Slashdot Mirror


FCC Says Its Specific Plan To Stop DDoS Attacks Must Remain Secret (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: FCC Chairman Ajit Pai and Democratic lawmakers have been exchanging letters about a May 8 incident in which the public comments website was disrupted while many people were trying to file comments on Pai's plan to dismantle net neutrality rules. The FCC says it was hit by DDoS attacks. The commission hasn't revealed much about what it's doing to prevent future attacks, but it said in a letter last month that it was researching "additional solutions" to protect the comment system. Democratic Leaders of the House Commerce and Oversight committees then asked Pai what those additional solutions are, but they didn't get much detail in return.

"Given the ongoing nature of the threats to disrupt the Commission's electronic comment filing system, it would undermine our system's security to provide a specific roadmap of the additional solutions to which we have referred," the FCC chief information officer wrote. "However, we can state that the FCC's IT staff has worked with commercial cloud providers to implement Internet-based solutions to limit the amount of disruptive bot-related activity if another bot-driven event occurs." The CIO's answers to lawmakers' questions were sent along with a letter from Pai to Reps. Frank Pallone, Jr. (D-N.J.), Elijah Cummings (D-Md.), Mike Doyle (D-Penn.), DeGette (D-Colo.), Robin Kelly (D-Ill.), and Gerald Connolly (D-Va.). The letter is dated July 21, and it was posted to the FCC's website on July 28.

88 comments

  1. I Found It by Shakrai · · Score: 5, Funny

    It was in a drawer next to Trump's plan to defeat ISIS. More details to follow.

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
    1. Re:I Found It by sconeu · · Score: 1

      I guess I'm way older than you.... I thought it was next to Nixon's Secret Plan to end the war in Vietnam.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    2. Re:I Found It by harvey+the+nerd · · Score: 0

      Um, this is an Obama holdover. Cuzin to the Awans maybe?

    3. Re:I Found It by sexconker · · Score: 1, Insightful

      Nixon's plan was to nuke. He was told that wouldn't be happening about 5 minutes into his term.

    4. Re:I Found It by Ziest · · Score: 2, Insightful

      A secret plan to end an undeclared war backed by a silent majority.

      No one does bullshit better than GOP

       

      --
      Another day closer to redwood heaven
    5. Re:I Found It by Anonymous Coward · · Score: 0

      Not really, ISIS rose from the ashes of the Sunni Baath Party, which the US disenfranchised after the invasion under the Bush Administration... because they had a secret plan to find WMDs

    6. Re:I Found It by Anonymous Coward · · Score: 0

      No it wasn't. He never had a plan.

    7. Re:I Found It by s.petry · · Score: 0

      Seeing as how the Democrats have controlled the House and Senate almost exclusively for 40 years from 1957, you can't blame the GOP. Citation for the lazy.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    8. Re:I Found It by dog77 · · Score: 1

      Please cite a reference for this. There was no secret plan. Nixon was quoted before the 1968 elections saying “If I had any way to end the war, I would pass it on to President [Lyndon] Johnson.” All evidence prior to the 1968 election was that Nixon would end the war, not win the war, through a combination of diplomatic and military pressure. He actually did increase the aggressiveness of aspects of the war such as going after the enemy in sanctuary areas, but as a strategy of applying pressure, rather than seeking an all out military victory.

      I am not trying to defend Nixon or his strategy, I just don't like political narratives based on false and misleading information.

      https://mediamythalert.wordpre...

    9. Re:I Found It by Chewbacon · · Score: 1

      You mean "bomb the **** outta them?"

      --
      Chewbacon
      The Bible is like Wikipedia: written by a bunch of people and verifiable by questionable sources.
    10. Re:I Found It by Anonymous Coward · · Score: 0

      Seeing as how the Democrats have controlled the House and Senate almost exclusively for 40 years from 1957, you can't blame the GOP. Citation for the lazy.

      That is not an excuse or reason at all. Because the other side did not do the right thing doesn't mean you will not do the right thing too.

    11. Re:I Found It by s.petry · · Score: 1

      I didn't give an excuse or reason, I gave a fact. GP blamed the GOP for problems, yet the GOP was not in control of the Legislative branch of the Government and hadn't been for decades. GP's assertion is provably false because of the fact I provided. Plenty of blame to go around, so take your share if you are a Democrat.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    12. Re:I Found It by JoePete · · Score: 1

      As much as this is off-topic, I think the record shows Nixon brought an end to the war by removing the bombing halt that had been imposed by Johnson. Most notably, the Linebacker II campaign, which allowed sustained bombing of the north and Hanoi, brought the North Vietnamese to the negotiating table. We ended up with a peace treaty, the release of POWs, and the survival of South Vietnam - which was essentially our main reason for being there. Now, not long after, we have Nixon resigning in the midst of the Watergate scandal, Congress passing the Case-Church amendment, and then, an opportunistic North Vietnam invading the south again, knowing (or at least making a safe bet) that given Watergate and Case-Church, the U.S. wouldn't come back to Southeast Asia despite the pleas of the South or Nixon's successor (Ford). If you want to couch this as Democrats vs. Republicans, so be it, but consider this: Six presidents (three Democrat, three Republican) and 13 Secretaries of Defense served in their capacities between the First Indochina War (precursor to Second Indochina War, aka the Vietnam Conflict) and the fall of Saigon. Of those six presidents, three came to office through succession. Nearly every major event in the war came near a presidential transition (how is that foreign opportunism?).

    13. Re:I Found It by q4Fry · · Score: 1

      It was in a drawer next to Trump's plan to defeat ISIS. More details to follow.

      Operation "Beware of the Leopard" ?

  2. How could it fail? by MountainLogic · · Score: 5, Insightful

    After all, unvetted encryption and security have never failed. And the best security is obscurity!

    1. Re:How could it fail? by Anonymous Coward · · Score: 0

      Nail on the head!

  3. Security through obscurity... by Anonymous Coward · · Score: 1

    is no security at all.

    1. Re:Security through obscurity... by Obfuscant · · Score: 2

      Even with the ancient adages about "security via obscurity", one does not wisely broadcast details about the security systems one is using. It's called "infosec", or more broadly, "opsec".

    2. Re: Security through obscurity... by Anonymous Coward · · Score: 0

      Works really well.
      Just power off the old pentium box server.

    3. Re:Security through obscurity... by Anonymous Coward · · Score: 1

      Even with the ancient adages about "security via obscurity", one does not wisely broadcast details about the security systems one is using. It's called "infosec", or more broadly, "opsec".

      Indeed, it's the difference between knowing that you look like a fool now, and being made to look like a complete fool at some unknown time later.

    4. Re:Security through obscurity... by Anonymous Coward · · Score: 0

      Or not looking like a fool at all in public, or to people who pay your salary, because successful attacks are never reported.

    5. Re:Security through obscurity... by Anonymous Coward · · Score: 1

      Or not looking like a fool at all in public, or to people who pay your salary, because successful attacks are never reported.

      Successful attacks aren't discovered.

    6. Re:Security through obscurity... by Ol+Olsoc · · Score: 3, Funny

      Even with the ancient adages about "security via obscurity", one does not wisely broadcast details about the security systems one is using. It's called "infosec", or more broadly, "opsec".

      Then again, it can be just as important to keep the fact that there is no plan a secret.

      We have had many plans that were bragged about by the party of the moral high ground turn out to be no plan at all. OBlamacare repeal, the Freedom Jesuscare health act, and everything Don for Life has ever promised. If the model is followed, it involves shutting the computer off and not much more.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    7. Re:Security through obscurity... by Obfuscant · · Score: 0

      Then again, it can be just as important to keep the fact that there is no plan a secret.

      You are claiming a fact when you have none. You assume there is no plan because nobody is willing to tell you what it is.

      I assume that it is prudent not to tell anyone who has no need to know what your plan is. That's the difference. I understand the concepts of opsec and infosec and prefer that our government follow those precepts unless there is a compelling reason not to. I see none here.

    8. Re:Security through obscurity... by Ol+Olsoc · · Score: 2

      Then again, it can be just as important to keep the fact that there is no plan a secret.

      You are claiming a fact when you have none. You assume there is no plan because nobody is willing to tell you what it is.

      SRSLY? Tell me exactly where I claimed there is no plan. Having an awesome completely foolproof secret plan that will work every time and make the free internet safe forever and anon might have every bit the same need for secrecy as "We got nuthin'."

      You need to read a little better before just deciding to disagree because you want to argue with someone.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    9. Re:Security through obscurity... by Obfuscant · · Score: 1

      Tell me exactly where I claimed there is no plan.

      Already quoted you: "Then again, it can be just as important to keep the fact that there is no plan a secret." Where did this fact come from?

      Having an awesome completely foolproof secret plan that will work every time and make the free internet safe forever and anon might have every bit the same need for secrecy as "We got nuthin'."

      Hyperbole much? No, not "might", "does". That's the basis behind the concept of "infosec".

    10. Re: Security through obscurity... by Anonymous Coward · · Score: 0

      How is this tripe upvoted?
      The quote is that it's foolish to rely ONLY on obscurity. It's a perfectly valid component in any layered security model. Why give the attackers anything to make their work easier?

    11. Re:Security through obscurity... by Ol+Olsoc · · Score: 1

      Tell me exactly where I claimed there is no plan.

      Already quoted you: "Then again, it can be just as important to keep the fact that there is no plan a secret." Where did this fact come from?

      Can! It CAN be important.

      Make no mistake, if I for a New York minute thought that there was no plan, I would have written: "The fact that there is no plan is just as important to keep secret."

      Not a bit of ambiguity there. That would be me saying exactly that there was no plan. But I didn't write that. Can does not mean is. Thanks for playing, but I'm not in the mood to diagram sentences tonight.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    12. Re:Security through obscurity... by EETech1 · · Score: 1

      The plan is to let the ISP charge you per bit, and throttle you at will. This should take care of all that excess traffic!

    13. Re:Security through obscurity... by mysidia · · Score: 1

      Even with the ancient adages about "security via obscurity", one does not wisely broadcast details about the security systems one is using.

      In this case, they should explain what their plan is. If that would be a "concern", then it probably means that their plan is a flawed one, and they should be taking comments from the public about potential alternative mitigation plans.

      They could start by introducing Captchas on submission forms, for example.

    14. Re:Security through obscurity... by mysidia · · Score: 1

      We have had many plans that were bragged about by the party of the moral high ground turn out to be no plan at all.

      Yeah... pretty much. The TRUE test of the quality of a security plan, is to be able to explain it in reasonable detail, AND not have experts laugh at you and point out slews of holes.

      If you're trying to keep it secret, then it is most likely because you either have no credible plan, or you don't have much confidence in it....

      We're talking about anti-hacker defenses. This is not a military endeavor, where we should be concerned about adversaries copying our defense tactics to their own security planning.

    15. Re:Security through obscurity... by Obfuscant · · Score: 1

      Can! It CAN be important.

      "Then again ... the fact ..."

      Make no mistake, if I for a New York minute thought that there was no plan, I would have written: "The fact that there is no plan is just as important to keep secret."

      The only difference between what you wrote and what you thought you wrote is "it can be important". You are not questioning the fact, only the importance.

      Had you meant to question the fact, you would have conditionalized the fact, not the importance of keeping it secret. Like: "If it was a fact there was no plan, it would be important to keep that secret".

      Can does not mean is.

      Right. Got that. "It can be just as important to keep it a secret" means maybe it isn't important to keep a fact a secret.

    16. Re:Security through obscurity... by Ol+Olsoc · · Score: 1

      Yeah... pretty much. The TRUE test of the quality of a security plan, is to be able to explain it in reasonable detail, AND not have experts laugh at you and point out slews of holes.

      If you're trying to keep it secret, then it is most likely because you either have no credible plan, or you don't have much confidence in it....

      We're talking about anti-hacker defenses. This is not a military endeavor, where we should be concerned about adversaries copying our defense tactics to their own security planning.

      Right, this is what I'm saying. If they say "We have this awesome plan it's great, so great, it will take care of that problem right away. But we can't tell you anything about it!"

      It might mean there is an awesome plan that is great. It might also mean "we got nuthin!" Either way, the public won't know. Personally, I'm with you. Something that lends some credence to the idea is best - the public doesn't need the deep dark details - most wouldn't understand them anyhow.

      But we've been spoon-fed so much pure distilled bullshit about taking one day to fix problems that will be sooo easy, that anyone who isn't skeptical has massively suspended disbelief.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  4. Sorry Guys by whitlocktj · · Score: 5, Insightful

    I know all of you are concerned about Net Neutrality and would like to submit your claims on our site, but someone decided to attack us when you visited our site. Oh, you want evidence of the hack? Sorry, we cannot provide that. But rest assured, it will be prevented in the future. Oh, you want to know how we will prevent it? Well, that's a secret too. Oh, you don't think it actually happened? No, it did. Don't worry.

    1. Re:Sorry Guys by WillAffleckUW · · Score: 2

      We should vote on that using one of the easily hacked vote machines in use in the US today. You know, one of the ones that was hacked (e.g. every single one) at DEFCON.

      Yeah, sure.

      --
      -- Tigger warning: This post may contain tiggers! --
    2. Re:Sorry Guys by reboot246 · · Score: 0

      Pai doesn't trust the Democrats. Wise man.

    3. Re:Sorry Guys by Ol+Olsoc · · Score: 1

      We should vote on that using one of the easily hacked vote machines in use in the US today. You know, one of the ones that was hacked (e.g. every single one) at DEFCON.

      Yeah, sure.

      I recall articles about the ease with which the voting machines and system could be hacked around 2004-5. That includes actual hacking and a recipe for changing votes in order to make certain one candidate would beat another.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    4. Re:Sorry Guys by Anonymous Coward · · Score: 0

      Pai isn't a Democrat. Therefore he is a fool.

  5. oh, right by Anonymous Coward · · Score: 0

    pretty sure their plan to resist DDoS attacks (aka "complaints by American citizens RE: what is detrimental to their rights & freedoms") is to employ botting as active countermeasures against the people they're supposed to serve. it's a common theme with the Trump administration

  6. great idea! by TimMD909 · · Score: 1

    Security through obscurity always works! In other news, Ajit recommends moving telnet to port 22 and changing the password from "secret" to "S3CR3T", and they'll never get in as long as you keep it secret. Foolproof!

  7. BRING ME THE HEAD OF JOHN OLIVER by Thud457 · · Score: 1

    whoops, now you've gone too far!

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  8. Trump always picks the best! by Zero__Kelvin · · Score: 0, Troll

    Wait, are you telling me a former attorney is telling us all how his plan is to implement obscurity based security, and might be a liar? Didn't... see .... that ... coming.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  9. in other words by Anonymous Coward · · Score: 0

    We are going to use cloudflare and other solutions that big boy corporate types use, we just are not going to tell you because we want you to think we are doing something different and special when we in fact have no clue what we are doing.

    1. Re: in other words by Anonymous Coward · · Score: 0

      Clownflare..... oh, wait you're serious? If you want bugs at every layer of the stack and worse uptime than if you used nothing, they're certainly the go-to choice.

  10. Bull-Fucking-Shit by Anonymous Coward · · Score: 3, Informative

    There was never a DDOS attack. It was a deliberate attempt by the FCC to silence the critics of its plan to kill net neutrality.

    1. Re:Bull-Fucking-Shit by fafalone · · Score: 1

      Because if only a few more had gotten through, what then? Pai would change his mind? Trump? Congress? None of them give a rats ass what people want, or the already overwhelming opposition would matter.

  11. Cap'n Crunch by Anonymous Coward · · Score: 0

    I wonder if Cap'n Crunch will start putting whistles in cereal boxes again

    Security thru Obscurity always works (until it doesn't)

  12. Here's my 1-step plan to prevent attacks: by Rick+Schumann · · Score: 3, Insightful

    Step #1: Listen to the American public and industry leaders and SUPPORT NET NEUTRALITY.

    Expect my consultation bill in the mail, Mr. Pai.

    1. Re:Here's my 1-step plan to prevent attacks: by Anonymous Coward · · Score: 0

      great plan, the check is in the e-mail.

    2. Re:Here's my 1-step plan to prevent attacks: by Anonymous Coward · · Score: 1

      Sorry, there's no 'profit' step.

    3. Re:Here's my 1-step plan to prevent attacks: by Anonymous Coward · · Score: 0

      I do not support net neutrality until all those sites become neutral. or at least TRY to hide the censorship.
      That will never happen.

      So. I do not support net neutrality and made sure the fcc and my reps know it.

      You cant claim neutrality while fucking over anyone because. 'they're just a random user who didn't even pay, fuck them.'
      So nope. Fuck net neutrality. Not yours.
      try not being hypocrites if you want support.

    4. Re:Here's my 1-step plan to prevent attacks: by Anonymous Coward · · Score: 0

      idiot, you don't support net neutrality. What the Obama administration imposed is not network neutrality, it was incumbent protection.

    5. Re:Here's my 1-step plan to prevent attacks: by orgelspieler · · Score: 1

      ????????????????? So the reason why you think it's ok for your ISP to throttle your Netflix connection unless they pay ransom is because Facebook doesn't like boobies? That makes no sense whatsoever.

    6. Re:Here's my 1-step plan to prevent attacks: by Anonymous Coward · · Score: 0

      Congratulations; you're the biggest faggot on the planet, please kill yourself.

    7. Re:Here's my 1-step plan to prevent attacks: by Rick+Schumann · · Score: 1

      You're an idiot and you have no idea whatsoever what you're talking about.

    8. Re: Here's my 1-step plan to prevent attacks: by Anonymous Coward · · Score: 0

      I don't care if site xyz censors or not because I don't go there.

      I do care if ATT slows down all non ATT affiliated sites because I'm unlikely to visit ATTs crap content anyway and want the bandwidth I paid for wherever I'm going, not just to their garden.

  13. wikileaks reveal... by Anonymous Coward · · Score: 0

    dat dey be usin a birewall! de birewall be program 2 onely alow aufurize peepul 2 axes de serber.

  14. How could it laze? by Anonymous Coward · · Score: 0

    Not hard to hide an orbiting death laser platform...just to be sure.

    1. Re:How could it laze? by WillAffleckUW · · Score: 2

      Not hard to hide an orbiting death laser platform...just to be sure.

      You'd be surprised how hard that is, actually.

      --
      -- Tigger warning: This post may contain tiggers! --
    2. Re:How could it laze? by ubrgeek · · Score: 2

      Not if you throw enough Bothans at the problem.

      --
      Bark less. Wag more.
    3. Re:How could it laze? by WillAffleckUW · · Score: 1

      Oh, I thought you meant IRL.

      --
      -- Tigger warning: This post may contain tiggers! --
    4. Re:How could it laze? by skovnymfe · · Score: 1

      I imagine just getting it up there would trigger a few alerts.

  15. Let me guess... by Anonymous Coward · · Score: 1

    The new system only accepts the submissions ajit agrees with.

  16. Secret? by galabar · · Score: 1

    Not a Trump hater, but it seems like anything done to discourage DDOS attacks needs to be public. I'm not sure how "secret" plans can be helpful on an open internet.

    1. Re:Secret? by Obfuscant · · Score: 1

      Not a Trump hater, but it seems like anything done to discourage DDOS attacks needs to be public.

      Why? Will those countermeasures be more effective if more people know what they are? I don't think so. Will they be more effective if the details are broadcast to the public and a few helpful members of the public with behind the scenes knowledge of those systems then post exact means to bypass them?

      I'm not sure how "secret" plans can be helpful on an open internet.

      I'm not sure how you equate "secret plans" with not telling "everyone who doesn't need to know" exactly what your security systems are.

    2. Re:Secret? by Anonymous Coward · · Score: 0

      Not a Trump hater, but it seems like anything done to discourage DDOS attacks needs to be public.

      Why? Will those countermeasures be more effective if more people know what they are? I don't think so. Will they be more effective if the details are broadcast to the public and a few helpful members of the public with behind the scenes knowledge of those systems then post exact means to bypass them?

      You aren't looking at the bigger picture. The bigger picture is that we want to see a world where the Federal Communications Commission, with the *full backing of the CIA and NSA* can succeed in requesting and receiving public comments about an internet related issue *over the internet*. Instead, we have the FCC outsourcing that expert knowledge requirement to big $$ companies, and then keeping it secret, because they are really truly saying that their DDoS stratagem requires what academia and industry know as "security through obscurity". Which has a long academic history which factors into perceptions of credibility and assessment of the infrastructure in question.

      That the FCC has to wave their hands and pull out the security through obscurity card... does not lend itself to optimism about the current skill level of the CIA, NSA, and FCC regarding 'the cyber'. I mean, I guess DDoS attacks on the internet are a relatively new thing. :(

    3. Re:Secret? by bluefoxlucid · · Score: 1

      It's easy. They'll secretly stop paying attention to comments at all, thus mitigating the whole thing. This has already been put through numerous test runs over the past months.

    4. Re:Secret? by Obfuscant · · Score: 1

      You aren't looking at the bigger picture. The bigger picture is that we want to see a world where the Federal Communications Commission, with the *full backing of the CIA and NSA* can succeed in requesting and receiving public comments about an internet related issue *over the internet*.

      No, I didn't miss that. I don't agree that we need the full backing of the CIA and NSA, however. The support of the CIA or NSA is irrelevant. We can have nice things and get comments "over the internet" without the FCC explaining in detail how it will mitigate a DDOS in the future. Telling, not telling, same difference.

      because they are really truly saying that their DDoS stratagem requires what academia and industry know as "security through obscurity".

      No, they did not say that. You said that. You assume because they won't tell you the details of their information security that they don't have any. What you are missing is the concept of "infosec". The only people you tell about your security systems are people who have a need to know. You don't have that need. The congress doesn't have that need, especially since telling congress means telling the public at large.

      In case you've never dealt with the government, I can tell you that "infosec" and "opsec" overall is gaining increased emphasis. For example, I cannot tell you any of the military frequencies I work with on a regular basis because you have no need to know. It doesn't matter that you can find them on Google in five seconds (less, actually, but Google didn't show the "x results in x seconds" for a specific number). You might call this "security through obscurity", but the mil calls it "infosec". When you understand that concept, you'll maybe understand why the FCC didn't actually say they needed "security through obscurity".

      And unless you can explain a need to know, like, for example, that the security will work better because you know what it is, infosec says that you don't get told. Don't feel bad, I don't have a need to know either and they haven't told me.

  17. What's the big secret? by DaMattster · · Score: 1

    The government learns how to stop DDoS attacks from the civilian sector. What's the big secret there?

    1. Re:What's the big secret? by Anonymous Coward · · Score: 0

      The government learns how to stop DDoS attacks from the civilian sector. What's the big secret there?

      Presumably how incompetent the NSA and CIA are that they aren't up to the task of securing the nation's internet comment system relating to comments about the nation's internet regulatory system. Some paranoid schizophrenics are probably worried about that, lol. The other day I saw this Oliver Stone movie about this magical dude who worked for the NSA. I bet some of his magical friends could kick the asses of all those mean FCC comment system attackerzzzZZZ

      Wake me up at the intermission.

  18. Was the plan to roll weak sauce servers? by WillAffleckUW · · Score: 1

    Wait, think I found their plan.

    Was it the one to roll weak sauce servers with bad failback positions and not code for massive volumes of legit comment requests?

    Yeah, it was right here, next to the plan marked Mooch's Retirement Plans.

    --
    -- Tigger warning: This post may contain tiggers! --
  19. Yeah, skip public accountability! Works every time! by slack_justyb · · Score: 1

    Given the ongoing nature of the threats to disrupt the Commission's electronic comment filing system, it would undermine our system's security to provide a specific roadmap of the additional solutions to which we have referred

    Wow, and the FCC is what I would consider a pretty bland department much like USDA or FCIC. But wow, what a way to totally derail any credibility the department had. Hint, anytime an agency thinks doing something totally opaque to public review is a good idea, it's usually not a good idea.

  20. Security through obscurity explained . . . by Tanman · · Score: 2

    If obscurity is the primary method of security, meaning "if they discover how we are doing it then they can defeat it," then you have no security. You must plan for the eventuality that someone will know how you do it. So, if the FCC's new method requires that it remain obscure to remain effective, then it might as well have already been compromised. Of course, having an obscure security system that nobody knows about is helpful. Nobody would argue otherwise. But that should just be icing on the cake - a nice little perk. Think of this comparison of a time-lock safe vs. a hidden book box:

    Look at a time lock safe:
    1. It is known
    2. The way it works is known
    3. It is effective because of the security measures of the safe

    This is opposed to hiding valuables in a hidden book box:
    1. If it is not known, it might work
    2. If it is not known, it might be discovered through thorough searches and thus fail
    3. If it is known, it definitely won't work

    If you hide the time lock safe, then you do add a layer of cursory security. However, it is not the location/disguise of the safe that matters. It's the function of the safe's defenses that protect the valuables.

    1. Re:Security through obscurity explained . . . by bluefoxlucid · · Score: 1

      If you hide a time-lock safe, people go, "Shit, I didn't bring the tools for this." That's the odd thing about computers: they can be perfectly secure. A safe you can drill through in a week or so; code is math, and you have to find a mistake in the math or else no amount of axes and sledgehammers is getting you in.

      That's why reducing attack surface and layered security are paramount: less attack surface means the flaws are more-likely to be somewhere else; layers of security means you need to find multiple flaws in your attack surface--and you may need to get through higher layers to exploit flaws in lower layers anyway (although that doesn't matter, since you still need to break it all). This is why hacking into a home network directly is nigh on impossible (you can't even get into the Web configuration UI! You're looking for a high-impact kernel-level networking bug in a NAT router!), while hacking banks and corporate Web services is a constant threat (lots and lots of shit to attack).

      Security is an odd topic.

  21. Corporate cocksuckers by Anonymous Coward · · Score: 0

    Start killing them and you'll see problems disappearing before your eyes.

  22. Security by Obscurity isn't security! by MikeDataLink · · Score: 1

    Security by obscurity isn't a security mechanism, rather a puzzle... If getting into your house is simply a matter of finding where you left the Hide-a-key then your house was never secure in the first place.

    --
    Mike @ The Geek Pub. Let's Make Stuff!
  23. Solution by Anonymous Coward · · Score: 0

    If someone actually did DDoS the FCC (and every FCC-run thing on the net), it would be rather poetic justice.

      - It would show that no such plan to prevent future attacks is in place.
      - It would show that there are copious logs and public details when real attacks occur. Show that security professionals, network providers, etc. start beating their drums during actual DDoS attacks.
      - It would show that the FCC wants actual help from outsiders when attacks keep them offline.
      - It would show that the FCC is full of shit and not fulfilling its charter under the current "leadership".
      - It would give us cause for flushing Ajit Pai down the toilet like the turd that he is.

  24. DDoS protection IS possible... apk by Anonymous Coward · · Score: 0

    FROM -> http://msdn.microsoft.com/en-u...

    SYN Attack Protection

    ---

    The named value to enable SYN attack protection is located beneath the registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters.

    Value name: SynAttackProtect

    Recommended value: 2

    Valid values: 0 1 2

    Description: Causes TCP to adjust retransmission of SYN-ACKS. When you configure this value the connection responses timeout more quickly in the event of a SYN attack. A SYN attack is triggered when the values of TcpMaxHalfOpen or TcpMaxHalfOpenRetried are exceeded.

    ---

    SYN Protection Thresholds

    The following values determine the thresholds for which SYN protection is triggered. All of the keys & values in this section are under the registry key

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters

    Value name: TcpMaxPortsExhausted

    Recommended value: 5

    Valid values: 0-65535

    Description: Specifies the threshold of TCP connection requests that must be exceeded before SYN flood protection is triggered.

    Value name: TcpMaxHalfOpen

    Recommended value data: 500

    Valid values: 100-65535

    Description: When SynAttackProtect is enabled this value specifies the threshold of TCP connections in the SYN_RCVD state. When SynAttackProtect is exceeded SYN flood protection is triggered.

    Value name: TcpMaxHalfOpenRetried

    Recommended value data: 400

    Valid values: 80-65535

    Description: When SynAttackProtect is enabled this value specifies the threshold of TCP connections in the SYN_RCVD state for which at least one retransmission has been sent. When SynAttackProtect is exceeded SYN flood protection is triggered.

    ---

    More Protections

    All keys & values in this section are located under the registry key

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters

    Value: TcpMaxConnectResponseRetransmissions

    Recommended value data: 2

    Valid values: 0-255

    Description: Controls how many times a SYN-ACK is retransmitted before canceling the attempt when responding to a SYN request.

    Value name: TcpMaxDataRetransmissions

    Recommended value data: 2

    Valid values: 0-65535

    Description: Specifies the number of times that TCP retransmits an individual data segment (not connection request segments) before aborting the connection.

    Value name: EnablePMTUDiscovery

    Recommended value data: 0

    Valid values: 0 1

    Description: Setting this value to 1 (default) forces TCP to discover the maximum transmission unit or largest packet size over the path to a remote host. An attacker can force packet fragmentation which overworks the stack.

    Specifying 0 forces the MTU of 576 bytes for connections from hosts not on the local subnet.

    Value name: KeepAliveTime

    Recommended value data: 300000

    Valid values: 80-4294967295

    Description: Specifies how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet.

    ---

    "Null-routing" (A network w/ multiple IP addresses ala multi-homed servers ahead of production ones must be done "upstream" of them):

    http://en.wikipedia.org/wiki/N...

    ---

    Microsoft &/or Amazon setups alert them to DoS/DDoS & can start "shutting down" IP address sources of packets for DDoS easily - it's the reason "Anonymous" can't "take them down" (& they've tried).

    ---

    Microsoft: We're not vulnerable to DDoS attacks

    http://www.networkworld.com/co...

    PERTINENT QUOTE:

    "At Microsoft we have robust m
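
    Added example, not part of the post above and not Microsoft's own code: a PowerShell audit of the TcpIp\Parameters values the post quotes, comparing what is actually set on the host against the recommended data listed there and reporting drift rather than silently changing anything. It assumes the key path and value names exactly as quoted; the function names Get-TcpHardeningState and Set-TcpHardeningState are made up for this example.

```powershell
# Added example (not from the Slashdot post or from Microsoft's documentation).
# Audits the legacy TCP/IP SYN-flood hardening values quoted above against the
# recommended data and reports drift. Reading needs no elevation; writing does.
# Assumption: key path and value names are exactly as quoted in the post.

$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Recommended data as quoted in the post (value name -> expected DWORD).
$Recommended = [ordered]@{
    SynAttackProtect                     = 2
    TcpMaxPortsExhausted                 = 5
    TcpMaxHalfOpen                       = 500
    TcpMaxHalfOpenRetried                = 400
    TcpMaxConnectResponseRetransmissions = 2
    TcpMaxDataRetransmissions            = 2
    EnablePMTUDiscovery                  = 0
    KeepAliveTime                        = 300000
}

function Get-TcpHardeningState {
    # Returns one object per value: current data, recommended data, compliance flag.
    [CmdletBinding()]
    param([string]$KeyPath = $Path)

    $props = Get-ItemProperty -Path $KeyPath -ErrorAction Stop
    foreach ($name in $Recommended.Keys) {
        $prop = $props.PSObject.Properties[$name]
        # $null means the value is absent and the stack's built-in default applies.
        $current = if ($prop) { $prop.Value } else { $null }
        [pscustomobject]@{
            Name        = $name
            Current     = $current
            Recommended = $Recommended[$name]
            Compliant   = ($null -ne $current -and $current -eq $Recommended[$name])
        }
    }
}

function Set-TcpHardeningState {
    # Writes the recommended data; supports -WhatIf / -Confirm so changes can be previewed.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$KeyPath = $Path)

    foreach ($name in $Recommended.Keys) {
        $target = "$KeyPath\$name"
        if ($PSCmdlet.ShouldProcess($target, "Set DWORD to $($Recommended[$name])")) {
            # -Force overwrites an existing value of the same name.
            New-ItemProperty -Path $KeyPath -Name $name -PropertyType DWord `
                -Value $Recommended[$name] -Force | Out-Null
        }
    }
}

# Usage: list drift, then preview the write without touching the registry.
Get-TcpHardeningState | Format-Table -AutoSize
Set-TcpHardeningState -WhatIf   # drop -WhatIf to apply (elevated shell; reboot for TCP to reread)
```

    Two caveats a practitioner would want alongside this: the values quoted in the post describe the Windows Server 2003-era stack, and the auto-tuning stack in Windows Vista / Server 2008 and later no longer consults SynAttackProtect and the TcpMaxHalfOpen* thresholds, so on current hosts the audit mostly documents configuration drift rather than changing SYN-flood behaviour; and host-level TCP tuning only helps with connection-state exhaustion on the box itself, which is why the post's own null-routing and upstream-provider lines are the part that matters for a volumetric DDoS.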

  25. smells like cloudflare. run for the hills. by danda · · Score: 1

    has worked with commercial cloud providers

    In other words, cloudflare.

    If they are using SSL/TLS, this is a problem.

    Cloudflare is a giant man in the middle, and a breach of trust between end-users and the websites they wrongly believe they are securely connected to. Sites that use it are subverting the intent of the SSL/TLS certificate system and making the little lock icon meaningless.

    See Details

  26. Obscurity by Anonymous Coward · · Score: 0

    Undermining security

  27. Could the plan be--- by Anonymous Coward · · Score: 0

    -- just stop accepting public comments?

    1. Re:Could the plan be--- by gl4ss · · Score: 1

      -- just stop accepting public comments?

      well, actually, yeah. that is their plan.

      they were getting too many public comments, getting "flooded" with comments if you will. and flooding is ddos. so therefore, they just stopped reading the stuff or taking them into consideration so the problem is solved.

      --
      world was created 5 seconds before this post as it is.
  28. SIGH. So fucking obvious I'm getting tired of it. by Narcocide · · Score: 1

    They don't have any plan to stop or even mitigate DDOS attacks. I bet most of their "expert" IT staff barely even knows what one is, and the rest of them are the ones actually carrying out the DDOS attacks in the first place.

    Nothing more to see here. This country is finished. Move along.

  29. Re:smells like cloudflare. run for the hills. by Barefoot+Monkey · · Score: 1

    I personally feel that browsers should consider blocking all external scripts on HTTPS pages unless those scripts have a matching integrity attribute, or at least make valid integrity for foreign scripts a requirement for avoiding the Mixed Content warning.

  30. Sure Ajit Pai, We Believe You.... :( by Anonymous Coward · · Score: 0

    Nah. You are trying to control the game. I've got a deal for you -- I'll consult with you for FREE. I'm not traveling to DC for this nonsense because EVERYONE with a web presence that has any marketing impact has ALREADY SOLVED THIS PROBLEM.

    Just support Net Neutrality. It's what the American People want. Do your job and listen. All of you government cronies should HAVE to work for free. Then we won't have money do the talking.

  31. Python by Anonymous Coward · · Score: 0

    For some reason this headline causes me to envision Michael Palin and John Cleese:
    MP: You haven't got a plan.
    JC: Yes I do!
    MP: No you haven't!
    JC: I do!
    MP: Tell us about it then.
    JC: wull....It's a Secret!

  32. Translation by Anonymous Coward · · Score: 0

    We've stopped using Hillary's server.

  33. Just turn off the internet by Anonymous Coward · · Score: 0

    At least until everybody is on OUR side again :)