Usagi Yojimbo |
Usagi Yojimbo wrote: Show me your proof that security vulnerabilities don't exist in the ACA system.
There are so many problems with ACA that are real, do we really need to invent ones that don't exist?
Certainly!
Once you:
A) Read all the other comments about how silly this idea is, and
B) Show us your proof that pink elephants do not exist.
We'll all be waiting.
Justin Rocket |
Justin Rocket wrote: Usagi Yojimbo wrote: Show me your proof that security vulnerabilities don't exist in the ACA system.
There are so many problems with ACA that are real, do we really need to invent ones that don't exist?
Certainly!
Once you:
A) Read all the other comments about how silly this idea is, and
B) Show us your proof that pink elephants do not exist.
We'll all be waiting.
You're comparing software vulnerabilities to pink elephants, but we know that software vulnerabilities have existed in nearly every program ever written.
thejeff |
Krensky wrote:
What you're suggesting is like saying someone could hack into Orbitz and cause a plane crash.
What I'm suggesting is that a hacker could potentially use an exploit on the ACA server and use the ACA server as a launching point to connect to servers the ACA server is connected to. That may include insurance provider servers.
Is the system architecture for the ACA online? You couldn't make your assertion unless you've seen it and I'd love to review it.
The system architecture is pretty irrelevant. It's the connection to the other systems that would be the concern under your scenario.
Look, for the sake of argument, I'll concede something like that is theoretically possible. Wildly unlikely, requiring serious flaws not only in the ACA site, but in the very structure of the insurance companies' systems as well.
Even so, "putting everyone's life at risk" is such a wild exaggeration it's worth nothing more than laughter. Emergency, life-threatening care gets done and they worry about the insurance or other forms of payment later. If people are being denied care that should be covered because someone hacked the insurance company's system, then it will be questioned and discovered.
Meanwhile, if you delayed for these theoretical concerns, actual people continue to not get care because they can't get insurance. Compare the death toll, even making wildly bad assumptions for your scenario.
thunderspirit |
Krensky wrote: What I'm suggesting is that a hacker could potentially use an exploit on the ACA server and use the ACA server as a launching point to connect to servers the ACA server is connected to. That may include insurance provider servers.
What you're suggesting is like saying someone could hack into Orbitz and cause a plane crash.
No, what you're suggesting is that the ACA server is as vulnerable as any server is. Which is true.
And that the ACA server is automatically less reliable than, say, any other server because it's the server for ACA. Which is not.
And that the ACA server, since it is automatically less reliable than, say, any other server based on the fact that it's the ACA server, everyone who might use it would put their life at risk to do so. Which is preposterous.
Justin Rocket |
The system architecture is pretty irrelevant. It's the connection to the other systems that would be the concern under your scenario.
How parts are organized and connected is architecture. That's pretty much the definition of architecture.
Even so, "putting everyone's life at risk" is such a wild exaggeration it's worth nothing more than laughter. Emergency, life-threatening care gets done and they worry about the insurance or other forms of payment later. If people are being denied care that should be covered because someone hacked the insurance company's system, then it will be questioned and discovered.
If you have a copy of the ACA architecture, I'd love to review it. Until then, you don't know what is connected to what.
Meanwhile, if you delayed for these theoretical concerns, actual people continue to not get care because they can't get insurance. Compare the death toll, even making wildly bad assumptions for your scenario.
This is an attempt at a risk assessment, but the right people need to make it.
Krensky |
By the latest figures I could find, healthcare.gov is costing over $600,000,000 to develop. That's more than half what it cost to develop MS Vista. Either that indicates the degree of complexity (and likelihood of serious security issues) in the code or it represents fraud, waste, and abuse.
Wrong!
Total contract value is just shy of $300 million, which is the most the contract is worth. Only about $170 million was spent though.
But thank you for playing.
Justin Rocket |
No, what you're suggesting is that the ACA server is as vulnerable as any server is. Which is true.
