

Denial-of-service tool targeting Healthcare.gov site discovered - aniketpant
http://arstechnica.com/security/2013/11/new-denial-of-service-attack-aimed-directly-at-healthcare-gov/

======
japhyr
If you are discussing this topic, you might consider referring to the
legislation as the "Affordable Health Care Act", which I believe is the title
on the actual legislation. Calling it "Obamacare" triggers an overly emotional
response from people on both sides of this issue.

Ask people if they want universal affordable health care, and most people will
discuss the issue. Ask people if they want Obamacare, and you instantly raise
all sorts of issues that have nothing to do with health care.

Edit:

I agree with many of the responses here as well. The actual name, which I
believe has ten titled parts [0], is a bit of marketing copy as well. But at
least it's marketing copy that relates to the substance of the act.

Calling it Obamacare makes it personal, and this is about much more than Obama
taking care of all of us.

I'd love to see a neutral name for the legislation itself. I am starting to
call it "the current health care legislation".

[0] -
[http://www.hhs.gov/healthcare/rights/law/](http://www.hhs.gov/healthcare/rights/law/)

~~~
ctdonath
I can't refer to the legislation by its name because I consider its name
disingenuous. A rose by any other name may smell as sweet, but calling dung a
rose doesn't make it smell any better. Words mean things; "affordable" the act
isn't. The legislation itself raises all sorts of issues that have nothing to
do with health care.

ETA: "Obamacare" is used because it's a catchy name which is both quite
descriptive (_Obama_ pushed this health _care_ law thru, so he owns it) and
is _not_ inherently insulting (like "Bushoppression" or "Obamasux" mentioned
elsewhere in this thread). Use of this popular nickname causes a frenzy
because of its subject, not its inherent phrasing - it is not an ad-hominem
attack.

~~~
kapitalx
As an anecdote, we signed up my inlaws for $2/month after subsidies. Until now
they couldn't afford the $900/month so they didn't have insurance. I'd say
that's pretty affordable, almost free.

~~~
trebor
It isn't free. Someone else is paying your parent's bill, either through their
own premiums (which some say have tripled, though they have no prior
conditions) or through taxes. Don't judge the price till the bill takes full
effect; you may not be smiling.

~~~
gte910h
And people were paying for their medical care gotten in emergency rooms too.

------
skwirl
While I personally am OK with the Affordable Care Act, and do not doubt for a
second that many conservatives and libertarians are reveling in the troubles
the federal healthcare exchange website has been facing, I do not for a second
believe that it is due to a DDoS from people running this tool. I would be
very surprised if this tool even existed before the exchange site was
launched. It seems to be someone seeking attention after the fact, and here we
are giving it to them.

~~~
ck2
There is no reason why both cannot be true.

The site was built poorly and political foes are also trying to ddos it.

Personally I think it would be nice if we had stronger laws and actual
enforcement against ddos.

------
aelaguiz
The screenshots of IDA with Delphi in it really bring me back. Ahh reverse
engineering, life was so simple then.

Whoever wrote this was definitely older. Nobody under 35 knows Delphi ;)

~~~
tazjin
Delphi is the standard programming language taught to many German kids in
school. I have many friends in Germany (I live in Sweden) and they have
horrible stories from those "lessons" :-)

Problem is not all of them are knowledgeable/interested enough to realise that
what they're being taught is deprecated and not worth a lot.

~~~
aelaguiz
It always shocks me how long technology hangs around. It's easy to forget how
many critical systems are powered by VB3 or Cobol.

~~~
ErikAugust
It would be cool if in modern web development there were a tool that allowed
you to design webpages as easily as you could design UI in VB3. Just saying.

~~~
TimJYoung
Our product, Elevate Web Builder, provides this type of functionality:

[http://www.elevatesoft.com/products?category=ewb&type=web](http://www.elevatesoft.com/products?category=ewb&type=web)

For example, coding a button event handler is just like it is in Visual
Studio/Delphi - just double-click on the button in the form designer and
you're in the code editor positioned inside of an empty event handler code
block.

~~~
ErikAugust
Very cool.

------
grecy
Wow, the government brings in a program to genuinely try and help people, and
the people want to tear it down because it "violates their rights".

America you so crazy.

~~~
VonGuard
This comes from a very concerted effort by highly placed folks in the US (Koch
Brothers, health care companies). Essentially, they create fear and confusion
around the new laws through Fox News and dial-in radio, and American idiots
eat it up like it was the Bible truth. The people in this country who are
against the health care law, uniformly, know nothing about it and regurgitate
Fox News BS when asked why it's a bad law.

Thing is, the law has its issues, but the other side never gets near them,
they just make shit up "death panels" and government interference and stuff.
I, as an American, am super embarrassed by all this. It doesn't help that the
health care companies wrote the fucking law, anyway... now they're fighting
against it!

The sad truth is, unless we have a single-payer, socialized medical system,
none of these changes will help much. Really, the biggest change the new law
enacts is that it forces health care companies to cover people with
pre-existing conditions like Diabetes and heart disease. Right now, they can tell
you to go away, they won't cover that stuff. In 2014, I hear they'll be forced
to at least offer you a psychotically expensive plan if you have diabetes....
Ah, this country sucks ass.

