the …
Thursday 11th August 2016 01:03 GMT Diogenes
Thursday 11th August 2016 01:07 GMT dan1980
This is another case of the answer being much the same, regardless of the specifics.
That answer is that the ABS cannot honestly assure us of the security of our data which, under their decision, will now be far more valuable to hackers* and far more dangerous to us if misappropriated or misused.
It is up to the ABS to ensure that the systems in place are up to the task, regardless of whether they are in house or outsourced to a third-party. The buck stops with them and hanging the blame on the third-party contractor, after the fact, does not magically wind back the clock and stop an attack from happening.
If a breach occurs and data is lost then all the rolling heads in the world won't undo the damage.
It should be noted that the root cause for all of this was the decision that the ABS made - on its own - to make this Census a primarily online submission, rather than paper-based. Regardless of the justifications for this, the fact remains that the ABS did not and does not have the internal capabilities to build or run such a system.
Once you involve a third-party, you can no longer say 'trust us', because you have left parts of the process in the hands of someone that the public might not trust. And when you're talking about that third-party being IBM . . .
The absolutely BEST way to imagine this, for the sake of the ABS, is that they did everything they could to make sure it was up-to-snuff and specified very clearly - and technically - exactly how the DoS protection should work and hired external people to test it and independently verified that IBM had built the system to spec and it was working as required.
If that was the case, and I do not believe for a second that it was, then the take-away is that no matter how trust-worthy and well meaning the ABS is, they still cannot ensure the level of security that is absolutely required for the creation, processing and storage of this data.
That's at best. The far more likely scenario is that the ABS did not do enough to either specify the required level of protection or simply palmed that off to IBM and stuck their heads in the sand. Given the tone of their responses to the legitimate, factually-based concerns and questions from journalists, politicians (thank heaven for those few making a big deal of this), privacy advocates and former heads of the ABS, it is no great leap to imagine how such self-righteous arrogance and refusal to listen to others could easily lead to them pushing ahead in the blind belief that they are right.
It should also be remembered that when the ABS's plans were trounced by an independent assessment (not to mention every previous assessment), they simply did an internal one and, surprise, they agreed with themselves.
I.e.: they ignored anyone who disagreed with them and pushed ahead with their own agenda regardless. Can't see how that could possibly backfire when it comes to security . . .
* - As well as police and government agencies. That legislation prevents them getting access now gives NO guarantee that future legislation won't blast that wide open.
Thursday 11th August 2016 04:30 GMT Dagg
That's at best. The far more likely scenario is that the ABS did not do enough to either specify the required level of protection or simply palmed that off to IBM and stuck their heads in the sand.
The IBM approach:
Customer: I would like to buy a car.
IBM: Certainly, $xxxx please
IBM: here is your car
Customer: Where are the tyres and there is no engine!!
IBM: Oh, you never asked for them, they are extra.
Thursday 11th August 2016 06:10 GMT dan1980
Indeed, I would dare to say that it is the way Indian outsourcing works. I mean no disrespect to Indian technicians as some of the brightest techs I know (in Australia) are Indian. What I mean is that when you offshore to cheap Indian firms, you often get exactly what you ask for, without any attempt to understand what it really is you need.
I had a client who engaged an Indian firm to build an ecommerce portal, reasoning that, as they had engaged consultants and designers to make sure all the creative parts were nailed down, the back-end coding could be considered a commodity and farmed out to any old mob.
When they got the finished (or penultimate) site, they were fuming that there was no real ecommerce functionality. When it came down to it, however, they never exactly specified what they wanted in that area so it was considered completely out of scope.
That's what you get when you treat IT like a commodity - a commodity answer that may fail to meet your needs.
The key to leveraging the cost savings of out-sourcing is to ensure you have competent people in-house who understand which parts can be farmed out and which need special attention. Those people are, with the help of a technically-savvy project manager, able to break a system or delivery into discrete parts with well understood functions and connections so that it all fits back together.
My point about the failures of ABS is that I strongly suspect that they did not do that.
