Justin Rocket wrote: Usagi Yojimbo wrote:
There are so many problems with ACA that are real, do we really need to invent ones that don't exist?
Show me your proof that security vulnerabilities don't exist in the ACA system. Certainly!
Once you:
A) Read all the other comments about how silly this idea is, and
B) Show us your proof that pink elephants do not exist.
We'll all be waiting.
Usagi Yojimbo wrote: Justin Rocket wrote: Usagi Yojimbo wrote:
There are so many problems with ACA that are real, do we really need to invent ones that don't exist?
Show me your proof that security vulnerabilities don't exist in the ACA system. Certainly!
Once you:
A) Read all the other comments about how silly this idea is, and
B) Show us your proof that pink elephants do not exist.
We'll all be waiting. You're comparing software vulnerabilities to pink elephants, but we know that software vulnerabilities have existed in nearly every program ever written.
Justin Rocket wrote:
You're comparing software vulnerabilities to pink elephants, but we know that software vulnerabilities have existed in nearly every program ever written.
No, I was commenting on the fact that you requested proof of a negative. I assume the problems with that are clear.
Justin Rocket wrote: Krensky wrote:
What you're suggesting is like saying someone could hack into Orbitz and cause a plane crash.
What I'm suggesting is that a hacker could potentially use an exploit on the ACA server and use the ACA server as a launching point to connect to servers the ACA server is connected to. That may include insurance provider servers.
Is the system architecture for the ACA online? You couldn't make your assertion unless you've seen it and I'd love to review it. The system architecture is pretty irrelevant. It's the connection to the other systems that would be the concern under your scenario.
Look, for the sake of argument, I'll concede something like that is theoretically possible. Wildly unlikely, requiring serious flaws not only in the ACA site, but in the very structure of the insurance companies systems as well.
Even so, "putting everyone's life at risk" is such a wild exaggeration it's worth nothing more than laughter. Emergency, life threatening care gets done and they worry about the insurance or other forms of payment later. If people are being denied care that should be covered because someone hacked the insurance companies system, then it will be questioned and discovered.
Meanwhile, if you delayed for these theoretical concerns, actual people continue to not get care because they can't get insurance. Compare the death toll, even making wildly bad assumptions for your scenario.
|
1 person marked this as a favorite.
|
Justin Rocket wrote: Show me your proof that security vulnerabilities don't exist in the ACA system. Did you seriously just ask for this?
This is, like, the definition of concern trolling.
Pathfinder Adventure, Adventure Path, Lost Omens Subscriber
Justin Rocket wrote: Krensky wrote:
What you're suggesting is like saying someone could hack into Orbitz and cause a plane crash.
What I'm suggesting is that a hacker could potentially use an exploit on the ACA server and use the ACA server as a launching point to connect to servers the ACA server is connected to. That may include insurance provider servers. No, what you're suggesting is that the ACA server is as vulnerable as any server is. Which is true.
And that the ACA server is automatically less reliable than, say, any other server because it's the server for ACA. Which is not.
And that the ACA server, since it is automatically less reliable than, say, any other server based on the fact that it's the ACA server, everyone who might use it would put their life at risk to do so. Which is preposterous.
By the latest figures I could find, healthcare.gov is costing over $600,000,000 to develop. That's more than half what it cost to develop MS Vista. Either that indicates the degree of complexity (and likilihood of serious security issues) in the code or it represents fraud, waste, and abuse.
Considering that you have shown PHB levels of knowledge about network security and its history and you're the one making wild, improbable, ridiculous claims about hypothetical security flaws involving things that healthcare.gov doesn't do...
Why are we discussing this with you again?
Pathfinder Adventure, Rulebook Subscriber
Vista was also a single in-house system with previous examples available, and didn't have fifty other variable systems in flux.
thejeff wrote: The system architecture is pretty irrelevant. It's the connection to the other systems that would be the concern under your scenario. How parts are organized and connected is architecture. That's pretty much the definition of architecture.
thejeff wrote: Even so, "putting everyone's life at risk" is such a wild exaggeration it's worth nothing more than laughter. Emergency, life threatening care gets done and they worry about the insurance or other forms of payment later. If people are being denied care that should be covered because someone hacked the insurance companies system, then it will be questioned and discovered. If you have a copy of the ACA architecture, I'd love to review it. Until then, you don't know what is connected to what.
thejeff wrote:
Meanwhile, if you delayed for these theoretical concerns, actual people continue to not get care because they can't get insurance. Compare the death toll, even making wildly bad assumptions for your scenario.
