Experts Warn Healthcare.gov So Big And So Riddled With Security Flaws It Should Be Shut Down, Rebuilt From Scratch

Tyler Durden's picture

While the abysmal rollout of Obamacare hardly needs any additional debacles, a recent hearing by technology experts in Congress added yet another, quite major, wrinkle to an already insurmountable problem: healthcare.gov is so fraught with security flaws, and so bloated with code, that it may easily expose the personal data of millions (we are being generous here) of users - it collects user names, birth dates, social security numbers, email addresses and much more - to even the least experienced of hackers.

It gets worse: when asked "Do any of you think today that the site is secure?" the answer from the experts, which included two academics and two private sector technical researchers, was a unanimous "no."

And worse when the experts were asked "would you recommend today that this site be shut down until it is?" three of the experts said "yes," while a fourth said he did not have enough information to make the call.

But the worst news of the day: the experts said the site needed to be completely rebuilt to run more efficiently, making it easier to protect. They said HealthCare.gov runs on 500 million lines of code, or 25 times the size of Facebook, one of the world's busiest sites.

Well... "Obama built that"

More from Reuters:

David Kennedy, head of computer security consulting firm TrustedSec LLC and a former U.S. Marine Corps cyber-intelligence analyst, gave lawmakers a 17-page report that highlights the problems with the site and warned that some of them remain live.

 

The site lets people know invalid user names when logging in, allowing hackers to identify user IDs, according to the report, which also warns of other security bugs.

 

Avi Rubin, director of the Information Security Institute at Johns Hopkins University and an expert on health and medical security, said he needed more data before calling for a shutdown of the site.

 

"Bringing down the site is a very drastic response," he told Reuters after the hearing.

 

But he would not use it because he is concerned about security bugs that have been made public, he said.
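The flaw the Reuters excerpt describes, a login form whose error text tells you whether the user name exists, is a user-enumeration weakness. The following added example (not code from healthcare.gov, from Kennedy's report, or from the hearing) shows a minimal vulnerable login handler next to a hardened one, plus the check a defender would run to tell them apart. The user store, password-hashing parameters, messages and function names are all constructed for this illustration.

```python
"""
User enumeration via login error messages, as described in the Reuters excerpt.
Added example; the user store, hashing parameters and messages are constructed
for this demo and are not healthcare.gov's.
"""
import hashlib
import hmac
import os

ITERATIONS = 50_000  # constructed PBKDF2 work factor for the demo


def _derive(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length key from a password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_store(creds):
    """Build a constructed in-memory store: username -> (salt, derived key)."""
    store = {}
    for name, pw in creds.items():
        salt = os.urandom(16)
        store[name] = (salt, _derive(pw, salt))
    return store


USERS = make_user_store({"alice": "correct horse battery staple"})

# Fixed dummy credential so that an unknown user name still costs one PBKDF2
# run; otherwise the response time alone would reveal which names exist.
_DUMMY_SALT = b"\x00" * 16
_DUMMY_KEY = _derive("dummy-not-a-real-password", _DUMMY_SALT)


def login_leaky(username, password):
    """Vulnerable: distinct failure messages reveal which user names exist."""
    if username not in USERS:
        return (False, "Unknown user name")
    salt, key = USERS[username]
    if hmac.compare_digest(_derive(password, salt), key):
        return (True, "OK")
    return (False, "Incorrect password")


GENERIC = "Invalid user name or password"


def login_uniform(username, password):
    """Hardened: one failure message, and the same hashing work either way."""
    salt, key = USERS.get(username, (_DUMMY_SALT, _DUMMY_KEY))
    # Always run the derivation, then reject unknown names regardless of match.
    ok = hmac.compare_digest(_derive(password, salt), key) and username in USERS
    return (True, "OK") if ok else (False, GENERIC)


def leaks_user_existence(handler, known_user="alice", unknown_user="nobody-here"):
    """Defender's check: does the failure response differ between an existing
    and a non-existing account when both attempts use a wrong password?"""
    r_known = handler(known_user, "wrong-password")
    r_unknown = handler(unknown_user, "wrong-password")
    return r_known != r_unknown


if __name__ == "__main__":
    for handler in (login_leaky, login_uniform):
        print(f"{handler.__name__}: leaks existence = {leaks_user_existence(handler)}")
```

The check only compares the response body; in a real deployment the same comparison should cover the HTTP status code, redirects, cookies set, and response timing, since any of those can carry the same signal as the message text. Rate limiting and lockout on the login endpoint limit how fast a mass enumeration can run, but they do not remove the leak.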

The White House spin was prepared and ready to go:

"The privacy and security of consumers' personal information are a top priority," White House spokesman Jay Carney said after the hearing.

"When consumers fill out their online marketplace applications they can trust that the information that they are providing is protected by stringent security standards."

Perhaps what he meant is that since the NSA already knows all the private information on every American there is no need to be concerned.

Finally, should Obama finally do the right thing and scrap the three year project and start from scratch, "in written testimony, Kennedy said it would take a minimum of seven to 12 months to fix the problems with the site shut down, given the site's complexity and size."

As a reminder, this is how "big" healthcare.gov is:


Perhaps it is not all bad news: it may be time to test the broken website fallacy - just think of the GDP boost that would be created if Obama were to hire 1,000,000 inexperienced programmers coding randomly for three years (again).

drchris's picture

I bet the integration with NSA servers is the only part working flawlessly.

Skateboarder's picture

With python/django or ruby/rails, you can condense the physical number of lines of code to something so incredibly small and powerful that it's impressive and stuff.

Obviously they used .NET and windoze or some shit like that.

Boris Alatovkrap's picture

Python is rocks! Favorite is part for Trojan Rabbit.

Dear Infinity's picture

This thing was built in .NET and is running on IIS 7.5 .... what do you expect

outamyeffinway's picture

Attorneys should have a field day when the multitudes have to fight the system to get their identities back. The ramifications of this colossal failure will be felt for years and years.

fonestar's picture

500 million lines of code?!?!?!

 

I know what some people are going to be doing tonight....

ExpendableOne's picture

It sounds like a massive cut and paste job.  I know they didn't write 500 million lines of anything in 3 years.  It's a bunch of "glue logic" to link thousands of legacy systems running all sorts of stuff.  Probably 2-3 real programmers and 100's of politically connected "managers".  With the thousands of pages of regulations and the whole federal register of other regs to deal with, I would rate it a special level of hell for any techy to find themselves in.

fonestar's picture

What I thought, they must have included every single library and repo of every single dependent system to get that number.

James-Morrison's picture

This is government work.

if

they 

put 

each 

token

on

a

line

it

grows

exponentially.

angryBuddhist's picture

Seriously, no "real" programmer would even consider working on such a project. Too much bureaucracy and red tape and muddle management interference - a "real" programmer's worst nightmare! No, the only people working on this project were people who essentially are the welfare handout end of those who call themselves IT professionals but couldn't code their way out of a paper bag.

Saro's picture

I think you mean:

((((Real men program in LISP))))

markovchainey's picture

Thanks Say What Again...I've been waiting for a LISP reference for weeks!

MSimon's picture

Really BIG MEN program in Forth.

MSimon's picture

: PROGRAM FORTH DO BIG MEN IN UNTIL LOOP ;

TalkToLind's picture

asp.net = asp.nyet.  Did you like that, Boris?

Boris Alatovkrap's picture

Da! You are very smart funny!

Vampyroteuthis infernalis's picture

Here is how the website got so screwed up.

1) Put out bids for work

2) Give it to the lowest bidder

3) Make sure this bidder is incompetent (i.e. minority owned crony)

4) Underfund the project and demand unrealistic goals

5) Demand no accountability

 

Welcome to the US gov't!

krispkritter's picture

I think it was:

1) Call up your old college pal.

2) Give them a no bid contract.

3) Make sure they had failed in previous tech projects.

4) Back up an armored car with a shit ton of money in it and drop it at their door.

5) When they completely screw the pooch on the project, pay them more money.

6) Demand no accounting so no one really knows how much was spent.

7) Simples.gov

Apostate2's picture

You forgot #8--campaign kickback.

dryam's picture

No.

It's more like this.  Give the contract to the company where one of the top executives is the former college roommate of Michelle Obama.

James-Morrison's picture

I think there was a bug in the headline.  Corrected version:

Experts Warn .gov so Big and Riddled with Security Flaws it Should Be Shut Down, Rebuilt From Scratch.

alangreedspank's picture

Sure, but then again bad python code is bad code.

whatthecurtains's picture

The front end of Healthcare.gov runs Linux http://searchdns.netcraft.com/?host=healthcare.gov&x=7&y=5

So I doubt any backend servers would be running .NET.

alangreedspank's picture

They are probably running servers with assorted OS's and versions, which is probably where it got complicated. I don't know if Linux-based systems can easily consume .NET ASMX or WCF web services...

whatthecurtains's picture

CGI's website has job listings mostly for non-M$FT related development  like Oracle, Java and Websphere.

 

I don't think these guys made anything using IIS or Windows... at least not in the USA if you read their website right.  

ZeroHour's picture

WCF services can be consumed using SOAP over HTTP or TCP, so I wouldn't think that would be a problem.

whatthecurtains's picture

According to this story http://www.reuters.com/article/2013/10/05/us-usa-healthcare-technology-analysis-idUSBRE99407T20131005 one of the main problems is that "The site basically DDOS'd itself."

 

MayIMommaDogFace2theBananaPatch's picture

I don't know if Linux based system can easily consume .NET ASMX or WCF web services...

At that level it is largely agnostic...

NotApplicable's picture

I doubt that there's a single linux box in the system, as nobody gets paid big bucks for it.

It's also likely not NSA sponsored.

ExpendableOne's picture

linux, windoze, zos (IBM big iron), COBOL, cp/m (just kidding) it all talks on the web.  But, there's a good chance the systems are swapping lots of xml back and forth.  Lots of time spent parsing, reparsing and constructing that xml.  Please don't disparage an OS just because it was unlucky enough to get sucked into this vortex....

MSimon's picture

DOS is more or less cp/m so you aren't far off.

Unprepared's picture

Even if the law was good (which according to many, it isn't), what these statist bureaucrats don't understand is that you cannot build an extremely complex and dynamic system (I'm not talking about the website only) from scratch and in one shot without giving it opportunity to grow, get real feedback, learn from mistakes, capitalize on it and self-integrate. No amount of "test cases" dreamed up by developers and analysts can shortcut this natural need to grow.

 

Probably the only reason why healthcare systems in other countries (even with strong socialist/bureaucratic regimes) are somewhat more successful is that they have a very long and progressive history behind them.

 

No one is that good. Except Obama of course.

Watauga's picture

So, do we get our money back from CGI?

And who goes to jail? Sebelius?

robertsgt40's picture

I agree with the "shut down" part, Not the "rebuilt"

robertsgt40's picture

Keep in mind Obummer's "buds" built this POS.  The emperor is desperately looking for some clothes.

Ignatius's picture

I'd rather it stay the inefficient pile of shit that it is.

g speed's picture

I have no doubt you will get your wish----this POS is with us till the end of gov't as we know it.  YYYEEEEHHHHAAAAA

Colonel Klink's picture

They should have stopped at "shut down".  No need to rebuild it.  It's a bad law from the beginning.  Rife with fraud and graft.

James-Morrison's picture

Agreed.  The MSM seems to think the technology is only bad.

The technology is the BEST part. It's the law that really STINKS.

John_Coltrane's picture

Like the black hole it is, it will suffer a heat death as it evaporates to a zero size event horizon.  Hey, entropy is a bitch.  May the farce be with it!

CharliePrince's picture

cant moochele , talk to her  website college friend

 

for another  large chunk of change   fix it

etresoi's picture

Be aware that moochelle lost her license to practice law because of her involvement in insurance fraud.  One wonders if her college friend was working with moochelle, at that time.

RacerX's picture

The real issue isn't the website tho; it's the frigging LAW that needs to be struck down.

Boris Alatovkrap's picture

Dysfunctional website is natural compliment for inoperable legislation. Good as luck with that, Amerika!