No, it's not true. All else being equal, a server which has only popular COTS software at least three years old, but not discontinued, is going to be less vulnerable than a server running custom code which hasn't been through a good code review.
thejeff |
thejeff wrote: Even so, "putting everyone's life at risk" is such a wild exaggeration it's worth nothing more than laughter. Emergency, life-threatening care gets done and they worry about the insurance or other forms of payment later. If people are being denied care that should be covered because someone hacked the insurance company's system, then it will be questioned and discovered.
If you have a copy of the ACA architecture, I'd love to review it. Until then, you don't know what is connected to what.
You do realize that reply has nothing to do with the quoted part. That was what could happen if your fears were correct and someone was able to hack through the ACA into an insurance company's system and deny payment for care. Assuming the kind of malicious intent that actually wants to hurt people instead of stealing data/money btw.
If that happened, the non-computer parts of the system get involved and deal with it.
With greater ease than they do now, when the insurance company is actually trying to deny care.
Justin Rocket |
Justin Rocket wrote: By the latest figures I could find, healthcare.gov is costing over $600,000,000 to develop. That's more than half what it cost to develop MS Vista. Either that indicates the degree of complexity (and likelihood of serious security issues) in the code or it represents fraud, waste, and abuse.
Wrong!
Total contract value is just shy of $300 million, which is the most the contract is worth. Only about $170 million was spent though.
But thank you for playing.
Your data is wrong. The GAO report states that $394 million was spent up through March '13 on contracts alone.
Justin Rocket |
Justin Rocket wrote: thejeff wrote: Even so, "putting everyone's life at risk" is such a wild exaggeration it's worth nothing more than laughter. Emergency, life-threatening care gets done and they worry about the insurance or other forms of payment later. If people are being denied care that should be covered because someone hacked the insurance company's system, then it will be questioned and discovered.
If you have a copy of the ACA architecture, I'd love to review it. Until then, you don't know what is connected to what.
You do realize that reply has nothing to do with the quoted part. That was what could happen if your fears were correct and someone was able to hack through the ACA into an insurance company's system and deny payment for care. Assuming the kind of malicious intent that actually wants to hurt people instead of stealing data/money btw.
If that happened, the non-computer parts of the system get involved and deal with it.
With greater ease than they do now, when the insurance company is actually trying to deny care.
You're fixated on that one type of attack I mentioned and you are ignoring my more important statement that we do not know what risks are involved in this application until a thorough risk assessment is done.
Krensky |
Krensky wrote: Your data is wrong. The GAO report states that $394 million was spent up through March '13 on contracts alone.
Justin Rocket wrote: By the latest figures I could find, healthcare.gov is costing over $600,000,000 to develop. That's more than half what it cost to develop MS Vista. Either that indicates the degree of complexity (and likelihood of serious security issues) in the code or it represents fraud, waste, and abuse.
Wrong!
Total contract value is just shy of $300 million, which is the most the contract is worth. Only about $170 million was spent though.
But thank you for playing.
Strike two.
That was the total spent on all aspects of the federal exchanges. Most of which has nothing to do with the website.
Usagi Yojimbo |
Justin Rocket wrote: Krensky wrote: Your data is wrong. The GAO report states that $394 million was spent up through March '13 on contracts alone.
Justin Rocket wrote: By the latest figures I could find, healthcare.gov is costing over $600,000,000 to develop. (Snip)
Total contract value is just shy of $300 million, which is the most the contract is worth. Only about $170 million was spent though.
But thank you for playing.
Strike two.
That was the total spent on all aspects of the federal exchanges. Most of which has nothing to do with the website.
Ummm- did you notice that you are contradicting yourself now?
">$600M" != "$394M"
Justin Rocket |
Most of which has nothing to do with the website.
The figure I provided is for HealthCare.gov. Consequently, it includes the cost of the data hub, etc.
The highest volume of obligations related to the development of information technology systems for the FFEs.
It does not, however, include salaries nor admin costs.
Justin Rocket |
Krensky wrote: Justin Rocket wrote: Krensky wrote: Your data is wrong. The GAO report states that $394 million was spent up through March '13 on contracts alone.