This is an attempt at a risk assessment, but the right people need to make it.
Justin Rocket wrote: By the latest figures I could find, healthcare.gov is costing over $600,000,000 to develop. That's more than half what it cost to develop MS Vista. Either that indicates the degree of complexity (and likilihood of serious security issues) in the code or it represents fraud, waste, and abuse. Wrong!
Total contract value is just shy of $300 million, which is the most the contact is worth. Only about $170 million was spent though.
But thank you for playing.
Pathfinder Adventure, Rulebook Subscriber
Justin Rocket wrote: This is an attempt at a risk assessment, but the right people need to make it. That I will agree with, but we are certainly not the right people for that task as armchair software developers. So I think I will bow out of the discussion.
thunderspirit wrote:
No, what you're suggesting is that the ACA server is as vulnerable as any server is. Which is true.
No, its not true. All else being equal, a server which has only popular COTS software at least three years old, but not discontinued is going to be less vulnerable than a server running custom code which hasn't been through a good code review.
Justin Rocket wrote:
thejeff wrote: Even so, "putting everyone's life at risk" is such a wild exaggeration it's worth nothing more than laughter. Emergency, life threatening care gets done and they worry about the insurance or other forms of payment later. If people are being denied care that should be covered because someone hacked the insurance companies system, then it will be questioned and discovered. If you have a company of the ACA architecture, I'd love to review it. Until then, you don't know what is connected to what.
You do realize that reply has nothing to do with the quoted part. That was what could happen if your fears were correct and someone was able to hack through the ACA into an insurance company's system and deny payment for care. Assuming the kind of malicious intent that actual wants to hurt people instead of stealing data/money btw.
If that happened, the non-computer parts of the system get involved and deal with it.
With greater ease than they do now, when the insurance company is actually trying to deny care.
Krensky wrote: Justin Rocket wrote: By the latest figures I could find, healthcare.gov is costing over $600,000,000 to develop. That's more than half what it cost to develop MS Vista. Either that indicates the degree of complexity (and likilihood of serious security issues) in the code or it represents fraud, waste, and abuse. Wrong!
Total contract value is just shy of $300 million, which is the most the contact is worth. Only about $170 million was spent though.
But thank you for playing. Your data is wrong. The GAO report states that $394 million was spent up through March '13 on contracts alone.
thejeff wrote: Justin Rocket wrote:
thejeff wrote: Even so, "putting everyone's life at risk" is such a wild exaggeration it's worth nothing more than laughter. Emergency, life threatening care gets done and they worry about the insurance or other forms of payment later. If people are being denied care that should be covered because someone hacked the insurance companies system, then it will be questioned and discovered. If you have a company of the ACA architecture, I'd love to review it. Until then, you don't know what is connected to what.
You do realize that reply has nothing to do with the quoted part. That was what could happen if your fears were correct and someone was able to hack through the ACA into an insurance company's system and deny payment for care. Assuming the kind of malicious intent that actual wants to hurt people instead of stealing data/money btw.
If that happened, the non-computer parts of the system get involved and deal with it.
With greater ease than they do now, when the insurance company is actually trying to deny care. You're fixated on that one type of attack I mentioned and you are ignoring my more important statement that we do not know what risks are involved in this application until a thorough risk assessment is done.
Justin Rocket wrote: Krensky wrote: Justin Rocket wrote: By the latest figures I could find, healthcare.gov is costing over $600,000,000 to develop. That's more than half what it cost to develop MS Vista. Either that indicates the degree of complexity (and likilihood of serious security issues) in the code or it represents fraud, waste, and abuse. Wrong!
Total contract value is just shy of $300 million, which is the most the contact is worth. Only about $170 million was spent though.
But thank you for playing. Your data is wrong. The GAO report states that $394 million was spent up through March '13 on contracts alone. Strike two.
That was the total spent on all aspects of the federal exchanges. Most of which has nothing to do with the website.
Krensky wrote: Justin Rocket wrote: Krensky wrote: Justin Rocket wrote: By the latest figures I could find, healthcare.gov is costing over $600,000,000 to develop. (Snip) Total contract value is just shy of $300 million, which is the most the contact is worth. Only about $170 million was spent though.
But thank you for playing. Your data is wrong. The GAO report states that $394 million was spent up through March '13 on contracts alone. Strike two.
That was the total spent on all aspects of the federal exchanges. Most of which has nothing to do with the website. Ummm- did you notice that you are contradicting yourself now?
">$600M" != "$394M"
Krensky wrote: Most of which has nothing to do with the website. the figure I provided is for HealthCare.gov. Consequently, it includes the cost of the data hub, etc.
