Some recently published statements regarding the Canadian Firearms Centre's online database, made by a former webmaster, have rightly earned a lot of attention: Mr. Hicks, an Orillia-area computer consultant, claims that he has identified several prior -- and possibly still remaining -- security gaps in the firearms registry. Gaps that allow(ed) very sensitive information to be queried by anyone with a home computer and an internet connection.
If this is true, it betrays tremendous negligence in the creation and maintenance of this system, and while a lot of the attention is coming from the politically motivated, using it to further a pre-existing agenda, it doesn't diminish the seriousness of this event occurring in the first place.
No specifics are given, however the likely vulnerability relates to SQL-injection vulnerabilities.
More importantly, do people still call themselves "webmasters"? Is that really still a title?
While Mr.Hicks refers to the system as a "$15 million dollar system" in the linked article, its history is convoluted, and much more expensive (perhaps a digit was lost in editing). After purportedly giving EDS $151 million dollars to make a working system, the government gave up and turned it over to a consortium of CGI, BDP, and Resolve Corp, giving them an estimated $100 million dollars thus far.
This is to create a system to register 1.9 million gun owners with a combined seven million guns.
Accounting for extensive security and auditing -- of course mandatory for a system of this nature -- eforms, correspondence, web services, feeds for police stations, integration with legacy systems, web reporting and secure access, and so on, it still doesn't strike me as an overly complex project. The scope and capacity of data I've heard could be handled on a modern four-way SQL Server box with a half decent SAN. Add in a cluster backup, and you're still talking about less than $200,000 (with all software licenses). The actual custom software itself should be straightforward, given that data entry, data reporting, and data security are some of the most known, proven design elements in this business.
This is largely wizard-type stuff, for which they've purportedly paid $251 million thus far.
If an article in the National Post today ("A one-stop shop for gun thieves") is to be believed, the system crashed 90 times on the first day of testing, requiring their hardware to be completely reset 30 times that day -- an event that is unseen with the reliable platform stack we have nowadays. They called off the test and sent it back to development, sending all of the expensively flown-in testers back home.
Of course we don't know all of the obscure details of this project, and it is a certainty that trying to build a system for a rapidly changing government, with enormous changes in the root requirements, is more difficult than an average project, but I find it hard to fathom that it's $251 million dollars different. I do appreciate that software developers often underestimate the tasks of other software developers and systems designers -- often with a foolish cowboy "I could do that on a weekend!" bravado -- but in this case I've designed and worked on systems of a similar scale, and I feel fairly confident in my assessment.
Given the very limited details that I've heard, I would have armchair estimated this as a less-than-$1 million dollar project, hardware in. I would never imagine that it would pass a quarter-of-a-billion dollars.