~~~
IanDrake
I don't think I fit your description of those who don't like the ACA, but I
don't like it nonetheless.

I believe we could fix health care costs by removing just one law.

 _Stop making health insurance a tax deductible employee benefit._

Think critically about the effect that small change would have and you'll see
why our system is broken.

~~~
lewispollard
As an interested non-American, how would that change the system?

~~~
IanDrake
In the US, if your employer pays for your health insurance, they pay for it
with pre-tax dollars. If you buy it, you buy with post tax dollars. That's why
employers pay for it in lieu of paying you more.

If your employer pays for your car insurance as a benefit, they pay for it
with post tax dollars, so they don't do that.

So, employers pay the premium on your health care for the tax advantage. Now
consider the psychology behind not being the one who pays for the premium.

Do you care how much your services cost? No.

Do you care if the premium goes up? No.

Do you shop around for better insurance? No.

Do you care if you lose your job if you're sick? Hell yes.

In effect all normal market pressures are gone. No one who consumes resources
cares about their costs because they are completely disconnected from
paying them or some derivative of them.

This is why doctors don't post prices.

While the net effect for people with employer provided health insurance is
ever increasing rates, the effect on those people without health insurance is
brutal. They are trying to enter a market that has no price pressure.

~~~
lewispollard
So essentially the market for health insurance is competitive on what
companies can afford rather than individuals? So the proposed change would
force insurance companies to be more competitive on a smaller scale and in the
long run, cheaper. Interesting.

------
ck2
Denying people access to healthcare.gov is like blocking an ambulance trying
to take someone to the hospital, you'd have to be a pretty low criminal to do
it.

If you don't want healthcare then don't buy it and pay the fine (or refuse to
pay the fine) just don't block others.

~~~
ctdonath
That's the problem: people DO want healthcare, but the legislation blocks them
from buying the form of healthcare they want. Seriously ill people with
perfectly good health insurance are getting their plans cancelled for want of
irrelevant requirements; yes, many of us DO consider those causing such
cancellations "pretty low criminals", hence the consternation unto DDOS.

~~~
mistakenot
The legislation does lots of things, including making it possible for people
like me with pre-existing conditions to actually get insurance. Plans are
cancelled because free market corporations decide to cancel them -- the law
could have forced all those companies to continue policies while bringing them
up to standards, but if it did, you'd be complaining about that.

~~~
ctdonath
The law indeed forced those companies to bring policies up to highly
disputable standards, which for all practical purposes amounts to canceling
them and requiring enrollment in much more expensive plans - that is indeed
what I'm complaining about.

~~~
RokStdy
I think you're missing the hypothetical above. I read it as "the law could
have required insurers to bring policies up to snuff without increasing
premiums". That presumably would have kept people from getting cancellation
notices (and would have been a huge controverstifuck).

In any case, I think you're wrong. I think it's nice that there's a minimum
standard for what 'insurance' should actually do. I think mandating certain
minimal care coverage is critical in preventing people from being fleeced by
super cheap plans that don't cover crap.

~~~
ctdonath
I think you're missing the practical reality. Insurers cannot bring policies
"up to snuff" without increasing premiums. The changes are significant enough
(both benefits and costs) that they are for all practical purposes new &
different plans, the old plans are cancelled and new ones must be chosen. That
"minimum standard for what insurance should actually do" is now legislated to
a very high, and very expensive, level; we're not talking minimum reasonable,
we're talking compelling luxury plans.

~~~
RokStdy
The minimums hardly make these plans "Luxury Plans".

The (very good) reason to have minimum coverage requirements is to push people
from burdening the acute care system (ERs). This is necessary in order to keep
overall health costs in check. We cannot, as a society, continue to have
people rely on ERs for their only care.

Some of the lavish coverage that is now required[1]:

* Blood Pressure Screening
* Blood Sugar (Diabetes) Screening
* Cholesterol Screening

All of these things are precursors to chronic (expensive) conditions. It is
much cheaper to manage these things before you develop heart disease or
diabetes. Mandating coverage for these things is simply the smarter allocation
of resources than treating the end-stage disease.

------
jcromartie
Wasn't there just something on HN claiming DDOS as protected speech?

------
leeoniya
With so much opposition to Obamacare, I would be more surprised if a tool like
this did NOT exist.

------
trebor
Based on the program icon in the screen shot, I think the tool was written in
Delphi 6. I haven't seen that in years!

------
ancarda
As someone who doesn't live in the States, can anyone explain the opposition
to Obamacare other than the recent technical problems (which seem to happen
anytime governments go near a computer)?