Quote: The highest volume of obligations
related to the development of information technology systems for the
FFEs.
it does not, however, include salaries nor admin costs
Usagi Yojimbo wrote: Krensky wrote: Justin Rocket wrote: Krensky wrote: Justin Rocket wrote: By the latest figures I could find, healthcare.gov is costing over $600,000,000 to develop. (Snip) Total contract value is just shy of $300 million, which is the most the contact is worth. Only about $170 million was spent though.
But thank you for playing. Your data is wrong. The GAO report states that $394 million was spent up through March '13 on contracts alone. Strike two.
That was the total spent on all aspects of the federal exchanges. Most of which has nothing to do with the website. Ummm- did you notice that you are contradicting yourself now?
">$600M" != "$394M" Did you see the part where I wrote, "through March '13"? Where I live, it is November.
Justin Rocket wrote: Krensky wrote: Most of which has nothing to do with the website. the figure I provided is for HealthCare.gov. Consequently, it includes the cost of the data hub, etc.
Quote: The highest volume of obligations
related to the development of information technology systems for the
FFEs.
it does not, however, include salaries nor admin costs And you're out.
Pick an exit strategy and bow out now since everything you've said is a misrepresentation or fabrication.
http://m.washingtonpost.com/blogs/fact-checker/wp/2013/10/24/how-much-did-h ealthcare-gov-cost/
Yeah. I mean, you know we all have google right?
Justin Rocket wrote: thejeff wrote: Justin Rocket wrote:
thejeff wrote: Even so, "putting everyone's life at risk" is such a wild exaggeration it's worth nothing more than laughter. Emergency, life threatening care gets done and they worry about the insurance or other forms of payment later. If people are being denied care that should be covered because someone hacked the insurance companies system, then it will be questioned and discovered. If you have a company of the ACA architecture, I'd love to review it. Until then, you don't know what is connected to what.
You do realize that reply has nothing to do with the quoted part. That was what could happen if your fears were correct and someone was able to hack through the ACA into an insurance company's system and deny payment for care. Assuming the kind of malicious intent that actual wants to hurt people instead of stealing data/money btw.
If that happened, the non-computer parts of the system get involved and deal with it.
With greater ease than they do now, when the insurance company is actually trying to deny care. You're fixated on that one type of attack I mentioned and you are ignoring my more important statement that we do not know what risks are involved in this application until a thorough risk assessment is done. That's because it's the only thing you've suggested that would be "putting everyone's life at risk". I'll freely admit there are privacy and identity theft concerns.
I deal with software test too, though on a very different level. I know the difference between life or safety critical code and lower risk code. This is very definitely not life critical code. Pretending it is because of theoretical hacks is just fearmongering.
I'm glad you all have Google. You can decide for yourself whether to believe the GAO or the Washington Post. I side with the GAO.
thejeff wrote: Justin Rocket wrote: thejeff wrote: Justin Rocket wrote:
thejeff wrote: Even so, "putting everyone's life at risk" is such a wild exaggeration it's worth nothing more than laughter. Emergency, life threatening care gets done and they worry about the insurance or other forms of payment later. If people are being denied care that should be covered because someone hacked the insurance companies system, then it will be questioned and discovered. If you have a company of the ACA architecture, I'd love to review it. Until then, you don't know what is connected to what.
You do realize that reply has nothing to do with the quoted part. That was what could happen if your fears were correct and someone was able to hack through the ACA into an insurance company's system and deny payment for care. Assuming the kind of malicious intent that actual wants to hurt people instead of stealing data/money btw.
If that happened, the non-computer parts of the system get involved and deal with it.
With greater ease than they do now, when the insurance company is actually trying to deny care. You're fixated on that one type of attack I mentioned and you are ignoring my more important statement that we do not know what risks are involved in this application until a thorough risk assessment is done. That's because it's the only thing you've suggested that would be "putting everyone's life at risk". I'll freely admit there are privacy and identity theft concerns.
I deal with software test too, though on a very different level. I know the difference between life or safety critical code and lower risk code. This is very definitely not life critical code. Pretending it is because of theoretical hacks is just fearmongering. pretending that serious vulnerabilities can't exist on a complex piece of software which has been rushed into production is sticking one's head in the sand.
Which both say the same thing.
This is just embarrassing now.
Krensky wrote: Which both say the same thing.
This is just embarrassing now.
They very clearly don't. the article you posted is about someone who guessed what the total was.
Yeah, the post article is breaking down and explaining the GAO report...
