healthcare.gov vulnerability?
It occurred to me that I haven't heard much on the news about deliberate attacks on the healthcare.gov website, even though it is reputed to be extremely weak. Might somebody (potentially a supporter of Obama and/or Obamacare) have deliberately 'spammed' it with fake signups, simply to get the number of such signups increased? How vulnerable would it be to 'invented' names/addresses? How 'valid' would these names/addresses have to be to keep the system from finding out until some arbitrary stage in the process? If such an attack had been done, would the public ever find out, and when? Jim Bell
On Wed, Apr 9, 2014 at 2:36 AM, jim bell <jamesdbell9@yahoo.com> wrote:
Might somebody (potentially a supporter of Obama and/or Obamacare) have deliberately 'spammed' it with fake signups, simply to get the number of such signups increased?
Possible, I suppose, but why bother? They could just make up numbers and they'd be repeated as gospel by the lapdogs, lickspittles, and fellow travellers. ref practically every other number coming from the US federal and state governments. -- Neca eos omnes. Deus suos agnoscet. -- Arnaud-Amaury, 1209
From: Steve Furlong <demonfighter@gmail.com>
On Wed, Apr 9, 2014 at 2:36 AM, jim bell <jamesdbell9@yahoo.com> wrote:
Might somebody (potentially a supporter of Obama and/or Obamacare) have deliberately 'spammed' it with fake signups, simply to get the number of such signups increased?
Possible, I suppose, but why bother? They could just make up numbers and they'd be repeated as gospel by the lapdogs, lickspittles, and fellow travellers. ref practically every other number coming from the US federal and state governments.
True, but I think they'd prefer to (later on) be able to blame some unknown-named and unidentifiable 'hacker-types' than to implicate themselves. ("I'm shocked, shocked to find that gambling is going on in here!") This tactic wouldn't be useful at all if follow-on data (like actually-paid accounts) were released. Probably this explains why those numbers remain elusive even today. Jim Bell
If they at some later stage got found out to have massaged the data they would just blame it on some office intern who would then be fired and claim it was a statistical fault, politicians only get to where they are by lying, blaming others for their failures, being able to gaslight the public and being able to perform a complete u-turn on a subject and flat out deny it to your face they had done so. Many people forget that politicians have no spine, morals or inclination to tell the truth, especially when the opposite will assist their position. I have no experience of the system, but is it possible to sign a family up with one session, because I can see them easily adjusting it so instead of one signup they've got 5 etc
From: cypherpunks [mailto:cypherpunks-bounces@cpunks.org] On Behalf Of jim bell
Sent: Wednesday, April 09, 2014 6:29 PM
To: Steve Furlong
Cc: cypherpunks@cpunks.org
Subject: Re: healthcare.gov vulnerability?
From: Steve Furlong <demonfighter@gmail.com>
On Wed, Apr 9, 2014 at 2:36 AM, jim bell <jamesdbell9@yahoo.com> wrote:
Might somebody (potentially a supporter of Obama and/or Obamacare) have
deliberately 'spammed' it with fake signups, simply to get the number of
such signups increased?
Possible, I suppose, but why bother? They could just make up numbers and they'd be repeated as gospel by the lapdogs, lickspittles, and fellow travellers. ref practically every other number coming from the US federal and state governments.
True, but I think they'd prefer to (later on) be able to blame some unknown-named and unidentifiable 'hacker-types' than to implicate themselves. ("I'm shocked, shocked to find that gambling is going on in here!") This tactic wouldn't be useful at all if follow-on data (like actually-paid accounts) were released. Probably this explains why those numbers remain elusive even today. Jim Bell
Jim, And I wonder how all the tax preparation sites plus irs.gov are waltzing with Heartbleed just now. April 15 is Tuesday... --dan
From: "dan@geer.org" <dan@geer.org> To: jim bell <jamesdbell9@yahoo.com
Jim, And I wonder how all the tax preparation sites plus irs.gov are waltzing with Heartbleed just now. April 15 is Tuesday... --dan
Yes, it's amazing how much security on the Internet is constructed on foundations of sand, 23 years (for example) after the writing of PGP. Organizations such as the NSA and CIA should be required to show that they are pulling their own weight, by discovering and fixing these kinds of bugs. After all, ostensibly they exist for the benefit of the citizenry of America, right? I would question the raison d'etre of the NSA if it found itself more interested in maintaining the existence of security bugs, than of closing them. The NSA can't claim that nobody else could find them or exploit them. As for my idea about healthcare.gov vulnerability: I thought of this many months ago, but I decided not to post it until the deadline had virtually expired. (Although, it wasn't like I thought I was the only one who could imagine such a thing!). I was amazed by the lack of discussion in the lamestream media about the potential vulnerabilities of people's personal data. But, even more obvious to me was the fact that healthcare.gov virtually invited people to enter false data: It refused to provide people information about health care plans until they had entered their own personal information. A person would be motivated to enter a mostly-fake set of data, solely for the purpose of getting access to the plans. And, there was a potential 'innocent reason': Systems like this might get 'stuck', making it difficult to correct data, and people might be tempted to initiate a new account, solely for the purpose of abandoning old data. I realized that depending on how well healthcare.gov had been written, a cracker with a script could upload thousands or even over a million accounts, presumably for the purpose of making the account-numbers look good. Jim Bell
Healthcare.gov used to have some very bad vulnerabilities. Some of which still are lying around in wait, but --> https://www.ssllabs.com/ssltest/index.html they've fixed it up since a while back. However, that doesn't necessarily mean anything. One of the biggest providers, Anthem (anthem.com) fails. (servers: openroadfromanthem (cert not even valid), deploy.static.akamaitechnologies.com... 'F' grades, ssltest) Supposedly people are getting connected to these health insurance companies through healthcare.gov ~ real reassuring, right?
From: "dan@geer.org" <dan@geer.org> To: jim bell <jamesdbell9@yahoo.com
Jim, And I wonder how all the tax preparation sites plus irs.gov are waltzing with Heartbleed just now. April 15 is Tuesday... --dan
Yes, it's amazing how much security on the Internet is constructed on foundations of sand, 23 years (for example) after the writing of PGP. Organizations such as the NSA and CIA should be required to show that they are pulling their own weight, by discovering and fixing these kinds of bugs. After all, ostensibly they exist for the benefit of the citizenry of America, right? I would question the raison d'etre of the NSA if it found itself more interested in maintaining the existence of security bugs, than of closing them. The NSA can't claim that nobody else could find them or exploit them.
As for my idea about healthcare.gov vulnerability: I thought of this many months ago, but I decided not to post it until the deadline had virtually expired. (Although, it wasn't like I thought I was the only one who could imagine such a thing!). I was amazed by the lack of discussion in the lamestream media about the potential vulnerabilities of people's personal data. But, even more obvious to me was the fact that healthcare.gov virtually invited people to enter false data: It refused to provide people information about health care plans until they had entered their own personal information. A person would be motivated to enter a mostly-fake set of data, solely for the purpose of getting access to the plans. And, there was a potential 'innocent reason': Systems like this might get 'stuck', making it difficult to correct data, and people might be tempted to initiate a new account, solely for the purpose of abandoning old data. I realized that depending on how well healthcare.gov had been written, a cracker with a script could upload thousands or even over a million accounts, presumably for the purpose of making the account-numbers look good. Jim Bell
participants (5)
- dan@geer.org
- jim bell
- Odinn Cyberguerrilla
- Silent1
- Steve Furlong