

Norwegian government tax portal security scandal - roschdal
http://www.theinquirer.net/inquirer/news/2162411/norwegian-government-tax-portal-logs-users-kenneth

======
JeanPierre
I really hope this changes how our politicians view computer applications and
electronic data. Last year, they decided to implement the data retention
directive (<http://en.wikipedia.org/wiki/Data_Retention_Directive>), arguing
that the odds of a security hole were close to zero because "technology
development" has removed those holes.

~~~
khafra
> that the odds of a security hole were close to zero because "technology
> development" has removed those holes.

I really wish there were a legally sanctioned way to remove the authority to
make meaningful decisions ever again from people who make decisions with that
astronomical level of stupidity.

------
plebu
This article is very misleading. They neglected to mention that in Norway your
taxes are public information. The tax list is published in the newspapers and
online. Anyone can see what everybody else earned and paid in taxes.

Update: 2011 Norwegian Tax List <http://skattelister.no/skatt/>

~~~
flexd
That does not change the fact that Altinn (the website) is a portal for over
700 forms, ranging from changing your home address to signing student loan
contracts and applying for social services.

Taxes aren't everything, and I really do not care if people see how much money
I make, but when something like this happens this easily (this is not the
first case of problems with Altinn, although none so severe before) you begin
to worry: is accepting the lowest-bidding contractor really the best option
for a website that holds the information of nearly every citizen of Norway?

But on the other hand if the website was run by the private sector the company
would have faced bankruptcy a long time ago and we would all be filing our
taxes on paper :-/

I do not know what is worse. I would prefer they at least separated the different
systems so that we did not have a single SSO solution for everything. I would much
rather have one for taxes, one for forms and documents and one for whatever
else, separated by the level of severity if they were to be broken into, or if
something like this were to happen.

~~~
plebu
Agreed.

------
atlbeer
Practical example of a famous quote

There are only two hard things in Computer Science: cache invalidation and
naming things.

-- Phil Karlton

~~~
mikeash
Unfortunately, he's not quite right. There are actually _two_ hard things in
CS: cache invalidation, naming, and fencepost errors.

~~~
atlbeer
And regex

------
chrislloyd
I've used Altinn in the past and it was fantastic. I'd rather take my chances of
being a "Kenneth" than deal with the IRS.

This news may sound sour, but Norway is still light years ahead of anywhere
else.

------
kristofferR
The most outrageous thing is not the cache/session error, but the fact that
they've spent over 170 million USD on a broken system that can't even handle a
couple of hundred thousand users a day.

------
qw
From what I have read in other sources, the actual forms were not available.
It was also not possible to perform any actions as this user.

The users were sent to his profile page and were restricted to that page. The
only sensitive information displayed was his name and social security
number (which is bad enough in my opinion).

------
calibwam
I read elsewhere that there were around 400 000 who tried to enter the
system, but anyway. They implemented a "queue", where you had to manually
refresh the browser to be able to log in. The whole thing is just crazy: the
government has spent over 170 million USD to create a system that doesn't
support hits at a level similar to not-so-popular sites. 400 000 views is a
ridiculously small amount.

~~~
flexd
The problem is that they have fairly normal visit rates all year, and when the
tax reports get sent out they have the entire population of Norway (in reality
less) trying to visit the website at the same time.

It wouldn't be financially beneficial to have a website that supports 2-3
million concurrent users on a permanent basis when they only see such numbers
within a limited timespan.

I do however think that for 170 million USD they could afford to do so, that
is a ridiculous sum of money.

------
swah
How would you prevent this?

~~~
sleepyhead
Well you could start with not letting Accenture do the development.

------
cab_codespring
It was really funny that the major Norwegian news site vg.no published a
screenshot of the bad page when they broke the story, with the guy's "ssn" (they
have something else there) and full name. Somebody must have pointed it out
because later they blurred it out. Kenneth is getting his 15 minutes of fame out
of this.

------
mattiask
Little Bobby Tables apparently has a Norwegian cousin