Justin Rocket wrote: By the latest figures I could find, healthcare.gov is costing over $600,000,000 to develop. (Snip)
Total contract value is just shy of $300 million, which is the most the contract is worth. Only about $170 million was spent though.
But thank you for playing.
Strike two.
That was the total spent on all aspects of the federal exchanges. Most of which has nothing to do with the website.
Ummm- did you notice that you are contradicting yourself now?
">$600M" != "$394M"
Did you see the part where I wrote, "through March '13"? Where I live, it is November.
Krensky |
Krensky wrote: Most of which has nothing to do with the website.
The figure I provided is for HealthCare.gov. Consequently, it includes the cost of the data hub, etc.
Quote: The highest volume of obligations related to the development of information technology systems for the FFEs.
It does not, however, include salaries nor admin costs.
And you're out.
Pick an exit strategy and bow out now since everything you've said is a misrepresentation or fabrication.
http://m.washingtonpost.com/blogs/fact-checker/wp/2013/10/24/how-much-did-healthcare-gov-cost/
thejeff |
thejeff wrote: You're fixated on that one type of attack I mentioned and you are ignoring my more important statement that we do not know what risks are involved in this application until a thorough risk assessment is done.
Justin Rocket wrote: thejeff wrote: Even so, "putting everyone's life at risk" is such a wild exaggeration it's worth nothing more than laughter. Emergency, life-threatening care gets done and they worry about the insurance or other forms of payment later. If people are being denied care that should be covered because someone hacked the insurance company's system, then it will be questioned and discovered.
If you have a copy of the ACA architecture, I'd love to review it. Until then, you don't know what is connected to what.
You do realize that reply has nothing to do with the quoted part. That was what could happen if your fears were correct and someone was able to hack through the ACA into an insurance company's system and deny payment for care. Assuming the kind of malicious intent that actually wants to hurt people instead of stealing data/money btw.
If that happened, the non-computer parts of the system get involved and deal with it.
With greater ease than they do now, when the insurance company is actually trying to deny care.
That's because it's the only thing you've suggested that would be "putting everyone's life at risk". I'll freely admit there are privacy and identity theft concerns.
I deal with software test too, though on a very different level. I know the difference between life or safety critical code and lower risk code. This is very definitely not life critical code. Pretending it is because of theoretical hacks is just fearmongering.
Justin Rocket |
Justin Rocket wrote: thejeff wrote: You're fixated on that one type of attack I mentioned and you are ignoring my more important statement that we do not know what risks are involved in this application until a thorough risk assessment is done.
Justin Rocket wrote: thejeff wrote: Even so, "putting everyone's life at risk" is such a wild exaggeration it's worth nothing more than laughter. Emergency, life-threatening care gets done and they worry about the insurance or other forms of payment later. If people are being denied care that should be covered because someone hacked the insurance company's system, then it will be questioned and discovered.
If you have a copy of the ACA architecture, I'd love to review it. Until then, you don't know what is connected to what.
You do realize that reply has nothing to do with the quoted part. That was what could happen if your fears were correct and someone was able to hack through the ACA into an insurance company's system and deny payment for care. Assuming the kind of malicious intent that actually wants to hurt people instead of stealing data/money btw.
If that happened, the non-computer parts of the system get involved and deal with it.
With greater ease than they do now, when the insurance company is actually trying to deny care.
That's because it's the only thing you've suggested that would be "putting everyone's life at risk". I'll freely admit there are privacy and identity theft concerns.
I deal with software test too, though on a very different level. I know the difference between life or safety critical code and lower risk code. This is very definitely not life critical code. Pretending it is because of theoretical hacks is just fearmongering.
Pretending that serious vulnerabilities can't exist on a complex piece of software which has been rushed into production is sticking one's head in the sand.
Justin Rocket |
Justin Rocket wrote: Oh so you didn't read it. Gotcha.
Krensky wrote: They very clearly don't. The article you posted is about someone who guessed what the total was.
