FBI Warned Security Expert Not to Talk About Gov Health Website’s Dangers


Shooting the messenger is the system's standard bureaucratic response to its own ineptitude, from ObamaCare's HealthCare.gov all the way down to Covered California.

L.A.-based security researcher Kristian Erik Hermansen was signing up for Obamacare via the Covered California site. Given his background in finding vulnerabilities in software and websites, he couldn't help noticing a flaw that would allow someone to take over another person's account on the California site.

He tried contacting Covered California “at least 15 times” by email, phone or chat about the problem, but got no response for over a month.

Hermansen, frustrated that the flaw had been out there for over a month already, decided to release a video of the exploit to YouTube. That got the attention of a Covered California lawyer who contacted him to take the video down.

Hermansen then spoke by phone to the lawyer and a chief security person. “They were not interested in talking about the security issues but about getting the video or any other online mention of the flaw taken down.”

Hermansen said he found more serious issues — such as an exposed admin interface and a potentially raidable database that might have made it easy to steal complete social security numbers en masse — but that he did not explore or expose them publicly to avoid running afoul of the law.

He was most dismayed, though, by how the site's administrators reacted to his findings: first ignoring him, then trying to sweep his disclosure under the rug, rather than immediately addressing or fixing the problem he had found.

On Wednesday, Hermansen said the FBI visited him and told him not to talk about this publicly anymore.

Matt Ploessel, a security researcher who collaborated with Hermansen, reported the problems to the government's vulnerability clearinghouse US-CERT. He said he also got a call from the FBI Wednesday. "They told me that creating a test account because we didn't want to touch real live data is fraudulent."

These kinds of regulations criminalize violations of terms of service and punish whistleblowers. While professional sites such as Facebook actually pay users for bug reports and security vulnerability findings, government agencies send the FBI after you. No wonder their sites don't work.

  • Gee

    Hummm – okay, where are the leftists and liberals who care so much about the 1st Amendment? He did not yell "Fire," nor did he advocate any sort of crime or violence, nor did he even commit anything remotely close to libel.

    On what grounds can they prevent him from speaking? Is this yet another in the long series of "the Emperor has no clothes"?


      Yes. If you point out that Barry has no clothes, expect a) the media to call you a racist; and b) the government to come down on you with the FBI, NSA, IRS, etc. What do you think America is under Barry and the Democratic Left – a free nation?

      • Gee

        The FBI, NSA and IRS do not operate in Israel. Not too worried about them.

  • pupsncats

    There is no such thing as privacy. Big brother is everywhere.

  • glpage

    So, not only are they morons, but when we have concrete proof of such we are not allowed to expose it. Hello tyranny.

  • Drakken

    Well, let the hackers crash the entire system. I am waiting for some 14-year-old kid to go hog wild with it and watch as the govt points fingers at each other and plays the blame game. Kabuki theater at its finest.

  • truebearing

    We all have to understand the FBI’s viewpoint. If they can silence reports of corruption or incompetence on the part of the Obama cabal, they don’t have to come up with ridiculous excuses for not investigating them later. No doubt this is mandated by Imambama and Eric the WithHolder.

  • defcon 4

    If this doesn't smell like fascism, what does?