
If shut down, the site would take about seven to 12 months to fix

Security experts said that shutting the website down entirely until all fixes are made would be in the best interest of consumers' private information.

According to a report from Reuters, Representative Chris Collins (R-NY) asked four experts about the security of the healthcare site during a congressional hearing by the House of Representatives Science, Space and Technology Committee. 

The experts consisted of two academics and two private sector technical researchers. 

Collins asked the experts a series of questions during the hearing, but two in particular stood out: Is secure, and would they recommend shutting it down entirely until it's completely fixed? 

All four experts agreed that the site is not secure as of today.

"The privacy and security of consumers' personal information are a top priority," said Jay Carney, White House spokesman. "When consumers fill out their online marketplace applications they can trust that the information that they are providing is protected by stringent security standards."

When asked if the site should be shut down, three of the experts said "yes" while the fourth said they'd need more information before they could give an answer.

However, if this were to happen, David Kennedy (head of computer security consulting firm TrustedSec LLC and a former U.S. Marine Corps cyber-intelligence analyst) said it would take about seven to 12 months to fix. This is due to the size of the site, which runs 500 million lines of code. 

The federal government's health insurance marketplace -- -- has seen a load of technical issues since its launch on October 1. It has been difficult for many uninsured Americans to browse the website and log in, let alone select an insurance plan.

Republican investigators with the House of Representatives Energy and Commerce Committee unveiled the emails in a recent investigation of the troubles. 

Last month, Verizon's Terremark -- which hosts and allows uninsured Americans to both search and buy health insurance -- lost network connectivity after a technical failure. The glitch also threw off a data services hub that connects a number of federal agencies and is used to verify people's identity, citizenship, etc. This verification is necessary to check if people are eligible for tax credits that cut the cost of monthly insurance premiums.

Shortly after, Microsoft offered its help with's technical issues. The House Oversight Committee sent letters to others as well, such as Kayak and Verizon, looking for help.

President Barack Obama has called the website glitches "unacceptable."

It recently surfaced that project manager Henry Chao sent an email out about the site's main contractor -- CGI Federal -- on July 16, which is being seen as an early warning that the October 1 launch of might not go so well.

"I just need to feel more confident they are not going to crash the plane at take-off," Chao said in the email.

Source: Reuters


Ah, but ideology at stake
By Dorkyman on 11/20/2013 6:07:11 PM , Rating: 1
Messiah would never agree to such a thing. Obamacare is his baby, his legacy. The man is a raging narcissist. He would rather chew off his arm.

RE: Ah, but ideology at stake
By amanojaku on 11/20/2013 6:40:29 PM , Rating: 3
Sorry to interrupt your rant, but are you seriously implying that Obama would rather have the site up and doing nothing, further tarnishing his reputation? The man is many things, but he's not stupid. If a temporary - let me repeat that, TEMPORARY - shutdown of the site is the best course of action, Obama would do it. In no way does this affect the Patient Protection and Affordable Care Act, other than to add more negative publicity. You can still phone a call center to apply. He's done what he wanted to do; Obamacare is here to stay.

RE: Ah, but ideology at stake
By KCjoker on 11/20/2013 7:20:26 PM , Rating: 4
"Obamacare is here to stay."...unfortunately you may be right.

RE: Ah, but ideology at stake
By tayb on 11/20/2013 7:57:17 PM , Rating: 5
The only way Republicans can repeal the Affordable Care Act in the near future is to gain a 2/3 majority in both the Senate and the House. That isn't happening.

The next option would be to win the Presidency in 2016 (inauguration 2017) and then win a filibuster proof majority in both the Senate and the House. The likelihood of a single one of those happening is fairly slim at this time but the likelihood of all three happening is basically non-existent.

After all the talk the past 3 years Republicans are desperately hoping that this bill fails. Because if it is successful they are going to look like the largest group of schmucks in American history.

RE: Ah, but ideology at stake
By Nfarce on 11/20/2013 10:36:14 PM , Rating: 3
Considering we are already seeing unintended consequences of this law (millions losing their health insurance plans, tens of thousands of hourly employees having their hours cut back or worse their jobs cut completely for starters, countless others having their premiums and co-pays skyrocket), I don't think the Republicans have much to worry about. Maybe that's why a host of Democrats up for re-election next year are now backing a plan of delaying the individual mandate of the ACA, something the Republicans called for from the start.

And then there's the snapshot of sentiment of how Americans really feel about Obamacare:

CBS poll: 31% approve of the ACA, 61% disapprove
Gallup: 40% approve, 55% disapprove
Rasmussen: 38% approve, 58% disapprove

RE: Ah, but ideology at stake
By Samus on 11/21/2013 1:54:56 AM , Rating: 1
The problem is, virtually nobody really understands the ACA because all the media reports is negativity. At its roots, it will help everybody's health and financial situation, also improving the economy. This has been demonstrated in every other industrialized country on the planet.