Which both say the same thing.
This is just embarrassing now.
Devine methodically searched through all of the task orders for the CGI Federal contract, highlighted in blue what she guessed was related to the health-care Web site — and came up with a figure of just $70 million.
Krensky |
meatrace wrote: Devine methodically searched through all of the task orders for the CGI Federal contract, highlighted in blue what she guessed was related to the health-care Web site — and came up with a figure of just $70 million.
Justin Rocket wrote: Oh so you didn't read it. Gotcha.
Krensky wrote: They very clearly don't. The article you posted is about someone who guessed what the total was.
Which both say the same thing.
This is just embarrassing now.
Keep reading, then apologize.
meatrace |
Justin Rocket wrote: Keep reading, then apologize.
meatrace wrote: Devine methodically searched through all of the task orders for the CGI Federal contract, highlighted in blue what she guessed was related to the health-care Web site — and came up with a figure of just $70 million.
Justin Rocket wrote: Oh so you didn't read it. Gotcha.
Krensky wrote: They very clearly don't. The article you posted is about someone who guessed what the total was.
Which both say the same thing.
This is just embarrassing now.
Yeah really.
Justin Rocket |
Justin Rocket wrote: Keep reading, then apologize.
meatrace wrote: Devine methodically searched through all of the task orders for the CGI Federal contract, highlighted in blue what she guessed was related to the health-care Web site — and came up with a figure of just $70 million.
Justin Rocket wrote: Oh so you didn't read it. Gotcha.
Krensky wrote: They very clearly don't. The article you posted is about someone who guessed what the total was.
Which both say the same thing.
This is just embarrassing now.
Are you referring to the place they cherry pick numbers out of the GAO report (essentially ignoring the report's big numbers while cherry picking the report's low numbers)?
Rubber Ducky guy |
At the end of the article for those who don't want to follow the link
update, Oct. 30: In testimony on Capitol Hill, Health and Human Services Secretary Kathleen Sebelius said, in response to a direct question: "Congresswoman, we have spent about $118 million on the website itself, and about $56 million has been expended on other IT to support the web."
That adds up to $174 million.
meatrace |
Are you referring to the place they cherry pick numbers out of the GAO report (essentially ignoring the report's big numbers while cherry picking the report's low numbers)?
What? No. They quote the 394m figure, but note that it includes a wide swath of contracts not related to the website.
Regardless, I think the 394 million amount, directly from the GAO, is the best figure we have, not some phantom 600 million that you asserted.
bugleyman |
2 people marked this as a favorite. |
So...
Healthcare.gov is complex software. Check.
Complicated software has vulnerabilities. Check.
Therefore Healthcare.gov likely has some vulnerabilities. Check.
Ergo, the ACA is bad. Wait...what?
And Justin, you're demanding detailed design docs on the Internet (the existence of which would be a huge security breach) to prove the software is secure? Do you even understand how ludicrous you sound?
Usagi Yojimbo |
So...
Healthcare.gov is complex software. Check.
Complicated software has vulnerabilities. Check.
Therefore Healthcare.gov likely has some vulnerabilities. Check.
Ergo, the ACA is bad. Wait...what?
Actually, I think the logic continues from '...has some vulnerabilities' (sure, as you say)
to: therefore, people will die, because Obama
And then pick back up with 'Ergo, the ACA is bad'
If you can't follow that, you must be willfully blind!
Scott Betts |
By the latest figures I could find, healthcare.gov is costing over $600,000,000 to develop. That's more than half what it cost to develop MS Vista. Either that indicates the degree of complexity (and likelihood of serious security issues) in the code or it represents fraud, waste, and abuse.
I already posted a link to data explaining that the ACA website involves about 1000% of the amount of code that Windows Vista uses.
So, I mean, you'd better hope that we consider your argument ridiculous (we do), or else you'd be forced to acknowledge that, by your own logic, the ACA website was a steal. We paid less than $200 million for a system with a level of complexity that would have cost Microsoft $10 billion to put together.
