An Embarrassing DDoS Fail for Australian Census 2016

Ruth

The Living Force
I completely forgot about Census night, so it's probably just as well that the whole thing went 'wheels up'. At least I won't get fined. They are trying to say that it was hacked by China, but some computer geeks have a different take.

From here:
http://www.news.com.au/technology/online/hacking/expert-analysis-how-did-the-abs-get-the-digital-census-so-wrong/news-story/9894dba08a75d689c52d75d4cf52163c

OPINION: The failure of the National Census comes as no great surprise to many experts.
It survived online mere minutes before flailing and bursting into flames.
If you look towards the past, we’ve seen variations of all of these problems before. For example the Click Frenzy promotion, aiming to recreate the success of Cyber Monday in the United States, crashed within minutes of launching.
The real surprise is that we’re not learning from these mistakes. It’s not even the first time this particular IT contractor has come up short.
The Queensland government has a ban in place on any new contracts with IBM due to their part in a $1.2 billion health payroll debacle.
Given all of these warning signs, we still somehow ended up outsourcing the digital census to IBM, which predictably crashed within minutes of launch.
To be fair, running a website that will receive millions of hits in a few hours comes with many challenges. But those challenges are remarkably well understood.
The first is that we know Census night is a distributed denial of service (DDoS) by design.
WHAT IS A DISTRIBUTED DENIAL OF SERVICE?

A distributed denial of service is when a resource such as a website is hit by an excessively large number of requests from a variety of sources such that the resource becomes unusually slow.
Think of it as the bathroom queue at the end of a movie marathon when every second movie goer had a large frozen coke going in.
As a dutiful Australian, you may well have contributed to the DDoS that brought down the digital census. But it’s certainly not your fault.
With good estimates and sound preparation, the digital Census should not have had a problem.
Unfortunately, only hours before its spectacular failure, ABS employees were gloating via Twitter that “The online Census form can handle 1,000,000 form submissions every hour. That’s twice the capacity we expect to need.”
Given there are 24 million Australians, with 15 million expected to participate in the Census, even the most trivial of calculations would tell you that a million submissions an hour seems low.
The second possibility is that a DDoS attack launched by black hat hackers took the site down.
While this is what was originally being claimed by the ABS there is little evidence for a substantial DDoS attack.
Large scale DDoS attacks are obvious in even trivial network analysis and can even be visualised in real time.
Either no DDoS attack occurred or, more worryingly, a tiny and entirely anticipated DDoS took out the site.
While it is too late to do anything for the Census, we should be asking ourselves how to avoid this in the future.
When the US government launched Healthcare.gov, the health insurance exchange website for “Obamacare”, it was a disaster.
The day it was launched, only six people had been able to sign up for health insurance. The site was then inaccessible for two hours a day on average.
All of this after the budget had blown out from $93.7 million to $292 million before launch.
This visible and extreme failure led to Obama promising a “tech surge” to rescue Healthcare.gov. While this might sound like a grandiose vision, in reality it involved a handful of Silicon Valley engineers adopting the tactics of start-ups.
At the end of their tenure, the small team had pulled Healthcare.gov back from the brink of death to a fully functioning website.
WHY PURSUE START-UP ENGINEERS?
These are the standard challenges a start-up engineer faces. Given a small amount of cash, an array of adversaries, and limited resources, they have to come up with a solution to existing problems.
Start-ups have scaled to millions of concurrent users with far less funding than this contract was worth.
If your start-up received funding in the amount paid to IBM for the census — $9,606,725 — you’d likely make a few headlines even in Silicon Valley.
Competent start-ups are also able to juggle millions of users per engineer, usually leveraging cloud services such as Amazon Web Services or Google Cloud Engine.
When Instagram was acquired by Facebook, just three engineers handled 30 million users posting hundreds of millions of photos per month thanks to Amazon Web Services.
WhatsApp, an exception to the rule, used raw hardware to famously support more than 900 million users with only 50 engineers.
Since Healthcare.gov, the US government created the US Digital Service, who literally bill themselves as “a start-up at the White House”. The United States is learning from its mistakes and architecting towards the future.
WHY AREN’T WE?
Even with dropping enrolment rates in computer science and a mass brain drain to the States, Australia still has talented engineers and deep start-up knowledge that we could be utilising instead of remaining in the era of dinosaur consultancies.
Malcolm Turnbull’s ‘innovation nation’ isn't turning out as planned.
Sadly, even with “Innovation Nation” being the Prime Minister’s tagline, I don’t expect to see a change.
Regardless of the exact causes, the digital Census stands as just another in a long list of black marks when it comes to the digital readiness of Australia.
Stephen Merity is an Australian Harvard graduate working as an artificial intelligence researcher in San Francisco.
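As an added example that is not part of the quoted article or of this post, the Python below illustrates the article's point that a volumetric flood stands out in even simple network analysis: it profiles constructed log lines for how concentrated traffic is across client addresses, and compares the busiest second with the stated 1,000,000-per-hour capacity. The log format, the addresses and the 50% concentration threshold are assumptions.

```python
# Added example, not from the article or the ABS: telling an organic surge (many
# sources, a request or two each) from a concentrated flood (a few sources
# dominating) in web-server log lines, and checking the observed peak against a
# stated capacity figure.
from collections import Counter
import re

# Constructed sample lines using hypothetical private/documentation addresses:
# "<epoch_second> <client_ip> <method> <path> <status>"
ORGANIC_SURGE = [
    f"{1470742200 + i % 10} 10.{i // 256}.{i % 256}.1 POST /submit 200" for i in range(400)
]
CONCENTRATED_FLOOD = [
    f"{1470742200 + i % 10} 198.51.100.{i % 4} GET /login 503" for i in range(380)
] + [f"{1470742200 + i % 10} 10.0.0.{i} POST /submit 200" for i in range(20)]

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3})$")

def parse(lines):
    """Yield (timestamp, ip, method, path, status) tuples, skipping malformed lines."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts, ip, method, path, status = m.groups()
            yield int(ts), ip, method, path, int(status)

def source_profile(lines, top_n=5):
    """Summarise how concentrated the traffic is across client addresses."""
    per_ip = Counter(ip for _, ip, *_ in parse(lines))
    total = sum(per_ip.values())
    top = sum(c for _, c in per_ip.most_common(top_n))
    return {"requests": total, "distinct_sources": len(per_ip),
            "top_n_share": round(top / total, 3) if total else 0.0}

def classify(lines, top_share_threshold=0.5):
    """'concentrated' when a handful of addresses produce most requests, else
    'organic'. The threshold is an assumption; in practice compare against the
    site's own baseline source distribution rather than a fixed number."""
    share = source_profile(lines)["top_n_share"]
    return "concentrated" if share >= top_share_threshold else "organic"

def peak_per_second(lines):
    """Busiest one-second bucket: the number to compare with a capacity budget."""
    return max(Counter(ts for ts, *_ in parse(lines)).values(), default=0)

def exceeds_capacity(lines, stated_per_hour=1_000_000):
    """True if the busiest second exceeds the stated hourly capacity spread evenly
    over 3600 s. Even spreading is generous: real demand peaks in the evening."""
    return peak_per_second(lines) > stated_per_hour / 3600
```

Run against real logs, the same two numbers (distinct sources and top-N share) are what separate "everyone obeyed the government at once" from a flood driven by a small set of addresses.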
 
Did you receive the activation code in the mail Ruth?

Interestingly enough, I've spoken to many people who have not received the activation code to use the website. Not too sure what they expected from all of this. Half of the nation didn't receive the code & from the article you provided they also clearly didn't have the capacity for us to access the Census even if we did have the code.

8 hours ago an update was put out from the ABC news.

http://www.abc.net.au/news/2016-08-10/australian-bureau-of-statistics-says-census-website-hacked/7712216

Notably, various Greens politicians are refusing to put their names on the Census.

Earlier this week, crossbench Senator Nick Xenophon announced he would not put his name on the form due to privacy concerns.

Greens senators Scott Ludlam, Janet Rice, Sarah Hanson-Young, Lee Rhiannon and Larissa Waters also said they would not be providing their names.

Senator Xenophon had been accused of "tinfoil hat" politics by Coalition frontbencher Christopher Pyne over his concerns.

He told the ABC this morning that he was not sure "who should be wearing that hat today".

"Look, there are real concerns," Senator Xenophon said.

"The census, the ABS, has had five years to get this right.

Also to note:

People officially have until September 23 to complete the census online, and the ABS has said people will not be fined for not completing the forms on census night.

"There will be no fines for completing the census after August 9. There's still plenty of time to complete the census. Thanks for your patience," the ABS said in a statement.

I would think surely there would be no fines at all after a stuff up this big.
 
FWIW, Joanna Nova wrote about the census - The Australian ABS Big Gov Big Fail — Census night crashes

When is an attack, not a hack, not an attack, and possibly not even a Denial of Service (DDOS) – when 5 million people try to obey the government?

Matthew Hackling, a cybersecurity expert, said on Twitter today that there was no evidence of a DDOS attack, with international data maps showing no suspicious activity in Australia in that time.


Census fail: ABS says hackers attacked website despite denials, after nearly $500,000 was spent on load testing servers, by Rod Chester.
 