By way of which, we are the only first-world country that doesn't have universal healthcare, which this bill STILL won't address.

Obamacare isn't healthcare. It's just health insurance.

RE: Ah, but ideology at stake
By Zaranthos on 11/21/2013 8:02:20 AM , Rating: 3
I really wish people weren't so clueless. The media by and large was firmly on the side of Obamacare and sang its praises for years. It's only now when the sky is falling that they have to report bad things, well, because there's virtually nothing good to report.

It's going to improve the economy by all the people losing insurance because they now can't afford it, hiring armies of new people to answer phones and hold people's hands while they apply? Because the website doesn't and won't work for who knows how long, and costs are going up for almost everyone that actually produces for the country in the form of hard work and paying their taxes. By and large the only people actually signing up are the poor who get most of it subsidized by the government. Did you ever think that despite its problems we had the best healthcare system in the world? Because we did and most of the problems with rising costs were because of government meddling. It was the government paying only a percentage of costs of medicare and medicaid that were forcing prices higher and higher because the people who actually paid had to pick up the difference for the people the government was supposed to be covering.

People are so damned clueless and that's why we're doomed.

RE: Ah, but ideology at stake
By jimbojimbo on 11/21/2013 10:26:59 AM , Rating: 2
"By and large the only people actually signing up are the poor who get most of it subsidized by the government."
Sadly the dumb bill's entire plan to fund this is by forcing people that by choice opt not to have insurance because they are primarily healthy and don't need it. Those people will be the last to buy into this or may even opt not to do so because by some reports the money taken out of their taxes would be less than the amount they would have to pay for the insurance and getting the insurance isn't really worth it due to the extremely high deductibles.
This entire bill should have been blocked the second Pelosi admitted to voting about it before reading it. Pass a bill so you can read it later? What the hell happened to reading it before passing it?

RE: Ah, but ideology at stake
By KFZ on 11/21/2013 3:39:46 AM , Rating: 2
"Bill"? ACA is law, and the hope is to repeal.

Delays. Shredded insurance plans. A total failure of a website. Public sticker shock. Non-"solutions". IT infrastructure (the problem no one is talking about). A Presidential apology (and I'd use that term loosely). A WH and Democrat party in full damage control, as it has been throughout every calamity this administration finds itself in...

and you claim it's the Republicans who are all talk and desperation?

We're witnessing an implosion and you're talking like the GOP is wishing for something bad to happen. In case you just came from watching MSNBC, here in reality we're looking for how this actual mess is going to get cleaned up, when the WH and key lawmakers are going to accept responsibility and want to see heads roll.

RE: Ah, but ideology at stake
By merc14 on 11/21/2013 9:02:45 AM , Rating: 2
You need to catch up and get past your liberal bias. Democrats are running away from this monstrosity like scalded dogs. Latest poll has 93% (CBS Poll) of Americans wanting this mess repealed or massively overhauled. ACA has nothing to do with healthcare and everything to do with power, money and control over people. Oh, let's not forget keeping democrats in power for generations with the "The republicans want to take away your healthcare." mantra they were expecting to use for the next 50 years+.

RE: Ah, but ideology at stake
By spamreader1 on 11/21/2013 10:16:51 AM , Rating: 2
Republicans aren't hoping this bill fails. No sane person would want such a massive mess. They just happened to have seen the writing on the walls long before those that refused, and some who continue to refuse, to see it. Then it was pushed through so hard that it couldn't be fixed. The only way to try to fix it was to stop it before it did any damage, but alas, the damage is now done. So it's a matter of how to try and recover before it gets worse. It seems there was a severe lack of testing prior to release. Would have been so bad to have tested and say "Hey um, Mr. President, yea, we're uh, not ready for this yet." And then fixed it before rolling it out.

Right now one of the worst things is that the blame game is still going on instead of addressing the issue.

As an independent I'm so sick of the media spinning this as a us vs them issue. Last time I checked we're all Americans. Quit splitting the country in half. Checks and balances was designed to prevent this kind of stuff, but it's being bypassed more and more since 9/11.

RE: Ah, but ideology at stake
By FITCamaro on 11/21/2013 12:21:37 PM , Rating: 2
The law is doing exactly what those in charge wanted. Creating chaos and dysfunction so that they can then ride in and save the day with another "We have to do this to fix" scenario that ends with the government running health care. Reid even admits now that the goal was a single payer system.

