>From: "dan@geer.org" <dan@geer.org>
>To: jim bell <jamesdbell9@yahoo.com>
>Jim,
>And I wonder how all the tax preparation sites plus irs.gov are
>waltzing with Heartbleed just now. April 15 is Tuesday...
>--dan
Yes, it's amazing how much security on the Internet is constructed on foundations of sand, 23 years (for example) after the writing of PGP. Organizations such as the NSA and CIA should be required to show that they are pulling their own weight, by discovering and fixing these kinds of bugs. After all, ostensibly they exist for the benefit of the citizenry of America, right? I would question the raison d'être of the NSA if it found itself more interested in maintaining the existence of security bugs than in closing them. The NSA can't claim that nobody else could find them or exploit them.
As for my idea about the healthcare.gov vulnerability: I thought of this many months ago, but I decided not to post it until the deadline had virtually expired. (Although it wasn't like I thought I was the only one who could imagine such a thing!) I was amazed by the lack of discussion in the lamestream media about the potential vulnerabilities of people's personal data. But, even more obvious to me was the fact that healthcare.gov virtually invited people to enter false data: it refused to provide people information about health care plans until they had entered their own personal information. A person would be motivated to enter a mostly-fake set of data, solely for the purpose of getting access to the plans.
And, there was a potential 'innocent reason': Systems like this might get 'stuck', making it difficult to correct data, and people might be tempted to initiate a new account, solely for the purpose of abandoning old data. I realized that depending on how well healthcare.gov had been written, a cracker with a script could upload thousands or even over a million accounts, presumably for the purpose of making the account-numbers look good.
Jim Bell