Slashdot Mirror


FCC Says Its Specific Plan To Stop DDoS Attacks Must Remain Secret (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: FCC Chairman Ajit Pai and Democratic lawmakers have been exchanging letters about a May 8 incident in which the public comments website was disrupted while many people were trying to file comments on Pai's plan to dismantle net neutrality rules. The FCC says it was hit by DDoS attacks. The commission hasn't revealed much about what it's doing to prevent future attacks, but it said in a letter last month that it was researching "additional solutions" to protect the comment system. Democratic Leaders of the House Commerce and Oversight committees then asked Pai what those additional solutions are, but they didn't get much detail in return.

"Given the ongoing nature of the threats to disrupt the Commission's electronic comment filing system, it would undermine our system's security to provide a specific roadmap of the additional solutions to which we have referred," the FCC chief information officer wrote. "However, we can state that the FCC's IT staff has worked with commercial cloud providers to implement Internet-based solutions to limit the amount of disruptive bot-related activity if another bot-driven event occurs." The CIO's answers to lawmakers' questions were sent along with a letter from Pai to Reps. Frank Pallone, Jr. (D-N.J.), Elijah Cummings (D-Md.), Mike Doyle (D-Penn.), DeGette (D-Colo.), Robin Kelly (D-Ill.), and Gerald Connolly (D-Va.). The letter is dated July 21, and it was posted to the FCC's website on July 28.


  1. I Found It by Shakrai · · Score: 5, Funny

    It was in a drawer next to Trump's plan to defeat ISIS. More details to follow.

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
    1. Re:I Found It by sconeu · · Score: 1

      I guess I'm way older than you.... I thought it was next to Nixon's Secret Plan to end the war in Vietnam.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    2. Re:I Found It by sexconker · · Score: 1, Insightful

      Nixon's plan was to nuke. He was told that wouldn't be happening about 5 minutes into his term.

    3. Re:I Found It by Ziest · · Score: 2, Insightful

      A secret plan to end an undeclared war backed by a silent majority.

      No one does bullshit better than GOP

       

      --
      Another day closer to redwood heaven
    4. Re:I Found It by dog77 · · Score: 1

      Please cite a reference for this. There was no secret plan. Nixon was quoted before the 1968 elections saying “If I had any way to end the war, I would pass it on to President [Lyndon] Johnson.” All evidence prior to the 1968 election was that Nixon would end the war, not win the war, through a combination of diplomatic and military pressure. He actually did increase the aggressiveness of aspects of the war such as going after the enemy in sanctuary areas, but as a strategy of applying pressure, rather than seeking an all out military victory.

      I am not trying to defend Nixon or his strategy, I just don't like political narratives based on false and misleading information.

      https://mediamythalert.wordpre...

    5. Re:I Found It by Chewbacon · · Score: 1

      You mean "bomb the **** outta them?"

      --
      Chewbacon
      The Bible is like Wikipedia: written by a bunch of people and verifiable by questionable sources.
    6. Re:I Found It by s.petry · · Score: 1

      I didn't give an excuse or reason, I gave a fact. GP blamed the GOP for problems, yet the GOP was not in control of the Legislative branch of the Government and hadn't been for decades. GP's assertion is provably false because of the fact I provided. Plenty of blame to go around, so take your share if you are a Democrat.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    7. Re:I Found It by JoePete · · Score: 1

      As much as this is off-topic, I think the record shows Nixon brought an end to the war by removing the bombing halt that had been imposed by Johnson. Most notably, the Linebacker II campaign, which allowed sustained bombing of the north and Hanoi, brought the North Vietnamese to the negotiating table. We ended up with a peace treaty, the release of POWs, and the survival of South Vietnam - which was essentially our main reason for being there. Now, not long after, we have Nixon resigning in the midst of the Watergate scandal, Congress passing the Case-Church amendment, and then, an opportunistic North Vietnam invading the south again, knowing (or at least making a safe bet) that given Watergate and Case-Church, the U.S. wouldn't come back to Southeast Asia despite the pleas of the South or Nixon's successor (Ford). If you want to couch this as Democrats vs. Republicans, so be it, but consider this: Six presidents (three Democrat, three Republican) and 13 Secretaries of Defense served in their capacities between the First Indochina War (precursor to Second Indochina War, aka the Vietnam Conflict) and the fall of Saigon. Of those six presidents, three came to office through succession. Nearly every major event in the war came near a presidential transition (how is that foreign opportunism?).

    8. Re:I Found It by q4Fry · · Score: 1

      It was in a drawer next to Trump's plan to defeat ISIS. More details to follow.

      Operation "Beware of the Leopard" ?

  2. How could it fail? by MountainLogic · · Score: 5, Insightful

    After all, unvetted encryption and security have never failed. And the best security is obscurity!

  3. Security through obscurity... by Anonymous Coward · · Score: 1

    is no security at all.

    1. Re:Security through obscurity... by Obfuscant · · Score: 2

      Even with the ancient adages about "security via obscurity", one does not wisely broadcast details about the security systems one is using. It's called "infosec", or more broadly, "opsec".

    2. Re:Security through obscurity... by Anonymous Coward · · Score: 1

      Even with the ancient adages about "security via obscurity", one does not wisely broadcast details about the security systems one is using. It's called "infosec", or more broadly, "opsec".

      Indeed, it's the difference between knowing that you look like a fool now, and being made to look like a complete fool at some unknown time later.

    3. Re:Security through obscurity... by Anonymous Coward · · Score: 1

      Or not looking like a fool at all in public, or to people who pay your salary, because successful attacks are never reported.

      Successful attacks aren't discovered.

    4. Re:Security through obscurity... by Ol+Olsoc · · Score: 3, Funny

      Even with the ancient adages about "security via obscurity", one does not wisely broadcast details about the security systems one is using. It's called "infosec", or more broadly, "opsec".

      Then again, it can be just as important to keep the fact that there is no plan a secret.

      We have had many plans that were bragged about by the party of the moral high ground turn out to be no plan at all. OBlamacare repeal, the Freedom Jesuscare health act, and everything Don for Life has ever promised. If the model is followed, it involves shutting the computer off and not much more.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    5. Re:Security through obscurity... by Ol+Olsoc · · Score: 2

      Then again, it can be just as important to keep the fact that there is no plan a secret.

      You are claiming a fact when you have none. You assume there is no plan because nobody is willing to tell you what it is.

      SRSLY? Tell me exactly where I claimed there is no plan. Having an awesome completely foolproof secret plan that will work every time and make the free internet safe forever and anon might have every bit the same need for secrecy as "We got nuthin'."

      You need to read a little better before just deciding to disagree because you want to argue with someone.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    6. Re:Security through obscurity... by Obfuscant · · Score: 1

      Tell me exactly where I claimed there is no plan.

      Already quoted you: "Then again, it can be just as important to keep the fact that there is no plan a secret." Where did this fact come from?

      Having an awesome completely foolproof secret plan that will work every time and make the free internet safe forever and anon might have every bit the same need for secrecy as "We got nuthin'."

      Hyperbole much? No, not "might", "does". That's the basis behind the concept of "infosec".

    7. Re:Security through obscurity... by Ol+Olsoc · · Score: 1

      Tell me exactly where I claimed there is no plan.

      Already quoted you: "Then again, it can be just as important to keep the fact that there is no plan a secret." Where did this fact come from?

      Can! It CAN be important.

      Make no mistake, if I for a New York minute thought that there was no plan, I would have written: "The fact that there is no plan is just as important to keep secret."

      Not a bit of ambiguity there. That would be me saying exactly that there was no plan. But I didn't write that. Can does not mean is. Thanks for playing, but I'm not in the mood to diagram sentences tonight.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    8. Re:Security through obscurity... by EETech1 · · Score: 1

      The plan is to let the ISP charge you per bit, and throttle you at will. This should take care of all that excess traffic!

    9. Re:Security through obscurity... by mysidia · · Score: 1

      Even with the ancient adages about "security via obscurity", one does not wisely broadcast details about the security systems one is using.

      In this case, they should explain what their plan is. If that would be a "concern", then it probably means that their plan is a flawed one, and they should be taking comments from the public about potential alternative mitigation plans.

      They could start by introducing Captchas on submission forms, for example.

    10. Re:Security through obscurity... by mysidia · · Score: 1

      We have had many plans that were bragged about by the party of the moral high ground turn out to be no plan at all.

      Yeah... pretty much. The TRUE test of the quality of a security plan, is to be able to explain it in reasonable detail, AND not have experts laugh at you and point out slews of holes.

      If you're trying to keep it secret, then it is most likely because you either have no credible plan, or you don't have much confidence in it....

      We're talking about anti-hacker defenses. This is not a military endeavor, where we should be concerned about adversaries copying our defense tactics to their own security planning.

    11. Re:Security through obscurity... by Obfuscant · · Score: 1

      Can! It CAN be important.

      "Then again ... the fact ..."

      Make no mistake, if I for a New York minute thought that there was no plan, I would have written: "The fact that there is no plan is just as important to keep secret."

      The only difference between what you wrote and what you thought you wrote is "it can be important". You are not questioning the fact, only the importance.

      Had you meant to question the fact, you would have conditionalized the fact, not the importance of keeping it secret. Like: "If it was a fact there was no plan, it would be important to keep that secret".

      Can does not mean is.

      Right. Got that. "It can be just as important to keep it a secret" means maybe it isn't important to keep a fact a secret.

    12. Re:Security through obscurity... by Ol+Olsoc · · Score: 1

      Yeah... pretty much. The TRUE test of the quality of a security plan, is to be able to explain it in reasonable detail, AND not have experts laugh at you and point out slews of holes.

      If you're trying to keep it secret, then it is most likely because you either have no credible plan, or you don't have much confidence in it....

      We're talking about anti-hacker defenses. This is not a military endeavor, where we should be concerned about adversaries copying our defense tactics to their own security planning.

      Right, this is what I'm saying. If they say "We have this awesome plan it's great, so great, it will take care of that problem right away. But we can't tell you anything about it!"

      It might mean there is an awesome plan that is great. It might also mean "we got nuthin!" Either way, the public won't know. Personally, I'm with you. Something that lends some credence to the idea is best - the public doesn't need the deep dark details - most wouldn't understand them anyhow.

      But we've been spoon-fed so much pure distilled bullshit about taking one day to fix problems that will be sooo easy, that anyone who isn't skeptical has massively suspended disbelief.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  4. Sorry Guys by whitlocktj · · Score: 5, Insightful

    I know all of you are concerned about Net Neutrality and would like to submit your claims on our site, but someone decided to attack us when you visited our site. Oh, you want evidence of the hack? Sorry, we cannot provide that. But rest assured, it will be prevented in the future. Oh, you want to know how we will prevent it? Well, that's a secret too. Oh, you don't think it actually happened? No, it did. Don't worry.

    1. Re:Sorry Guys by WillAffleckUW · · Score: 2

      We should vote on that using one of the easily hacked vote machines in use in the US today. You know, one of the ones that was hacked (e.g. every single one) at DEFCON.

      Yeah, sure.

      --
      -- Tigger warning: This post may contain tiggers! --
    2. Re:Sorry Guys by Ol+Olsoc · · Score: 1

      We should vote on that using one of the easily hacked vote machines in use in the US today. You know, one of the ones that was hacked (e.g. every single one) at DEFCON.

      Yeah, sure.

      I recall articles about the ease with which the voting machines and system could be hacked around 2004-5. That includes actual hacking and a recipe for changing votes in order to make certain one candidate would beat another.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  5. great idea! by TimMD909 · · Score: 1

    Security through obscurity always works! In other news, Ajit recommends moving telnet to port 22 and changing the password from "secret" to "S3CR3T", and they'll never get in as long as you keep it secret. Foolproof!

  6. BRING ME THE HEAD OF JOHN OLIVER by Thud457 · · Score: 1

    whoops, now you've gone too far!

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  7. Bull-Fucking-Shit by Anonymous Coward · · Score: 3, Informative

    There was never a DDOS attack. It was a deliberate attempt by the FCC to silence the critics of its plan to kill net neutrality.

    1. Re:Bull-Fucking-Shit by fafalone · · Score: 1

      Because if only a few more had gotten through, what then? Pai would change his mind? Trump? Congress? None of them give a rats ass what people want, or the already overwhelming opposition would matter.

  8. Here's my 1-step plan to prevent attacks: by Rick+Schumann · · Score: 3, Insightful

    Step #1: Listen to the American public and industry leaders and SUPPORT NET NEUTRALITY.

    Expect my consultation bill in the mail, Mr. Pai.

    1. Re:Here's my 1-step plan to prevent attacks: by Anonymous Coward · · Score: 1

      Sorry, there's no 'profit' step.

    2. Re:Here's my 1-step plan to prevent attacks: by orgelspieler · · Score: 1

      ????????????????? So the reason why you think it's ok for your ISP to throttle your Netflix connection unless they pay ransom is because Facebook doesn't like boobies? That makes no sense whatsoever.

    3. Re:Here's my 1-step plan to prevent attacks: by Rick+Schumann · · Score: 1

      You're an idiot and you have no idea whatsoever what you're talking about.

  9. Let me guess... by Anonymous Coward · · Score: 1

    The new system only accepts the submissions ajit agrees with.

  10. Secret? by galabar · · Score: 1

    Not a Trump hater, but it seems like anything done to discourage DDOS attacks needs to be public. I'm not sure how "secret" plans can be helpful on an open internet.

    1. Re:Secret? by Obfuscant · · Score: 1

      Not a Trump hater, but it seems like anything done to discourage DDOS attacks needs to be public.

      Why? Will those countermeasures be more effective if more people know what they are? I don't think so. Will they be more effective if the details are broadcast to the public and a few helpful members of the public with behind the scenes knowledge of those systems then post exact means to bypass them?

      I'm not sure how "secret" plans can be helpful on an open internet.

      I'm not sure how you equate "secret plans" with not telling "everyone who doesn't need to know" exactly what your security systems are.

    2. Re:Secret? by bluefoxlucid · · Score: 1

      It's easy. They'll secretly stop paying attention to comments at all, thus mitigating the whole thing. This has already been put through numerous test runs over the past months.

    3. Re:Secret? by Obfuscant · · Score: 1

      You aren't looking at the bigger picture. The bigger picture is that we want to see a world where the Federal Communications Commission, with the *full backing of the CIA and NSA* can succeed in requesting and receiving public comments about an internet related issue *over the internet*.

      No, I didn't miss that. I don't agree that we need the full backing of the CIA and NSA, however. The support of the CIA or NSA is irrelevant. We can have nice things and get comments "over the internet" without the FCC explaining in detail how it will mitigate a DDOS in the future. Telling, not telling, same difference.

      because they are really truly saying that their DDoS stratagem requires what academia and industry know as "security through obscurity".

      No, they did not say that. You said that. You assume because they won't tell you the details of their information security that they don't have any. What you are missing is the concept of "infosec". The only people you tell about your security systems are people who have a need to know. You don't have that need. The congress doesn't have that need, especially since telling congress means telling the public at large.

      In case you've never dealt with the government, I can tell you that "infosec" and "opsec" overall is gaining increased emphasis. For example, I cannot tell you any of the military frequencies I work with on a regular basis because you have no need to know. It doesn't matter that you can find them on Google in five seconds (less, actually, but Google didn't show the "x results in x seconds" for a specific number). You might call this "security through obscurity", but the mil calls it "infosec". When you understand that concept, you'll maybe understand why the FCC didn't actually say they needed "security through obscurity".

      And unless you can explain a need to know, like, for example, that the security will work better because you know what it is, infosec says that you don't get told. Don't feel bad, I don't have a need to know either and they haven't told me.

  11. What's the big secret? by DaMattster · · Score: 1

    The government learns how to stop DDoS attacks from the civilian sector. What's the big secret there?

  12. Was the plan to roll weak sauce servers? by WillAffleckUW · · Score: 1

    Wait, think I found their plan.

    Was it the one to roll weak sauce servers with bad failback positions and not code for massive volumes of legit comment requests?

    Yeah, it was right here, next to the plan marked Mooch's Retirement Plans.

    --
    -- Tigger warning: This post may contain tiggers! --
  13. Yeah, skip public accountability! Works everytime! by slack_justyb · · Score: 1

    Given the ongoing nature of the threats to disrupt the Commission's electronic comment filing system, it would undermine our system's security to provide a specific roadmap of the additional solutions to which we have referred

    Wow, and the FCC is what I would consider a pretty bland department much like USDA or FCIC. But wow, what a way to totally derail any credibility the department had. Hint, anytime an agency thinks doing something totally opaque to public review is a good idea, it's usually not a good idea.

  14. Re:How could it laze? by WillAffleckUW · · Score: 2

    Not hard to hide an orbiting death laser platform...just to be sure.

    You'd be surprised how hard that is, actually.

    --
    -- Tigger warning: This post may contain tiggers! --
  15. Security through obscurity explained . . . by Tanman · · Score: 2

    If obscurity is the primary method of security, meaning "if they discover how we are doing it then they can defeat it," then you have no security. You must plan for the eventuality that someone will know how you do it. So, if the FCC's new method requires that it remain obscure to remain effective, then it might as well have already been compromised. Of course, having an obscure security system that nobody knows about is helpful. Nobody would argue otherwise. But that should just be icing on the cake - a nice little perk. Think of this comparison of a time-lock safe vs. a hidden book box:

    Look at a time lock safe:
    1. It is known
    2. The way it works is known
    3. It is effective because of the security measures of the safe

    This is opposed to hiding valuables in a hidden book box:
    1. If it is not known, it might work
    2. If it is not known, it might be discovered through thorough searches and thus fail
    3. If it is known, it definitely won't work

    If you hide the time lock safe, then you do add a layer of cursory security. However, it is not the location/disguise of the safe that matters. It's the function of the safe's defenses that protect the valuables.

    1. Re:Security through obscurity explained . . . by bluefoxlucid · · Score: 1

      If you hide a time-lock safe, people go, "Shit, I didn't bring the tools for this." That's the odd thing about computers: they can be perfectly secure. A safe you can drill through in a week or so; code is math, and you have to find a mistake in the math or else no amount of axes and sledgehammers is getting you in.

      That's why reducing attack surface and layered security are paramount: less attack surface means the flaws are more-likely to be somewhere else; layers of security means you need to find multiple flaws in your attack surface--and you may need to get through higher layers to exploit flaws in lower layers anyway (although that doesn't matter, since you still need to break it all). This is why hacking into a home network directly is nigh on impossible (you can't even get into the Web configuration UI! You're looking for a high-impact kernel-level networking bug in a NAT router!), while hacking banks and corporate Web services is a constant threat (lots and lots of shit to attack).

      Security is an odd topic.

  16. Security by Obscurity isn't security! by MikeDataLink · · Score: 1

    Security by obscurity isn't a security mechanism, rather a puzzle... If getting into your house is simply a matter of finding where you left the Hide-a-key then your house was never secure in the first place.

    --
    Mike @ The Geek Pub. Let's Make Stuff!
  17. Re:How could it laze? by ubrgeek · · Score: 2

    Not if you throw enough Bothans at the problem.

    --
    Bark less. Wag more.
  18. Re:How could it laze? by WillAffleckUW · · Score: 1

    Oh, I thought you meant IRL.

    --
    -- Tigger warning: This post may contain tiggers! --
  19. smells like cloudflare. run for the hills. by danda · · Score: 1

    has worked with commercial cloud providers

    In other words, cloudflare.

    If they are using SSL/TLS, this is a problem.

    Cloudflare is a giant man in the middle, and a breach of trust between end-users and the websites they wrongly believe they are securely connected to. Sites that use it are subverting the intent of the SSL/TLS certificate system and making the little lock icon meaningless.

    See Details

  20. SIGH. So fucking obvious I'm getting tired of it. by Narcocide · · Score: 1

    They don't have any plan to stop or even mitigate DDOS attacks. I bet most of their "expert" IT staff barely even knows what one is, and the rest of them are the ones actually carrying out the DDOS attacks in the first place.

    Nothing more to see here. This country is finished. Move along.

  21. Re:Could the plan be--- by gl4ss · · Score: 1

    -- just stop accepting public comments?

    well, actually, yeah. that is their plan.

    they were getting too many public comments, getting "flooded" with comments if you will. and flooding is ddos. so therefore, they just stopped reading the stuff or taking them to consideration so the problem is solved.

    --
    world was created 5 seconds before this post as it is.
  22. Re:smells like cloudflare. run for the hills. by Barefoot+Monkey · · Score: 1

    I personally feel that browsers should consider blocking all external scripts on HTTPS pages unless those scripts have a matching integrity attribute, or at least make valid integrity for foreign scripts a requirement for avoiding the Mixed Content warning.
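
The policy proposed in the comment above, modelled as a page audit. This is an added example, not part of the original thread: it flags every foreign-origin script that lacks an `integrity` attribute or whose fetched body does not match it. The `.example` hosts, the sample page and the script bodies are constructed, and the `fetched` map stands in for network responses so the check runs offline.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hash algorithms defined for Subresource Integrity, weakest to strongest.
ALGS = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(body: bytes, alg: str = "sha384") -> str:
    """Return the integrity value ("<alg>-<base64 digest>") for a script body."""
    return f"{alg}-{base64.b64encode(hashlib.new(alg, body).digest()).decode()}"


def integrity_matches(integrity: str, body: bytes) -> bool:
    """True if body matches a hash of the strongest algorithm listed.

    Stricter than browsers today: an integrity value with no usable hash
    counts as a failure here instead of being ignored.
    """
    parsed = []
    for token in integrity.split():
        # Drop any "?options" suffix, then split "<alg>-<base64>".
        alg, _, b64 = token.partition("?")[0].partition("-")
        if alg in ALGS and b64:
            parsed.append((alg, b64))
    if not parsed:
        return False
    strongest = max((alg for alg, _ in parsed), key=ALGS.get)
    return any(alg == strongest and sri_hash(body, alg) == f"{alg}-{b64}"
               for alg, b64 in parsed)


class ScriptCollector(HTMLParser):
    """Collect (src, integrity) for every <script src=...> on a page."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            self.scripts.append((attrs["src"], attrs.get("integrity")))


def origin(url: str):
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port)


def audit(page_url: str, html: str, fetched: dict) -> dict:
    """Map each script URL to the verdict the proposed policy would give."""
    collector = ScriptCollector()
    collector.feed(html)
    verdicts = {}
    for src, integrity in collector.scripts:
        url = urljoin(page_url, src)  # resolves relative and "//host" forms
        if origin(url) == origin(page_url):
            verdicts[url] = "same-origin"
        elif not integrity:
            verdicts[url] = "blocked: no integrity"
        elif integrity_matches(integrity, fetched.get(url, b"")):
            verdicts[url] = "allowed"
        else:
            verdicts[url] = "blocked: hash mismatch"
    return verdicts


# Constructed sample page and responses (not taken from any real site).
PAGE_URL = "https://comments.example/file"
LIB = b"function submitComment(form) { return form.checkValidity(); }\n"
SAMPLE_HTML = f"""
<script src="/static/app.js"></script>
<script src="https://cdn.example/lib.js" integrity="{sri_hash(LIB)}" crossorigin="anonymous"></script>
<script src="https://cdn.example/widget.js" integrity="{sri_hash(LIB)}" crossorigin="anonymous"></script>
<script src="//analytics.example/t.js"></script>
"""
FETCHED = {
    "https://cdn.example/lib.js": LIB,
    "https://cdn.example/widget.js": LIB + b"/* modified in transit */",
    "https://analytics.example/t.js": b"track();",
}

if __name__ == "__main__":
    for url, verdict in audit(PAGE_URL, SAMPLE_HTML, FETCHED).items():
        print(f"{verdict:24} {url}")
```
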

  23. Re:How could it laze? by skovnymfe · · Score: 1

    I imagine just getting it up there would trigger a few alerts.