Some recentlypublished statements regarding the Canadian Firearms Centre’sonline database, made by a former webmaster, have rightlyearned a lot of attention: Mr. Hicks, an Orillia-area computerconsultant, claims that he has identified several prior — andpossibly still remaining — security gaps in the firearms registry.Gaps that allow(ed) very sensitive information to be queriedby anyone with a home computer and an internet connection.
If this is true, it betrays tremendous negligence in thecreation and maintenance of this system, and while a lot of theattention is coming from the politically motivated, using it tofurther a pre-existing agenda, it doesn’t diminish the seriousnessof this event occurring in the first place.
No specifics are given, however the likely vulnerability relatesto SQL-injectionvulnerabilities.
More importantly, do people still call themselves “webmasters”?Is that really still a title?
While Mr.Hicks refers to the system as a “$15 million dollarsystem” in the linked article, its history is convoluted, andmuch more expensive (perhaps a digit was lost in editing).After purportedly giving EDS $151 million dollarsto make a working system, the government gave up and turned it overto a consortium of CGI, BDP, and Resolve Corp, giving them anestimated $100 million dollars thusfar.
This is to create a system to register 1.9 million gun ownerswith a combined seven million guns.
Accounting for extensive security and auditing — of coursemandatory for a system of this nature — eforms, correspondence,web services, feeds for police stations, integration with legacysystems, web reporting and secure access, and so on, it stilldoesn’t strike me as an overly complex project. The scope andcapacity of data I’ve heard could be handled on a modern four-waySQL Server box with a half decent SAN. Add in a cluster backup, andyou’re still talking about less than $200,000 (with all softwarelicenses). The actual custom software itself should bestraightforward, given that data entry, data reporting, and datasecurity are some of the most known, proven design elements in thisbusiness.
This is largely wizard-type stuff, for which they’ve purportedlypaid $251 million thus far.
If an article in the National Post today (“A one-stop shop forgun thieves”) is to be believed, the system crashed 90times on the first day of testing, requiring their hardware to becompletely reset 30 times that day — an event that isunseen with the reliable platform stackwe have nowadays. They called off the test and sent it back todevelopment, sending all of the expensively flown-in testers backhome.
Of course we don’t know all of the obscure details of thisproject, and it is a certainty that trying to build a system for arapidly changing government, with enormous changes in the rootrequirements, is more difficult than an average project, but I findit hard to fathom that it’s $251 million dollars different. I doappreciate that software developers often underestimate the tasksof other software developers and systems designers — often with afoolish cowboy “I could do that on a weekend!” bravado — but inthis case I’ve designed and worked on systems of a similar scale,and I feel fairly confident in my assessment.
Given the very limited details that I’ve heard, I would havearmchair estimated this as a less-than-$1 million dollar project,hardware in. I would never imagine that it would pass aquarter-of-a-billion dollars.