Thursday 11th August 2016 12:15 GMT CrazyOldCatMan
Thursday 11th August 2016 06:47 GMT Disgusted of Cheltenham
Thursday 11th August 2016 08:27 GMT Poe
It is genuinely hard to believe we're legally required to trust them.
I can only hope there was at least one person in these meetings that put their hand up and said "what we're doing is dumb" and was shouted down... It means they might have someone to ask how to fix this. If no one saw this coming or even objected it shows a staggering void of critical thinkers.
I hope it's not another herd of yes men and a naked emperor... But based on the current tide of emperors, this one will almost certainly be an agile scrum master with an 'extensive' background in cloud and devops.
Thursday 11th August 2016 01:30 GMT bep
Thursday 11th August 2016 01:43 GMT Simon Sharwood, Reg APAC Editor
Thursday 11th August 2016 02:06 GMT dan1980
Re: Yeah but
I've no love for Michael McCormack, MP and homophobe, but it is unfair to pin this on him. From the sounds of it, it seems the ABS barely consulted cabinet - if at all. McCormack could well be the least to blame of all the cast.
But yes, when you cut their budget so heavily, what choice but a third-party, online solution? At least Malcolm 'Cloud' Turnbull will be glad they're not 'box huggers' . . .
Thursday 11th August 2016 02:23 GMT Anonymous Coward
Thursday 11th August 2016 08:45 GMT lglethal
Re: Yeah but
@AC: Australia is nowhere near as backwards and right wing as the US. What you're saying is just hyperbole.
Australia takes far more refugees on a per capita basis than the US. That it sends boat people to PNG and Nauru is to try and discourage people from dying by taking the boat route. Those that come in by plane tend to be accepted.
Also the whole black face thing, it's hardly encouraged and it is beginning to be viewed as unacceptable but it is worth remembering that Australia does not have the history where using black face was a way of humiliating black people. That was never part of our history or culture, so we have no hang ups about it. A few years ago, KFC got hugely bad press in the US because it showed an advert in Australia to do with the cricket which showed a West Indian family (so Caribbeans in other words) and an Aussie family sharing some KFC chicken. It was funny and there were no problems in Australia, but Americans got all up in arms because showing the West Indians loving to eat KFC was apparently racist stereotyping. Since we don't have that racist stereotype in Australia, it wasn't racist here. As another example, in Australia the Pakistan cricket team are known as the Pakis. Just the shortened form of the name Pakistan. However, you would NEVER call someone a Paki in the UK as there is a historical context there which is highly racist.
Different cultures have different considerations for what is racist or discriminatory. You would do well to remember that....
Thursday 11th August 2016 15:33 GMT Anonymous Coward
Friday 12th August 2016 00:28 GMT dan1980
Re: Yeah but
Oh absolutely - the ongoing mistreatment of Indigenous people is a national shame that a great portion of the country are rightly outraged about, as is the treatment of people on Nauru and, formerly, Christmas Island.
Australia is not immune to these things as, like the US, we are a country composed of many people with many different views and cultures that is governed predominantly by older, white, Christian men.
It's pointless to go back and forth on this - in both the US and Australia, the majority of the public are good, ordinary, respectful, well-meaning people who are appalled when their elected leaders and appointed law enforcement agencies behave in this way.
We keep cycling our lizards but change happens slowly.
Thursday 11th August 2016 03:03 GMT Diogenes
Re: Yeah but, what budget cut?
What budget cut?
From Perfessor Sinclair Davidson (RMIT) ...
One of the arguments going around is that we shouldn't blame the ABS for last night's shemozzle as they had had their budget cut. This is a very sneaky "blame the Coalition" tactic. Of course this tactic will have some traction because it is widely believed that the Abbott government slashed spending in its first budget.
Now it is true that Joe Hockey cut funding to the ABS by some $7 million in his first budget. Not as much as the $19 million Wayne Swan cut from the ABS in his first budget.
