healthcare.gov vulnerability?

jim bell jamesdbell9 at yahoo.com
Thu Apr 10 21:05:12 PDT 2014


>From: "dan at geer.org" <dan at geer.org>
>To: jim bell <jamesdbell9 at yahoo.com>
 
>Jim,
>And I wonder how all the tax preparation sites plus irs.gov are
>waltzing with Heartbleed just now.  April 15 is Tuesday...
>--dan

Yes, it's amazing how much security on the Internet is constructed on foundations of sand, 23 years (for example) after the writing of PGP.  Organizations such as the NSA and CIA should be required to show that they are pulling their own weight, by discovering and fixing these kinds of bugs.  After all, ostensibly they exist for the benefit of the citizenry of America, right?  I would question the raison d'etre of the NSA if it found itself more interested in maintaining the existence of security bugs, than of closing them.  The NSA can't claim that nobody else could find them or exploit them.

As for my idea about healthcare.gov vulnerability:  I thought of this many months ago, but I decided not to post it until the deadline had virtually expired.  (Although, it wasn't like I thought I was the only one who could imagine such a thing!).   I was amazed by the lack of discussion in the lamestream media about the potential vulnerabilities of people's personal data.  But, even more obvious to me was the fact that healthcare.gov virtually invited people to enter false data: It refused to provide people information about health care plans until they had entered their own personal information.  A person would be motivated to enter a mostly-fake set of data, solely for the purpose of getting access to the plans.
And, there was a potential 'innocent reason':  Systems like this might get 'stuck', making it difficult to correct data, and people might be tempted to initiate a new account, solely for the purpose of abandoning old data.    I realized that depending on how well healthcare.gov had been written, a cracker with a script could upload thousands or even over a million accounts, presumably for the purpose of making the account-numbers look good.
            Jim Bell