~~~
ctdonath
Summary: my health care insurance is a matter between me, my doctor, and my
chosen insurer - which is none of the government's business. Disrupting my
insurance because of issues not relevant to my treatment is intolerable.

~~~
mkramlich
Ok that's an understandable position. Let's continue that logic and apply it
everywhere else in life:

The relationship between your neighbors and you is a matter solely between
them and you. The government should not interfere. So, if for example your
neighbor were to choose to rob your house, or murder a loved one, clearly, the
government should not get involved.

When you're driving, that's a matter between you, your car, and perhaps the
road. And your relationship with other drivers or pedestrians is solely up to
you and them. You should all be able to do whatever you want and/or work out
any disputes between each other as they come up. Laws would be pesky and just
be government interference.

And by the way, as to your point about disrupting your insurance for reasons
not relevant to your treatment. That's a big _whoosh_ that misses the point of
the ACA. The whole core point of the ACA was in reaction to private insurance
companies which would _deny_ or _drop_ people who were seriously sick. Thus,
effectively denying _treatment_, or forcing them to rely on
rush-to-emergency-room treatment, rather than cheaper and less stressful preventative
care, or experience catastrophic costs, which then either bankrupt them and/or
get passed on to all other taxpayers and customers, against those other
parties' wishes, anyway. Making sure more people get more and better treatment,
more consistently, is the whole point of the ACA. It's not perfect, nobody
claims that. But it has a heck of a lot of objectively good elements which are
pro-health.

~~~
ctdonath
Malicious non-sequiturs are not persuasive.

Some industries do develop systemic defects, and it is appropriate for
government to apply regulations to correct those. There is a vast difference
between coming up with a regulation amounting to "you cannot drop coverage
just because a case proves costly" or "you must accept pre-existing conditions
for coverage-transferring customers by accepting them at exactly the same
plan/cost as a current customer facing the same treatment costs", vs. taking
over the entire industry and compelling a multitude of costly irrelevancies
and disruptive non-sequiturs.

And you're missing a heck of a lot of objectively bad elements which are anti-
health. The point of a discussion is to address _both_ sides of the issue, not
just loudly ignore the opposition's objections.

------
300bps
I read the summary at
[http://www.arbornetworks.com/asert/2013/11/healthcare-gov-do...](http://www.arbornetworks.com/asert/2013/11/healthcare-gov-dos-tool/)

Sorry, I don't buy that anyone would've written a custom application to DDoS a
web site by slowly loading two relatively static pages on the site when there
are a billion tools out there that will do the same thing far more effectively
(see LOIC for just one popular example).

This almost seems like a false flag to make healthcare.gov into an innocent
victim of a DDoS attack when as the original article says there is no evidence
of an actual DDoS attack.

~~~
generj
I agree with this viewpoint, though I think it's also possible that a lone
actor, frustrated with Obamacare, acted out using the only tools he knew in a
1/2 hour.

It wouldn't surprise me if healthcare.gov was very vulnerable to DDOS attacks
- we are talking about a 2013 site which is hosted in a single data-center.

~~~
AsymetricCom
I wonder if a five 9's site is possible from a single datacenter. I can't
imagine why not, given it's 3,000m under a mountain.

~~~
generj
A five 9's website is much easier to achieve using multiple, redundant, data
centers.

Otherwise you end up with unforeseen events, like a tornado taking out power,
or a backhoe incident, or internet outages.

------
mkramlich
I predicted things like this were being used. My rough logic is that when you
see directly observable evidence of an entity (Republicans and/or Tea Party in
Congress, or whatever you wish to label them) engaging in a DoS attack against
the American people out in the _open_ -- in the form of the repeated attempts
to shutdown the Federal government and risk defaults, etc -- it's even
_easier_ to believe the same kinds of people will be arranging for DoS under
the covers, through more shady means.

Not that I'm saying these DoS attacks are effective, or even a significant
factor. I don't have enough data to know. But I have no doubt they were at
least attempted.

~~~
beauzero
We are talking about a government entity trying to tie together purposefully
archaic data feeds from insurance companies, waterfall methodology, a myriad
of different consulting companies, and changing requirements right up until
the last month. ...and you are looking for a conspiracy?

~~~
mkramlich
You have made the mistake of assuming mutual exclusion when I for one did not.
I am a software engineer and I do this professionally. I am fully aware of the
kinds of technical issues, and procedural issues, which can fully or at
least even partially account for its woes. That was not my point. My point was
pretty clear and I was very very careful with my exact wording, if you'd care
to take a second look at my original comment you've attacked, and probably
downvoted, erroneously.