RE: Ah, but ideology at stake
By muIIet on 11/21/2013 10:33:38 AM , Rating: 2
RE: Ah, but ideology at stake
By FITCamaro on 11/21/2013 12:20:04 PM , Rating: 3
"He's done what he wanted to do"

Ruin the health care system so the government can completely take it over?

Ruin hiring and full time employment as employers struggle with higher costs of doing business?

Create chaos in the insurance market?

Violate the law on multiple occasions?

Create the largest divide between different backgrounds of Americans in history by casting any disagreement as a racial matter?

RE: Ah, but ideology at stake
By marvdmartian on 11/22/2013 10:35:41 AM , Rating: 2
Actually, it works out stupendously for him. While his reputation takes a little ding (quickly forgotten) for rushing a faulty product into the public, he gets way more brownie points to make up for it, by holding off when people have to sign up, AND the added bonus that people won't have to sign up until AFTER the midterm elections next year.

Trust me, the Democrats coming up for re-election are breathing a sigh of relief over this one!

500 million lines?
By tayb on 11/20/2013 7:08:12 PM , Rating: 2
500 million lines? I've heard this number before but I've never seen a source for it or anything to corroborate that number. To me that number seems way too outrageous to be true. I'll try to put it in perspective...

On some days I may write 100 lines of code while on another I may delete several hundred lines of code and replace them with a few better written lines for a net negative. I will estimate way way way too high and say I write 100 lines of code per day.

So how many people of similar productivity would it take to write 500 million lines of code?

~ 1,900 programmers at maximum efficiency every business day for 10 years
~ 3,800 programmers at maximum efficiency every business day for 5 years
~ 9,600 programmers at maximum efficiency every business day for 2 years
~ 19,200 programmers at maximum efficiency every business day for 1 year

That's assuming these programmers are expertly communicating, their code never needs to be reviewed or re-written, all of their functions align together perfectly, and there are no bugs ever.

A more realistic estimate would be to take every single one of those numbers and multiply them by 10. So you get 19,000, 38,000, 96,000, and 192,000. Considering the project was only being worked on for a year I don't believe they hired 192,000 programmers. But maybe they did.

To me this 500 million number doesn't seem remotely possible regardless of the budget. If it is true this site has to be the most bloated piece of software ever written in the history of software development. And there is absolutely no way they could possibly patch every security hole in 500 million lines of code. No way.

RE: 500 million lines?
By JasonMick on 11/20/2013 8:24:51 PM , Rating: 3
I wonder if they're counting database values, auto-generated queries, comments as "code".

The government official did claim the code was that many lines, but how the government defines "code" was not explained and may be technically flawed.

If an employee writes 100 lines per day and that results in 10,000 auto-generated queries which are stored to some sort of database, it could quickly snowball to such a size, assuming that a few hundred engineers or so were put on the site, and spent a year making such junk. I'm not saying that's a normal procedure, but given the site's extreme dysfunctionality, who knows what jacked up things the developer team was doing...

At the end of the day it's an interesting technical debate, but the bottom line is the site is one massive clusterf--k. Maybe he should ask Mitt Romney for help? ;)

RE: 500 million lines?
By maugrimtr on 11/22/2013 6:52:44 AM , Rating: 2
This entire situation is plain bulls**t.

There is no way the site involved writing 500 million lines of code, which means the quoted fix time is simply ridiculous. In reality, the website probably has a very small core of custom code backed by 499+ million lines of off the shelf software code.

If my numbers are wrong, then a) the government spent an absolute fortune reinventing the wheel and b) the dumbest security expert on the planet would refuse to sign off its audit since it would take far too long to ever complete a quality one properly and c) whoever runs IT over there needs to be fired.

Assuming there's even 1 million lines of custom code (which I seriously doubt), how did these security experts gauge the security of the web application? Were they given access to the code? Did they do any penetration testing? Do they have the web application's design document? Did they pull their opinions out of their asses? Well...

Q) Is secure?
A) No.
Q) Is the Heaven OS written by the God himself secure?
A) No.

Any security expert who answers Yes to the above questions is not a security expert. It's an unfair question when probability alone demands that 500 million lines of code will almost certainly contain security flaws. Of course, the healthcare site is insecure. All websites are probably insecure in some way - the trick for hackers is in finding original flaws before the white hats do.

Should the site be taken offline? Impossible to know. If you assume it's insecure, then yes would be the prudent choice. Of course, since all websites are probably insecure this would require closing the entire internet so the correct answer is, of course, no. Unless you know for sure that there's an active flaw that must be fixed now, the show must go on.