But as the graph below shows (data taken from the Budget Papers) it is simply not true to suggest that the ABS had had its budget cut. There is a clear pattern in the data – ABS funding ramps up dramatically in the year before and the year of a census and then falls back again. The Australian government (of either persuasion) is funding the ABS to undertake the census.
I am reminded that in 2015 the federal government invested $250 million to upgrade ABS infrastructure, systems and processes.
Thursday 11th August 2016 01:49 GMT Phil Kingston
Thursday 11th August 2016 04:25 GMT Anonymous Coward
No way IBM will comment
Like all contracts with the Fed. Govt, the supplier is forbidden to make any public comment or statement unless approved by the Department. And the Department won't approve IBM releasing a statement or rebuttal while the PM is busy smashing them.
AC as I negotiate a lot of fed govt contracts.
Thursday 11th August 2016 07:08 GMT Lee D
Thursday 11th August 2016 07:09 GMT Pascal Monett
"systems put in place by IBM did not include adequate protection against [..] (DoS) attacks"
I have one question: where is it stated that ABS required such protection in the specifications?
IBM may well be a lumbering behemoth whose right hand doesn't know what the left hand is doing, but from my experience its consultants are very procedural and tend to want to include absolutely everything in the specifications to max out all possible chances of revenue. To me, that means that it is very likely that IBM offered DOS protection measures, and ABS said no to the cost, so the measures were taken out of the offer before signature and go-ahead.
I simply cannot believe that IBM got handed the project and "forgot" to implement DOS protection measures. If IBM didn't implement it, I think it's because ABS said no. Probably because they thought the risk was insignificant ("who would DOS a census ?"). Now that the risk has revealed itself to be much more important, ABS wants to deflect the blame on the supplier. Typical coward's response.
So which is it? Can somebody shed some light on this?
Thursday 11th August 2016 11:41 GMT Anonymous Coward
Re: "systems put in place by IBM did not include adequate protection against [..] (DoS) attacks"
I think you'll find IBM is copping the flak for its telecommunications subcontractor here, which is fair enough as far as contractual responsibility is concerned. Can you guess who the major telecommunications provider, who owns the layer within which DDoS protection would reside, might be?
Thursday 11th August 2016 08:28 GMT trashsilo
The critical 2009 CFA 'bushfire alert' website was another IBM-implemented website that dramatically failed when really needed:
"For several hours, amid the hottest and most dangerous conditions since the deadly February 7 fires, Victorians could not call up CFA web pages giving vital information about the status and progress of fires."
That website cost >1.1m AUD according to parliament.vic.gov.au accounts for that year
"IBM AUSTRALIA LIMITED Bushfire Preparedness 1,136,521.49 N/A Welfare Programs"
Sorry, can not find El Reg link for that other outrage
"But today, war [and the NBN] is too important to be left to politicians." General Jack D. Ripper.
Thursday 11th August 2016 15:21 GMT Anonymous Coward
Has the Aust census data been stipulated as "must be kept in Australia?"
As a general question, does anyone know if the Aust census data is one of those "must be kept in Australia at all times, and never transferred outside the country" things?
Asking because when I used to work at IBM with various Gov data sources, some of them had requirements like this.
That never stopped IBM from giving access to the data by remote (non-Aust located) operations staff though. IBM never seems to have been called out on this.
Perhaps this is an opportunity for such practices to be discovered, and finally dealt with as well?
Thursday 11th August 2016 23:32 GMT J. Cook
"The Register has attempted to contact IBM, locally and at its US headquarters, for 36 hours. The only reply we have received was to refer us to different people inside IBM, who have also not answered questions."
After trying to get support on an obscure IBM branded software product (encryption key management for an LTO tape vault) I suffered the same exact thing; the few people who did respond to me refused to do anything unless I had some obscure contract number (which I didn't have recorded anywhere), nor were they willing to help me divine that information. I managed to grease the wheels via our VAR and get some actual help on the software, but it was a bit aggravating. Unfortunately, the software product is obscure enough that Big Blur is the only vendor for it - no one else seems to want to make a competing product.