Experts Warn Healthcare.gov So Big And So Riddled With Security Flaws It Should Be Shut Down, Rebuilt From Scratch


While the abysmal rollout of Obamacare hardly needs any additional debacles, a recent hearing by technology experts in Congress added yet another, quite major, wrinkle to an already insurmountable problem: healthcare.gov is so fraught with security flaws, and so bloated with code, that it may easily expose the personal data of millions (we are being generous here) of users - it collects user names, birth dates, social security numbers, email addresses and much more - to even the least experienced of hackers.

It gets worse: when asked "Do any of you think today that the site is secure?" the answer from the experts, which included two academics and two private sector technical researchers, was a unanimous "no."

And worse when the experts were asked "would you recommend today that this site be shut down until it is?" three of the experts said "yes," while a fourth said he did not have enough information to make the call.

But the worst news of the day: the experts said the site needed to be completely rebuilt to run more efficiently, making it easier to protect. They said HealthCare.gov runs on 500 million lines of code, or 25 times the size of Facebook, one of the world's busiest sites.

Well... "Obama built that"

More from Reuters:

David Kennedy, head of computer security consulting firm TrustedSec LLC and a former U.S. Marine Corps cyber-intelligence analyst, gave lawmakers a 17-page report that highlights the problems with the site and warned that some of them remain live.


The site lets people know invalid user names when logging in, allowing hackers to identify user IDs, according to the report, which also warns of other security bugs.


Avi Rubin, director of the Information Security Institute at Johns Hopkins University and an expert on health and medical security, said he needed more data before calling for a shutdown of the site.


"Bringing down the site is a very drastic response," he told Reuters after the hearing.


But he would not use it because he is concerned about security bugs that have been made public, he said.
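The login flaw the Kennedy report describes above (a different error message for an unknown user name than for a wrong password) is a user-enumeration oracle. The following is an added example, not code from the site or from the report: a leaky login handler beside a hardened one that returns a single failure message and does the same amount of work on both paths, plus a defender-side check for the leak. The user store, names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os


def _hash_pw(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is illustrative only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store: username -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_pw("correct horse", _SALT))}

# Dummy record so an unknown user costs the same hashing work as a known one,
# otherwise response time would still reveal which accounts exist.
_DUMMY = (_SALT, _hash_pw("dummy", _SALT))


def login_leaky(username: str, password: str) -> str:
    """The flaw described in the report: the message itself reveals whether
    the user name exists, so failed logins double as a valid-ID lookup."""
    rec = USERS.get(username)
    if rec is None:
        return "Invalid user name"
    if hmac.compare_digest(_hash_pw(password, rec[0]), rec[1]):
        return "OK"
    return "Invalid password"


def login_hardened(username: str, password: str) -> str:
    """Same check, but one uniform failure message and equal work on both
    paths. The membership test comes after the hash so the dummy record
    can never log anyone in."""
    salt, stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash_pw(password, salt), stored) and username in USERS
    return "OK" if ok else "Invalid user name or password"


def leaks_user_existence(login) -> bool:
    """Defender-side check: with a wrong password, does an existing account
    produce a different message than a non-existent one?"""
    return login("alice", "wrong") != login("nobody", "wrong")
```

The check is the kind of test a reviewer would add to a login endpoint's test suite so the distinct-message variant cannot reappear in a later release.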

The White House spin was prepared and ready to go:

"The privacy and security of consumers' personal information are a top priority," White House spokesman Jay Carney said after the hearing.

"When consumers fill out their online marketplace applications they can trust that the information that they are providing is protected by stringent security standards."

Perhaps what he meant is that since the NSA already knows all the private information on every American there is no need to be concerned.

Finally, should Obama finally do the right thing and scrap the three year project and start from scratch, "in written testimony, Kennedy said it would take a minimum of seven to 12 months to fix the problems with the site shut down, given the site's complexity and size."

As a reminder, this is how "big" healthcare.gov is:


Perhaps it is not all bad news: it may be time to test the broken window fallacy - just think of the GDP boost that would be created if Obama were to hire 1,000,000 inexperienced programmers coding randomly for three years (again).

Thu, 11/21/2013 - 13:09 | 4177757 drchris

I bet the integration with NSA servers is the only part working flawlessly.

Thu, 11/21/2013 - 13:09 | 4177762 LawsofPhysics

Correct.  By design.

Thu, 11/21/2013 - 13:15 | 4177794 Skateboarder

With python/django or ruby/rails, you can condense the physical number of lines of code to something so incredibly small and powerful that it's impressive and stuff.

Obviously they used .NET and windoze or someshit like that.

Thu, 11/21/2013 - 13:19 | 4177824 Boris Alatovkrap

Python is rocks! Favorite is part for Trojan Rabbit.

Thu, 11/21/2013 - 13:22 | 4177847 Unprepared

I rate that joke C++

Thu, 11/21/2013 - 13:26 | 4177881 Dear Infinity

This thing was built in .NET and is running on IIS 7.5 .... what do you expect

Thu, 11/21/2013 - 13:37 | 4177939 Say What Again

Real men program in LISP.

Thu, 11/21/2013 - 13:47 | 4178004 outamyeffinway

Attorneys should have a field day when the multitudes have to fight the system to get their identities back. The ramifications of this colossal failure will be felt for years and years.

Thu, 11/21/2013 - 14:39 | 4178253 fonestar

500 million lines of code?!?!?!


I know what some people are going to be doing tonight....

Thu, 11/21/2013 - 15:12 | 4178445 ExpendableOne

It sounds like a massive cut and paste job.  I know they didn't write 500 million lines of anything in 3 years.  It's a bunch of "glue logic" to link thousands of legacy systems running all sorts of stuff.  Probably 2-3 real programmers and 100's of politically connected "managers".  With the thousands of pages of regulations and the whole federal register of other regs to deal with, I would rate it a special level of hell for any techy to find themselves in.

Thu, 11/21/2013 - 15:22 | 4178490 fonestar

What I thought, they must have included every single library and repo of every single dependent system to get that number.

Thu, 11/21/2013 - 16:23 | 4178713 James-Morrison

This is government work.

if

they 

put 

each 

token

on

a

line

it

grows

exponentially.

Thu, 11/21/2013 - 19:17 | 4179243 angryBuddhist

Seriously, no "real" programmer would even consider working on such a project. Too much bureaucracy and red tape and muddle management interference - a "real" programmer's worst nightmare! No, the only people working on this project were people who essentially are the welfare handout end of those who call themselves IT professionals but couldn't code their way out of a paper bag.

Thu, 11/21/2013 - 14:52 | 4178312 Saro

I think you mean:

((((Real men program in LISP))))

Thu, 11/21/2013 - 15:08 | 4178408 markovchainey

Thanks Say What Again...I've been waiting for a LISP reference for weeks!

Thu, 11/21/2013 - 16:06 | 4178652 MSimon

Really BIG MEN program in Forth.

Thu, 11/21/2013 - 16:09 | 4178662 MSimon

: PROGRAM FORTH DO BIG MEN IN UNTIL LOOP ;

Thu, 11/21/2013 - 13:47 | 4178001 whatthecurtains

Netcraft sez it is linux bitches   http://searchdns.netcraft.com/?host=healthcare.gov&x=7&y=5

Thu, 11/21/2013 - 13:47 | 4178005 TalkToLind

asp.net = asp.nyet.  Did you like that, Boris?

Thu, 11/21/2013 - 20:26 | 4179438 Boris Alatovkrap

Da! You are very smart funny!

Thu, 11/21/2013 - 13:19 | 4177826 Vampyroteuthis infernalis

Here is how the website got so screwed up.

1) Put out bids for work

2) Give it to the lowest bidder

3) Make sure this bidder is incompetent (i.e. minority owned crony)

4) Underfund the project and demand unrealistic goals

5) Demand no accountability


Welcome to the US gov't!

Thu, 11/21/2013 - 13:25 | 4177860 krispkritter

I think it was:

1) Call up your old college pal.

2) Give them a no bid contract.

3) Make sure they had failed in previous tech projects.

4) Back up an armored car with a shit ton of money in it and drop it at their door.

5) When they completely screw the pooch on the project, pay them more money.

6) Demand no accounting so no one really knows how much was spent.

7) Simples.gov

Thu, 11/21/2013 - 17:53 | 4179021 Apostate2

You forgot #8--campaign kickback.

Thu, 11/21/2013 - 13:25 | 4177876 dryam

No.

It's more like this.  Give the contract to the company where one of the top executives is the former college roommate of Michelle Obama.

Thu, 11/21/2013 - 14:10 | 4178114 Watauga

Bids?  Seriously?

Thu, 11/21/2013 - 16:53 | 4178826 James-Morrison

I think there was a bug in the headline.  Corrected version:

Experts Warn .gov so Big and Riddled with Security Flaws it Should Be Shut Down, Rebuilt From Scratch.

Thu, 11/21/2013 - 13:42 | 4177977 alangreedspank

Sure, but then again bad python code is bad code.

Thu, 11/21/2013 - 13:45 | 4177995 whatthecurtains

The front end of Healthcare.gov runs Linux http://searchdns.netcraft.com/?host=healthcare.gov&x=7&y=5

So I doubt any backend servers would be running .NET.

Thu, 11/21/2013 - 13:53 | 4178025 alangreedspank

They are probably running servers with assorted OS's and versions, which is probably where it got complicated. I don't know if Linux based system can easily consume .NET ASMX or WCF web services...

Thu, 11/21/2013 - 14:10 | 4178110 whatthecurtains

CGI's website has job listings mostly for non-M$FT related development  like Oracle, Java and Websphere.


I don't think these guys made anything using IIS or Windows... at least not in the USA if you read their website right.  

Thu, 11/21/2013 - 14:13 | 4178130 ZeroHour

WCF services can be consumed using SOAP over HTTP or TCP, so I wouldn't think that would be a problem.

Thu, 11/21/2013 - 14:49 | 4178294 whatthecurtains

According to this story http://www.reuters.com/article/2013/10/05/us-usa-healthcare-technology-analysis-idUSBRE99407T20131005 one of the main problems is that "The site basically DDOS'd itself,".


Thu, 11/21/2013 - 14:57 | 4178343 MayIMommaDogFace2theBananaPatch

I don't know if Linux based system can easily consume .NET ASMX or WCF web services...

At that level it is largely agnostic...

Thu, 11/21/2013 - 15:10 | 4178428 NotApplicable

I doubt that there's a single linux box in the system, as nobody gets paid big bucks for it.

It's also likely not NSA sponsored.

Thu, 11/21/2013 - 15:16 | 4178456 ExpendableOne

linux, windoze, zos (IBM big iron), COBOL, cp/m (just kidding) it all talks on the web.  But, there's a good chance the systems are swapping lots of xml back and forth.  Lots of time spent parsing, reparsing and constructing that xml.  Please don't disparage an OS just because it was unlucky enough to get sucked into this vortex....

Thu, 11/21/2013 - 16:13 | 4178685 MSimon

DOS is more or less cp/m so you aren't far off.

Thu, 11/21/2013 - 13:20 | 4177837 Unprepared

Even if the law was good (which according to many, it isn't), what these statist bureaucrats don't understand is that you cannot build an extremely complex and dynamic system (I'm not talking about the website only) from scratch and in one shot without giving it opportunity to grow, get real feedback, learn from mistakes, capitalize on it and self-integrate. No amount of "test cases" dreamed up by developers and analysts can shortcut this natural need to grow.


Probably the only reason why healthcare systems in other countries (even with strong socialist/bureaucratic regimes) are somewhat more successful is that they have a very long and progressive history behind them.


No one is that good. Except Obama of course.

Thu, 11/21/2013 - 14:15 | 4178137 Watauga

So, do we get our money back from CGI?

And who goes to jail?  Sibelius? 

Thu, 11/21/2013 - 17:25 | 4178929 robertsgt40

I agree with the "shut down" part, not the "rebuilt".

Thu, 11/21/2013 - 17:35 | 4178974 robertsgt40

Keep in mind Obummer's "buds" built this POS.  The emperor is desperately looking for some clothes.

Thu, 11/21/2013 - 13:09 | 4177758 Ignatius

I'd rather it stay the inefficient pile of shit that it is.

Thu, 11/21/2013 - 13:25 | 4177877 g speed

I have no doubt you will get your wish----this POS is with us till the end of gov't as we know it.  YYYEEEEHHHHAAAAA

Thu, 11/21/2013 - 14:01 | 4178067 Colonel Klink

They should have stopped at "shut down".  No need to rebuild it.  It's a bad law from the beginning.  Rife with fraud and graft.

Thu, 11/21/2013 - 14:27 | 4178194 Ignatius

You understand perfectly.

Thu, 11/21/2013 - 16:32 | 4178743 James-Morrison

Agreed.  The MSM seems to think the technology is only bad.

The technology is the BEST part.  It's the law that really STINKS.

Thu, 11/21/2013 - 22:09 | 4179735 John_Coltrane

Like the black hole it is, it will suffer a heat death as it evaporates to a zero size event horizon.  Hey, entropy is a bitch.  May the farce be with it!

Thu, 11/21/2013 - 13:12 | 4177773 CharliePrince

Can't Moochele talk to her website college friend

for another large chunk of change, fix it

Thu, 11/21/2013 - 13:20 | 4177835 etresoi

Be aware that moochelle lost her license to practice law because of her involvement in insurance fraud.  One wonders if her college friend was working with moochelle, at that time.

Thu, 11/21/2013 - 13:13 | 4177781 RacerX

The real issue isn't the website tho; it's the frigging LAW that needs to be struck down.

Thu, 11/21/2013 - 13:20 | 4177834 Boris Alatovkrap

Dysfunctional website is natural compliment for inoperable legislation. Good as luck with that, Amerika!