Justin Rocket wrote: Krensky wrote: Which both say the same thing.
This is just embarrassing now.
They very clearly don't. the article you posted is about someone who guessed what the total was. Oh so you didn't read it. Gotcha.
meatrace wrote: Justin Rocket wrote: Krensky wrote: Which both say the same thing.
This is just embarrassing now.
They very clearly don't. the article you posted is about someone who guessed what the total was. Oh so you didn't read it. Gotcha. Devine methodically searched through all of the task orders for the CGI Federal contract, highlighted in blue what she guessed was related to the health-care Web site — and came up with a figure of just $70 million.
Justin Rocket wrote: meatrace wrote: Justin Rocket wrote: Krensky wrote: Which both say the same thing.
This is just embarrassing now.
They very clearly don't. the article you posted is about someone who guessed what the total was. Oh so you didn't read it. Gotcha. Devine methodically searched through all of the task orders for the CGI Federal contract, highlighted in blue what she guessed was related to the health-care Web site — and came up with a figure of just $70 million. Keep reading, then apologize.
Krensky wrote: Justin Rocket wrote: meatrace wrote: Justin Rocket wrote: Krensky wrote: Which both say the same thing.
This is just embarrassing now.
They very clearly don't. the article you posted is about someone who guessed what the total was. Oh so you didn't read it. Gotcha. Devine methodically searched through all of the task orders for the CGI Federal contract, highlighted in blue what she guessed was related to the health-care Web site — and came up with a figure of just $70 million. Keep reading, then apologize. Yeah really.
Krensky wrote: Justin Rocket wrote: meatrace wrote: Justin Rocket wrote: Krensky wrote: Which both say the same thing.
This is just embarrassing now.
They very clearly don't. the article you posted is about someone who guessed what the total was. Oh so you didn't read it. Gotcha. Devine methodically searched through all of the task orders for the CGI Federal contract, highlighted in blue what she guessed was related to the health-care Web site — and came up with a figure of just $70 million. Keep reading, then apologize. Are you refering to the place they cherry pick numbers out of the GAO report (essentially ignoring the report's big numbers while cherry picking the report's low numbers?
At the end of the article for those who don't want to follow the link
Washington Post wrote: update, Oct. 30: In testimony on Capitol Hill, Health and Human Services Secretary Kathleen Sebelius said, in response to a direct question: "Congresswoman, we have spent about $118 million on the website itself, and about $56 million has been expended on other IT to support the web."
That adds up to $174 million.
Justin Rocket wrote: Are you refering to the place they cherry pick numbers out of the GAO report (essentially ignoring the report's big numbers while cherry picking the report's low numbers? What? No. They quote the 394m figure, but note that it includes a wide swath of contracts not related to the website.
Regardless, I think the 394 million amount, directly from the GAO, is the best figure we have, not some phantom 600 million that you asserted.
Justin Rocket wrote: I'm glad you all have Google. You can decide for yourself whether to believe the GAO or the Washington Post. I side with the GAO. there are some credibility and sourcing issues here- didn't one get their numbers and information from the other?
Freehold DM wrote: Justin Rocket wrote: I'm glad you all have Google. You can decide for yourself whether to believe the GAO or the Washington Post. I side with the GAO. there are some credibility and sourcing issues here- didn't one get their numbers and information from the other? Yep.
|
2 people marked this as a favorite.
|
So...
Healthcare.gov is complex software. Check.
Complicated software has vulnerabilities. Check.
Therefore Healtcare.gov likely has some vulnerabilities. Check.
Ergo, the ACA is bad. Wait...what?
And Justin, you're demanding detailed design docs on the Internet (the existence of which would be a huge security breach) to prove the software is secure? Do you even understand how ludicrous you sound?
bugleyman wrote: So...
Healthcare.gov is complex software. Check.
Complicated software has vulnerabilities. Check.
Therefore Healtcare.gov likely has some vulnerabilities. Check.
Ergo, the ACA is bad. Wait...what?
Actually, I think the logic continues from '...has some vulnerabilities' (sure, as you say)
to: therefore, people will die, because Obama
And then pick back up with 'Ergo, the ACA is bad'
If you can't follow that, you must be willfully blind!
Justin Rocket wrote: By the latest figures I could find, healthcare.gov is costing over $600,000,000 to develop. That's more than half what it cost to develop MS Vista. Either that indicates the degree of complexity (and likilihood of serious security issues) in the code or it represents fraud, waste, and abuse. I already posted a link to data explaining that the ACA website involves about 1000% of the amount of code that Windows Vista uses.