Of course, amount of code isn't the same as the complexity of the product, but it's certainly less preposterous of a premise than the one you're throwing around.
Usagi Yojimbo |
They must have cut down quite substantially on the testing then. :-)
[Shaking fist] No, you are wron... Well, yeah. Sigh. :(
If the number I've seen bandied about (I do not vouch for this) of two weeks of testing is correct? That is not the amount of testing that those of us in the field would call "not insane".
Let us hope that it is as accurate as the $600M figure cited above. ;)
Usagi Yojimbo |
(snip)
I already posted a link to data explaining that the ACA website involves about 1000% of the amount of code that Windows Vista uses.
(snip)
Of course, amount of code isn't the same as the complexity of the product, but it's certainly less preposterous of a premise than the one you're throwing around.
I didn't see that link, do you still have it handy?
I'm trying to wrap my head around 10x as much code (however defined) for a glorified website. Huh.
Samnell |
6 people marked this as a favorite. |
bugleyman wrote: So...
Healthcare.gov is complex software. Check.
Complicated software has vulnerabilities. Check.
Therefore Healthcare.gov likely has some vulnerabilities. Check.
Ergo, the ACA is bad. Wait...what?
Actually, I think the logic continues from '...has some vulnerabilities' (sure, as you say)
to: therefore, people will die, because Obama
And then pick back up with 'Ergo, the ACA is bad'
If you can't follow that, you must be willfully blind!
You guys, Barack Obama was just here. He grabbed me by the neck and lifted me out of my chair and slammed me down on my bed. I tried to explain that, while I'm sure he's an accomplished lover, he is not my type.
Obama would hear none of it. He pressed his fingers together, like he was going to make a karate chop, and then just slammed them into my abdomen, fingertips first. Before I could even process what happened, Obama pulled out, my appendix in hand. I'll never forget what he said next, hand dripping with my blood as he stood over me:
"North Korea hacked healthcare.gov and gave you appendicitis. Put a band-aid on that, drink some Robitussin, and take two aspirin. You'll be fine. And get a haircut, hippie."
Then Obama threw the bloody appendix in my face and climbed out my window into a flying bidet that, as I understand it, became Air Force One as soon as he mounted the thing and blasted off. I got up to get the band-aid and realized that he took my Lego C-3PO on the way out.
Gotta call dick move on the 3PO, Obama.
thejeff |
Sissyl wrote: They must have cut down quite substantially on the testing then. :-)
[Shaking fist] No, you are wron... Well, yeah. Sigh. :(
If the number I've seen bandied about (I do not vouch for this) of two weeks of testing is correct? That is not the amount of testing that those of us in the field would call "not insane".
Let us hope that it is as accurate as the $600M figure cited above. ;)
Two weeks of full scale integration test. How all the pieces work together. That says nothing about the testing the individual pieces got.
It's still way too low, but not as ridiculous.
thejeff |
Scott Betts wrote: (snip)
I already posted a link to data explaining that the ACA website involves about 1000% of the amount of code that Windows Vista uses.
(snip)
Of course, amount of code isn't the same as the complexity of the product, but it's certainly less preposterous of a premise than the one you're throwing around.
I didn't see that link, do you still have it handy?
I'm trying to wrap my head around 10x as much code (however defined) for a glorified website. Huh.
I saw one link Scott posted that compared the supposed amount of code with other things, but I've never seen any good source for the numbers that are being thrown around for lines of code.
I suspect they're crap. Or, at the most generous, include all the library code and all the generated html and similar autogenerated code.
Doug's Workshop |
Maybe in your circles. I've talked with a WHOLE lot of people who identify as anarcho-capitalists. AnCap is the new, even more radical version of libertarianism and has the same sort of allure to young, financially stable, white men.
Especially on the internet. It's so prevalent on YouTube and especially in the deep web.
We've seen people extoll the virtues of anarcho-capitalism on these boards, using that very term.
You'll have to forgive me for not following Internet memes. LOLcats had a disturbingly negative effect on me.