“When you develop a website, you develop it with security in mind. And it doesn’t appear to have happened this time,” said David Kennedy, a so-called “white hat” hacker who tests online security by breaching websites. He testified on Capitol Hill about the flaws of HealthCare.gov last week.

“It’s really hard to go back and fix the security around it because security wasn’t built into it,” said Kennedy, chief executive of TrustedSec. “We’re talking multiple months to over a year to at least address some of the critical-to-high exposures on the website itself.”

According to the Department of Health and Human Services, which oversaw the implementation of the website, the components used to build the site are compliant with standards set by Federal security authorities.

“The privacy and security of consumers’ personal information are a top priority for us. Security testing happens on an ongoing basis using industry best practices to appropriately safeguard consumers’ personal information,” said an HHS spokesperson.

Another online security expert—who spoke at last week’s House hearing and then on CNBC—said the federal Obamacare website needs to be shut down and rebuilt from scratch. Morgan Wright, CEO of Crowd Sourced Investigations, said: “There’s not a plan to fix this that meets the sniff test of being reasonable.”



  1. pedro says:

    And I bet you the law has been written with the same level of care towards the constituent’s best interest as the web page’s code.

  2. Dallas says:

    Now I’m newly outraged.

    During brunch today my friends and I were celebrating the end of the website sign-up crisis. We were reflecting on where we were when the crisis broke. Now this security thing, which doesn’t sound like a good thing.

    #devastated

  3. ECA says:

    Lets see now…

    INSTEAD OF:
    taking bids to build the site, AS THEY ARE SUPPOSED TO..

    Instead:
    they HIRE 2 crony companies to THROW something together..
    IT’S a piece of crap that can’t even figure out what it’s supposed to do..
    THEY FIX IT (same 2 companies that ARE SUPPOSED to know how this works)
    AND it’s STILL CRAP..

    I mentioned before, that MOST states have setup sites already to deal with MEDICAID..(state run soc. sec.) and have been doing it for years..

    WHO would you call to set up a GREAT web site with HEAVY HEAVY security? Amazon? NEWEGG? EBAY??
    and those sites are SOOOO LARGE…they need GOOD security..
    And for what WE PAID for this…I want my money back..

    • ECA says:

      PS..
      for what they were PAID…everyone in the USA, would probably get $100 back..

      PSS..
      NOW you might THINK about who is feeding our PEOPLE IN WASHINGTON DC BS info on how the net works..
      AND how the NET FAILS..

      • Dipity DooDoo says:

        Think that’s something? Try reading a competent history book on the history of the Internet (although good luck finding one not written in extreme geek speak).

        Your tax dollars helped build what we now call the Internet. It was morphed from the old ARPANET (decommissioned in 1990) and NSFNET (decommissioned in 1995). So perhaps you’d like to ask why everyone now has to pay a PRIVATE ISP company to access it. Because it would seem that if our government had even an inkling of an idea how it all works we might have all been given some sort of free access to it (although probably limited access).

        Now, go sign up SLAVE!

  4. pedro says:

    You’d think that the internet, being a government-sponsored project, would have a lot of specialists working in the government.

    I guess you’d be wrong. I wonder what else that government people should in theory know about is actually way out of their league.

  5. deegee says:

    Whether the web site has any security issues or not, there will always be some “security specialist” who comes forward stating that the site is not secure, simply because they are anti-ObamaCare or anti-Obama or anti-government or just want to get their face splashed all over the news like so many other wannabe posers out there.

    • pedro says:

      Dayum! Kudos for your fierce fight against reality.

      • deegee says:

        Hey, I didn’t say that the obamacare website doesn’t have issues.
        Only that even if the site were near-perfect, some people would still complain.
        It has become like the global warming debate, the gun debate, and so many other similar divided camps.

        • Ginomous Kloosterfookin says:

          So once again, the ObamaCare debacle is nobody’s fault? No accountability.

          Other than being a low-level sacrificial lamb, what does a government servant in a high-visibility position of responsibility have to do to get fired?

          • pedro says:

            See? To the liberuls in here you just crossed the race line

          • Ginomous Kloosterfookin says:

            But wait, there’s more…

            Since there’s no way to get premium dollars from the ObamaCare website to the Insurance Companies, the government and knucklehead POTUS have just decided to pay up based on estimated payments and “true up” things later.

            What could go wrong?

          • pedro says:

            And they thought the housing bubble was the worst that could happen to the US economy.

            What I don’t get is why, if the EU is going to the crapper on a silver plate, the US wants to follow suit?

  6. MikeN says:

    They don’t care if you are forced to submit to TSA invasion of privacy. Why should they care what you do here? The whole point of the system is to bankrupt insurance companies so they can push for you to submit to even more government control. Having privacy violations is a feature not a bug.

  7. MikeN says:

    Obama couldn’t write his own book within the 18 month deadline, kept making up excuses until the publisher asked for their $125000 advance back. After not paying back the first publisher, he then got another publisher to pay him more money saying he would get it done. Finally turned to terrorist bomber Bill Ayers to finish his book.

    Why wait years, Mr President. Call Bill Ayers now and have him fix the website.

  8. MikeN says:

    Venezuela’s government set price controls on automobiles, and are blaming others for sabotaging their plans. Production is at one third of capacity and Ford is selling 70,000 cars this year down from over 100k last year. Now Venezuela is considering setting up a public option and selling their own cars directly.

    Why do I bring this up? Well apparently the website for buying your own car direct from the government is a security nightmare.

    • pedro says:

      On cars only? That one’s the latest

      On consumer electronics they forced all prices down 70% or be seized by the government. A “Black Friday” (hope I won’t be labeled as racist for that one) that lasted almost 2 weeks until all inventory was sold. Some stores were outright looted. There was military & police control of all stores that allowed people to take what they wanted… after they themselves had taken (not paying) what they “needed” for xmas.

      The same thing is being done in everything: rented houses, commercial rent, etc.

      And from now on, it is the government that will make all imports (not only cars).

      Just to make it clear, these were not things made by the Venezuelan government since there’s no government there, just a Cuban proxy, so all these “edicts” came from Havana.

      The most hilarious image of the thing? Cuban military personnel in civilian clothes taking back home by plane all the home electronics they could pack at the Cubana de Aviación booth in the airport.

      Venezuela: The new Haiti

    • pedro says:

      “Why do I bring this up? Well apparently the website for buying your own car direct from the government is a security nightmare.”

      Oh, that’s hilarious.

      It was not a security nightmare. The government allowed “friends” to set up these so-called cheap government car registries, so some of those friends just made fraudulent pages where they not only got all the info from the “innocent” idiots that wanted their gubment-subsidized car, but also asked them to pay for the car in advance. The sheep were all scammed & robbed.

      That web page? Was on a Lithuanian server.
      The cars? Were all cheap Chinese Chery cars built in a newly built buddy-system factory between the Venezuelan & Chinese gubments. They did the same deal with the Iranians some years ago and not only did they make very few cars, but most were just abandoned and never given to their buyers, though without the direct gubment sale scam. That Iranian plant has closed.

  9. pedro says:

    Also to file in the “What liberuls would do in order to rule” Dept, here’s the latest from Germany:

    In their desperation to be part of the Merkel government coalition and to push their agenda about immigration & social monetary benefits, the lefty SPD is holding an internal election. This election needs at least 20% of their members to vote, so they invited the foreigners & minors that are registered in the party to vote.

    So bad are things in Germany that constitutionalists are saying that allowing the vote of minors & foreigners is the lesser of the problems with that internal referendum http://www.welt.de/politik/deutschland/article122525059/Mitgliedervotum-im-Konflikt-mit-dem-freien-Mandat.html

    I’ll expect the push from US liberuls for the illegal & minor vote in the not so distant future.

  10. Seth Griffin says:

    It’s horrendous to me that my entire career as a software developer I’ve worked with teams of people who produce shoddy garbage like the healthcare website, but not because we wanted to.

    This shit is just normal to me. Maybe I’ve worked for some really bad companies but I couldn’t get anyone to give a flying fuck at the moon about security concerns let alone get them to allocate time for us to fix problems we knew about.

    Hell, once I was hassled over whether or not an SSL cert was needed…by the Product Development Manager!

    My point is that this just shows that the government is just as corrupt and incompetent as any company out there.

    • Tim says:

      Ah. Hemm. Dallas? Give Seth a hug for me?

    • Dallas says:

      Don’t mean to be crude, but you must really suck as a SW developer or have awfully bad luck if this is normal to you.

      Back in the day, I wrote amazing TCAS software at Allied Signal/Bendix and it had to be ironclad secure with lots of hassling Prod Dev managers. Since then, the cert process is even more stringent, yet easier to comply with at the vast majority of SW outfits – which do the vast majority work for our amazing, yet bloated, government.

      Trivia: Pres Obama has REDUCED gov employment >2.6 percent over the last three years which is a record..

      • ± says:

        ******
        Trivia: Pres Obama has REDUCED gov employment >2.6 percent over the last three years which is a record..
        ******

        If this is true, then no doubt it is because the use of outside contractors increased 5.2%.

        • Dallas says:

          Why are you for big government and against private enterprise?

          Take your headset off and listen to all the great things happening because of President Obama (two term President).

          50% reduction in deficit, smaller government, killed Osama. I can go on but you get my point.

          • pedro says:

            You’re just parroting what you heard Obama say while he was riding on a unicorn.

  11. sargasso_c says:

    Take an assurance from a vested security expert in a suit with a very big pinch of salt.

  12. Robert James Randolph III says:

    https://www.trustedsec.com/files/CONGRESS_Hearing_HealthCareSEC_FINAL_v1.1.pdf

    Here’s the actual report his company put together. I can’t comment on their ‘Undisclosed Exposures’, but most of the rest of it is bullshit. They only identified a couple of legit concerns (such as the password reset issue and the username enumeration) and those have already been fixed.

    There could actually be real security holes, but it’s going to take access to the source code or somebody much smarter than this bozo to find them.
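The comment above names username enumeration on a password-reset flow as one of the few concerns it considers legitimate. The block below is an added illustration of that vulnerability class, written for this page; it is not HealthCare.gov's code, not part of the TrustedSec report, and not any commenter's code. The user store, the in-memory "outbox" that stands in for a mailer, and the function names are all constructed for the example. The vulnerable handler answers a registered and an unregistered address differently, which lets an attacker confirm which e-mail addresses have accounts; the hardened handler returns one response either way and does comparable work on both paths so the timing does not reveal the branch.

```python
import secrets
from dataclasses import dataclass

# Constructed in-memory user store standing in for the real account database.
USERS = {"alice@example.com": {"id": 1}, "bob@example.com": {"id": 2}}

# Constructed stand-in for the mailer: records (address, token) pairs that would be e-mailed.
OUTBOX: list[tuple[str, str]] = []


@dataclass(frozen=True)
class ResetResponse:
    status: int
    body: str


def _issue_token(email: str) -> str:
    """Generate a reset token and hand it to the (simulated) mailer."""
    token = secrets.token_urlsafe(32)
    OUTBOX.append((email, token))
    return token


def reset_vulnerable(email: str) -> ResetResponse:
    """Password-reset handler that leaks account existence.

    The two branches differ in status code and message, so a single request
    tells the caller whether the address is registered. The timing differs
    too: the miss path returns before any token work is done.
    """
    if email not in USERS:
        return ResetResponse(404, "No account exists for that email address.")
    _issue_token(email)
    return ResetResponse(200, "A password reset link has been sent to your email.")


def reset_hardened(email: str) -> ResetResponse:
    """Password-reset handler with a uniform response.

    Status and body are identical whether or not the account exists; the only
    difference is the side effect (a token is mailed only to a real account).
    The miss path performs equivalent token generation so the two branches
    take comparable time (assumption for this example: token generation is
    the dominant cost; a real mailer would need the same treatment).
    """
    if email in USERS:
        _issue_token(email)
    else:
        secrets.token_urlsafe(32)  # same work, no side effect
    return ResetResponse(
        200, "If an account exists for that address, a reset link has been sent."
    )


def enumerates_users(handler, known: str, unknown: str) -> bool:
    """Oracle check a tester would run: does the handler respond differently
    for a registered address than for an unregistered one? True means the
    endpoint is usable as a username-enumeration oracle."""
    a = handler(known)
    b = handler(unknown)
    return (a.status, a.body) != (b.status, b.body)


if __name__ == "__main__":
    for name, handler in (("vulnerable", reset_vulnerable), ("hardened", reset_hardened)):
        leaks = enumerates_users(handler, "alice@example.com", "nobody@example.com")
        print(f"{name}: enumeration oracle present = {leaks}")
```

The check compares only status and body; a fuller test would also compare headers, response size and timing across many samples, since a uniform message is worthless if the miss path returns noticeably faster. Closing the reset endpoint is also only part of the job: registration ("that address is already in use") and login error messages are the same oracle in a different place, and the same uniform-response rule applies to them.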