So, I mean, you'd better hope that we consider your argument ridiculous (we do), or else you'd be forced to acknowledge that, by your own logic, the ACA website was a steal. We paid less than $200 million for a system with a level of complexity that would have cost Microsoft $10 billion to put together.
Of course, amount of code isn't the same as the complexity of the product, but it's certainly less preposterous of a premise than the one you're throwing around.
They must have cut down quite substantially on the testing then. :-)
Sissyl wrote: They must have cut down quite substantially on the testing then. :-) [Shaking fist] No, you are wron... Well, yeah. Sigh. :(
If the number I've seen bandied about (I do not vouch for this) of two weeks of testing is correct? That is not the amount of testing that those of us in the field would call "not insane".
Let us hope that it is as accurate as the $600M figure cited above. ;)
Scott Betts wrote: (snip)
I already posted a link to data explaining that the ACA website involves about 1000% of the amount of code that Windows Vista uses.
(snip)
Of course, amount of code isn't the same as the complexity of the product, but it's certainly less preposterous of a premise than the one you're throwing around.
I didn't see that link, do you still have it handy?
I'm trying to wrap my head around 10x as much code (however defined) for a glorified website. Huh.
It is usually a question of good, fast, cheap, pick any two. And if it's an absolute steal... AND has a tight deadline...
|
6 people marked this as a favorite.
|
Usagi Yojimbo wrote: bugleyman wrote: So...
Healthcare.gov is complex software. Check.
Complicated software has vulnerabilities. Check.
Therefore Healtcare.gov likely has some vulnerabilities. Check.
Ergo, the ACA is bad. Wait...what?
Actually, I think the logic continues from '...has some vulnerabilities' (sure, as you say)
to: therefore, people will die, because Obama
And then pick back up with 'Ergo, the ACA is bad'
If you can't follow that, you must be willfully blind! You guys, Barack Obama was just here. He grabbed me by the neck and lifted me out of my chair and slammed me down on my bed. I tried to explain that, while I'm sure he's an accomplished lover, he is not my type.
Obama would hear none of it. He pressed his fingers together, like he was going to make a karate chop, and then just slammed them into my abdomen, fingertips first. Before I could even process what happened, Obama pulled out, my appendix in hand. I'll never forget what he said next, hand dripping with my blood as he stood over me:
"North Korea hacked healthcare.gov and gave you appendicitis. Put a band-aid on that, drink some Robitussin, and take two aspirin. You'll be fine. And get a haircut, hippie."
Then Obama threw the bloody appendix in my face and climbed out my window into a flying bidet that, as I understand it, became Air Force One as soon as he mounted the thing and blasted off. I got up to get the band-aid and realized that he took my Lego C-3PO on the way out.
Gotta call dick move on the 3PO, Obama.
So not cool! Maybe Obama really DOES want to destroy freedom!
Usagi Yojimbo wrote: Sissyl wrote: They must have cut down quite substantially on the testing then. :-) [Shaking fist] No, you are wron... Well, yeah. Sigh. :(
If the number I've seen bandied about (I do not vouch for this) of two weeks of testing is correct? That is not the amount of testing that those of us in the field would call "not insane".
Let us hope that it is as accurate as the $600M figure cited above. ;) Two weeks of full scale integration test. How all the pieces work together. That says nothing about the testing the individual pieces got.
It's still way too low, but not as ridiculous.
Usagi Yojimbo wrote: Scott Betts wrote: (snip)
I already posted a link to data explaining that the ACA website involves about 1000% of the amount of code that Windows Vista uses.
(snip)
Of course, amount of code isn't the same as the complexity of the product, but it's certainly less preposterous of a premise than the one you're throwing around.
I didn't see that link, do you still have it handy?
I'm trying to wrap my head around 10x as much code (however defined) for a glorified website. Huh. I saw one link Scott posted that compared the supposed amount of code with other things, but I've never seen any good source for the numbers that are being thrown around for lines of code.
I suspect they're crap. Or, at the most generous, include all the library code and all the generated html and similar autogenerated code.
meatrace wrote:
Maybe in your circles. I've talked with a WHOLE lot of people who identify as anarcho-capitalists. AnCap is the new, even more radical version of libertarianism and has the same sort of allure to young, financially stable, white men.
Especially on the internet. It's so prevalent on YouTube and especially in the deep web.
We've seen people extoll the virtues of anarcho-capitalism on these boards, using that very term.
You'll have to forgive me for not following Internet memes. LOLcats had a disturbingly negative effect on me.
|
