to show up on CNBC...and, he testified? Who called him in? Issa?

I would rather hear from somebody else.

He answers to somebody.

Keep people afraid and ignorant. It should be the Republican motto.

No matter what he does, or whether his ideas work.

or should it just get massively hacked before anyone tries to fix it?

He offers services in IT security to businesses

to make the ACA fail? Geez. So much energy wasted bringing it down. Don't they have better things to do?

Granted, the system requires a secure site but, since you no longer have to submit your medical history to get insurance, I'm not as worried.

Can we please just let the thing get its sea legs and before we decide it can never work and demolish it?

buying his expert opinion. The real question should be who asked him.

The guy is a paid con hired to make a speech to titillate the unthinking. I'm sure there are those gullible enough to take it hook line and sinker. I'm also sure there are weak places; there are weak places in most computers on the planet and all the computers in Internet land, but this guy wreaks of payola.

The only people I trust less than Internet crooks are Internet security company front men. BS!

But I know quite a bit about IT security, so I cannot fathom how the premise of this story can simply be bullshit. Web applications with a decade of development history deal with exploits quite commonly.

He posted a screenshot of some python scripts (which could do nothing but echo out content) that supposedly interface with the provider web services to extract user data:



I've mined data off government websites (public data mind you) by coming up with the proper requests and plugging in automatically incrementing id's (instead of hashes) to extract data quickly, up to millions of records. If their webservices did not require authentication and were using SOAP protocol (likely), he could easily have requested info if an increment id was the sole request parameter.

I am also in IT, and agree with this.

Speaking as someone who spent a large part of his career writing software for the government as a consultant, I've seen some real horror stories. Generally speaking, web services (such as the one this guy is citing) tend to be the biggest problem across the board. I've seen sites that bend over backwards to secure the web frontend site (the part everyone sees), which then leave the backend services clear. I was once called in to rewrite and secure a SOAP architecture that actually allowed anyone to query ANYTHING about a user based on their social security number. A simple script could have iterated through all 1.1 billion social security numbers in only a few days time, extracting everything from tax records to financial data (the site dealt with unemployment insurance, and had all sorts of valuable data in it). There was no authentication for the web service whatsoever, and no encryption on the connection once it was established. The original writers simply assumed that nobody would ever find it.

Part of the problem is that enterprise web technology has fully embraced SOA, and yet a LOT of developers still don't know how to properly secure and authenticate SOAP and REST calls between the presentation layer and the transactional servers. They started programming in a world where you did the processing on your web server directly and security between the layers usually wasn't a consideration. For many of those developers, it's still a bit of an afterthought.

It sounds like the guy in the OP found the Healthcare.Gov site doing the same thing. It's not a slight against this site in particular, but is simply indicative of the kinds of problems we often see in government sites (and hurriedly built SOA sites in general).

And by the way, it's "reeks," not "wreaks."

Doesn't mean I can't learn something but at this point I stand by my statement. And that's a s far as I'm going with it.

The word is wreaks... as in wreak havoc... I wasn't referring to smells.

Unless he has visited the actual code, especially the claim that the fix of a security bug in the password reset remains vulnerable. Also the source, CNBC, is suspect. Encrypting key data like Social Security number surely wouldn't take anything like a year to fix. Indeed, this kind of security is so obvious I would think it would have been part of what was installed over the last two months. Indeed, I have little use for experts making wild claims without being hands-on. How much did CNBC pay this "expert" to say these things?

'My special decoder ring, however, could see right through their sinister machinations.'

Somebody call Buck Rogers! His publicist is on the teevee! Wait, that's him! Only he can help save us from Fu Manbama!

God this shit is boring. Boring Boring Boring BORING. Stupid. Boring.

So I guess this is the next talking point.I've never seen so much interest in a website failing

repukes do.

it's kind of you to attribute it to people merely being naive, but it's pretty clear that that's not it.

... and I have good reason to believe the private corporation that built the website wanted it to fail.

He's well known for SET, the Social Engineering Toolkit and a hacker convention called DerbyCon.

But he has a huge blind spot; he leans very right and hates Obama. So that he's hanging out with the Republics and sowing FUD (fear, uncertainty and doubt) is not surprising at all.

He is correct that you want to have security as an overriding design goal, beyond best practices in coding, from day one but that rarely happens from day one in the real world. Especially with a gov contract made up of the lowest bidders.

As of this point I haven't heard any stories of a breech of healthcare.gov or the exchange sites. Given all the attention surely someone on the planet with skills has done a recon and tried....

Fox began having all kinds of security experts express concern on multiple shows. They are running out of ACA bad news they can sell 24/7, so this is it. This is the current focus.

It may very well be that the website isn't as secure as could be. How many websites are? What kind of information is at risk that isn't already at risk a hundred times over?

Somewhere along the way, I hope more and more people realize that if if it's on FOX it's automatically questionable.

IMO all security is breached anyway. Most secure network I know of right now is the sneaker-net. Or paper & ink.

I'm positive that there are security issues with healthcare.gov but there's holes everywhere. The Wordpress site I run has a plugin that alerts me to any possible breaches (usually plugin updates). And that's just my little ol' site!

I and a family member got caught up in the Adobe hack. I'm sure that site was designed "with security in mind." Didn't make a helluva difference.

The OP proves that point.

when all of the quick fixes were being made over the last month or so. It takes time to test websites, especially for security.

The thing that would absolutely kill Healthcare.gov is if public trust in it is destroyed. Our reich-wing enemies would celebrate if they saw stories of identity and bank fraud from the ACA website.

unless you plan to drop dead in the next few months,

I would suggest waiting until
the security issues are investigated.
You can see a lot just by looking.