|
Post by Sailor on Dec 3, 2013 16:13:08 GMT -8
No security ever built into Obamacare site: Hacker

It could take a year to secure the risk of "high exposures" of personal information on the federal Obamacare online exchange, a cybersecurity expert told CNBC on Monday.

"When you develop a website, you develop it with security in mind. And it doesn't appear to have happened this time," said David Kennedy, a so-called "white hat" hacker who tests online security by breaching websites. He testified on Capitol Hill about the flaws of HealthCare.gov last week.

"It's really hard to go back and fix the security around it because security wasn't built into it," said Kennedy, chief executive of TrustedSec. "We're talking multiple months to over a year to at least address some of the critical-to-high exposures on the website itself."

Much more here: www.cnbc.com/id/101225308

Obviously if you don't absolutely HAVE to go to this site ... DON'T. That's the advice of several "white hat hackers" I've heard over the last couple of days after they've had a look at how the site works without actually trying to break it or break into it. Mr Kennedy was one of those whose interview I heard this afternoon.

On top of every other problem with it, if this site is as vulnerable as they say then it may be in violation of the federal HIPAA law which is intended to safeguard patient information. I'm subject to it since I work in the healthcare field; violations can bring down all kinds of nasty repercussions including fines and jail depending on the severity and nature of the offense.
|
|
|
Post by 101ABN on Dec 3, 2013 17:48:57 GMT -8
Oh SHIT!
You want SECURITY TOO?
The NOIVA some people!
|
|
|
Post by Sailor on Dec 4, 2013 3:43:25 GMT -8
After listening to Mr Kennedy and other top software designers and "white hat hackers" over the course of several interviews I am left drawing the following conclusion:
This is your typical government program costing 10 times the money to develop, taking 10 times as much time to develop and not functioning as intended in comparison to a comparable non-government program or business.
At least one comparable software system was put together within 3 months by a university IT department; theirs works, and the only reason it took 3 months is that it was not their top priority and they did it on a shoestring.
The most expensive non-government alternative to "healthcare.gov" is estimated to cost no more than $60 million, including not only the software development and testing but also the dedicated server farm it would need. And those packages would be designed from the ground up with security of customer information at or near the top of functionality requirements. "Healthcare.gov," not at all.
HHS would be happy with an 80% success rate with "healthcare.gov." If an internet business managed only an 80% success rate, i.e., a 20% error order rate, it would be out of business that afternoon.
There are several giant internet businesses who depend on their reputation for reliability and security.
When was the last time you heard of Amazon.com screwing up? Not very damned often.
When was the last time you heard of Amazon.com or eBay being hacked for customer ID information? Me neither.
If you want something done right, go to the marketplace. If you want it totally and completely hosed ... depend on government.
|
|
|
Post by 101ABN on Dec 4, 2013 7:12:48 GMT -8
In any private company, you'd have to dodge the rolling heads just to get to the water cooler.
|
|
|
Post by Sailor on Dec 4, 2013 15:28:55 GMT -8
Yup.
|
|
|
Post by 101ABN on Dec 19, 2013 6:53:52 GMT -8
If you like your security, you can keep your security.
|
|
|
Post by Sailor on Dec 19, 2013 10:04:54 GMT -8
"If you like your security, you can keep your security."

"If you like your identity, you can keep your identity"
|
|
|
Post by tankcommander on Dec 19, 2013 19:18:32 GMT -8
"If you like your identity, you can keep your identity"

And if I like your identity......... ;D
|
|