Also, as Reuters noted but DT did not, the questions were running in a rapid Yes.No pattern - the experts were unable to expand on their prudent responses to proffer informed opinions and qualifications.

RE: 500 million lines?
By YearOfTheDingo on 11/20/2013 8:38:33 PM , Rating: 2
You're underestimating the ability of poor programmers to generate code bloat. I've worked with people before who would include stuff into a project not because it's useful but because they want to add an item to their resume. So the simplest of web sites could end up with four application frameworks and ten client-side libraries.

RE: 500 million lines?
By TheDoc9 on 11/21/2013 2:10:54 PM , Rating: 2
This is my guess, he's counting both client and server side libraries, including 3rd party. Plus the different frameworks they use for calculation etc. Most of which were probably written 10 years ago or more.

Even still. The 500 million remark is a bold faced lie.

RE: 500 million lines?
By tjacoby on 11/20/2013 10:50:04 PM , Rating: 2
Really? 100 lines in a day?

A website I am working on for a family member has a helper file that is 81 lines long... Including "imports" statements, blank lines, etc. I would not hesitate to say they included every blank line in this estimate.

Let's not exclude all of the HTML they wrote, and JavaScript. Non-minimized JavaScript is gigantic, bigger than even C#/Java (can't comment on PHP, and God forbid they wrote this in VB.NET...). Shoot, I am sure they included project files and solution files in that count.

I am sure 500 million is overestimated, but I think 100 lines of code per day is grossly underestimated.

RE: 500 million lines?
By YearOfTheDingo on 11/21/2013 1:20:30 AM , Rating: 2
Someone probably just sat down and did a line count on all the deliverables from vendors. A great portion of the 500 million is likely duplication and dead code.

RE: 500 million lines?
By Solandri on 11/21/2013 4:51:06 AM , Rating: 4
100 lines per day is a pretty good rate. You have to remember that a programmer doesn't just sit there writing code. If I really tried I could probably pound out a thousand lines in a day. But I'd have to spend a couple days before thinking up how I would design and structure the code. And then I'd have to spend the next week or so testing, revising, rewriting parts that don't work, writing documentation, etc. Once you factor all that in, 100 lines a day is a pretty good clip.

RE: 500 million lines?
By mik123 on 11/21/2013 1:15:17 AM , Rating: 2

Entire Facebook code is around 60 million lines.

RE: 500 million lines?
By Samus on 11/21/2013 1:50:22 AM , Rating: 2
In addition, Facebook has been around for 10 years, and debatably has far more features, functionality and security than

Facebook also has an order of magnitude more users than will ever have.

This law was a decent idea but holy cow is this rollout botched. They should have just kept it simple and expanded Medicare and Medicaid to more people.

RE: 500 million lines?
By ipay on 11/21/2013 8:52:44 AM , Rating: 2
"expanded Medicare and Medicaid"
Yea but that wouldn't have been in the best interest of the insurance companies and their lobbyists.

RE: 500 million lines?
By Gnarr on 11/21/2013 6:08:10 AM , Rating: 2
It says right there in that link that is 5 million lines of code.

RE: 500 million lines?
By Spookster on 11/21/2013 12:56:31 PM , Rating: 2
Even if they were using physical SLOC (Source Lines Of Code) versus logical SLOC that 500 million SLOC is ridiculously high for a website front end and back end application.

The whole thing needs to be scrapped
By YearOfTheDingo on 11/20/2013 7:26:14 PM , Rating: 2
Software development is more than just writing code. Testing is an equally important part of the process--if not more important. At this point, I think it's quite evident that there's no quality assurance built into at all. For instance, take the bug that impacted the Washington state exchange: the state system was sending monthly income when the federal system was expecting annual figures. That's something that a programmer would readily catch had he been developing against a test apparatus. It's clearly not there. I don't see how you can maintain 500 million lines of code with such flimsy QA infrastructure.

By Zaranthos on 11/21/2013 8:09:59 AM , Rating: 2
Because hiring people to do it was based on political favors and not on who can do it best. Then when the poor schmucks get hired they enter the tar pits of government red tape where nothing gets done without doing it twice and reviewing it 5 more times before actually doing it. Quality control? That's someone else's department. I think I heard someone say it's Bush's fault. /facepalm

500 million lines of code.
By Harsh3090416 on 11/20/2013 7:39:56 PM , Rating: 2
Haha I can't believe DailyTech actually published it without any fact checking. Just saying even a modern operating system wouldn't have that many lines of code.

By Harsh3090416 on 11/20/2013 7:47:37 PM , Rating: 2
And I can't believe the fact that they spent 170 to 300 million dollars to build that website. Whoever approved that budget should be fired right away. That's a complete waste of our hard earned tax dollars.
