Disaster Strikes Norwegian Government Web Portal

samzenpus posted more than 2 years ago | from the norwegian-blues dept.

Security 176

An anonymous reader writes "Altinn.no is a web service run by the Norwegian government, on which citizens can find, fill out and deliver forms electronically. Every year Norwegian citizens can also log in to check their tax results. This year, as every year, the site was unable to cope with the traffic generated from everyone wanting to check their taxes at the same time. New this year, however, was that once people were finally able to log in, a significant amount of people were logged in as someone else. Users then had access to all financial data of this unfortunate person over two years back in time, in addition to the financial information of his wife and the company he worked for. Altinn shut down some 15 minutes later, and has been down since."

176 comments

Online tax information (0, Troll)

Anonymous Coward | more than 2 years ago | (#39437989)

It seems like a handy thing to be able to check your tax results online, but what say you?

Taxes, are they good or are they whack?

Remember how they file their taxes (3, Informative)

mjensen (118105) | more than 2 years ago | (#39437991)

by the government sending them a letter saying how much is owed.

The government does all the calculations.

Re:Remember how they file their taxes (5, Insightful)

ThatsMyNick (2004126) | more than 2 years ago | (#39438145)

Which is good, right? For 90% of citizens, govt calculation is good enough. The only reason it is not being implemented in the US is because of the lobbying of Tax processing services.

Re:Remember how they file their taxes (0)

wvmarle (1070040) | more than 2 years ago | (#39438179)

And I suppose the US government will re-calculate everything? Otherwise fraud will get really easy.

Re:Remember how they file their taxes (4, Informative)

txoof (553270) | more than 2 years ago | (#39438557)

The Norwegian government had to recalculate my taxes and my wife's taxes no less than three times. They have the power to deposit money and withdraw it from my bank account. I tried to work out their calculations, but not being a native Norwegian speaker, I struggled to understand how they were doing things. I just have to trust that things are correct.

The Norwegian government always seems to do what they say they will, they just do it in their own time and usually with six or eight tries to do it right...

Future possibilities by automated taxes (3, Interesting)

KjetilK (186133) | more than 2 years ago | (#39438559)

It is certainly very convenient, when it works. It feels kinda strange to trust every financial detail of my life to the government, so whether it is good in a real sense is a question I'm very open to debate. It does allow some very useful applications to be developed, with a very nice potential for streamlining interaction between government, citizens and private sector. This is actually very high on the government's agenda, which I'm happy about, because the bureaucracy is sometimes both heavy and heavy handed. If it is done well, it could potentially enable citizens to simulate possible choices in their lives before they make a decision: "If I do $that, the taxes will be $this". It would also enable an improved public debate: now it is a lot of bickering of the style "if you raise $that_tax, it will adversely affect $that_group" "no, it won't, but not doing it is required by $that_group". They're just making things up, of course, the debate is usually completely devoid of facts. Soon, it might be possible to simulate those scenarios on a regular basis, so we get real facts on the table before making a decision. Unfortunately, there's a long way from good ideas to actual implementations. I've been in meetings with the people who actually order these systems, and what can I say... Heads gotta roll to go anywhere... They're easily blinded by suits, and they have no idea what makes a robust system. So, for now, I'm not too confident it will happen, even though there are some very interesting ideas around.

Re:Remember how they file their taxes (0)

wvmarle (1070040) | more than 2 years ago | (#39438175)

And that's the easiest way for citizens, imho. And the government can centralise all calculations, and do this relatively cheap. Even if the tax payers do it, the government will anyway have to do the calculations again just to verify the totals.

I'm used to doing it that way. The tax software would calculate for you to let you know the preliminary result (then at least you know what to expect); not official but usually the exact same as the final, official calculation. As it should be, of course.

Re:Remember how they file their taxes (5, Informative)

neyla (2455118) | more than 2 years ago | (#39438261)

That's not entirely true. What happens is this:

The government sends you a form for filing taxes, the form is pre-filled with those values that have already been reported by other entities, but next to every one of these values there is a field for correcting the value if it is somehow wrong. (this happens if, for example, you've got private debts, or if your employer makes a mistake in reporting)

You thus get a pre-filled form, but you should nevertheless check that the values on the form look correct before filing it.

And yes, the form also contains calculations on taxes, thus it says: "assuming we got it correct, here's what your tax will be", but that part, of course, will change if you add or change anything on the form.

Learn from the Experts, ye tax-boggled folks! (5, Interesting)

OKK77 (683209) | more than 2 years ago | (#39438497)

It is done similarly in über-effective, ultra-efficient Singapore:

1) Let's say I'm employed by company C. Company C will send to taxman my identity card number and the amount they have paid me for the tax year.
2) Taxman will do the calculation of tax. Taxman will also consider the recurring tax claims/rebates I am likely to have (spouse/parents-related rebates, for example).
4) Taxman sends me a reminder to confirm their calculations on their website.
5) I will adjust the calculations if needed and submit the final figure.
6) Taxman sends me the final amount of tax I need to pay with payment options including a 12-month instalment plan deducted from my bank account.
7) If I'm audited, I will have to provide documents for the claims/rebates.

Total time spent: about 1 hour (including claims for private insurance, education expenses, donations)
Total $$$ spent: ZERO, ZILCH, NADA!

Re:Learn from the Experts, ye tax-boggled folks! (1)

Ihmhi (1206036) | more than 2 years ago | (#39438911)

I am surprisingly ignorant of the tax codes of the world. I thought things like the UK's VAT were way, way more common than filling out tax forms (albeit in a much easier manner than is the nightmare of the United States). Why don't more places use some sort of flat tax?

Re:Learn from the Experts, ye tax-boggled folks! (4, Insightful)

Randle_Revar (229304) | more than 2 years ago | (#39439149)

Because most places know that a flat tax is horribly regressive. Anyway, it isn't the stepped rates that make the tax code complicated, it is all the loopholes, exceptions and deductions.

Re:Remember how they file their taxes (0)

Anonymous Coward | more than 2 years ago | (#39438715)

It is the same in the Netherlands.
I kind of like it, as it saves a lot of typing of numbers.

Re:Remember how they file their taxes (4, Interesting)

cbope (130292) | more than 2 years ago | (#39438909)

Basically the same here in Finland. You get a pre-filled tax form in the mail. "Doing my taxes" every year takes no more than 5-10 minutes; checking the values are correct on the form, logging into the tax authority website, making corrections if needed (never needed to), adding deductions as needed, and then submitting it electronically. I even know when I will get my refund way ahead of time. The refund goes straight into my bank account automatically, I don't need to do anything. It's all very easy and simple to understand, even for a layperson without a finance degree.

I don't need a paper record, it's all on file electronically. I only need receipts if I have significant, large deductions.

It is FAR better than the system in the US, where a complete racket has been built up in the form of "tax services", and making the tax laws so complicated and full of loopholes that the average EDUCATED person cannot figure it out in 10 minutes or less. There is a serious problem when you need professional tax services or an accountant to do your personal taxes. I say this as an American living abroad for the past 12 years, so I have much experience with both systems.

Back to the OP, wow... it looks like the tax authority really screwed this up. However, that doesn't change my view that it's still the best way to handle taxes. Mistakes can and do happen in any system. Luckily the issue was discovered rather quickly and they made the correct decision and took the system offline.

erm... whoops? (0, Redundant)

Tastecicles (1153671) | more than 2 years ago | (#39438025)

This is what happens when login credentials are based on the SSN, which is a serialised integer system. One wrong digit doesn't throw an error - it fuckin' logs you in as someone else!

Re:erm... whoops? (5, Informative)

Anonymous Coward | more than 2 years ago | (#39438065)

It's been very briefly reported that this was related to a caching error. This guy's information was apparently cached and then served to everyone.

Re:erm... whoops? (1)

Tastecicles (1153671) | more than 2 years ago | (#39438073)

wait, what?? I don't even get how that happens. Someone care to enlighten this rock?

Re:erm... whoops? (0)

Anonymous Coward | more than 2 years ago | (#39438141)

In NZ at least, we hardly ever have to fill in tax returns or even think about it. For most people, it's calculated by your employer and taken out of your pay directly - you just have to provide your employer with a tax code. It's called PAYE.

They send you a "Personal Tax Summary" outlining how much you paid, and if they've found anything wrong, how much you owe. After you get that, you might have to declare any extra income if it was above a certain threshold, any charitable donations etc and they finalise the bill or refund. If you do it online, you tend to get instant feedback.

Sales taxes are included in prices, so that's all automatic as well.

Usually you don't have to even think about it.

Re:erm... whoops? (2)

Narcocide (102829) | more than 2 years ago | (#39438157)

Oh we do that here in the US too, for most salaried jobs. But then we *also* tax your property, your spending, your savings and then every year we also make you fill out forms that tax you more.

Re:erm... whoops? (1)

Lumpy (12016) | more than 2 years ago | (#39438703)

Mostly because whiny rich people will start screaming about a 45% tax rate. So it's spread out across things.

We are taxed as heavily as many Europeans, but we don't get the good healthcare or infrastructure that works well.

Re:erm... whoops? (2, Funny)

Anonymous Coward | more than 2 years ago | (#39438773)

As part of the military-industrial complex I just want to say, "Thanks for forking over all that money!" Oh, the Gulf Arab states and Israel also owe the US taxpayer big time, but they're too arrogant to say "Thank you".

Re:erm... whoops? (1)

kj_kabaje (1241696) | more than 2 years ago | (#39438871)

They would be up in arms about 45%... currently they pay around 35% if they have bad accountants.  Some rich people brag about paying less in taxes than their employees and are screaming and kicking about restoring their tax rate to what it was under Bush (39ish%).

Re:erm... whoops? (4, Informative)

Vintermann (400722) | more than 2 years ago | (#39438765)

> your property

Norway taxes that too [wikipedia.org], on the municipal level.

> your spending

Norway taxes this too: a sales tax (VAT) on the national level, at 25%. No, there is no decimal point missing there.

> your savings

Yup. [wikipedia.org]

Silly Americans complaining about taxes, you haven't seen nothing!

(But actually, I don't think the overall taxation level in Norway is too high, though some of it is pretty regressive, e.g. the VAT)

Re:erm... whoops? (0)

Anonymous Coward | more than 2 years ago | (#39438199)

Apparently in Singapore you are unlikely to get any refunds.
http://www.iras.gov.sg/irasHome/page_ektid1526.aspx [iras.gov.sg]

Income tax is assessed based on a preceding year basis. For example, for Year of Assessment (YA) 2012, you will be taxed on the income earned in year 2011.

You declare your deductions, extra income, etc. So they know exactly how much to deduct from your salary and thus shouldn't need as many people and as much resources to deal with the differences. They get the tax money one year later though.

Wish my country did the same thing.

Re:erm... whoops? (1)

Anonymous Coward | more than 2 years ago | (#39438239)

That's not entirely accurate, at least not for foreigners working in Singapore like myself. We don't get taxed at all from our normal paychecks, but instead receive a consolidated tax bill around this time of year (I'm waiting for mine) based on our company's reporting of our income earned. Once you receive your bill you can elect to pay it all at once or allow the government to automatically deduct a portion from your account on a monthly basis. This system works quite well IMO, especially considering the taxation in Singapore is considerably less than that in the US. Unfortunately, as a US citizen you're required to pay taxes back to our money-hungry government as well. Luckily with some creative book keeping and the Foreign Tax Credit, that tax is slim to none. I haven't had to pay a dime to the US govt for 3 years, and am taxed only on roughly 15% of my income in Singapore.

Re:erm... whoops? (2)

justforgetme (1814588) | more than 2 years ago | (#39438435)

LoL and to imagine some countries (like Greece for example) are actually collecting your next year's tax as a sort of down payment. Yep, when paying taxes in 2012 the Greeks are asking taxpayers to pay upfront for what they are going to earn until the end of the year.

No wonder that country is head first into debt.

Re:erm... whoops? (5, Informative)

AK Marc (707885) | more than 2 years ago | (#39438151)

It's simple. They got slashdotted last year. So, this year they did all they could to end the problem. Likely, they used SSL for security. And for anything high-traffic, you put an SSL proxy in front of the servers. Servers, be they Linux or otherwise, take a much bigger hit with encryption than dedicated security boxes, like F5. So they had some proxy in front of the servers. I've put similar in place in New Zealand for the IRD, and I'd expect that the IRS uses F5 in front of their secure web sites. And dedicated proxy devices, like Blue Coat, also do SSL offload. So, mis-configuring a proxy used for SSL offload would easily serve a cached page, after all, that's its primary purpose, the SSL offload was an afterthought.

That's what happens when you have a problem one year and throw money at it to fix it without a full understanding of the problem and the fix. I'd bet it was outsourced. And I bet they outsource it again next year. I could do better for a lower cost, wouldn't be hard to do better than their performance the last two years.

Re:erm... whoops? (5, Informative)

semi-extrinsic (1997002) | more than 2 years ago | (#39438489)

Mod parent Informative. They are actually using F5's BIG-IP solution, from my snooping before it went down. And it was outsourced, to Accenture, who has such a good track record [computerworld.com] producing stable, efficient, Microsoft-based solutions.

What is even more funny, just last week, a report leaked in the Norwegian press about this very system being hastily implemented, poorly tested and perhaps insecure.

Re:erm... whoops? (3, Funny)

toriver (11308) | more than 2 years ago | (#39438575)

Accidenture living up to its nickname.

Re:erm... whoops? (1)

Skapare (16644) | more than 2 years ago | (#39438077)

This kind of thing doesn't need a server side cache system. This isn't Facebook.

Re:erm... whoops? (0)

Anonymous Coward | more than 2 years ago | (#39438081)

by 'caching' you mean static variable...

Re:erm... whoops? (0)

Anonymous Coward | more than 2 years ago | (#39438105)

From the people in charge: "This person visited 18:17 and checked his tax return, and for some reason or another there was an error in the system, and this page entered the so-called cache memory of our servers, where it doesn't belong". You can try to decipher from that what you will.

Source: http://www.vg.no/nyheter/innenriks/artikkel.php?artid=10079573

Re:erm... whoops? (1)

Skapare (16644) | more than 2 years ago | (#39438129)

"This person visited 18:17 and checked his tax return, and for some reason or another we had a caching system hooked up to this site, which didn't belong there".

There, fixed it for 'em.

Re:erm... whoops? (3, Insightful)

93 Escort Wagon (326346) | more than 2 years ago | (#39438131)

> From the people in charge: "This person visited 18:17 and checked his tax return, and for some reason or another there was an error in the system, and this page entered the so-called cache memory of our servers, where it doesn't belong". You can try to decipher from that what you will.

In other words, either the person who wrote that didn't know what he/she was doing, or else a manager got involved in the software design decisions and forced the programmer to incorporate a blazingly stupid idea.

In either case, someone probably said something vague about "saving cycles" and everyone else nodded.

Re:erm... whoops? (1)

Skapare (16644) | more than 2 years ago | (#39438135)

Or maybe left hand vs. right hand?

Re:erm... whoops? (2)

Serious Callers Only (1022605) | more than 2 years ago | (#39438357)

> From the people in charge: "This person visited 18:17 and checked his tax return, and for some reason or another there was an error in the system, and this page entered the so-called cache memory of our servers, where it doesn't belong". You can try to decipher from that what you will.

This is quite easy to interpret. They turned on caching to speed up page loads, but without disabling it for logged in users or sensitive pages, so one user logs in, visits /my_account or whatever, and the page is cached, then when the next 100,000 users visit /my_account the cached page (containing the first user's details) is served without authentication (!). Page caching works great for public pages like / which are served the same to everyone, and doesn't work so great for pages which require authentication.

It's the sort of mistake you wouldn't normally see on a site this size as it's a rookie error and ANY sort of testing of caching would catch it, but apparently that's what they did. Probably they only intended to cache public pages or something and managed to extend it to private pages by mistake. Their server could be properly configured and secure but then this mistake triggered by one small change to their caching config by someone who didn't know the implications.

Re:erm... whoops? (2)

JWSmythe (446288) | more than 2 years ago | (#39438425)

I'd be willing to bet that it was something turned on, because they needed to lighten the load on the servers. It could have been a front end caching machine, or on the web server itself in code. In either case, it clearly wasn't tested as well as it should have been.

You *can* cache authenticated pages. Really, the /my_account (your example) only needs to be generated once a year. If that happens to be the main page to view from, you'll keep ending up back on it, to go to other pages. Generating it once is a whole lot more efficient than generating it 15 to 30 times. You'd have to get a bit creative with how you ensure no user can look at another user's results. For example, if you happened to save the page as /cache/my_account_[userid].tmp, that's all fine and dandy, unless the code forgets to actually populate [userid]. :)

So many ways to screw this up, and they all should have been caught in testing.
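The failure mode described in the two comments above (a front-end cache keyed on the URL alone, and a per-user cache key whose user id is never filled in), as an added Python simulation. It is not from the thread or from Altinn; `origin`, `NaiveCache`, `SafeCache`, `per_user_key` and the user names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    path: str
    session_user: Optional[str] = None  # user resolved from the session cookie


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


def origin(req):
    """Hypothetical app server: "/" is public, "/my_account" is per-user."""
    if req.path == "/my_account":
        if req.session_user is None:
            return Response("401 login required", {"Cache-Control": "no-store"})
        return Response("tax data for " + req.session_user,
                        {"Cache-Control": "private, no-store"})
    return Response("public front page", {"Cache-Control": "public, max-age=300"})


class NaiveCache:
    """Keys on the URL path only and ignores Cache-Control (the failure mode)."""

    def __init__(self):
        self.store, self.origin_hits = {}, 0

    def fetch(self, req):
        if req.path not in self.store:
            self.origin_hits += 1
            self.store[req.path] = origin(req)
        # Whoever asked first decides what everyone else sees for this path.
        return self.store[req.path].body


class SafeCache:
    """Caches only session-less requests whose response the origin marks public."""

    def __init__(self):
        self.store, self.origin_hits = {}, 0

    def fetch(self, req):
        anonymous = req.session_user is None
        if anonymous and req.path in self.store:
            return self.store[req.path].body
        self.origin_hits += 1
        resp = origin(req)
        directives = {d.strip().lower()
                      for d in resp.headers.get("Cache-Control", "").split(",")}
        storable = "public" in directives and not directives & {"private", "no-store"}
        if anonymous and storable:
            self.store[req.path] = resp
        return resp.body


def per_user_key(path, user_id):
    """Per-user cache key that fails closed when the user id is missing."""
    if not user_id:
        raise ValueError("no user id: refusing to build a shared cache key")
    return path + "::" + user_id


# Constructed traffic: two logged-in users, then an anonymous visitor.
TRAFFIC = [Request("/my_account", "alice"), Request("/my_account", "bob"),
           Request("/my_account"), Request("/"), Request("/")]


def replay(cache):
    """Run the constructed traffic through a cache and return the bodies served."""
    return [cache.fetch(r) for r in TRAFFIC]


if __name__ == "__main__":
    for cache in (NaiveCache(), SafeCache()):
        print(type(cache).__name__, replay(cache), "origin hits:", cache.origin_hits)
```

A regression test of this shape, replaying two different sessions against the same URL and comparing the bodies, is the kind of check that catches the misconfiguration before it reaches production.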

Re:erm... whoops? (2)

Vintermann (400722) | more than 2 years ago | (#39438553)

Altinn has had problems handling the load on these dates (when people do their taxes) for years.

My guess is that a caching solution has been hurriedly pushed onto a system poorly set up for it, and accidentally set up to cache login credentials. When the credentials storage method is the right(wrong) type, a single-character typo in Varnish can be enough to do that, causing disaster.

Re:erm... whoops? (2)

toriver (11308) | more than 2 years ago | (#39438583)

Yes, it seems the project audit by Veritas found insufficient testing as one of the criticisms raised. Does .Net/Sharepoint have any serious tools for systems testing, like you have a plethora of for Java?

Re:erm... whoops? (1)

Anonymous Coward | more than 2 years ago | (#39438075)

If you had read the summary you would have seen that this wasn't the case, everyone was logged in as the same person, not as someone with a similar SSN. (SSN isn't really correct, but there isn't really a suitable word in the English language here.)
The system they have in use also requires a personal password (According to TFA) so the scenario you are suggesting couldn't happen here.

From your post it seems like you think it is normal with login-systems without passwords, please tell me that you don't program anything network-related.

Re:erm... whoops? (3, Insightful)

Skapare (16644) | more than 2 years ago | (#39438087)

threaded app server + global who_is_logged_in variable = big mess

Re:erm... whoops? (0)

Anonymous Coward | more than 2 years ago | (#39438169)

concurrency ftw!

Session ID aliasing? (1)

skandalfo (623756) | more than 2 years ago | (#39438227)

A 16 bit session id should be enough for everyone...

Re:erm... whoops? (1)

Tastecicles (1153671) | more than 2 years ago | (#39438205)

I used to build HPCs. Doesn't require secured logins from the nodes, does when I incorporate remote admin for the head node, but that's to named accounts with passwords from the off. Those admin accounts are created locally from a Master account which is specifically excluded from remote access.

Re:erm... whoops? (1)

Serious Callers Only (1022605) | more than 2 years ago | (#39438231)

> This is what happens when login credentials are based on the SSN, which is a serialised integer system. One wrong digit doesn't throw an error - it fuckin' logs you in as someone else!

If they didn't have a password, this might possibly do what you have suggested above. I highly doubt access was given without a password, so there's no way one wrong digit would do anything other than 'throw an error'. The problem here does not lie in using integers as user keys.

If it was a caching issue, possibly a page was cached when it shouldn't have been (including someone's account details), and the server returned that single person's page to everyone requesting /my_account or whatever, regardless of their logged in status - that's more likely, and actually quite an easy mistake to make if they turned on caching without properly checking the implications and disabling it for logged in users.

What they would want to do with caching is cache all public pages for everyone (which is fine, as they contain nothing but public information), and it sounds like they also cached a few (or one) private page, and served that instead of the individual private pages for logged in users as intended. I'm sure the details will come out in time.

Re:erm... whoops? (1)

Skapare (16644) | more than 2 years ago | (#39438399)

Improper caching could have happened if the URLs were not unique. But caching in this case is just so wrong. And rarely is it even right. Static data can simply be preloaded in a server as streamlined as a cache would be, and those get delivered at cache speeds. Dynamic data should not be cached except in the browser, and even that with a short expire (5 minutes max).

Re:erm... whoops? (1)

Serious Callers Only (1022605) | more than 2 years ago | (#39438815)

> Improper caching could have happened if the URLs were not unique. But caching in this case is just so wrong. And rarely is it even right. Static data can simply be preloaded in a server as streamlined as a cache would be, and those get delivered at cache speeds. Dynamic data should not be cached except in the browser, and even that with a short expire (5 minutes max).

Most pages now are not static in any meaningful sense - consider the homepage on almost every website. They have some dynamic data like news, but don't change every second, but may do every few minutes, and thus are cached, and often even on dynamic pages you can cache fragments if not the whole page. Server-side caching is almost always the right thing to do (in conjunction with browser-side caching), if it's done correctly and massively reduces the load on the server, so not sure why you feel it is wrong?

Re:erm... whoops? (2)

neyla (2455118) | more than 2 years ago | (#39438293)

That's not true. There's a checksum on our SSNs, and the checksum is constructed in such a way that the two most common mistakes in entering SSNs (double one digit, forget another, and transpose two digits) always result in an invalid SSN.

But yes, it's still possible to hit someone else's SSN by accident, but it takes more than one digit wrong. (it takes multiple wrong digits in such a way that the new SSN happens to pass the checksum-test, *and* match an actually used SSN)

Re:erm... whoops? (1)

Chatterton (228704) | more than 2 years ago | (#39438347)

You are completely wrong. SSN like credit card number have control checksums [wikipedia.org]. Up to 2 errors in the SSN could be detected with 100% accuracy, more errors could still be detected with a good probability.

Re:erm... whoops? (2)

SwedishPenguin (1035756) | more than 2 years ago | (#39438395)

I believe Norway has similar identification numbers as Sweden, i.e. birthdate, a few other digits and a control digit, if you throw some of the other digits off, it likely won't be a valid number. Besides, these numbers are not secret and you usually need some other form of authentication than just the number, electronic identification, number printed on tax form, etc.

Staggered ticket system (2)

macraig (621737) | more than 2 years ago | (#39438031)

Really they need a staggered ticket system to distribute the load over time. Issue each citizen a ticket that indicates a period when they can log in to check data, both a soonest and latest date (stragglers not tolerated). This is no different than physical scenarios where people are grouped by first letter of last name, etc. in a crowded office and then each group served sequentially to lighten the load.

Re:Staggered ticket system (1)

reve_etrange (2377702) | more than 2 years ago | (#39438201)

Reminds me of registration time at a California State University campus.

Re:Staggered ticket system (1)

semi-extrinsic (1997002) | more than 2 years ago | (#39438511)

They don't even need to do it that advanced. Just keep the existing system, and tell people "County $x can log in today to see their tax returns, county $y can log in tomorrow, etc." Even if they didn't actually have a system blocking a person in county $y from logging in today, it would fix most of the traffic problem. People mainly do as they are told.

Scalability - Government style (2)

cheaphomemadeacid (881971) | more than 2 years ago | (#39438041)

Wanna guess how the Norwegian government decided how traffic should be scaled? Come on, guess. They made a limit of 300 000 logins, before making the main web page redirect to a page saying "sorry the lines are full please pick a number" - it, apparently, seemed more logical than scaling the hardware :P

Re:Scalability - Government style (0)

Anonymous Coward | more than 2 years ago | (#39438107)

Well, if the funding is static then it would make sense to limit the logins to amount of hardware at hand which is static then also...

Re:Scalability - Government style (2)

Anonymus (2267354) | more than 2 years ago | (#39438355)

They have a population of less than 5 million, so limiting to 300000 concurrent logins (6% of the total population) doesn't sound too crazy. Worst case, everyone wakes up on tax morning and goes to check online, and not everybody gets in until the end of the day.

They probably had a fixed budget, with limited hardware, and/or didn't have the time to make it scalable.

Re:Scalability - Government style (2)

Anonymus (2267354) | more than 2 years ago | (#39438361)

Nevermind, it sounds like they've spent $200 million on this system since its inception and the site goes down due to traffic every year... that's some extreme incompetence at work.

I hope Kenneth collects on this (1)

Eightbitgnosis (1571875) | more than 2 years ago | (#39438053)

I foresee a large lawsuit settlement in his future

Re:I hope Kenneth collects on this (3, Informative)

FireFury03 (653718) | more than 2 years ago | (#39438125)

> I foresee a large lawsuit settlement in his future

This isn't the USA

Re:I hope Kenneth collects on this (1)

Eightbitgnosis (1571875) | more than 2 years ago | (#39438155)

Really? They've made tort law quite weak?

I'll take your word, but do you happen to have some articles to back this up?

Re:I hope Kenneth collects on this (1)

kjetil_r (751644) | more than 2 years ago | (#39438297)

There is no such thing as punitive damages in Norway; Kenneth will only be able to sue for actual damages.

Re:I hope Kenneth collects on this (1)

Eightbitgnosis (1571875) | more than 2 years ago | (#39438373)

I'd imagine the stress he and his family must be feeling along with all the legal fees he'll need to protect himself in this situation both constitute actual damages.

Re:I hope Kenneth collects on this (1)

Cimexus (1355033) | more than 2 years ago | (#39438345)

Well torts, or civil wrongs, as we know them are a common law concept (relying on precedent). Most of continental Europe does not use common law; rather they have a codified system. Norway may or may not have legislated a law under which this person could claim, I don't know, but it wouldn't really fall under tort law either way.

Re:I hope Kenneth collects on this (2)

K. S. Kyosuke (729550) | more than 2 years ago | (#39438309)

This being Norway, you should have written "I smell pagan shouting and blood and entrails in his future."

Some key points (5, Informative)

Anonymous Coward | more than 2 years ago | (#39438121)

* The government has spent on the order of $200 million on this system
* Accenture is the main developer
* Every year the systems go down because it doesn't scale
* This year a queueing system was put in place to "fix" scalability
* From an outsider's view at least, it would seem like some cowboy decided to put up a Varnish-type frontend cache as a desperate measure to handle traffic with no thought given to sessions
* An independent report basically slaughtered most of the systems with criticism of flaws last year, which was kept secret until a week ago
* Also yesterday someone found several flaws which allowed any website to grab a json(?) script and steal userinfo if the browser had a valid session

Re:Some key points (2)

Anonymous Coward | more than 2 years ago | (#39438177)

And why did the Norwegian Government accept the system, if it was this buggy?

Re:Some key points (2)

Skapare (16644) | more than 2 years ago | (#39438187)

Hopefully, they have not done so, yet.

Re:Some key points (0)

Anonymous Coward | more than 2 years ago | (#39438339)

Uh... it had gone into production, if you didn't notice....

Re:Some key points (1)

Skapare (16644) | more than 2 years ago | (#39438407)

That doesn't necessarily mean final acceptance and payment tendered. Maybe that is the case. But in many contracts like this, there's a live test phase clause, too.

Re:Some key points (0)

Anonymous Coward | more than 2 years ago | (#39438847)

That's not how government contracts work. Accenture will get another $400 million to fix the bugs.

Re:Some key points (4, Interesting)

rmstar (114746) | more than 2 years ago | (#39438465)

And why did the Norwegian Government accept the system, if it was this buggy?

That's anyone's guess, but if it goes like everywhere else, the guys that were contracted for this work wore the nicest suits and made their clients feel visionary. The guys that knew their IT kept behaving improperly and had suits that didn't really fit them well. Also, they talked all the time of risks and danger. So it was a no-brainer, quite literally.

Re:Some key points (5, Informative)

Terrasque (796014) | more than 2 years ago | (#39438521)

This is actually a huge system, with many govt departments using it daily, and most of the time it works well. It's just that each year, when the rest of Norway also tries to log in, things go kaboom (that has happened several years in a row, I might add). The name, Altinn, can be translated to all-in - it's basically THE portal between govt and citizens on many points. For example, accountants use it daily (and every year they complain that they can't do anything at all for several days when this happens).

So, most of the time it works (and works well, some might say), but a few days every year it's massively underscaled. This year, they apparently tried some half-baked emergency caching, which failed spectacularly.

Re:Some key points (1)

Skapare (16644) | more than 2 years ago | (#39438185)

Summary: overly pricey poorly developed unreliable unscalable stupidly managed bloat.

This could have been done for less than $5 million.

Accidenture (1, Redundant)

z0M6 (1103593) | more than 2 years ago | (#39438523)

Seems relevant http://accidenture.com/ [accidenture.com]

Re:Some key points (0)

Anonymous Coward | more than 2 years ago | (#39438579)

* From an outsider's view at least, it would seem like some cowboy decided to put up a Varnish-type frontend cache as a desperate measure to handle traffic with no thought given to sessions

I've been involved in a project where a single character typo in VCL caused login credentials to be cached. It's basically as easy as making an error in a regex. Yes, testing should catch this; however, in the project I was involved in, the error was caught and corrected, but reintroduced during a botched backup. The person who technically made the error I consider an extremely experienced sysadmin.

In brief, these things can happen to the best when trying to hot-fix a scalability problem under time pressure.

Re:Some key points (1)

Afty0r (263037) | more than 2 years ago | (#39438919)

* Accenture is the main developer

Found your problem. Right there.

Amen (1)

Viol8 (599362) | more than 2 years ago | (#39438975)

Bunch of useless egotistical idiots the lot of them. The know-nothings they hire seem to think they're God's gift because they work for this piss poor company, but most of them are clueless. Many a time I've had to sort out the mess they've created.

Re:Some key points (0)

Anonymous Coward | more than 2 years ago | (#39438969)

* Accenture is the main developer

That's all we need to know!

'private' financial data (0)

Anonymous Coward | more than 2 years ago | (#39438159)

One of those Scandinavian countries publishes the income of every citizen in the paper and online annually. Is that Norway or some other romper room country?

Re:'private' financial data (0)

andyteleco (1090569) | more than 2 years ago | (#39438189)

It is Norway. There is a website (I don't know which one exactly since it's in Norwegian) where you can type in a person's name and see how much he/she earns and how much money he/she has in the bank.

So, I don't see any big scandal in this issue.

Re:'private' financial data (0)

wmbetts (1306001) | more than 2 years ago | (#39438249)

WTF... Why would anyone think that it's okay to publish someone's account balance publicly?

Re:'private' financial data (5, Informative)

Anonymous Coward | more than 2 years ago | (#39438343)

Ok - so the deal is this: For everyone in Norway, you can check 3 vital numbers: Amount earned, amount taxed and amount owned of every year. The numbers are skewed somewhat since they do not cover the full value of your house, it is after certain deductions on your salary, it is with your loans deducted from what you own, etc, but in essence it can give you a ballpark on how much money someone earns.

So, why is this? One of the major reasons is to ostracize anyone that pays little tax as compared to what they earn/own. So you would not need to ask your presidential candidate for his tax record - it is already online: http://skatt.bt.no/skattelister/9397621/Jens%20%20Stoltenberg *. You would also at once see it if your palace-owning neighbour had millions in earnings but paid nothing in taxes.

* This number is from 2009, you now have to login to a governmental site to be able to look up taxes for people. This is to stop malicious use of the numbers.

Re:'private' financial data (2)

Gavagai80 (1275204) | more than 2 years ago | (#39438831)

No doubt saves time on renting an apartment or getting a loan too -- they can verify your income without a pile of bank statement and tax form printouts.

Re:'private' financial data (1)

Anonymous Coward | more than 2 years ago | (#39438307)

It used to be like that, but the tax records are not available on the internet like it used to be anymore.

You can still check other people's tax record, but not anonymously.

I'm intrigued (1)

Hognoxious (631665) | more than 2 years ago | (#39438195)

How, from a technical POV can this even happen? Dirty cache? Corrupted pointers?

Re:I'm intrigued (1)

SuricouRaven (1897204) | more than 2 years ago | (#39438245)

The official statement, though dumbed-down to the point it's hard to figure out what was going on exactly, indicates it was a dirty cache. Most likely in a proxy used for SSL offload.

Re:I'm intrigued (1)

outsider007 (115534) | more than 2 years ago | (#39438313)

Cookies going down the wrong tube?

Re:I'm intrigued (2)

Skapare (16644) | more than 2 years ago | (#39438415)

All the URLs look alike because the login ID is in cookies, and the cache wasn't set to figure in the cookie state.
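The failure mode discussed in this thread (a front-end cache that keys on the URL alone while the user's identity travels in a cookie), as an added example that is not part of any comment and is not Altinn's or Varnish's code. The `sid` cookie, the `/inbox` path, the session store and all class and function names are hypothetical, constructed for the simulation.

```python
# Constructed simulation of a front-end cache in front of a session-based site.
# Every name here (origin, FrontCache, "sid", /inbox) is hypothetical.
SESSIONS = {"sid-a": "Alice", "sid-b": "Bob"}  # constructed session store


def origin(path, cookies):
    """Backend: the same URL renders differently depending on the session cookie."""
    user = SESSIONS.get(cookies.get("sid"))
    if path == "/inbox":
        if user is None:
            return {"status": 401, "headers": {}, "body": "login required"}
        return {"status": 200, "headers": {"Cache-Control": "private"},
                "body": f"inbox of {user}"}
    return {"status": 200, "headers": {"Cache-Control": "public, max-age=60"},
            "body": "static help page"}


class FrontCache:
    def __init__(self, session_aware):
        self.session_aware = session_aware
        self.store = {}  # keyed by URL path only
        self.hits = 0

    def cacheable(self, cookies, resp):
        if not self.session_aware:
            return True  # the failure mode: every response is stored by URL
        cc = resp["headers"].get("Cache-Control", "")
        return (not cookies and resp["status"] == 200
                and "Set-Cookie" not in resp["headers"]
                and "private" not in cc and "no-store" not in cc)

    def get(self, path, cookies):
        # Session-aware mode never serves cached content to a request with cookies.
        if (not self.session_aware or not cookies) and path in self.store:
            self.hits += 1
            return self.store[path]
        resp = origin(path, cookies)
        if self.cacheable(cookies, resp):
            self.store[path] = resp
        return resp


def demo(session_aware):
    """Two different logged-in users request the same URL through the cache."""
    cache = FrontCache(session_aware)
    first = cache.get("/inbox", {"sid": "sid-a"})["body"]
    second = cache.get("/inbox", {"sid": "sid-b"})["body"]
    return first, second
```

With `session_aware=False` the second user receives the first user's page; with `session_aware=True` personalised responses bypass the cache while anonymous static pages are still served from it.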

Business model (0)

Skapare (16644) | more than 2 years ago | (#39438197)

Slap together some web system pieces without considering what goes with what, and charge a naive socialist government $200 million for it.

Similar in Denmark previously (0)

Tukz (664339) | more than 2 years ago | (#39438269)

We have had the same problem in Denmark previously (site not being able to cope, not the wrong identity problem).
This year they introduced a new queue system, which actually seemed to work.

You were put in queue for a few mins, and no one seemed to have problems with site not responding and the likes.
Sure, you might have to wait a few mins in queue, but at least you knew your turn was up soon, as opposed to not knowing when the site is ready to handle the traffic.

Very positive development! (-1)

Anonymous Coward | more than 2 years ago | (#39438279)

What's the problem? The only solution to tax trickery is to make all tax filings public, so you can check if your BMW+Merc+horseranch+swimming pool neighbour is officially living off the legal minimum wage and so help him find the way to the county jail. Tax fraud is as serious a crime as murder, just remember why Al Capone was cuffed eventually. A person who avoids paying legal taxes is the worst enemy of the society and must be hit hardest.

Cautionary tale about digital cash (3, Insightful)

Compaqt (1758360) | more than 2 years ago | (#39438283)

When everybody's money is 'stored' in a government computer somewhere saying how much money you have, imagine what happens when there's a glitch putting your money in someone else's account.

Yeah, I know, bank accounts.

But, glitches happen there, too. At least you have a little cash to get to and from the bank to pursue the matter. When it's digital all the way down, what will you do?

Re:Cautionary tale about digital cash (1)

del_diablo (1747634) | more than 2 years ago | (#39438999)

This already happens once in a while with banks. Basically all transfers by accident get sent to the same account. So after a few hours, that person is quite rich.
Of course, they have routines for catching this, because they know it will happen, so they catch it after a few hours and correct it.

Example: Norwegian man was Norway's richest man for about 1 hour. [dagbladet.no] , Google translated version [google.no]

Re:Cautionary tale about digital cash (1)

Tim C (15259) | more than 2 years ago | (#39439051)

Do I have cash? Or do I not discover the problem until I'm stood in front of the ATM, cursing at it for not dispensing any?

It's a moot point anyway, as in either situation my first recourse would be to phone the bank, not visit it.

Not just the login error (3, Interesting)

skurk (78980) | more than 2 years ago | (#39438449)

I normally wouldn't care about this, but since the Norwegian government (i.e. the people, myself included) paid 1 billion NOK for this solution, I expect it to WORK. Mind you, this is not the first time we've had problems with Altinn, this has been a recurring drama the past few years. As the article states; every year they claim to be prepared, and every year they are unable to deliver.

We're not *that* many people in Norway (recently hit the 5 million mark), and certainly not that many adults checking their tax returns online. Guesstimate: 1 million? And how many check it simultaneously? Let's be generous and say half.

So how the hell can a 175 million USD project not be able to deal with 500k visitors? It's a fucking joke.

Re:Not just the login error (1)

Anonymous Coward | more than 2 years ago | (#39438841)

Please go get yourself some perspective.

Altinn is much more than meets the eye for a guy like you. Long story short, it's a reporting portal for organisations and businesses which allows them to save significant amounts of time (and thereby money). Measured in ROI, this solution is arguably one of the best investments ever made by the Norwegian government.
http://www.tu.no/it/2011/01/20/altinn-gevinst-pa-9-milliarder-kroner

Although recent events are totally unforgivable, the question should rather be if such a simple thing as checking your tax status should happen through such a vast solution as Altinn. Scaling an independent vertical with a read-only check-your-tax-status alongside Altinn would be a much more efficient use of our tax money than scaling this huge Altinn solution for all 5 million (or 500 000 of us) to check at once.

Public Data (1)

mikeplokta (223052) | more than 2 years ago | (#39438471)

All Norwegian tax returns are published publicly on the Internet, so Kenneth's information was already available to anyone who cared to check it. There's been no privacy violation here that I can see.

Re:Public Data (3, Informative)

KjetilK (186133) | more than 2 years ago | (#39438487)

That's not correct. Only the final sums are/were published after the affected person has had a chance to verify and correct the information. Here all his details were published, which is a severe violation of his privacy.

Submitter not entirely accurate (1)

Anonymous Coward | more than 2 years ago | (#39438549)

What the submitter wrote is not entirely accurate. All this person's financial data were not available. What was made available was his inbox, containing the full names and personal number (SSN) of this guy and his wife, and some information on a company he was working for.

The officials say that while they do not consider the information that was revealed to be sensitive, they take any information leak very seriously, and therefore the site will stay down until they find the error and correct it.

Norwegian Chicks (-1)

Anonymous Coward | more than 2 years ago | (#39438677)

are hot!

This is what happens.. (0)

Anonymous Coward | more than 2 years ago | (#39438983)

..when you pay Accidenture 400 NOK (~70M USD) to put all your eggs in one MS-based web application basket.

The solution does what it's supposed to, but it will never scale because it's designed by people with shirts, ties and certifications on their laptops, and then handed over to a hosting partner which is supposed to make sure it works 24/7.
