29 comments

[ 3.1 ms ] story [ 49.9 ms ] thread
How would you prevent this?
Well you could start with not letting Accenture do the development.
(comment deleted)
Proper cache invalidation, which isn't just hard but, damn hard sometimes.
A site like this doesn't need a cache, though.
I really hope this change how our politicians view computer applications and electronic data. Last year, they decided to implement the data retention directive (http://en.wikipedia.org/wiki/Data_Retention_Directive), arguing that the odds of a security hole was close to zero due because "technology development" has removed those holes.
> that the odds of a security hole was close to zero due because "technology development" has removed those holes.

I really wish there were a legally sanctioned way to remove the authority to make meaningful decisions ever again from people who make decisions with that astronomical level of stupidity.

This article is very misleading. They neglected to mention that in Norway your taxes are public information. The tax list is published in the newspapers and online. Anyone can see what everybody else earned and paid in taxes.

Update: 2011 Norwegian Tax List http://skattelister.no/skatt/

That does not change the fact that Altinn (the website) is a portal for over 700 forms, ranging from changing your home address, signing student loan contracts and applying for social services.

Taxes aren't everything and I really do not care if people see how much money I make, but when something like this happens this easily (this is not the first case of problems with Altinn, although not so severe before) you begin to worry, is accepting the lowest bidding contractor really is the best option for a website that holds the information for nearly every citizen of Norway the best idea?

But on the other hand if the website was run by the private sector the company would have faced bankruptcy a long time ago and we would all be filing our taxes on paper :-/

I do not know what is worse, I would prefer they at least separated different systems so that we did not have a SSO solution for everything. I would much rather have one for taxes, one for forms and documents and one for whatever else, separated by the level of severity if they were to be broken into, or in the case something like this were to happen.

The totals are public, but not your entire tax report. And since this guy could represent his company, all the tax details of his company was also available.

I think the biggest issue is that this bug raises serious questions about the whole implementation of the site.

This posting is very misleading. It neglects to mention that in Norway, your tax return is not public. Only your income, your net worth and what you paid in taxes.
Didn't mean to mislead you. I just stated that anyone can see what you earned and paid in taxes.
That's not quite true either. The public figures are tax paid and net worth; the income numbers that you see are reverse-engineered from tax paid and the code, and may be inaccurate.
(comment deleted)
Practical example of a famous quote

There are only two hard things in Computer Science: cache invalidation and naming things.

-- Phil Karlton

Kenneth ain't such a bad name...
Unfortunately, he's not quite right. There are actually two hard things in CS: cache invalidation, naming, and fencepost errors.
Little Bobby Tables apparently has a norwegian cousin
I read another place that there were around 400 000 who tried to enter the system, but anyway. They implemented a "queue", where you had to manually refresh the browser to be able to log in. The whole thing is just crazy, the government has used above 170 million USD to create a system that don't support hits at level similar to not so popular sites. 400 000 views is a ridiculous small amount.
The problem is that they have fairly normal visit rates all year, and when the tax reports get sent out they have the entire population of Norway (in reality less) trying to visit the website at the same time.

It wouldn't be financially beneficial to have a website that supports 2-3 million concurrent users on a permanent basis when they only see such numbers within a limited timespan.

I do however think that for 170 million USD they could afford to do so, that is a ridiculous sum of money.

I'm guessing that the bottleneck isn't the website, but pulling in records from the no doubt dozens of ancient database systems where things like tax records, student loan information, pensions and everything else is stored. And given that during normal times these databases get probably a few thousands hits a day, it's probably not worth spending money on scaling them up.
From what I have read from other sources, the actual forms were not available. It was also not possible to perform any actions as this user.

The users were sent to his profile page and was restricted to that page. The only sensitive information that was displayed was his name and social security number (which is bad enough in my opinion)

The most outragous thing is not the cache/session error, but the fact that they've spent over 170 million USD on a broken system that can't even handle a couple of hundred thousands of users a day.
(comment deleted)
It was really funny that the major norwegian newsite vg.no published a screen shot of the bad page when they broke the story, with the guys "ssn" (they have something else there) and full name. Somebody must have pointed it out because later they blurred it out. Kenneth is getting his 15 minutes of fame out of this.
I've used Altinn in the past and it's was fantastic. I'd take my chances of being a "Kenneth" than deal with the IRS.

This news may sound sour, but Norway is still light years ahead of anywhere else.

(comment deleted)