Disaster Strikes Norwegian Government Web Portal

An anonymous reader writes "Altinn.no is a web service run by the Norwegian government, on which citizens can find, fill out and deliver forms electronically. Every year Norwegian citizens can also log in to check their tax results. This year, as every year, the site was unable to cope with the traffic generated from everyone wanting to check their taxes at the same time. New this year, however, was that once people were finally able to log in, a significant amount of people were logged in as someone else. Users then had access to all financial data of this unfortunate person over two years back in time, in addition to the financial information of his wife and the company he worked for. Altinn shut down some 15 minutes later, and has been down since."

Remember how they file their taxes

[mjensen]

by the government sending them a letter saying how much is owed.

The government does all the calculations.

Re:erm... whoops?

[Anonymous Coward]

It's been very briefly reported that this was related to a caching error. This guy's information was apparently cached and then served to everyone.

Some key points

[Anonymous Coward]

* The government has spent on the order of $200 millions on this system
* Accenture is the main developer
* Every year the systems go down because it doesn't scale
* This year a queueing system was put in place to "fix" scalability
* From an outsider's view at least, it would seem like some cowboy decided to put up a Varnish-type frontend cache as a desperate measure to handle traffic with no thought given to sessions
* An independent report basically slaughtered most of the systems with criticism of flaws last year, which was kept secret until a week ago
* Also yesterday someone found several flaws which allowed any website to grab a json(?) script and steal userinfo if the browser had a valid session

Re:I hope Kenneth collects on this

[FireFury03]

I foresee a large lawsuit settlement in his future

This isn't the USA

Re:erm... whoops?

[AK Marc]

It's simple. They got slashdotted last year. So, this year they did all they could to end the problem. Likely, they used SSL for security. And for anything high-traffic, you put an SSL proxy in front of the servers. Servers, be they Linux or otherwise, take a much bigger hit with encryption than dedicated security boxes, like F5. So they had some proxy in front of the servers. I've put similar in place in New Zealand for the IRD, and I'd expect that the IRS uses F5 in front of their secure web sites. And dedicated proxy devices, like Blue Coat, also do SSL offload. So, mis-configuring a proxy used for SSL offload would easily serve a cached page, after all, that's its primary purpose, the SSL offload was an afterthought.

That's what happens when you have a problem one year and throw money at it to fix it without a full understanding of the problem and the fix. I'd bet it was outsourced. And I bet they outsource it again next year. I could do better for a lower cost, wouldn't be hard to do better than their performance the last two years.

Re:Remember how they file their taxes

[neyla]

That's not entirely true. What happens is this:

The government sends you a form for filing taxes, the form is pre-filled with those values that have already been reported by other entities, but next to every one of these values there is a field for correcting the value if it is somehow wrong. (this happens if, for example, you've got private debts, or if your employer makes a mistake in reporting)

You thus get a pre-filled form, but you should nevertheless check that the values on the form look correct before filing it.

And yes, the form also contains calculations on taxes, thus it says: "assuming we got it correct, here's what your tax will be", but that part, offcourse, will change if you add or change anything on the form.

Re:'private' financial data

[Anonymous Coward]

Ok - so the deal is this: For everyone in Norway, you can check 3 vital numbers: Amount earned, amount taxed and amount owned of every year. The number are skewed somewhat since they do not cover the full value of your house, it is after certain deductions on your salary, it is with your loans deducted from what you own, etc, but in essence it can give you a ballpark on how much money someone earns.

So, why is this? One of the major reasons is to ostracize anyone that pay little tax as compared to what they earn/own. So you would not need to ask your presidential candidate for his tax record - it is already online: http://skatt.bt.no/skattelister/9397621/Jens%20%20Stoltenberg *. You would also at once see it if your palace-owning neighbour had millions in earnings but payed nothing in taxes.

* This number is from 2009, you now have to login to a governmental site to be able to look up taxes for people. This is to stop malicious use of the numbers.

Re:Public Data

[KjetilK]

That's not correct. Only the final sums are/were published after the affected person has had a chance to verify and correct the information. Here all his details were published, which is a severe violation of his privacy.

Re:erm... whoops?

[semi-extrinsic]

Mod parent Informative. They are actually using F5's Big Ip solution, from my snooping before it went down. And it was outsourced, to Accenture, who has such a good track record [computerworld.com] producing stable, efficient, Microsoft-based solutions.

What is even more funny, just last week, a report leaked in the Norwegian press about this very system being hastily implemented, poorly tested and perhaps insecure.

Re:Some key points

[Terrasque]

This is actually a huge system, with many govt departments using it daily, and most of the time it works well. It's just that each year, when the rest of Norway also tries to log in, things go kaboom (That has happened several years in a row, I might add). The name, Altinn can be translated to all-in - it's basically THE portal between govt and citizens on many points. For example accountants use it daily (and every year they complain that they can't do anything at all for several days when this happens)

So, most of the time it works (and works well, some might say), but a few days every year it's massively underscaled. This year, they apparently tried some half-baked emergency caching, which failed spectacularly.

Re:Remember how they file their taxes

[txoof]

The Norwegian government had to recalculate my taxes and my wife's taxes no less than three times. They have the power to deposit money and withdraw it from my bank account. I tried to work out their calculations, but not being a native Norwegian speaker, I struggled to understand how they were doing things. I just have to trust that things are correct.

The Norwegian government always seems to do what they say they will, they just do it in their own time and usually with six or eight tries to do it right...

Re:erm... whoops?

[Vintermann]

> your property

Norway taxes that too [wikipedia.org], on the municipal level.

> your spending

Norway taxes this too: a sales tax (VAT) on the national level, at 25%. No, there is no decimal point missing there.

> your savings

Yup. [wikipedia.org]

Silly Americans complaining about taxes, you haven't seen nothing!

(But actually, I don't think the overall taxation level in Norway is too high, though some of it is pretty regressive, e.g. the VAT)