Australia's Census Fail Goes Into Overdrive -- A Complete And Utter Debacle
from the at-least-maybe-people-will-realize-that-e-voting-is-bad dept
Earlier this week, we wrote about how the Australian census was looking like a complete mess, with the government deciding that it was going to retain all the personal info it was collecting, including linkages to other data, rather than destroying it after it got the aggregate census numbers. There were lots of concerns about privacy and security, and we highlighted some ridiculous statements from people at the Australian Bureau of Statistics (ABS), which is running the census, insisting their security was "the best security" while at the same time they were storing passwords in plaintext.
Little did we know that the disaster many expected would be dwarfed by the actual disaster. Once the census website launched on Tuesday, the site was immediately hit by a series of denial of service attacks that took the entire system offline. It ended up remaining offline for nearly 48 hours, and while the ABS says it's back, many people are still reporting problems. Perhaps that's because the ABS seems to be taking extreme and ridiculous measures to try to block further denial of service attacks, including blocking anyone who is using a VPN or a third-party DNS provider such as Google's public DNS. Neither measure does much against a flood of traffic aimed at the site itself (an attacker does not need the target's preferred resolver to find its IP address), but both exclude exactly the users who care most about their privacy. For a system that talks up how secure and private it is, pushing people to drop their VPNs and their preferred DNS providers raises all sorts of questions, none of them very good.
Meanwhile, as people are realizing that this is making Australia look like a global joke, the government seems unwilling to shoulder any of the blame, with most of the finger-pointing directed at IBM, the company that built the web-based census system.
At the same time, the ABS folks in charge of the census held an apparently pointless "press conference" where they refused to take any questions, and after a few apologies insisted that everything was fine and everyone should go ahead and fill out their census entries. Of course, now people are turning up old clips of the ABS joyfully explaining just how much money they were saving with this system.
Can't get enough of this ABS Senate Estimates exchange. pic.twitter.com/GmP1H6zhP0
— alex (@mramclaren) August 11, 2016
About the only good thing that seems likely to come out of all of this is that it may slow down a push for internet voting. People are realizing that if this is how poorly things work when it's "only" the census, then perhaps Australia shouldn't be rushing to implement online voting. If the census can be taken down for two days due to a denial of service attack, just imagine what would happen to an election voting website...
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
–The Techdirt Team
Filed Under: asb, australia, census, denial of service attack, privacy, security
Reader Comments
Tell me again?
Re: Tell me again?
You pick the DNS servers you "like" and you give them one set of data, and you give the DNS servers you "don't like" other data. The names will actually resolve differently, and it's trivial to make some work and others not work.
Re: Re: Tell me again?
Don't all the DNS providers sync up over time?
Why would anyone care how you get your DNS?
Re: Re: Re: Tell me again?
1. DNS providers sync up, usually within 24 hours, but it's a top-down chain: Google just knows to check IP blah for information about domain foo. If the government owns IP blah, they can feed different results to people coming via Google than they do to people coming via Telstra. Google and Telstra have perfectly resolving DNS info -- but the final result handed to the end user by server blah will be different.
2. It's about control and data mining. If everyone uses Telstra DNS to access the census, and Telstra will only allow their subscribers to use their DNS, then only people living in Australia can access the census website... unless they use a VPN through a Telstra system. So the census website also blocks VPNs, likely by doing signal delay checks (ping times via VPNs will be significantly longer than ping times to local endpoints).
You didn't think that Google was providing a DNS service out of the goodness of their hearts did you? They get a rich collection of what IPs are looking to resolve what domains. Likewise, repressive governments usually turn to local DNS servers to block services they don't want their citizens to see. Third party DNS routes around that (among other things).
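The two comments above describe split-horizon DNS: the authoritative server for the zone looks at which resolver is asking and hands out different answers. The following is an added illustration of that mechanism written for this page; it is not code from the ABS, IBM, or anyone who worked on the census, and there is no evidence on this page of how the real site was configured. It is a toy authoritative responder that parses a raw DNS query, decides on the answer from the source address of the resolver that sent it, and builds the wire-format reply. The resolver range (203.0.113.0/24), the name census.example and the two addresses are assumptions drawn from RFC 5737 documentation space.

```python
import ipaddress
import struct

# Constructed illustration data. The resolver range, zone name and addresses are
# assumptions drawn from RFC 5737 documentation space; they are not anything the
# ABS or its contractor actually configured.
TRUSTED_RESOLVERS = [ipaddress.ip_network("203.0.113.0/24")]  # the "favoured" ISP resolvers
SERVED_NAME = "census.example"
REAL_ADDRESS = "192.0.2.10"       # address handed to favoured resolvers
SINKHOLE_ADDRESS = "192.0.2.254"  # address handed to everyone else (e.g. a public resolver)


def build_query(qname, txid=0x1234):
    """Build a minimal DNS A/IN query in wire format (RFC 1035 section 4.1)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.rstrip(".").split(".")) + b"\x00"
    return header + name + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_query(packet):
    """Return (txid, qname, qtype, qclass, raw_question_section) from a DNS packet."""
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack(">HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not valid in a query name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack(">HH", packet[pos:pos + 4])
    pos += 4
    return txid, ".".join(labels).lower(), qtype, qclass, packet[12:pos]


def choose_answer(source_ip, qname):
    """The split-horizon policy: which A record (if any) this resolver is told."""
    if qname.rstrip(".").lower() != SERVED_NAME:
        return None  # not our name: NXDOMAIN
    src = ipaddress.ip_address(source_ip)
    if any(src in net for net in TRUSTED_RESOLVERS):
        return REAL_ADDRESS
    return SINKHOLE_ADDRESS


def build_response(packet, source_ip):
    """Answer a query differently depending on which resolver sent it."""
    txid, qname, qtype, qclass, question = parse_query(packet)
    answer_ip = choose_answer(source_ip, qname)
    if answer_ip is None:
        # QR=1, AA=1, RCODE=3 (NXDOMAIN); echo the question, no answer records
        return struct.pack(">HHHHHH", txid, 0x8403, 1, 0, 0, 0) + question
    if qtype != 1 or qclass != 1:
        # Name exists but we only serve A/IN: NOERROR with an empty answer section
        return struct.pack(">HHHHHH", txid, 0x8400, 1, 0, 0, 0) + question
    header = struct.pack(">HHHHHH", txid, 0x8400, 1, 1, 0, 0)  # QR=1, AA=1, one answer
    # Answer RR: compression pointer to the question name at offset 12,
    # TYPE=A, CLASS=IN, TTL=60, RDLENGTH=4, then the four address bytes.
    rr = struct.pack(">HHHIH", 0xC00C, 1, 1, 60, 4) + ipaddress.ip_address(answer_ip).packed
    return header + question + rr


def answered_address(response):
    """Extract the A record from a response built above; None if there is no answer."""
    flags, _qdcount, ancount = struct.unpack(">HHH", response[2:8])
    if flags & 0x000F == 3 or ancount == 0:
        return None
    _, _, _, _, question = parse_query(response)
    rr = response[12 + len(question):]
    _ptr, _rtype, _rclass, _ttl, rdlength = struct.unpack(">HHHIH", rr[:12])
    return str(ipaddress.ip_address(rr[12:12 + rdlength]))


if __name__ == "__main__":
    query = build_query(SERVED_NAME)
    for resolver in ("203.0.113.53", "8.8.8.8"):
        print(resolver, "->", answered_address(build_response(query, resolver)))
```

In production this policy is normally expressed as a BIND `view` with a `match-clients` ACL rather than hand-built packets, but the decision is the same: the authoritative server keys the answer on the resolver's address, so Telstra's resolver and Google's resolver each get a correct, consistent answer that happens to differ. Two caveats a practitioner should keep in mind: it only screens clients by the resolver they use, so anyone who already knows the site's address (or puts it in a hosts file) walks straight past it, and it does nothing about traffic an attacker is already sending to that address.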
Re: Re: Tell me again?
I propose techdirt also warn against sites that refuse to load without cookies and/or javascript in addition to those that are paywalled.
Forbes Warning
Would it be possible to mark all links to Forbes and other Ad-Blocker unfriendly websites with some sort of warning?
I appreciate that you can't always steer clear of those websites, but feel that we as a community should take pro-active measures to discourage annoying behavior.
Sincerely,
Arthur
Re: Grow your Business with UserGrow
Flagged as link spam.
Re: Re: Grow your Business with UserGrow
Online voting
But I haven't yet seen anyone describe a concrete implementation strategy that was satisfactory. If votes aren't verifiable after they're made, then they're vulnerable to tampering; if they *are* verifiable after they're made, then they're vulnerable to privacy violations. And that's before we get into this article's observation that trusting the basic machinery of democracy to a system that can be taken offline by something as simple and unsophisticated as a DDoS attack is folly.
I continue to support increasing access to voting. But I'm afraid online voting isn't an acceptable solution, as much as I'd like it to be.
Solutions I do support:
Voting by mail
Filling in a mail-in ballot and then dropping it off directly at the polls (and I should add that I don't support my state's recent ban on third parties submitting other people's sealed ballots; there is no evidence that any voter fraud has ever occurred through this means and every indication that it is merely a partisan voter suppression effort)
Early in-person voting
Same-day registration
Making election day a paid holiday
None of these things is free, of course, but I think the goal of increased voter turnout (and an end to disenfranchisement) is worth the cost.
Re: Online voting
Re: Re: Online voting
Video: https://youtu.be/CaqKuWwYusU
Re: Re: Re: Online voting
Re: Re: Online voting
How do you prevent vote buying with that system?
Re:
Given how shoddy the rest has been it wouldn't surprise me in the least if that was what actually happened, and those running it and defending it are just trying to save face by claiming it was an attack that took the system down.
Re: Likely Not DoS, just badly dimensioned
So the DoS was rather the expected usage.
And don't get me started on the collection of names etc this time around, which is just appalling for privacy. (Can you say massive hack target by both foreign governments [NSA] and bad acting crackers/hackers)
Re: Re:
http://thenewdaily.com.au/news/national/2016/08/11/census-fail-kalisch/
Re:
"...we expect to save AU$100M.."
I know why they got it wrong: it appears to be the most guaranteed, 100% sure way to enjoy financial and political success in this age.
http://www.commondreams.org/views/2015/03/10/want-succeed-establishment-policy-circles-just-be-aggressively-and-consistently
Re:
Re:
They are all as bad as one another.
Re: Re:
Re: Re: Re:
As far as our current government and major opposition parties are concerned, they are functionally no different. We are screwed by all four of them.
Here in Victoria, we have a government that is just plain criminal. This is the state of affairs for the entire nation. None of them represent the population, all of them claim mandate on bare majorities.
As a nation, we have no leadership that actually has a care for the citizens of this nation or the future well-being of the nation as a whole.
If you were to scrape through all the policies of every party, one might be able to find a small portion that would actually be of benefit to the nation as a whole. But don't get your hopes up.
Re: Re:
The only DDoS that is likely to have occurred is that more than 1 million people tried to access the server, which was only rated for a load of 750,000 per hour (there are over 5 million households in Aust), and even then it was continuously failing under stress testing previously.
IBM is somewhat to blame here, but mostly the blame goes immediately and squarely at the feet of the idiots in the ABS and the current Federal Govt who thought this was a good idea.
Don't get me started on the identification privacy issues. I am refusing to give name, address and birth date for anyone in my household at the time the snapshot is required. They can, like a few thousand (actually more... much more than that) of us who have refused, come play the game with us in court if they so wish to prosecute. The Act(s) in question are very specific on what is and what isn't needed in a census. Identifying information is not part of it.
Re:
The only way they could know this is by cross-matching data between the various government departments now.
So anything they say about security and privacy is already down the tube. The fact that you have to deal with medicare, the tax office and centrelink on a yearly basis means that the data linkages are already there and accessible to the ABS and every other government department.
What is problematic is their use of public infrastructure to transmit this information.
Not doing it online
Australia's new Prime Minister via online voting
If the election was held when it was due to be held sometime later this year, then this clustefruck would have caused the voters to completely give up on what so far has been the worst Federal government in living memory.
We may yet have the Liberals copy the "Most Evil & must be destroyed at all costs Union-controlled Labor Party" in giving Australia 3 Prime Ministers in 3 years & "Do a Rudd" with the recently dumped ex-PM Abbott arise from the dead & taking back his old job.
It's an exciting time for the current Prime Minister for Goldman Sachs, Malcolm Turnbull.
We too have batshit crazy politics, surely a podium is deserved for all their (lack of) effort.
And ..'Opt out' Health records..
To opt out, of course, you need to provide them with proof of identity, etc. Then your records would need to be flagged as such, so .. no point, really.
I can attest that few people I've talked to here have any idea that this is happening. The risks are quite extreme, given the complete lack of any cohesive defensive security framework and obvious bureaucratic incompetence. I wonder if these health records (which could be useful for blackmail, insurance companies etc) are intended for cross-referencing with Census data. I can't seem to discern whether this is true. ;-)
https://myhealthrecord.gov.au/internet/mhr/publishing.nsf/Content/privacy-statement
http://www.news.com.au/national/your-personal-health-information-is-about-to-go-online-but-you-can-stop-it/news-story/d4b2c671fd2041e8b8e160b630fe310b