Patrick Gray, described by CSO Magazine as a “respected information security journalist and podcaster”, has put forward an account of the Census crash that varies from the official version.
His “sources” told him that the DDoS (distributed denial of service) attack experienced at 7.30pm came from inside Australia, not from the United States as claimed.
He says IBM and the ABS were offered DDoS prevention services by their upstream provider, NextGen Networks, but said they didn’t need them. Their plan was simply to ask NextGen to geoblock all traffic from outside Australia in the event of an attack.
When the attack came from inside Australia, they had no defence.
The second part of the official story was that a router failed. Gray’s version has a stuff-up with the firewall(s) which is too technical for me to summarise.
The third element of the official story was that some unauthorised data activity was noticed inside the system. Since a DDoS attack is often used as cover for data exfiltration (stealing), they pulled the plug.
Gray says what happened is that the IBM alerts were actually “offshore-bound system information/logs”.
We’ve never been told officially what these alerts were, just that no data had been stolen, altered or destroyed.
The first and the third parts of this sad tale sound entirely plausible. The second, I wouldn’t know, but if equipment/system failure at this particular time was innocent, then it was an amazing coincidence.
We can only hope that the truth will out.
When governments outsource, sometimes they don’t have enough residual internal expertise to properly manage the project. In this case, when things went pear-shaped, the Australian Signals Directorate, part of the Department of Defence, was called in.
If they don’t have the requisite expertise we are in big trouble.
Earlier post: Census crash
Thanks for the summary, Brian.
The story of data exfiltration doesn’t pass the sniff test.
Surely if you were targeting the data being collected by the Census you would wait until collection was substantially complete. Why would you launch an attack just as the data started to flow into the system?
The ABS tweeted that they planned for 500,000 lodgements each hour and the system in place could handle twice that load. In the event it fell over at 540,000 lodgements per hour (150 per second).
The system was not set up to handle the surge of citizens from Victoria, New South Wales and Queensland all trying to do their duty at the same time – which would look a lot like a denial of service attack from inside Australia.
Thanks once again, Brian.
Zoot, I think it’s a fair point that a surge of people genuinely trying to get on would be indistinguishable from a DDoS attack.
Sites that monitor DDoS activity say there was nothing that registered on the Richter scale that day.
Either way it wouldn’t have taken much to bring the site down.
I might be missing something Brian but the questions being asked by the census hardly seem like particularly valuable stuff even if it was linked to people’s names.
I also think that the ABS did the right thing when they took the site down when there were signs that someone may have been stealing data. They should have been commended for that instead of having to put up with threats from Turnbull to roll heads. What Turnbull said was dangerous because next time someone may be tempted to cross their fingers and keep going to reduce the threat of being sacked. Turning an investigation into a gotcha exercise is not a good way of finding out what really happened. May be relevant when the government is doing things where crashes and data stealing are far more important than this case.
We also need to understand that what some of the critics are really saying is “you should have paid for my expertise.”
Sorry but my bullshit detector keeps rattling when I read about the so-called “census disaster.”
John, like you when filling out the census I did wonder about the relevance/value of some of the information, for example religious affiliation.
I think some questions are included because they always have been, so continuity of data is provided to demographers and other social researchers with an interest.
Information such as age, income, work participation etc is said to be important in public policy planning. I don’t have the knowledge and expertise to provide a critique on this, so I’m willing to accept the word of those who are better informed.
For the whole thing to be useful, though, it is said that the threshold is 95% participation providing accurate information. If that’s the benchmark then “disaster” would appear an appropriate descriptor, and like Quiggin I doubt the project can be salvaged.
I agree, though, that threats from Turnbull will compromise finding out what really happened.