Bonus for the covid-19 emergency: the sad analysis of the INPS portal ...

(by Opposable Thumb)
02/04/20

What happened yesterday, the first day on which it was possible to request the bonus that the state assigned to self-employed workers for the covid-19 emergency, is unbelievable. It was foreseeable (unpredictable in its details, but widely expected!) that everyone entitled would immediately try to complete the application, connecting to the INPS portal at the same time. Anyone who runs an e-commerce portal knows well, indeed it is their objective, that announcing offers on some products means having to handle many simultaneous access requests from potential customers. And they take the necessary countermeasures: temporarily increasing the site's capacity, which is feasible today with a distributed or "cloud" architecture, and adopting a sort of "queue limiter" (the take-a-number system of a counter) that admits at most a given number of users at the same time and asks the rest to try again later. In these days when we are all at home, many will have tried to do their shopping online, only to find the supermarket's site fully operational but unavailable because the maximum number of customers that can be served simultaneously had been reached.

We are not talking about expensive or particularly innovative technologies. We are talking about the common sense that applies in daily life, and that Poste also used this week to avoid crowds at the counters for pension payments: they staggered access by the initial letter of the surname. Today, similar measures were (finally!) also adopted for access to the INPS site.

Now, the total lack of even a basic policy for managing access to the site, as shown yesterday during a peak of access that had been forecast, raises questions about the quality of an information system that is central to the life of Italians as the manager of pensions and social support. So we went to look at what lies just below the surface of the Institute's website, analysing the programs that build the pages displayed in our browser. This is public code, because it is what our computer receives when it connects to any website: code that is processed locally and that produces the graphic appearance of the page.

What a programmer sees is a sloppy system. If a high-school or first-year university student handed in a program in that state, it would be rejected outright for not meeting the minimum criteria of order, rigour and professionalism in writing code.

Let's see some examples.

The code of one of the pages contains a variable, that is, a 'container' for values whose processing determines either the subsequent steps of a procedure or the graphic appearance of the page, whose name is "Foo". Now, in a colloquial exchange we may refer to Disney characters, just as in Italian we say "Tizio", "Caio" and "Sempronio" for generic people. But in a program the names of variables must always allow us to understand their role in the program. A professional would never release a program whose names are fanciful and not assigned so as to give a precise reference to the processing flow for which they were introduced.

To some this may seem merely an aesthetic habit, but the lack of attention to all the aspects of a program that allow its correctness and consistency to be verified can be an indicator of other, more serious shortcomings. This sloppiness also shows in the presence of slang comments such as "Skippa", which frankly we would never have wanted to see in those pages. And in fact, other pages still contain numerous comments in Italian describing all the changes made, with an indication of the reasons, sometimes linked to the resolution of "problems". Now, if you want to tickle the curiosity of a "hacker", there is nothing better than to state directly and sincerely that there are problems.

On other pages there are also comments explaining the effect of the functions that follow them. A programming language is precisely a language, and those who have mastered it do not need comments to understand its meaning. Usually the development of a program is preceded by a design phase in which what it must do is explained in natural language, while the programming language specifies how, without mixing the two levels. Not to mention that comments can involuntarily reveal weaknesses in the system that can be exploited to compromise a site.

Going into more technical detail, on another page an access key to some content is shown in clear text. Regardless of the type of content and of how secret that key is, this is bad programming practice, and those who are accustomed to never exposing access keys publicly do not do it for any type of resource. The session variables, those that allow our browser to keep browsing the pages according to our user profile, are also managed superficially, making them visible from the outside.
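As an added example (this is not code from the INPS site or from the article's author), the following Node.js script shows the kind of pre-release check a reviewer could run over exactly the material the article analysed: the JavaScript a site serves to every browser and the cookies it sets. It flags the four problems named above: placeholder variable names, comments that narrate fixes and skipped steps, credential-looking keys hard-coded as string literals, and session identifiers that page scripts can read (written from script, or set without HttpOnly, Secure and SameSite). The function names and the regular-expression heuristics are this example's own, and the sample script and Set-Cookie headers are constructed for the demonstration.

```javascript
// Added review script, not INPS code. It inspects what a site hands to every
// visitor: the served JavaScript and the Set-Cookie headers of the response.
// All names are this example's own; the sample inputs below are constructed.

const CREDENTIAL_NAME = /api[_-]?key|access[_-]?key|secret|token|passw(or)?d|chiave/i;
// metasyntactic names, the Italian placeholders from the article, and the
// Disney names Italian programmers traditionally use as throwaway identifiers
const PLACEHOLDER_NAMES = new Set(['foo', 'bar', 'baz', 'tizio', 'caio', 'sempronio', 'pippo', 'pluto', 'paperino']);
const WORKAROUND_WORDS = /\b(todo|fixme|hack|workaround|skippa|problem[ai]?|bug)\b/i;
const SESSION_NAME = /sess|auth|token|jwt/i;

// 1-based line number of a character offset, for readable findings
function lineOf(source, index) {
  return source.slice(0, index).split('\n').length;
}

// Run a global regex over the source and keep the matches accept() approves
function scan(source, re, accept) {
  const hits = [];
  let m;
  while ((m = re.exec(source)) !== null) {
    const hit = accept(m);
    if (hit) hits.push({ ...hit, line: lineOf(source, m.index) });
  }
  return hits;
}

// Credential-looking names assigned a long string literal: in client code that
// literal reaches every visitor, whatever the key protects.
function findHardcodedSecrets(source) {
  return scan(source, /\b([A-Za-z_$][\w$]*)\s*[:=]\s*(['"])([^'"]{8,})\2/g,
    (m) => (CREDENTIAL_NAME.test(m[1]) ? { name: m[1] } : null));
}

// Declarations whose names say nothing about their role in the program
function findPlaceholderNames(source) {
  return scan(source, /\b(?:var|let|const|function)\s+([A-Za-z_$][\w$]*)/g,
    (m) => (PLACEHOLDER_NAMES.has(m[1].toLowerCase()) ? { name: m[1] } : null));
}

// Comments narrating fixes, workarounds or skipped steps: they ship to the
// public and point at exactly where the code is fragile.
// (Naive: the regex also matches '//' inside string literals.)
function findLeakyComments(source) {
  return scan(source, /\/\/([^\n]*)|\/\*([\s\S]*?)\*\//g, (m) => {
    const text = (m[1] !== undefined ? m[1] : m[2]).trim();
    return WORKAROUND_WORDS.test(text) ? { text } : null;
  });
}

// Session identifiers written by page script (document.cookie, Web Storage) are
// readable by any script on the page; they belong in server-set HttpOnly cookies.
function findScriptManagedSessions(source) {
  return scan(source, /document\.cookie\s*=\s*['"]([^'"=]+)=|(?:localStorage|sessionStorage)\.setItem\(\s*['"]([^'"]+)['"]/g,
    (m) => (SESSION_NAME.test(m[1] || m[2]) ? { name: m[1] || m[2] } : null));
}

// Session-bearing cookies missing the attributes that keep them away from page
// scripts (HttpOnly), off plaintext HTTP (Secure) and off cross-site requests (SameSite)
function checkSessionCookies(setCookieHeaders) {
  const findings = [];
  for (const header of setCookieHeaders) {
    const [pair, ...attrs] = header.split(';').map((s) => s.trim());
    const name = pair.split('=')[0];
    if (!SESSION_NAME.test(name)) continue;
    const lower = attrs.map((a) => a.toLowerCase());
    const missing = [];
    if (!lower.includes('httponly')) missing.push('HttpOnly');
    if (!lower.includes('secure')) missing.push('Secure');
    if (!lower.some((a) => a.startsWith('samesite='))) missing.push('SameSite');
    if (missing.length) findings.push({ name, missing });
  }
  return findings;
}

function reviewServedCode(source, setCookieHeaders) {
  return {
    secrets: findHardcodedSecrets(source),
    placeholders: findPlaceholderNames(source),
    comments: findLeakyComments(source),
    scriptSessions: findScriptManagedSessions(source),
    cookies: checkSessionCookies(setCookieHeaders),
  };
}

// Constructed sample of the kind of page script the article describes
const SAMPLE_JS = `
// Skippa la validazione se l'utente arriva dal vecchio portale
var Foo = 1;
var apiKey = "EXAMPLE-KEY-NOT-REAL-0000"; // changed after the problem with the proxy
function loadProfile(id) {
  document.cookie = "sessionId=" + Foo + "; path=/";
  return fetch("/api/profile/" + id + "?key=" + apiKey);
}
`;
// Constructed Set-Cookie headers: one session cookie with no protection, one
// missing only HttpOnly, and a preference cookie that needs none of them
const SAMPLE_COOKIES = [
  'JSESSIONID=abc123; Path=/',
  'auth_token=xyz; Path=/; Secure; SameSite=Strict',
  'theme=dark; Path=/',
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(reviewServedCode(SAMPLE_JS, SAMPLE_COOKIES), null, 2));
}
```

Run on the constructed sample, the script reports the "Foo" declaration, both comments (the "Skippa" one and the one mentioning a "problem"), the hard-coded "apiKey" literal, the session identifier written from `document.cookie`, and the two session cookies that lack HttpOnly (one also lacks Secure and SameSite); the "theme" cookie is ignored because it carries no session. The checks are deliberately simple pattern matches, so they complement rather than replace a proper review, but they are cheap enough to run on every release of the client bundle.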

This brief analysis is certainly not intended to pass an overall judgement on the Institute's IT system, since it had no access to internal procedures but only to what is immediately visible to anyone who navigates the site. However, it is unacceptable to see, in 2020, that the site code of one of the most important public administration institutes was developed in an unprofessional way, regardless of the guidelines taught in schools and universities for developing quality software that is robust and resistant to attacks.

Photo: Twitter