Slashdot Mirror


Hacker Says He Could Access 70,000 Healthcare.Gov Records In 4 Minutes

cold fjord writes with this excerpt from Computerworld: "[W]hite hat hacker David Kennedy, CEO of TrustedSec, may feel like he's beating his head against a stone wall. Kennedy said, 'I don't understand how we're still discussing whether the website is insecure or not. ... It is insecure — 100 percent.' Kennedy has continually warned that healthcare.gov is insecure. In November, after the website was allegedly 'fixed,' he told Congress it was even more vulnerable to hacking and privacy breaches. ... 'Out of the issues identified last go around, there has been a half of a vulnerability closed out of the 17 previously disclosed ... other security researchers have also identified an additional 20+ exposures on the site.' ... Kennedy said he was able to access 70,000 records within four minutes ... At the House Science and Technology Committee hearing held last week ... elite white hat hackers — Kevin Mitnick, Ed Skoudis, Chris Nickerson, Eric Smith, Chris Gates, John Strand, Kevin Johnson, and Scott White – blasted the website's insecurity. ... Mitnick, the 'world's most famous hacker' testified: '... It would be a hacker's wet dream to break into Healthcare.gov ... A breach may result in massive identity theft never seen before — these databases house information on every U.S. citizen! It's shameful the team that built the Healthcare.gov site implemented minimal, if any, security best practices.'"

52 of 351 comments

  1. Before they patch the hole by TimMD909 · · Score: 4, Funny

    The root password is "password1".

  2. So it has come to this by Impy+the+Impiuos+Imp · · Score: 5, Funny

    > 70,000 Healthcare.Gov Records In 4 Minutes

    Lie! There aren't even 70,000 people who have successfully registered yet.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    1. Re:So it has come to this by SJHillman · · Score: 3, Funny

      69,000 of those records are actually just "F1RST P0ST!". Just like a typical Slashdot article.

  3. New job for NSA by Anonymous Coward · · Score: 5, Insightful

    Idea: Let NSA work with securing government sites instead of terrorizing the entire world. I think that would be money better spent.

    1. Re:New job for NSA by cbhacking · · Score: 3, Insightful

      I'm not personally familiar with the database they're using, but it's worth noting that injection attacks work on some noSQL databases too. It all depends on how the data is added and accessed; any language (for even very loosely defined values of "language") that fails to clearly distinguish instructions from data risks the latter being interpreted as the former.

      Just in case you were being serious. :-)

      --
      There's no place I could be, since I've found Serenity...
    2. Re:New job for NSA by DoofusOfDeath · · Score: 4, Funny

      Well, at least you know it isn't vulnerable to SQL injection attacks.

      Exactly. Just the other day, they probably told Congress, "We're vulnerable to no SQL injection attacks!"

  4. Every citizen? by maharvey · · Score: 3, Interesting

    What's this about every US citizen?

    1. Re:Every citizen? by Crudely_Indecent · · Score: 5, Interesting

      As I understand it, the system is tied into other federal databases. Just because you haven't signed up, doesn't mean you aren't in one of the other databases that healthcare.gov is connected to.

      --
      "Lame" - Galaxar
    2. Re:Every citizen? by SJHillman · · Score: 4, Insightful

      You find me a US citizen who has no information in any of the databases that Healthcare.gov connects to. They'd have to have no birth (or death) records, no SS#, no driver's license, no registered vehicles, no house, no legal spouse, never filed a tax return, no credit card, no bank accounts... even in the most backwoods redneck areas of the country, you'd have trouble finding someone that doesn't exist in any government database.

  5. Re:Okay, but... by SJHillman · · Score: 5, Insightful

    How many commercial companies would have this much customer data at risk? If Target loses a few million credit card numbers, all consumers have to do to be safe is cancel the card and get a new one... my CC company is doing automatically for anyone that they suspect has been compromised. However, Healthcare.gov has access to SS numbers, addresses, phone numbers, driver's license numbers and God knows what else. Not only is it damned hard to change some of those, but even if you succeed you could be ruined for the rest of your life. There's plenty of people out there who can't get credit or apply for many jobs *for the rest of their life* because of clerical errors and many more who have criminals opening credit in their names (one of the main goals of identity theft) that those people are now liable for. You would hope that they would invest a little more into securing it than a commercial entity would invest in just securing credit card numbers.

  6. What data? by WPIDalamar · · Score: 3, Insightful

    What data was he able to access?

    Two ends of a possible spectrum I see...
    - Being able to tell 70k accounts exist by some numerical ID
    - Getting full personal information for 70k accounts including name, address, ssn, payment details

  7. Re: Okay, but... by ranton · · Score: 5, Insightful

    While that is true, customers have the choice to not work with companies that have shown poor security practices. No one can stop paying taxes if they feel the government isn't protecting the information in their tax returns. If the government wants to be trusted with information we wouldn't give to a private company, then they bear a much higher responsibility to keep it secure.

    It is similar to how we require police to log every firing of their weapon, while we don't require the same of private gun owners. The fact that we trust the police with power we don't give to normal citizens means they have to be held to a higher level of scrutiny.

    --
    -- All that is necessary for the triumph of evil is that good men do nothing. -- Edmund Burke
  8. Re:Throw money at it! by TheCarp · · Score: 5, Insightful

    > Forget the military-industrial complex; sequestration is shutting that down.

    ROTFL really? You actually think that is shutting down or that the fake sequestration dance had shit to do with it?

    Last year, right before sequestration hit, congress approved massive military spending on all sorts of pork. Sequestration itself was even only a cut in budget increases. Sequestration is very narrowly aimed at making paper cuts look like gaping wounds....and does so with exacting precision.

    I mean they closed down parks, did everything they could to make people feel the cuts as much as they could, all the while making no meaningful cut to anything.

    The military industrial complex is alive and well.

    --
    "I opened my eyes, and everything went dark again"
  9. Sometimes I wonder about numbers by kruach+aum · · Score: 5, Insightful

    If he could access 70,000 in 4 minutes, does that mean he could access 140,000 in 8 minutes? 140k in 5 minutes, 280k in 6 minutes? Or could he only access 70,000 total, and is the time in which he did it irrelevant to the story? These are the interesting questions to ask, because they would actually tell us something significant, and wouldn't smack of a lame attempt to analogize something in terms of football fields (or going 0 to 100 in x seconds).

  10. Re:Okay, but... by Anonymous Coward · · Score: 4, Informative

    History suggests so.

    The NASDAQ runs as an exchange operation, buying and selling stocks electronically as an exchange. The CBOE does the same thing for options, which have many similar features including risk profiles and such. The International Medical Exchange was a private venture designed to do exactly this kind of work and worked well; it was eventually acquired by Anthem Blue Cross and incorporated into their sign-up system to help match people to the right Blue Cross policies and options.

    If you make a claim, fine, but use examples to back up your tear-down of the private sector. Private enterprise historically is far more productive and capable than Government in this kind of venture.

  11. Re:Okay, but... by cbhacking · · Score: 4, Insightful

    Sure they would. Not all of them, true, but most. That's not to say they'd be perfect, but they would certainly have done better. Banking websites, despite often having stupid legacy requirements like 8-character passwords or relatively weak SSL ciphers, are routinely designed with vastly better security than is being described here. That's for their own sites; for ones operating under such a high-profile-the-gov-is-paying situation? They'd be idiots not to, and contrary to what it sometimes seems, not many successful companies are actually run by idiots. This whole fiasco has the potential to spell death for this company, and its top people, at least in government circles. They'll be too toxic to touch!

    Don't get me wrong, really good web security is hard. There's simple fixes for pretty much every class of problem, but there are a *lot* of possible problems and some of them are pretty un-intuitive. Knowing what security to implement, where, and how to do it is pretty specialized knowledge. In theory, it should be something every web developer knows, of course. In practice, that's not the case at all. Instead, there are a bunch of basic guidelines every code monkey is given, and then there are a handful of experts who oversee the whole thing. Small companies, or those operating on a tight budget of either time or money, may opt to leave that part to some outside experts once the code is already written (I would know; this is what I do) but they still often at least make the attempt.

    To go completely without such expertise, on such a high-profile project, though? Pure folly. Even where the implementation of security recommendations is hard (and sometimes it is), the cost of failing to implement them will be much greater, and they really should know that.

    --
    There's no place I could be, since I've found Serenity...
  12. I can almost imagine how it might be done by QilessQi · · Score: 5, Interesting

    Disclaimer: I've never been to the site, but I can almost imagine how such a hack might be done, because it's so easy to code a bad webapp:

    1. Create an account on the site.
    2. Log in.
    3. Notice that your URL ends in something like /showUserProfile?userID=70001
    4. While still in your session, tweak the URL's userID to some other numbers to see if you can bring another user's profile up. If you can, then:
    5. Automate the grabbing of userIDs 1 through 70000 via a Perl/Python/whatever script.

    A properly-designed app would validate the authenticated session against any data it was trying to access. A poorly-designed one would not, and so be vulnerable to this sort of attack.
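
Added example, not part of the original comment: the session-versus-record check described above, next to the unchecked pattern, plus a log check that flags one session walking through other users' IDs. All names (`PROFILES`, `SESSIONS`, `show_user_profile_*`, `flag_enumeration`) and all data are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: user_id -> profile record.
PROFILES = {
    70001: {"name": "Alice Example", "plan": "silver"},
    70002: {"name": "Bob Example", "plan": "bronze"},
    70003: {"name": "Carol Example", "plan": "gold"},
}

# Server-side session store: session token -> authenticated user_id.
SESSIONS = {"sess-alice": 70001, "sess-bob": 70002}


def show_user_profile_unchecked(session_token, user_id):
    """Flawed pattern: checks that a session exists, not whose record it is."""
    if session_token not in SESSIONS:
        return 401, None
    profile = PROFILES.get(user_id)
    return (200, profile) if profile else (404, None)


def show_user_profile_checked(session_token, user_id):
    """Validate the authenticated session against the record requested."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        return 401, None
    if owner != user_id:
        # Same answer whether or not the record exists, so the response
        # does not reveal which userIDs are valid.
        return 403, None
    profile = PROFILES.get(user_id)
    return (200, profile) if profile else (404, None)


def flag_enumeration(access_log, threshold=3):
    """Return session tokens that asked for at least `threshold` distinct
    userIDs other than their own (a sign of ID walking)."""
    foreign = defaultdict(set)
    for session_token, requested_id in access_log:
        owner = SESSIONS.get(session_token)
        if owner is not None and requested_id != owner:
            foreign[session_token].add(requested_id)
    return sorted(s for s, ids in foreign.items() if len(ids) >= threshold)


# Constructed access log: (session token, userID taken from the query string).
ACCESS_LOG = [
    ("sess-alice", 70001),
    ("sess-bob", 70002),
    ("sess-bob", 1),
    ("sess-bob", 2),
    ("sess-bob", 3),
    ("sess-bob", 4),
    ("sess-alice", 70001),
]

if __name__ == "__main__":
    print(show_user_profile_unchecked("sess-bob", 70001))
    print(show_user_profile_checked("sess-bob", 70001))
    print(flag_enumeration(ACCESS_LOG))
```
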

    1. Re:I can almost imagine how it might be done by cbhacking · · Score: 4, Interesting

      Yep. I see this all the time. Sometimes it's a little more subtle, though. Like, say, storing that value in a cookie. Most people never look at their cookies, but a web security expert (on either side) is more likely to see the cookies than they are to see the actual site rendering. Or the value might be something that in the abstract is impossible to guess (like 59340341412091985) but if you happen to know your SSN and your birthdate, you might recognize those values in that 17-digit mess (it's even easier if, for example, there's a | character between the parts) and then you can (relatively easily) start guessing other people's pairs.

      Sometimes it's even more subtle and requires some actual work to get at it, like storing an ID value concatenated with some other garbage like the date in a cookie encrypted with a static key (this one is actually fairly commonly done as a method of generating a token *identifying* the authenticated session, after all, if you don't have the key you can't generate the authentication token, right?). However, if you can guess which bits of that token are the ID (not hard; they're the ones that are the same whenever a given account signs on, but different for every account) you can twiddle the bits and basically brute-force the search space of valid IDs. There are still many ways to make this at least *somewhat* harder to attack, but a lot of developers won't bother... and there are ways to do it *worse*, too, like using an XOR with a constant mask instead of merely re-using the key with a real cipher.

      --
      There's no place I could be, since I've found Serenity...
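
Added example, not part of the original comment: why a token built by masking "ID + date" fails where an authenticated or opaque token does not. A one-bit change to the masked token still decodes to a valid-looking ID, while the HMAC-protected token and the random server-side token both reject it. The token layout, `MASK`, `MAC_KEY` and every function name are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

MASK = bytes.fromhex("a5" * 12)     # constructed constant mask (weak scheme)
MAC_KEY = secrets.token_bytes(32)   # per-deployment secret (assumed)
BODY_LEN, TAG_LEN = 12, 32
_OPAQUE = {}                        # server-side store: random token -> user_id


def _payload(user_id, date):
    # Assumed layout: 4-byte big-endian ID followed by an 8-character date.
    return user_id.to_bytes(4, "big") + date.encode("ascii")


def xor_token(user_id, date):
    """Weak scheme: payload XORed with a constant mask, no integrity check."""
    return bytes(p ^ m for p, m in zip(_payload(user_id, date), MASK))


def xor_token_user(token):
    """Server side of the weak scheme: unmask and trust whatever ID appears."""
    plain = bytes(t ^ m for t, m in zip(token, MASK))
    return int.from_bytes(plain[:4], "big")


def mac_token(user_id, date):
    """Payload followed by an HMAC-SHA256 tag over that payload."""
    body = _payload(user_id, date)
    return body + hmac.new(MAC_KEY, body, hashlib.sha256).digest()


def mac_token_user(token):
    """Return the user ID only if the tag verifies; otherwise None."""
    if len(token) != BODY_LEN + TAG_LEN:
        return None
    body, tag = token[:BODY_LEN], token[BODY_LEN:]
    expected = hmac.new(MAC_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return int.from_bytes(body[:4], "big")


def opaque_token(user_id):
    """Random token with no structure; the ID lives only on the server."""
    token = secrets.token_urlsafe(32)
    _OPAQUE[token] = user_id
    return token


def opaque_token_user(token):
    return _OPAQUE.get(token)


def tamper(token):
    """Test helper: flip the lowest bit of the ID field (byte index 3)."""
    changed = bytearray(token)
    changed[3] ^= 0x01
    return bytes(changed)


if __name__ == "__main__":
    weak = xor_token(70000, "20140120")
    print("masked token, tampered ->", xor_token_user(tamper(weak)))
    strong = mac_token(70000, "20140120")
    print("MAC token, tampered    ->", mac_token_user(tamper(strong)))
```
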
    2. Re:I can almost imagine how it might be done by QilessQi · · Score: 3, Informative

      Good point. I've always been impressed by how hackers can exploit the information gleaned from a very few sample interactions with a system to discern the underlying algorithm behind token choice, etc. I saw a step-by-step presentation recently from DEFCON on how the presenter was able to break into someone's social media account, IIRC by whittling down millions or billions of possible authentication tokens to a very small number by a combination of social engineering and sleuthing using the clock time, host IP, etc. I wish I could find it again and post it here; it was dizzying.

  13. oblig by cellocgw · · Score: 4, Funny

    Even worse, after accessing all those records, he logged in again as Bobby Tables and...

    --
    https://app.box.com/WitthoftResume Code: https://github.com/cellocgw
  14. Re:Throw money at it! by CrimsonAvenger · · Score: 5, Insightful

    > I mean they closed down parks, did everything they could to make people feel the cuts as much as they could, all the while making no meaningful cut to anything.

    Do remember that it was Obama that "closed down parks" and "did everything they could to make people feel the cuts", not Congress.

    Most of the cuts did nothing that would've been noticed by the average citizen, but you can't generate outrage at Congress with barely noticeable cuts. So they spent extra money putting traffic cones up blocking sites from which Mount Rushmore could be photographed, and shut off access to the Tomb of the Unknowns (which normally has no restrictions to access - it's in the middle of a lawn).

    --
    "I do not agree with what you say, but I will defend to the death your right to say it"
  15. This Was Commercial by mx+b · · Score: 3, Informative

    I think it is important to point out that effectively this was the work of a commercial company. It was contracted out, and the contractor subcontracted and did whatever it wanted at that point. (Sounds like relatively little government oversight of the project was had, considering the massive cleanup effort when it came to light).

    I think it would be fair to argue that the government should have been more involved and had more oversight of the project. I actually wish it was developed "in-house" so to speak, and open source (as I think all publicly funded software should be). The government can do great things. Look at NASA. We have(had?) plenty of smart people with the goal to do something awesome. I wish we hired a software/computing/cryptography group like NASA to just go in there and get it done in an awesome manner. I think the government work could have been magnitudes better if it was done this way.

    This was a failure on both sides really -- too many government officials that insist the best way to do things is like a private contractor do it (either for ideology or money), and commercial companies more interested in the paycheck than anything else.

    1. Re:This Was Commercial by Anonymous Coward · · Score: 3, Insightful

      > I think it is important to point out that effectively this was the work of a commercial company.

      No it's not. A commercial company would be losing money hand over fist, being sued by customers by the thousands, no one would choose to do business with it, and they would have run out of investment money long ago.

      The ONLY way to have a failure of this magnitude is with the unlimited coffers of the government, funded by tax payers with no say in it.

    2. Re:This Was Commercial by CrimsonAvenger · · Score: 4, Informative

      > The government can do great things. Look at NASA.

      NASA? Pretty much everything they do consists of issuing a design spec and taking bids. Even Apollo and Saturn were actually designed by private companies.

      --
      "I do not agree with what you say, but I will defend to the death your right to say it"
    3. Re:This Was Commercial by tibit · · Score: 4, Informative

      They do program management, and that's very important. healthcare.gov would fare much better if it had NASA-style, competent program oversight.

      --
      A successful API design takes a mixture of software design and pedagogy.
    4. Re: This Was Commercial by NeutronCowboy · · Score: 3, Insightful

      So when a government agency does something good, it's because it outsourced some work to the private sector. If it does something bad, it is because it is a government agency. Did I get that right? For some reason, I smell a variation of the "privatize profits, socialize losses" mantra.

      --
      Those who can, do. Those who can't, sue.
  16. Big mouth by jargonburn · · Score: 4, Funny

    He should probably shut it. Doesn't he know that the best security is obscurity? If he keeps talking about how vulnerable that website is, someone MIGHT actually hack it! Is that what he wants??

  17. Re:Okay, but... by cbhacking · · Score: 5, Informative

    Also, they had to know a priori this was going to be a *huge* target (no pun intended). Whether for the treasure trove of neatly collected data or a simple political agenda (doesn't even need to be a partisan one; lots of people who voted for Obama hate the ACA and healthcare.gov), it should have been obvious from the very beginning that the scrutiny of this site for security vulnerabilities would be far greater than most, and the costs (to the site developers) of an attacker exploiting one far more severe. Under those circumstances, business-as-usual things like PCI DSS and such should have looked like nothing. They should have hired an entire internal security team to oversee the development of the site starting from the design phase*, and an external penetration testing team to verify it at least once by now.

    * Tacking security onto a design that is inherently insecure is expensive and often futile, just as is true of many other kinds of software bugs. Of course, if they'd designed competently in the first place, maybe the site wouldn't already be a laughingstock...

    --
    There's no place I could be, since I've found Serenity...
  18. Re:Go Team USA! by Enry · · Score: 3, Insightful

    Hence the reason why decoupling your insurance from your employer is a great idea.

  19. Re:Government! by TemperedAlchemist · · Score: 4, Informative

    The private sector did build the website.

  20. How do I get clients like this? by rebelwarlock · · Score: 4, Funny

    I get between a few hundred and a few thousand USD for any given contract, and my clients actually expect their software to work. How does one go about getting this much money for a steaming pile of shit?

    1. Re:How do I get clients like this? by PRMan · · Score: 3, Insightful

      Connections. People don't pay people because they're good. They pay them because they are their friends.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    2. Re:How do I get clients like this? by Zontar_Thing_From_Ve · · Score: 5, Interesting

      > I get between a few hundred and a few thousand USD for any given contract, and my clients actually expect their software to work. How does one go about getting this much money for a steaming pile of shit?

      My first job out of college was working for the Department of Defense as a civilian programmer (I worked for a specific branch of the US military, but I'd prefer not to name it). I can tell you based on what I saw that the answer to your question is "Get a contract awarded to you." My first job was that I was hired to work with a small team trying to finish up a salvage operation on some old IBM hardware that the contractor never completed the project on. We were finishing up making it work after the contractor gave up and gave us the computers. I can't say this with 100% absolute certainty, but the senior guy on the project insisted that the contract got fully paid and the vendor never was sued for giving up on the project without meeting what the project called for. He said they just turned over the computers and the source code for as far as they had gotten and called it a day with Uncle Sam just shrugging his shoulders about it. I learned while working there that literally anything can be justified if it's on a contract. No cost is so high that it can't be justified if it's on a contract between the DoD and a private company. The right wingers unfortunately help to waste US taxpayer money here by insisting that everything there is can be done "cheaper" (ha ha ha) by any private company. Almost all of my DoD career was spent working on various projects where the government reclaimed them from a contractor (sometimes after completion, sometimes when the contractor just gave up on it) and everything was significantly cheaper for us once we took over the projects. So what happens is that unscrupulous vendors bid cheaply on contracts they can't be sure that they can actually complete because they're rarely sued and they can usually get fully paid or close to it for any half-way attempt they make on the project. Nobody on the right ever questions the wisdom of this process because it is "saving money".

  21. Re:Okay, but... by Anonymous Coward · · Score: 5, Informative

    A mitigating start could be to outlaw the scam that is the credit reporting agencies in their current form.

  22. Re: Okay, but... by Anonymous Coward · · Score: 4, Insightful

    But what about the companies who store info on me that I've never done business with? There are plenty of data aggregators out there that have tons of people in databases without any of them ever having done any direct business with them.

  23. Re:Throw money at it! by MightyYar · · Score: 3, Informative

    I'm amazed at how poorly government can handle even modest changes in funding... and not just at the federal level. During the financial crisis, our local school system had a 5% cut, and you would have thought the world had ended. They zeroed out maintenance, fired teachers, cut programs, all to preserve a yet-to-be-negotiated pay raise for the staff. Meanwhile, in my job in the private world we all took a 25% reduction in pay for a while when the company's revenue went suddenly to nearly zero, so my sympathy was not exactly running high.

    Mind you, cutting 5% returned them to the previous year's levels. No one could answer my question about how they managed to hold it all together the year before if the funding was "so bad".

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  24. No. It's NOT the same thing by Anonymous Coward · · Score: 4, Insightful

    The example you gave - the securities markets - deal only with impersonal numbers. There have been a bit of screw ups in the past (Flash crash for example), but it's a matter of backing up trades and lecturing member firms and maybe a little slap on the wrist.

    No real harm done other than some big Wall Street firms getting dinged a couple million dollars - chump change to them.

    With Healthcare.gov, we're dealing with individuals' information - individuals who don't have the means to defend themselves legally if or when someone abuses their information.

    A big corp's nuisance is a citizen's nightmare and ruin.

    NOT The same thing.

  25. Re:Okay, but... by Forty+Two+Tenfold · · Score: 4, Funny

    From the misery of this site it looks as if it was specifically designed to kill Obamacare.

    --
    Upward mobility is a slippery slope - the higher you climb the more you show your ass.
  26. Re:Okay, but... by funwithBSD · · Score: 5, Interesting

    Two things:

    According to the article, the government is not REQUIRED to tell you about hacking attempts. HIPAA and other laws require that they disclose "hacks".

    Second, as Sysadmin for a major healthcare company for 9 years, every single "hack" was the loss of a laptop or hard drive. No one ever "hacked" into the systems for access to data beyond the one account they hacked.

    --
    Never answer an anonymous letter. - Yogi Berra
  27. Re:Then Why No Hack Job? by Shatrat · · Score: 3, Insightful

    The whole point is that it probably has, and their security is so bad they can't even detect it, let alone prevent it.

    --
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
  28. Re:Okay, but... by fahrbot-bot · · Score: 4, Insightful

    > How many commercial companies would have this much customer data at risk?

    Well.. I can name at least three: Equifax, Experian, and TransUnion.

    --
    It must have been something you assimilated. . . .
  29. Re:Okay, but... by phantomfive · · Score: 4, Informative

    being legally mandated to do something dangerous isn't good.

    The worrisome thing is, you don't even need to do anything to be exposed to danger. Your information is already in the system, waiting to be exposed.

    --
    "First they came for the slanderers and i said nothing."
  30. Re:Go Team USA! by geminidomino · · Score: 4, Insightful

    We have representatives

    Coulda fooled me...

  31. Re: Okay, but... by ADRA · · Score: 4, Insightful

    It's a false dichotomy because you can never know the inherent security of a company you do business with really. Often these companies are veiled behind the companies you do perform business with anyways, so who's to say that although 'Walmat' may be secure, but maybe their downstream credit merchant bureau has huge leaks, or maybe their third party BI / sales data processing service has some inherent flaw, or ... Security isn't as simple as putting the onus on a very complicated problem and just saying 'sure, I trust Walmat with my credit, address, phone', etc..

    Ideally all this 'information' will become a lot less valuable (like making the ability to attain credit a lot more difficult than some data entered into a web page) but that'll happen sooner or later, be assured. The Internet's rather new in this respect, and although safeguards help, they are by no means perfect. You could increase the security (which is always a good idea for items of value), but ideally, we just make a credit card number useless. Who cares. It's a 16 digit number. It's the hundreds / thousands of sites accepting that as 'sufficient' for merchant exchanges that make the number important.

    --
    Bye!
  32. Well the performance of the site is getting better by TheMadTopher · · Score: 4, Funny

    Hackers can get 70K records in 4 minutes from the healthcare.gov website? Great news! That's the best performance metric the website has had yet!

  33. Re:Throw money at it! by bob_super · · Score: 3, Informative

    Someone is very confused between sequestration and shutdown.
    How did you get +5 insightful?

  34. Re:Throw money at it! by TheCarp · · Score: 4, Insightful

    > You're a fool and clearly never worked in Defense Contracting.

    Fool must mean, person with a conscience.

    I certainly hope your post is accurate, it's the best news I have heard about the sequesters yet.

    The offence (calling it Defence is bordering on Orwellian and has been for generations now) industry could stand some deep cuts. Mortal blows even.

    --
    "I opened my eyes, and everything went dark again"
  35. Re:Government! by Tridus · · Score: 4, Insightful

    I'm pretty sure that "it shouldn't work and should be easily hackable" were not in the spec. This is just another example of the quality of work you get when governments contract out to private companies.

    CGI botched up the long gun registry in Canada in the same way many years ago.

    --
    -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
  36. Re:$700 million - and still insecure!!! by Tridus · · Score: 4, Informative

    The commercial company that built this website was let go from their contract, and without that contract there will likely be firings.

    But yes, feel free to tell us about all the firings from the major corporate breaches that happened in the last year. Because if you think this doesn't happen all the time, you're living in a fantasy world.

    --
    -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
  37. Re:Government! by dkleinsc · · Score: 3, Interesting

    I'm guessing the specs didn't include "Allow everyone and his kid brother to access other people's personal information as an aid to identity theft." I'm guessing they also didn't include "Crash all the time" and "Fail to actually allow people to sign up for health care."

    Here's how I see this general situation:
    1. Government contracts with company C to do task X.
    2. Company C, instead of doing X, does the much cheaper Y that looks kind of like X and says they did X.
    3. Conclusion: Company C defrauded the government, and should be held liable, as well as removed from any future consideration for any government contract.
    4. Second conclusion: If government continues to do business with Company C or failed to sue the pants off of the company for breach of contract, then the government screwed up (or is corrupt).
    5. Invalid conclusion: The government screwed up but Company C had nothing to do with it.

    --
    I am officially gone from /. Long live http://www.soylentnews.com/
  38. Re: Government! by Entrope · · Score: 3, Informative

    You haven't done much contract work, have you? The government illegally exempted this web site from the usual security checks and procedures, and prioritized some aspects of development so it would "meet schedule" with a less-than-fully-working site. They very much did direct the contractors how to spend resources, and security and quality were nowhere near the top of that list.

  39. Spec? What spec? They were making changes ... by perpenso · · Score: 4, Insightful

    > I'm pretty sure that "it shouldn't work and should be easily hackable" were not in the spec. This is just another example of the quality of work you get when governments contract out to private companies.

    Spec? What spec? They were making changes two weeks before launch. From the congressional testimony, http://www.cnn.com/2013/10/24/...:

    "In the first detailed account of what happened, officials of four contractors involved in the website creation described a convoluted system of multiple companies operating separately under the oversight of CMS, a part of the Department of Health and Human Services. Each said their individual components generally performed as planned after internal testing, but all conceded that CMS failed to conduct sufficient "end-to-end" testing of the entire system before the launch ... an end-to-end test conducted within two weeks of the launch caused the system to crash. She said it was up to CMS to decide on proceeding with the rollout."

    "... blamed a decision by CMS within two weeks of the launch to require users to fully register in order to browse for health insurance products, instead of being able to get information anonymously, as originally planned."

    The preceding should not be interpreted to mean that the contractor did good work. They may have been a problem as well. My point is that government officials were basically sabotaging their project through mismanagement. Inadequate integration testing, last minute changes, launching despite testing showing they were not ready ... It appears that politicians were in control.