healthcare.gov vulnerability?
>From: "[email protected]" <[email protected]>
>To: jim bell <[email protected]>
>Jim,
>And I wonder how all the tax preparation sites plus irs.gov are
>waltzing with Heartbleed just now. April 15 is Tuesday...
>--dan
Yes, it's amazing how much security on the Internet is constructed on foundations of sand, 23 years (for example) after the writing of PGP. Organizations such as the NSA and CIA should be required to show that they are pulling their own weight, by discovering and fixing these kinds of bugs. After all, ostensibly they exist for the benefit of the citizenry of America, right? I would question the raison d'etre of the NSA if it found itself more interested in maintaining the existence of security bugs, than of closing them. The NSA can't claim that nobody else could find them or exploit them.
As for my idea about healthcare.gov vulnerability: I thought of this many months ago, but I decided not to post it until the deadline had virtually expired. (Although, it wasn't like I thought I was the only one who could imagine such a thing!). I was amazed by the lack of discussion in the lamestream media about the potential vulnerabilities of people's personal data. But, even more obvious to me was the fact that healthcare.gov virtually invited people to enter false data: It refused to provide people information about health care plans until they had entered their own personal information. A person would be motivated to enter a mostly-fake set of data, solely for the purpose of getting access to the plans.
And, there was a potential 'innocent reason': Systems like this might get 'stuck', making it difficult to correct data, and people might be tempted to initiate a new account, solely for the purpose of abandoning old data. I realized that depending on how well healthcare.gov had been written, a cracker with a script could upload thousands or even over a million accounts, presumably for the purpose of making the account-numbers look good.
      Jim Bell