Australia's Census Fail Goes Into Overdrive -- A Complete And Utter Debacle

from the at-least-maybe-people-will-realize-that-e-voting-is-bad dept

Earlier this week, we wrote about how the Australian census was looking like a complete mess, with the government deciding that it was going to retain all the personal info it was collecting, including linkages to other data, rather than destroying it after it got the aggregate census numbers. There were lots of concerns about privacy and security -- and we highlighted some ridiculous statements from people in the Australian Bureau of Statistics (ABS), which is running the census, insisting their security was "the best security" while at the same time they were storing passwords in plaintext.

Little did we know that the disaster many expected was an underestimate of the actual disaster. You see, once the census website launched on Tuesday, the site was immediately hit by what the ABS described as a series of denial of service attacks, which took the entire system offline. In fact, it remained entirely offline for nearly 48 hours, and while the ABS says it's back, many people are still reporting problems. Perhaps that's because the ABS seems to be taking extreme and ridiculous measures to try to block more denial of service attacks, including blocking anyone who's using a VPN or a third-party DNS provider such as Google's public DNS. For a system that talks up how secure and private it is to then push people to drop their VPNs and/or a third-party DNS resolver they may trust more than their ISP's raises all sorts of questions -- none of them very good.

Meanwhile, as people are realizing that this is making Australia look like a global joke, the government seems unwilling to shoulder any of the blame -- with most of the finger-pointing directed at IBM, the company that built the web-based census system.

For their part, the ABS folks in charge of the census held an apparently pointless "press conference" where they refused to take any questions, and after a few apologies insisted that everything was fine and everyone should go ahead and fill out their census entries. Of course, now people are turning up old clips of the ABS joyfully explaining just how much money they were saving with this system.
Perhaps they shouldn't have skimped on basic cybersecurity protections.

About the only good thing that seems likely to come out of all of this is that it may slow down a push for internet voting. People are realizing that if this is how poorly things work when it's "only" the census, then perhaps Australia shouldn't be rushing to implement online voting. If the census can be taken down for two days due to a denial of service attack, just imagine what would happen to an election voting website...


Filed Under: asb, australia, census, denial of service attack, privacy, security


Reader Comments




  • Anonymous Coward, 11 Aug 2016 @ 10:57am

    DDoS vs mass surveillance. This is certainly an interesting year.


  • pegr, 11 Aug 2016 @ 10:57am

    Tell me again?

    Tell me again how a web app can detect you used Google's DNS? It's TechDirt. Let's get the tech part right.


    • Doug D, 11 Aug 2016 @ 11:04am

      Re: Tell me again?

      You can tell if someone is using "third-party DNS *like* Google's" by using a split horizon DNS configuration. The most common way that's done is geographically for CDNs, but it's not the only way to do it.

      You pick the DNS servers you "like" and you give them one set of data, and you give the DNS servers you "don't like" other data. The names will actually resolve differently, and it's trivial to make some work and others not work.


      • BentFranklin (profile), 11 Aug 2016 @ 12:30pm

        Re: Re: Tell me again?

        Thanks for explaining that. I was also surprised. But:

        Don't all the DNS providers sync up over time?
        Why would anyone care how you get your DNS?


        • Anonymous Coward, 11 Aug 2016 @ 1:50pm

          Re: Re: Re: Tell me again?

          To answer your questions:
          1. DNS providers sync up, usually within 24 hours, but it's a top-down chain: Google just knows to check IP blah for information about domain foo. If the government owns IP blah, they can feed different results to people coming via Google than they do to people coming via Telstra. Google and Telstra have perfectly resolving DNS info -- but the final result handed to the end user by server blah will be different.

          2. It's about control and data mining. If everyone uses Telstra DNS to access the census, and Telstra will only allow their subscribers to use their DNS, then only people living in Australia can access the census website... unless they use a VPN through a Telstra system. So the census website also blocks VPNs, likely by doing signal delay checks (ping times via VPNs will be significantly longer than ping times to local endpoints).

          You didn't think that Google was providing a DNS service out of the goodness of their hearts did you? They get a rich collection of what IPs are looking to resolve what domains. Likewise, repressive governments usually turn to local DNS servers to block services they don't want their citizens to see. Third party DNS routes around that (among other things).


      • pegr, 11 Aug 2016 @ 4:48pm

        Re: Re: Tell me again?

        Very obvious in practice, but you don't see anything you don't look for. Thanks.

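The split-horizon mechanism that Doug D and the Anonymous Coward describe in the thread above, as an added example that is not part of the article or of any comment: a BIND 9 "views" configuration for an authoritative name server that hands out a different answer depending on which recursive resolver is asking. The zone name census.example, the zone file names and the address ranges are assumptions (the ranges are RFC 5737 documentation space); nothing on this page establishes that the ABS or IBM actually configured anything like this.

```conf
// Added example, not from the article or any commenter: BIND 9 views on the
// authoritative server for a hypothetical zone, census.example.
// Names, file names and addresses are invented (RFC 5737 documentation ranges).
//
// BIND evaluates views in order and answers from the first view whose
// match-clients list covers the SOURCE ADDRESS OF THE QUERY. On an
// authoritative server that source is the recursive resolver asking on the
// user's behalf (the ISP's resolver, Google Public DNS, a VPN provider's
// resolver), never the user's own machine.

options {
    directory "/var/named";
    recursion no;              // authoritative only; never recurse for strangers
    allow-transfer { none; };  // no zone transfers, so the other view's data
                               // cannot simply be pulled with AXFR
};

// Egress ranges of the ISP resolvers we want to treat as "domestic".
// In practice this list has to be built from the ISPs' published ranges.
acl "domestic-resolvers" {
    203.0.113.0/24;
    198.51.100.0/24;
};

// First match wins: queries arriving from a listed ISP resolver get the zone
// file whose A record points census.example at the real front end.
view "domestic" {
    match-clients { domestic-resolvers; };
    zone "census.example" {
        type master;
        file "census.example.domestic.zone";   // A record -> real load balancer
    };
};

// Every other resolver (Google Public DNS, OpenDNS, a VPN provider's resolver,
// anything not in the ACL) falls through to this view and receives a different
// zone file: for example an A record pointing at a "service unavailable" page,
// or no A record at all so the name simply fails to resolve.
view "everyone-else" {
    match-clients { any; };
    zone "census.example" {
        type master;
        file "census.example.external.zone";   // A record -> block page / nothing
    };
};
```

Two caveats a practitioner would want. First, this answers BentFranklin's "don't all the DNS providers sync up?" question: recursive resolvers do not sync with each other. Each one asks the authoritative server itself and caches whatever answer it was given for the record's TTL, so the two views stay different for as long as the operator wants. Second, the ACL only ever sees resolver addresses. Google Public DNS does not send its upstream queries from 8.8.8.8 but from a set of egress ranges it publishes, so "blocking Google" really means keeping that list current; conversely, any VPN exit or open resolver that happens to sit inside an allowed ISP range passes the check. Google Public DNS also attaches the user's network prefix via EDNS Client Subnet, which gives an authoritative server a further, finer-grained thing it could key off.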

  • Anonymous Coward, 11 Aug 2016 @ 10:59am

    "To use this website, cookies must be enabled in your browser."

    I propose techdirt also warn against sites that refuse to load without cookies and/or javascript in addition to those that are paywalled.


  • Arthur Moore (profile), 11 Aug 2016 @ 11:14am

    Forbes Warning

    Hello,

    Would it be possible to mark all links to Forbes and other Ad-Blocker unfriendly websites with some sort of warning?

    I appreciate that you can't always steer clear of those websites, but feel that we as a community should take pro-active measures to discourage annoying behavior.

    Sincerely,
    Arthur


  • Gwiz (profile), 11 Aug 2016 @ 11:43am

    Re: Grow your Business with UserGrow

    Which has absolutely nothing to do with this article.

    Flagged as link spam.


    • Anonymous Coward, 11 Aug 2016 @ 2:32pm

      Re: Re: Grow your Business with UserGrow

      I'm sure that bot will be very upset to hear that.


  • Thad, 11 Aug 2016 @ 12:13pm

    Online voting

    Online voting is one of those things I desperately *want* to be viable, because I believe voting should be as easy as possible for as many people as possible.

    But I haven't yet seen anyone describe a concrete implementation strategy that was satisfactory. If votes aren't verifiable after they're made, then they're vulnerable to tampering; if they *are* verifiable after they're made, then they're vulnerable to privacy violations. And that's before we get into this article's observation that trusting the basic machinery of democracy to a system that can be taken offline by something as simple and unsophisticated as a DDoS attack is folly.

    I continue to support increasing access to voting. But I'm afraid online voting isn't an acceptable solution, as much as I'd like it to be.

    Solutions I do support:
    Voting by mail
    Filling in a mail-in ballot and then dropping it off directly at the polls (and I should add that I don't support my state's recent ban on third parties submitting other people's sealed ballots; there is no evidence that any voter fraud has ever occurred through this means and every indication that it is merely a partisan voter suppression effort)
    Early in-person voting
    Same-day registration
    Making election day a paid holiday

    None of these things is free, of course, but I think the goal of increased voter turnout (and an end to disenfranchisement) is worth the cost.


    • Tiny humungas, 11 Aug 2016 @ 12:56pm

      Re: Online voting

      What about a confirmation system where the vote is done online and then printed at the polling station using some serialized number so as to maintain anonymity? Then all you do is check in and confirm that the ballot is correct. It takes minutes, allows polling stations to be set up almost anywhere with an internet connection and a printer, and if the ballot is wrong it can be voided and you can go fill it out again. It gives people time to understand the ballot (no more confusing ballot problems), gives you a paper ballot to recount, and allows polling stations to be very local and convenient.


      • Anonymous Coward, 11 Aug 2016 @ 3:06pm

        Re: Re: Online voting

        I have great trust in proper software and believe it can be used for a lot of good things. Voting is not, and might never be, one of those. Tom Scott's video on YouTube makes a good summary of why it is a bad idea. An election is simply too important. Just think about Stuxnet, or the recently discovered malware that has been sitting undetected in government and telco servers for FIVE YEARS. And that was for snooping/spying. How much effort would you think someone could spend in order to make sure "the right people" win?

        Video: https://youtu.be/CaqKuWwYusU


      • nasch (profile), 11 Aug 2016 @ 5:39pm

        Re: Re: Online voting

        What about a confirmation system where the vote is done online and then printed at the polling station using some serialized number so as to maintain anonymity, then all you do is check in and confirm that the ballot is correct

        How do you prevent vote buying with that system?


  • Anonymous Coward, 11 Aug 2016 @ 12:59pm

    Was it a DDOS, or is that a convenient excuse because somebody underestimated the number of people in Australia?


    • That One Guy (profile), 11 Aug 2016 @ 1:18pm

      Re:

      I ran across another comment elsewhere saying roughly the same, claiming that the DDOS 'attack' was actually just due to people trying to use the system and it not being able to handle the load.

      Given how shoddy the rest has been it wouldn't surprise me in the least if that was what actually happened, and those running it and defending it are just trying to save face by claiming it was an attack that took the system down.


      • John, 11 Aug 2016 @ 7:12pm

        Re: Likely Not DoS, just badly dimensioned

        As an Australian, this is very embarrassing. I saw an early report that stated they had dimensioned for 100K connections per hour. With >15 million households, all being told to fill it in on the Tuesday evening (which is not true) by a gov. TV campaign, it should have been dimensioned for 10M connections in 15 minutes.
        So the "DoS" was really just the expected usage.
        And don't get me started on the collection of names etc this time around, which is just appalling for privacy. (Can you say massive hack target by both foreign governments [NSA] and bad acting crackers/hackers)


      • john, 11 Aug 2016 @ 7:25pm

        Re: Re:

        And here are some references for "they just messed up & ignored proper advice":

        http://thenewdaily.com.au/news/national/2016/08/11/census-fail-kalisch/


    • Anonymous Coward, 11 Aug 2016 @ 6:23pm

      Re:

      The census had 61 questions, with answers provided for each member of the household. If you did either the paper or online census you would need 60 minutes + 15 to 30 minutes per additional member of the household. I am not surprised the online system failed. You need to stay online for so long. The online system needs to handle lots of people after work, after dinner, doing one last thing for the day before going to bed.


  • Paul Renault (profile), 11 Aug 2016 @ 1:23pm

    "...we expect to save AU$100M.."

    I hope alex @mramclaren will alert us when an ABS Senate Estimates committee lets us all know how they got it so wrong.

    I know why they got it wrong: it appears to be the most guaranteed, 100% sure way to enjoy financial and political success in this age.
    http://www.commondreams.org/views/2015/03/10/want-succeed-establishment-policy-circles-just-be-aggressively-and-consistently


  • Kronomex, 11 Aug 2016 @ 3:36pm

    I still believe that it was a giant stuff up by a combination of the government, ABS and IBM. But being the LNP, who feel they rule by divine right, they can never, never, never do any wrong. It's always someone else's fault. Actually I'm surprised they haven't blamed Labor for their negative waves (to paraphrase Oddball) causing the crash.


    • Anonymous Coward, 11 Aug 2016 @ 3:55pm

      Re:

      I believe the Treasurer has already done so in his press conference on halting the sale of that NSW power company to the Chinese for national security purposes, if I heard correctly his answer to a reporter's question on the census debacle.


    • Anonymous Coward, 11 Aug 2016 @ 4:09pm

      Re:

      I know you are a Labor or Greens boy, but all of the political parties have the "divine right" view of their respective rules.

      They are all as bad as one another.


      • Anonymous Coward, 11 Aug 2016 @ 9:13pm

        Re: Re:

        "As bad as one another" is an excuse of the ruling party to avoid losing government.


        • Anonymous Coward, 11 Aug 2016 @ 9:30pm

          Re: Re: Re:

          Not really, it just means that you can't vote for None of the Above and have it count.

          As far as our current government and major opposition parties are concerned, they are functionally no different. We are screwed by all four of them.

          Here in Victoria, we have a government that is just plain criminal. This is the state of affairs for the entire nation. None of them represent the population, all of them claim mandate on bare majorities.

          As a nation, we have no leadership that actually has a care for the citizens of this nation or the future well-being of the nation as a whole.

          If you were to scrape through all the policies of every party, one might be able to find a small portion that would actually be of benefit to the nation as a whole. But don't get your hopes up.


      • Kronomex, 12 Aug 2016 @ 12:50am

        Re: Re:

        I agree with them being as bad as each other, but the LNP has a sense that THEY are the natural rulers, with much input from their donors and corporate masters.


  • G Thompson (profile), 11 Aug 2016 @ 3:43pm

    No matter the spin our Government and ABS idiots are trying to put on it, there is currently NO evidence whatsoever of any DDoS attacks occurring into Australia in regards to the census site on the day in question.

    The only DDoS that is likely to have occurred is that more than 1 million people tried to access the server, which was only rated for a load of 750,000 per hr (there are over 5 million households in Aust), and even then it was continuously failing under stress testing previously.

    IBM is somewhat to blame here, but mostly the blame goes immediately and squarely at the feet of the idiots in the ABS and the current Federal Govt who thought this was a good idea.

    Don't get me started on the identification privacy issues. I am refusing to give name, address and birth date for anyone in my household at the time the snapshot is required. They can, like a few thousand (actually more .. much more than that) of us who have refused, come play the game with us in court if they so wish to prosecute. The Act(s) in question are very specific on what is and what isn't needed in a census. Identifying information is NOT part of it.


    • Anonymous Coward, 11 Aug 2016 @ 4:06pm

      Re:

      It doesn't matter, they already have a good idea of who was there based on what I received for the paper census. We have 7 residents in our household (covered by two families) and the result of asking for the paper census was the receipt of 7 items to fill out.

      The only way they could know this is by cross-matching data between the various government departments now.

      So anything they say about security and privacy is already down the tube. The fact that you have to deal with medicare, the tax office and centrelink on a yearly basis means that the data linkages are already there and accessible to the ABS and every other government department.

      What is problematic is their use of public infrastructure to transmit this information.


  • Rabbit, 12 Aug 2016 @ 3:24am

    Not doing it online

    The great census fail has unfortunately destroyed any trust anyone can put in the government's ability to deal with confidential data online or offline. I for one will not be doing it online - I still haven't got a letter with a login number, for one thing. I will wait for a census flunky to come around and give me a paper form, which I will fill out as best I remember what I was doing back on census night, to post back. All the turkeys had to do to get cooperation was repeal the decision to data match personal data with other departments. They refuse to back down, so I and hundreds of thousands, maybe a couple of million, others are passively resisting. The government threatens fines. Well, I've got till sometime in September to do it without getting fined, as I'm not refusing to do it. But I'm not going to waste my time calling for a form either. I made one call and got the recording. So now it's up to them. I'll fill it out when I get it.


  • Almost Anonymous (profile), 12 Aug 2016 @ 10:31am

    Australia's new Prime Minister via online voting

    Please congratulate Australia's new Prime Minister! Let's welcome "mARBLE CAKE ALSO THE GAME" to the podium!


  • Anonymous Coward, 14 Aug 2016 @ 6:04pm

    Calling an early election with the double dissolution of parliament last month is now paying big dividends to the far right Liberal/National/CLP/LNP coalition.

    If the election was held when it was due to be held sometime later this year, then this clustefruck would have caused the voters to completely give up on what so far has been the worst Federal government in living memory.

    We may yet have the Liberals copy the "Most Evil & must be destroyed at all costs Union-controlled Labor Party" in giving Australia 3 Prime Ministers in 3 years & "Do a Rudd" with the recently dumped ex-PM Abbott arise from the dead & taking back his old job.

    It's an exciting time for the current Prime Minister for Goldman Sachs, Malcolm Turnbull.

    We too have batshit crazy politics, surely a podium is deserved for all their (lack of) effort.


  • eloquentloser (profile), 14 Aug 2016 @ 9:30pm

    And ..'Opt out' Health records..

    None of the media here seem to have picked up on the additional fact that health records in Australia are being added to an online system which was previously 'opt-in', but is being progressively phased to 'opt-out' (because virtually no-one joined).

    To opt out, of course, you need to provide them with proof of identity, etc. Then your records would need to be flagged as such, so .. no point, really.

    I can attest that few people I've talked to here have any idea that this is happening. The risks are quite extreme, given the complete lack of any cohesive defensive security framework and obvious bureaucratic incompetence. I wonder if these health records (which could be useful for blackmail, insurance companies etc) are intended for cross-referencing with Census data. I can't seem to discern whether this is true. ;-)

    https://myhealthrecord.gov.au/internet/mhr/publishing.nsf/Content/privacy-statement

    http://www.news.com.au/national/your-personal-health-information-is-about-to-go-online-but-you-can-stop-it/news-story/d4b2c671fd2041e8b8e160b630fe310b

