The platform seemed to be based on some weird 'forms' based application builder when it was released ten years ago. It is flaky as hell. Ugly I can deal with; we have eBay and it still works fine. But even the most basic things you would expect, for example that when you press tab the cursor follows the order of forms on the page, do not work. Often when you submit a form the focus ends up on some text field.
The integration with other services, such as Medicare, barely works. I have spent endless calls on the phone to near-useless support staff trying to get emails reset for my old mother. The support staff are friendly but don't seem to have any ability to do anything but reset things that take several hours to complete.
The tax and business functionality is completely senseless. They got the paper forms designed in the 50s for batch mainframes and coded them into web forms. You have to do things like copy the same value into multiple fields marked T8 and T2. The instructions say just that: "Copy the value from T8 to T2". If you don't, it fails.
The article mentions the huge problem with them having no in-house expertise so they bring in consultants. I work here in Sydney and I know, from first-hand experience working with them, these large consulting companies have the same or less technical expertise. What they do have is huge sales teams and even larger teams of project managers. The odd technical person they have is spread across so many projects they are pretty much useless. They employ hordes of off-shore developers that are managed by people with little or no clue about anything.
Your mileage may vary; some teams in the gov are doing some wonderful things, like Service NSW, which has been creating component libraries available for most popular frameworks and mock tools: https://www.digital.nsw.gov.au/delivery/digital-service-tool... Unfortunately the internal politics mean we can't use any of the stuff they do in the part I'm involved with.
This is correct. Consulting is 100% marketing. It appears the problem is, how does a team of actually skilled engineers who want to get a start in this business compete with these sales companies? The people hiring them have no clue, hence why the marketing is the most important thing, and many of these companies have inertia from a bunch of previous projects they can use in their marketing.
I feel like actually good engineers have the least social contacts, and it is these social contacts that provide all of the opportunities to start building a client-base. This seems to be the case with society in general. Everything is decided by social relationships, and the best engineers are the worst at creating these relationships, or are actively excluded from them as some sort of defence mechanism for social people to maintain power. Hence why we end up with a bunch of terrible products and software. It is all bundled up in a cocoon of social contracts.
You don't. There's an inverse effect where you don't really want the clients that go for these big consulting companies because there's just as much crap on their end and they'll drown your skilled team in bureaucratic nonsense. You want the smaller clients where your technical skills complement their domain knowledge. There's still a lot of marketing and management, but the people that actually do things can talk to each other.
This observation is absolutely spot on. An ignored element of meritocracy is visibility -- and, perhaps, as you suggest, inertia. And then we end up back at the black hole of designing the 'right' incentive schemes...
sigh
Just so we're all clear here, this is by design.
The UK central gov is a notable exception (if you exclude the corruption with track and trace); why might that be?
Not for government contracts. This fuck-up is true blue 100% Made in Australia.
You can quibble over what needs cutting/pasting or whatever on the ATO forms, but compared to the system it replaced (the execrable desktop app), the ATO MyGov interface is so far ahead it isn't even funny.
However, I've never had to deal with their helpdesk.
Nope. Had to nuke the whole account and start again. Had to relink all services. Lost all communications in the "inbox".
I had to laugh. The alternative was too frightening.
So, they got exactly the thing they insisted on. And now they are blaming the consultants. Bureaucracies work like this: they are full of useless people defending their existence by participating in endless meetings that will find creative ways to deflect any form of responsibility and accountability. So, bonus points for meetings with consultants. The more expensive the better.
Pass it up the chain to the politicians who will be long gone by the time the whole thing blows up. They absolutely love that; do what the expensive consultant says. Which is of course echoing what they were told by the incompetent bureaucrats. The bigger the egos in the room, the dumber the plans get. Usually these projects start off fine and then some moron pulls rank and derails the whole thing by insisting on adding their own requirements to the pile. Big expensive projects attract that kind of behavior; it's almost inevitable. And then some politician signs off on it. Job well done.
The consultants bill by the hour so they don't mind the endless bullshit and they take notes. And then they do as they are told to take the money regardless of whether that makes any sense. There's almost no way for a happy end in such a situation. Don't blame the consultants; blame the career bureaucrats and the politicians for being absolute idiots, again. This outcome was 100% predictable 20 years ago.
The politicians promote the staff who tell them what they want to hear, and independent advice has been lost.
They are not willing to invest in quality dev/product/project managers; instead they pay below-market rates (see jobs on Seek), yet there are endless budgets for consultants and outsourcing.
Being an Australian who worked in America for a bit, I felt like there was a facade of exceptionalism that was in fact just the same "she'll be right" attitude in different words. Everything was always "the best thing ever" or an "awesome job" even when it really wasn't. Different term but same outcome.
Mundane releases and improvements were presented with huge enthusiasm and fanfare.
It's hard for me to mention concrete examples now (it's been a while), but I felt a general lack of wanting things to be better which felt really weird.
As an Australian, I struggle at times with Europeans et al who attach so much importance and stress to such insignificant things. Hence, she'll be right mate.
I don't think "she'll be right" is hemmed in by complacency; it's just an acknowledgement that there are more important things to worry about.
Uptight foreigners (usually American or European) are incensed by the attitude.
And to be honest, there are far worse corporate behaviours and attitudes in Australia than "she'll be right"
If your bathroom faucet is leaking but it’s a drop an hour, she’ll be right.
If it’s bushfire season and you haven’t prepared for your house getting burned down, but it hasn’t happened in the last five years, she’ll be right.
Cynically, it’s shirking responsibility. Optimistically, it’s playing the odds.
- “It’ll be OK, don’t worry about it”, which leads to a more relaxed, less bureaucratic way of life.
- On the other hand, “it’ll do, don’t bother fixing/improving it”, which leads to things like New Zealand’s appalling housing quality.
It's also well-known as 差不多 (cha bu duo) in the Chinese-speaking world.
We were renovating an old 1920s house and wanted to replicate the timber/wood/plaster look on a wall that needed replacing. The timber was cut to a certain profile.
Went to the local builder supplies and asked about getting some timber cut to the profile of my sample. The guy behind the desk says:
"Whaddya wanna do that for? Just chuck a bit of gyppie up mate, she'll be right!"
Translation: Cover the wall with gyprock (sheet rock for Americans). Don't worry about making it look the same.
It's an attitude, an instruction and a lifestyle rolled into one thing. I got the timber cut somewhere else.
Often used when some issue is raised and no one thinks it's important. "This bridge has cracks in it..." "She'll be right!"
It isn't really an issue in the workplace though, depends on the company but most everywhere I have worked cared very deeply.
Doing the bare minimum, with not a lot of TLC.
It makes for excellent work environments if you derive your joy and fulfilment from activities outside of work, but can be immensely frustrating if you want to deliver on quality (or expect quality delivered).
These places have some of the worst-run IT departments on the planet. I can say this with more than a little evidence. As a consultant, I've worked on over a hundred customer sites, all the way from tiny private companies up to federal government, including all three of those agencies. I've seen how IT is done at just about every state government office in my state, and two dozen in other states.
There just is no comparison. Centrelink especially is so fucked up that people think that I made up my stories about my experience there. It's crazy beyond belief.
The sheer scale of it is amazing. They have over 1K IT staff in one building, and spent $2B on a single software upgrade project! They have huge teams for obscure tasks that other large enterprises might have just one or two people doing. There are Big Name consultants everywhere. Direct vendor support, often flown in from the US, which is otherwise rare around here.
Despite all these people, money, and support, nothing works. Nothing. It's all broken. Everything. Every part. It's a sight to behold.
I wrote a report for them about a key security system where I pointed out that out of something like 50 settings, 47 were incorrectly configured. The only reason it "worked" is because the errors cancelled out. That is, it was incorrectly rejecting valid access, but another error meant that the rejection was being ignored. And so on.
Similarly, their core authentication system was supposed to be distributed and highly available, but the main architect put all of the servers into one rack, one on top of another. He said with a straight face that a product that is well known in the industry for its efficient wide-scale replication is "bad at replication" and only works if the "network cables are really short". He meant 30cm, not 3000km. A power outage took out all three "redundant" controllers, and so something like 80K staff spent several days staring at login prompts on their monitors.
I could go on, and on, and on. I have a whole collection of stories like that.
The most amazing part is that I was only there for a couple of months, yet this short time period yielded 8 of my top 10 horror stories from the field.
It's also the only workplace setting where I had ever seen a man cry. For work related reasons. Several men, on several occasions.
The sheer amount of technical debt, legacy systems, dysfunctional team processes and culture. Not to mention the sheer motive inertia needed to change anything in that environment. Moving in any direction will have 1000 other things breaking/popping up to steal momentum. A Gordian knot impossible to untangle.
Some update reverted the system, and IT was unhappy when staff asked for the feature back. The team asked me to help; I said if IT has said no I dare not.
So back they went to their old solution, which was to send someone 2x per day to a local copy shop and fax, at $3/page, stuff they needed electronically in the computer, because they had a digital fax service they set up.
I kid you not, this is an only-in-govt type thing. They ban scan-to-USB / scan-to-network etc., but then demand stuff be uploaded electronically to some new system - what are folks supposed to do? 90% it's left-hand/right-hand stuff. IT security folks don't talk to anyone and lock systems down to the nth degree (no scanning, no USB). Then someone else NEEDS paper available electronically for some reason (upload to a new system).
The more money spent the worse it is, because you can't actually talk to anyone. Once it's $100M+, staff are just not in the room; there are so many layers.
Most good devops books tell you how to do that. You scan for people who have the right skills and who actually care, as opposed to people at the other end of the spectrum who think that if it ain't broken don't fix it and "why change it, we will have to support this stuff later".
Then you go commando and secretly pick projects with low cost and high return that would not normally get the go-ahead. People copying Excel sheets full time? Automate their job away. Full-time sysadmin setting up one server a day? Would be a real shame if you had a Docker container ready to use when he has an emergency and doesn't have time. Bonus success points if you do things that also help your fellow devs.
In a government setting, and in any large organization, you will need upper leadership support; otherwise this will always fail and all of your efforts will be undermined and suppressed. Be sure to leave an employee review on your way out and name names to HR.
I know this is just an anecdote, but a guy I met who works at the DHS told me that the online forms people fill in are "printed" to PDF then manually entered into a database system from the 1980s.
The reason they don't update to a newer database with a proper API is because that would require taking the system offline for maintenance.
To interact with our database we had a custom JDBC driver which used a VT100 terminal emulator to connect to what had at one point been a user-facing mainframe application. When a query was executed, the driver would:
- Emulate a user entering a series of key-presses in the terminal to navigate to the correct screen in the application.
- Tab to the query input field, enter the query, then send a return key-press to run the query.
- Read 20 rows of output, then send a key-press to show the next page of results, rinse and repeat.
- Parse the array of rows-represented-as-strings into properly typed objects.
- Repeatedly "press" escape to get back to the main screen so that the application state would be ready for the next query.
One of my first tasks was to make this driver work with a column type that stored binary data.
I kind of admired the ingenuity.
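The screen-scraping driver described in the comment above, reconstructed as an added example (this is not the commenter's driver, which is not on the page). A constructed toy host application plays the part of the mainframe screens; the driver presses keys to reach the query screen, types the query, presses return, pages through 20-row result screens with a page-down key, parses the fixed-width rows into typed values (including a binary column that the host can only show as hex text), and escapes back to the main menu so the session is in a known state for the next query. The screen layout, key names, query syntax and sample records are all assumptions made for this example.

```python
from decimal import Decimal

PAGE = 20  # rows the host shows per results screen (assumed, as in the comment)


def make_table(n=45):
    """Constructed sample records for the toy host; not real data."""
    states = ["NSW", "VIC", "QLD"]
    return [
        {"id": i, "name": f"USER{i:02d}", "state": states[(i - 1) % 3],
         "balance": Decimal(i) * Decimal("10.50"), "tag": bytes([i, 0xFF - i])}
        for i in range(1, n + 1)
    ]


class ToyHostApp:
    """Stand-in host: MAIN menu -> QUERY (type text, ENTER runs it) -> RESULTS (PGDN/ESC)."""

    def __init__(self, table):
        self.table, self.screen, self.pending = table, "MAIN", ""
        self.results, self.offset = [], 0

    def press(self, key):
        """Apply one key press and return the text of the screen now displayed."""
        if self.screen == "MAIN" and key == "2":
            self.screen = "QUERY"
        elif self.screen == "QUERY":
            if key.startswith("TEXT:"):
                self.pending += key[5:]
            elif key == "ENTER":
                self.results, self.offset = self._run(self.pending), 0
                self.screen, self.pending = "RESULTS", ""
            elif key == "ESC":
                self.screen, self.pending = "MAIN", ""
        elif self.screen == "RESULTS":
            if key == "PGDN" and self.offset + PAGE < len(self.results):
                self.offset += PAGE
            elif key == "ESC":
                self.screen = "QUERY"
        return self.render()

    def _run(self, q):
        if q == "*":
            return list(self.table)
        col, _, val = q.partition("=")            # toy syntax: COL=VALUE, exact match
        return [r for r in self.table if str(r.get(col.lower())) == val]

    def render(self):
        if self.screen == "MAIN":
            return "MAIN MENU\n1 ENQUIRY\n2 QUERY\n"
        if self.screen == "QUERY":
            return f"QUERY SCREEN\nENTER QUERY: {self.pending}\n"
        page = self.results[self.offset:self.offset + PAGE]
        lines = [f"RESULTS ROWS {self.offset + 1}-{self.offset + len(page)} OF {len(self.results)}"]
        # fixed-width columns: id(6) name(12) state(4) balance(10) tag-as-hex(8)
        lines += [f"{r['id']:>6} {r['name']:<12} {r['state']:<4} {r['balance']:>10} {r['tag'].hex():<8}"
                  for r in page]
        lines.append("PGDN=MORE ESC=BACK" if self.offset + PAGE < len(self.results) else "END ESC=BACK")
        return "\n".join(lines) + "\n"


class ScreenScrapingDriver:
    """The 'JDBC driver' half: drives the screens and turns result text into typed rows."""

    def __init__(self, host):
        self.host = host

    def query(self, q):
        if any(c < " " or c == "\x7f" for c in q):
            raise ValueError("control characters in a query would be sent as key presses")
        screen = self.host.press("2")                      # main menu -> query screen
        if not screen.startswith("QUERY SCREEN"):
            raise RuntimeError("host is not on the query screen: " + screen.splitlines()[0])
        self.host.press("TEXT:" + q)
        screen = self.host.press("ENTER")
        rows = []
        while True:                                        # read a page, PGDN, repeat
            page, more = self._parse_page(screen)
            rows.extend(page)
            if not more:
                break
            screen = self.host.press("PGDN")
        self.host.press("ESC")                             # results -> query screen
        screen = self.host.press("ESC")                    # query screen -> main menu
        if not screen.startswith("MAIN MENU"):
            raise RuntimeError("could not return the host to the main menu")
        return rows

    @staticmethod
    def _parse_page(screen):
        lines = screen.splitlines()
        if not lines or not lines[0].startswith("RESULTS ROWS"):
            raise RuntimeError("unexpected screen: " + (lines[0] if lines else "<empty>"))
        rows = [{
            "id": int(line[0:6]),
            "name": line[7:19].rstrip(),
            "state": line[20:24].rstrip(),
            "balance": Decimal(line[25:35].strip()),
            "tag": bytes.fromhex(line[36:44].strip()),    # binary column travels as hex text
        } for line in lines[1:-1]]
        return rows, lines[-1].startswith("PGDN")
```

Two checks matter in a driver like this and are easy to skip: it refuses queries containing control characters, because everything typed at a terminal is a key press and a stray newline would run a different query or move to another screen; and it verifies which screen it actually landed on before typing, rather than assuming the host is where the previous query left it.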
You can add Australia Post to that list as well. Even though it is now technically a corporation, it still carries the stench of its public service roots.
I witnessed an operator in the distribution centre wait a solid thirty minutes for a key lookup in their database. I timed it with my phone. I had time to get lunch and come back.
A key lookup. Literally the consignment number.
I grilled him a bit on the details, and it turns out that all single-row lookups take that much time. Name, phone number, or any other details all take about half an hour to produce a result.
There are parcel delivery services that can deliver door-to-door faster than their IT systems can look up a record.
It's a flabbergasting level of incompetence, but I'm told it's been like that for years, and that they were told not to fix it because during the merger they were to "put tools down" and not spend time and money on anything that Australia Post will fix anyway.
I suspect it's still just as broken.
The vast majority of companies who promise to get back to me never do, yet Aust Post called me twice to investigate and resolve.
I think you just don't understand security through obscurity bro.
Reminds me of when the ATO didn't configure their SAN properly and lost... 1PB of data.
PS: I worked at another department where they similarly misconfigured a SAN and made it highly vulnerable to multi-week outages due to even a single failed drive. I insisted they fix it, and my reward for this was seething hatred.
"You're just making us do extra work!"
"It's not a problem right now!"
"We have other priorities!"
Etc...
They literally refused to touch anything that's not on fire. Merely smouldering is "fine".
There's also a sort of "rocket equation" to bureaucracy where additional staff begets more staff. Or overheads beget more overheads to deal with the overheads. And just like how with rockets the key thing is to have a fuel with good specific power, scaling an org depends very heavily (nonlinearly!) on the efficiency of each person. Conversely, if you have inefficient, incompetent, and unmotivated staff but try to scale up, the inevitable consequence is that you end up in an exponential cycle of compounding inefficiency without limit.
At this place I could not get a single VM deployed to PRD despite three months of focused effort. It just could not be done!
Hence the comments about the hilarious 90 day sprints. Well... yes. That's the fastest pace at which they could possibly move! Some manager probably patted himself on the back for a job well done! That's an "agile" project relative to the multi-year monstrosities they normally give birth to in that place...
The usual cycle goes like this:
- "We need to decrease costs in public organisation A because $reason"
- "Hey look, public org has growing wait times and growing infrastructure issues. We should reduce their budget because they're not doing their job!"
Rinse & repeat until you're left with Centrelink's current state. They don't have enough money to make the changes needed to clean up legacy systems AND process the work loads they have now AND maintain the current systems, so a choice is made by people in a sinking ship. Around 2014 the amount spent on "admin" was gutted by half with the election of the Liberal party (small govt party in AU), with funding only recovering to the previous levels during 2017.
edit: formatting (bullet point lists and newlines are hard)
The hard part of the MyGov platform is the inter-department stuff, and I don't think that's a software issue, that's bureaucracy.
MyGov isn't perfect, but it's fine.
this problem should be solved by making it not-hard to build the teams etc, not by throwing 10s of millions of dollars at vampiric consultants
it seems it is far less risky to bleed money than it is to make any kind of meaningful change to the way gov depts are run
Usually gov IT is not a sexy place for smart political people to land. That is the key talent you need. You can always get smart technical people. Big 5 consultancies will deliver, but you need to always keep them afraid, and that’s a political problem.
To be honest, my interactions with the Australian government websites + apps has mostly been positive. There are some truly horrendous websites from other nations' governments out there.
Minimal bullshit filling out parental leave, getting our daughter a Medicare card and filing our taxes.
Worlds better than the old e-tax system, and significantly better than the UK's online portal too.
Sure. But then why have they spent tens of millions of dollars trying to build a new version - https://beta.my.gov.au - that works the same or worse?
MyGov just seems like a portal containing bookmarks to various other services anyway, right? It consolidates your records for Medicare, ATO, and if applicable, NDIS, Centrelink etc. Seems kind of basic. Although I understand there's a lot of hidden complexity underneath these things, especially surrounding ID verification. But even so, I couldn't tell you the difference between the old mygov and the beta version.
No it's not - if we are talking about ordinary 1x developers making ordinary web services, this is a normal job. The UK government has them.
No reason they couldn't put some money into fixing it - they're absolutely flush with cash from charging every company in the country an annual review/audit fee and then doing very little actual auditing... It's basically a $280 (and increasing) fee every year for them to just send you a letter with your company's name, registered address and list of directors. It's a massive scam.
Australia has a population of 26 million, so that's like $1.50 per capita, once, to create a new system that will reduce the amount of bureaucracy and bullshit in our lives.
I'd gladly pay 50x that amount if they could get VicRoads on board.
Personal tax is via mygov which is SMS 2FA.
Business tax (which I thankfully haven't had to do for a while) has always been "difficult", it was an awful Java applet for a while there.
Edit: I think I realise now my mistake, the new beta/govid looks to be following that path. So iOS/Android only. Old IDs still work for the moment though.
I don't think anyone really expects a new government from either side to spend political capital on one, especially given the focus on cost of living/inflation at the moment. (There's a federal election in just over 2 weeks time.)
This. How can companies/governments still think that you can "outsource" IT, when technology is not only tightly integrated into the fabric of what a modern company is, but nowadays a solid technology capability sets the high performers apart from the laggards. It's just as ludicrous as outsourcing the HR, sales team or the executive office.
Unfortunately unlike in the real world where these companies will become uncompetitive and dissolve, we are stuck with our government and their outdated operating models...
The irony is, it's nearly exactly backwards.
I have literally never seen effective use of consultants and outsourced work like this except in one situation: where you DO have the internal skills. Pretty much the only way to get any value is when you have highly knowledgeable and skilled people with strong engineering background managing the process.
Of course, convincing highly skilled engineers that it's a valuable use of their skills and time to simply manage a bunch of outsourced consultants when they could be directly managing a team somewhere else is a challenge in itself.
1. A small team needs to integrate with an external data source. They figure out it's better to keep own engineers focused on the business logic and bring external folk for the (hopefully) one-off task of figuring out the idiosyncrasies of the thing.
2. A large company needs to push the edges. They hire someone with a PhD in the general area, who then points at the exact professors needed on board to get the edges pushed.
But when an IT-naive organisation orders a new IT system from a third party, you usually get a cluster fuck. And the tribal claims here that it's because "gobermant bad" notwithstanding, it's universally true, meaning it happens just as often to private organisations as it does to government ones.
It does make you scratch your head and wonder why IT is different.
Regardless of whether it's a bridge or an IT system, there will be a consultant's marketing team spinning a very attractive vision of smoothly delivered sunshine and unicorns to someone who needs sunshine and unicorns to get a lift up the org chart. The only hope an organisation has against that is someone the leadership trusts, someone who can say "That beautiful and convincing PowerPoint presentation is like someone promising to deliver nuclear-powered cars - they either have no idea what it would take, or are outright lying. If you fall for it you won't get a promotion, they will get you fired". And the people who count believe them. (We had a high-profile politician in Australia who was sold a vision of nuclear-powered cars - https://www.facebook.com/watch/?v=216653896514005.)
My favoured theory at the moment is that IT is too new for software engineers to have earned that level of trust. An engineer's career lasts 40 or 50 years. 40 or 50 years ago, unis were churning out civil engineers, mining engineers, every conceivable sort of engineer except software engineers. And worse, right now we need a _lot_ of them. Not every org wants to build a road or a bridge, but it really is true that software is eating the world, so every org beyond a certain size really does need a custom IT system to support its magic operational sauce. As a consequence, we are seeing IT salaries going through the roof.
It's a great time to be a software engineer, not a great time to be needing one.
They'd nod their heads in agreement, pat me on the back for the sage advice and themselves on the back for bringing in that sage advice, excited about things that would clearly bring in billions in revenue.
Which then never actually happened.
But you could have the crappiest, most con-artisty 3rd-party offering at a ridiculous price tag that they'd gleefully throw money down the drain on, and then the next year, when I'd get brought in, I'd be met with reluctance to work on whatever I was proposing because "oh, we tried that."
No, no you didn't.
Eventually I got tired of being a professional Cassandra and left the industry.
Because they have the budget and others do not. It really is that simple.
I can only imagine how colossal the undertaking must have been. MyGov ties together our largest, most bureaucratic organisations. Imagine being tasked with such a project: building the web application is the easy part; you also need to convince a country's largest organisations to change how they operate.
Considering this, I'm actually surprised how good MyGov is.
Edit: the problem here of course is that if you make a phone call you can expect to wait in a queue for many hours.
The new goal was to provide a unified front – users would navigate through MyGov based on their needs and goals and be sent directly to the relevant forms and info from all departments.
EG – instead of going to Centrelink and seeing only JobSeeker, or going to the ATO and seeing only JobKeeper; you’d go to 'COVID relief payments' and see a clear explanation of both, and you’d be able to apply for either one directly.
But in the beta… it’s basically just Centrelink. In the entire 'Health' section, the only medicare service mentioned is the proof of COVID-19 vaccination.
The end result is that https://beta.my.gov.au/en/myaccount/dashboard/ is basically the old mygov, and the rest of the site is a mirror of https://servicesaustralia.gov.au .
I believe the project actually ran on pretty standard 2 or 3 week sprints.
I think I see the problem.
They bought AEM didn't they?
I think we need a name for this supergroup as well ;)
However, my birth certificate is from a small country hospital and in a non-standard format that it doesn't recognize, and now that myGov is the standard channel, it's so difficult to apply for anything. And I can't just .. be re-born at a different hospital .. so that the system will accept my application to become a chartered engineer.
Bear in mind that it's mainly (only?) a portal to other departments (ATO, Centrelink, Medicare?).
I don't actually see why we're bothering to "upgrade" it at all, the mention of not being able to deploy a styling change, who gives a toss honestly, styling is way down my list for something like this.
When I had to get a MyGov ID for my son, it did the facial recognition off his passport (no idea if it would have allowed someone else...) fine, set it all up just fine in Covid lockdown so that's a +.
My main gripe is that unless you want their crappy app installed, the only MFA option is SMS, which as this audience knows is just not secure.
You can't install the myGov Code Generator app without an Australian phone number either.
I haven't tried the myGovId app, which seems the best bet, as I'm scared it will fail and block what access I have to myGov now.
Also, for a long time the only way to change your myGov email was to set up a new myGov account. Ditto if you had the Code Generator app and lost your phone - though with the myGovId app you now have another avenue for recovery - provided of course that it doesn't crash, accepts your scanned documents and you actually have enough such documents to keep it happy.
If you've never worked in or with government in Australia, I highly recommend checking it out. Then remember that the real thing is worse.
[1] https://en.wikipedia.org/wiki/Utopia_(Australian_TV_series)
While I didn't work directly on myGov, I knew quite a few people on the team that did (at all levels) and had a fair number of depressing pub sessions with them lamenting the entire project. This article doesn't say much that the people working on it weren't saying throughout the entire delivery.
I'm not going to defend the ludicrous cost of the project; we all know that outsourcing to private consultants to save money is a neoliberal pipe-dream up there with "trickle-down" economics. Many of the contractors for government agencies are former public sector workers who have been driven out by the laughably uncompetitive wages and the government's hostile attitude towards the APS.
And can you blame someone for leaving a job where they aren't supported and are mocked by the governing party in the media, when they can do essentially the same job with less bureaucratic oversight and twice the pay as a consultant or contractor? Why would they stay? A sense of civic duty? That's called "being a gullible c*nt" here in Australia.
The article even points this out:
> "Agencies are somewhat compromised by no longer having lots of these skills in-house."
No shit. Who knew systematically de-funding your own public service meant it would lose efficacy? Starve the beast[1] is a toxic political strategy that never should have made it across the Pacific.
So that's why myGov is expensive; we're paying to support an entire ecosystem of middlemen. But if you want to know why it's a shit-show these quotes from the article point to (imo) the biggest cause:
> Responsibility for the "enhancement" of myGov was transferred from the DTA (Digital Transformation Agency) to Services Australia (formerly Department of Human Services/Department of Social Security) in late 2020
> "Individual agencies continue to do their own thing [...]"
MyGov was meant to integrate government services, but none of the agencies would actually expose a single endpoint for the myGov team to integrate. Months and months were spent just trying to get agencies to accept that for an integrated platform to work they would need to support a common authentication system. Doesn't leave much to do except polish the UI, does it?
This quote from the article literally made me laugh out loud:
> "What's so hard about making these improvements? I don't understand why it has taken that long and cost so much money to do that."
> The main goal of myGov was to integrate a range of government services from different departments seamlessly on the one platform. But the new beta version of the platform still doesn't do that effectively
The problem wasn't technical, it was institutional. The Australian tax payer just spent millions of dollars hiring consultants to try and herd cats. They weren't outsourcing for developers as much as they were outsourcing for mediators.
The DTA was meant to be the solution to digital integration of government agencies in Australia by setting up an internal government digital agency. But the large entrenched agencies (such as Services Australia) had no real incentive to listen to a word it said and every incentive to resist relinquishing control to it.
The agency is for all intents and purposes now dead. Its only remaining responsibilities are "advisory". Even the official design system, inspired by the highly praised GOV.UK one, was decommissioned practically before it got off the ground [2].
The myGov and DTA story isn't some simplistic private vs public sector issue. This is a fundamental culture issue within Australia (and it seems the whole anglosphere at the moment). No one is happy except the ministers and executives rorting record amounts of cash out of the system.
[1] https://en.wikipedia.org/wiki/Starve_the_beast
[2] https://designsystem.gov.au/
Maybe having to queue up for 3h in the cold to be greeted by a grouchy underpaid public servant that would have you queue up again next week (the Greek experience) until you have to call some person you know to do basic things like renewing your passport has lowered the bar too much for me.
Let's not forget software is hard in the best of environments, and archaic governmental offices and processes aren't exactly conducive to development velocity and quality.
Last I checked, there's still no way for me to lodge a corporate tax return electronically; it needs to be via paper or an agent. ASIC failed to notify me, by either physical mail or e-mail, that an annual fee was due, slugged me with a late penalty, then refused to reverse it when I complained and showed that their own online system had no trace of an invoice. MyGovID (or whatever its latest incarnation is) literally took an hour to validate a passport scan. My mother just returned from overseas and was required to download an (Android/iOS only) app, create an account and fill out a whole range of personal details simply for a health declaration.
It truly feels like public service management keep handing blank cheques to (probably Big 4) 'digital transformation consultants' to charge millions for project after shitty half-baked project, with no regard for whether actual improvements are being made.
Especially when there are breaking changes [1] every two months or so.
[0] https://consumerdatastandardsaustralia.github.io/standards
[1] https://consumerdatastandardsaustralia.github.io/standards/#...
There's no real leadership or technical ownership of the product, and I've found that the PMs will often just quickly blame the user for not using the software correctly rather than actually reflecting on why they may be getting that feedback.
The consultants may have fucked up, but they were only able to because the people in charge fucked up first.
"We’re supposed to be adopting an agile development methodology"
Ah yes the classic agile setup 2 week sprints where at the end of each sprint you rotate companies.
Thinking Cybersecurity – A/Prof. Vanessa Teague (ANU): https://www.thinkingcybersecurity.com
Blogs and code on GitHub: https://github.com/vteague
Twitter: @VTeagueAus
Except they apparently decided that the standard TOTP apps like Google Authenticator weren't good enough for them. Moah bits better, or some such. Anyway, although it is a time-based token it isn't that time-based token and you have to install their app.
OK, we'll do that then. Carefully navigating past the almost identically named app with a similar icon that is for proving your identity to them, and trying not to think about all the user reviews saying myGov Code Generator doesn't work, we get it on our iPhone. Now, it doesn't work like any other TOTP app and read a QR code or have you enter a number. Instead, you have to enter your username and password into the app. [1] At this point, for me it just hung with a white screen. Exactly the same behaviour is described in the top listed review, from 2020, in the App Store, with no response from the developer [2].
This was a little scary: am I now locked out of my account? They won't help you get back in; you have to create a new one.
They also have you create a backup 2FA method (SMS) after you've logged in with the time-based token. This would be a little late if you got locked out after something went wrong on your first outing with the Code Generator app.
The linked video seems to have been improved since I tangled with the app. I don't remember at the time knowing it was possible to have both the SMS and app enabled for 2FA. It seems it's still not possible to have two apps enabled, on two different phones, for example to replace your phone. Bear in mind that there are residences in Australia with no mobile reception at all.
No doubt they had meetings in which they congratulated each other on devising a time-based one-time password scheme which is theoretically more secure than the usual TOTP. Never mind that both are adequate for the job, and the alternative is SMS. I wouldn't be surprised if someone got a conference paper out of it. I guess if the system is actually built by someone else, you can only get promotion and a pay rise by adding knobs to the specification. If the incentives valued robustness, they would have simply used the standard TOTP.
I think the biggest failing is that this problem has been all over social media, and is mentioned in the App Store reviews, but nothing has been addressed. According to the revision history at the App Store, it last got bug fixes in December 2017, with only edits to help text since then. The developers were nowhere to be seen in the Whirlpool thread or at the App Store.
In my opinion this crosses the line from incompetence to misconduct.
[1] https://www.youtube.com/watch?v=m-gf448FDFA [2] https://apps.apple.com/au/app/mygov-code-generator/id1305497...
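The comment above contrasts the myGov Code Generator (username and password typed into a bespoke app) with "the standard TOTP". The standard in question is RFC 6238 (TOTP) built on RFC 4226 (HOTP), and the reason any off-the-shelf authenticator interoperates is that enrolment is just a shared secret handed over in an otpauth:// QR code. The example below is added here to show that algorithm end to end; it is not code from myGov, Services Australia or the commenter, and nothing about the myGov app's own scheme is assumed. The secret, account name and issuer are constructed for illustration; the expected codes in the test come from the published RFC 4226/6238 test vectors (20-byte ASCII secret "12345678901234567890").

```python
import base64
import hashlib
import hmac
import struct
import urllib.parse

# Constructed enrolment data for the example (not real credentials).
EXAMPLE_SECRET = b"12345678901234567890"   # the RFC 4226 / RFC 6238 test-vector key
EXAMPLE_ISSUER = "ExampleGov"
EXAMPLE_ACCOUNT = "alice@example.invalid"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                               # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # clear the sign bit
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter replaced by floor(time / step)."""
    return hotp(secret, unix_time // step, digits, algo)


def provisioning_uri(secret: bytes, issuer: str, account: str,
                     digits: int = 6, step: int = 30) -> str:
    """The otpauth:// URI that a QR code carries; this is all a standard app needs to enrol.
    No username or password is involved, only the shared secret and its parameters."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({
        "secret": b32, "issuer": issuer, "algorithm": "SHA1",
        "digits": digits, "period": step,
    })
    return f"otpauth://totp/{label}?{query}"


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check. Accepts the current step plus/minus `window` steps to tolerate clock
    drift, and compares in constant time so a wrong code leaks nothing about the right one."""
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    print("enrolment URI :", provisioning_uri(EXAMPLE_SECRET, EXAMPLE_ISSUER, EXAMPLE_ACCOUNT))
    print("code at T=59  :", totp(EXAMPLE_SECRET, 59, digits=8))
    print("verify, 30s late:", verify_totp(EXAMPLE_SECRET, totp(EXAMPLE_SECRET, 59), 89))
```

Two design points worth noting against the comment's complaint: the secret is the only thing that has to travel between server and app, so a second phone is enrolled by showing the same (or a fresh) QR code, with no login credentials stored in the authenticator; and the drift window in verify_totp is what makes a clock a few seconds off still work, which is the usual reason a home-grown "more precise" time scheme fails in the field.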