
FCC says its cybersecurity measures to prevent DDoS attacks must remain secret - janober
https://techcrunch.com/2017/07/31/fcc-says-its-cybersecurity-measures-to-prevent-ddos-attacks-must-remain-secret
======
komali2
I really liked [1] this comment on reddit illustrating evidence that not only
was there no cyber attack on the FCC, but that it also self-orchestrated its
supposed "DDOS." Curious HN's thoughts.

Realistically (or perhaps otherwise), what can Americans without enough money
to lobby individually, do to prevent the FCC acting against our greater good,
especially in the face of evidence that they are maliciously acting against
the greater good? I have already called all of my senators and congressfolk,
as well as written the president (for all that will do). This does not feel
effective.

[1]: https://www.reddit.com/r/technology/comments/6odans/fcc_now_says_there_is_no_documented_analysis_of/dkgxguo/

~~~
MikeKusold
While I suspect the DDOS was fabricated, the linked reddit comment is flawed.

They claim that because the FCC uses Akamai as a CDN, the FCC is immune
from DDOS attacks. The FCC comment section is heavily reliant on a database,
and you could simply overwhelm the database to DDOS that site. I would bet it
is unlikely that the FCC utilized a cache for the queries.

~~~
hilyen
It really depends; the calls to their database wouldn't be direct, it'd be
through a REST API which then communicates with a DB. That REST API likely has
some sort of DDOS protection, like for example how Cloudflare protects ALL
requests to the domain.

But anyway, their excuse that it needs to be secret is BS, DDOS protection
methods are widespread and not very secret as it is. They probably just want
to keep it secret, because they don't actually have proper DDOS protection.

~~~
featherverse
> But anyway, their excuse that it needs to be secret is BS, DDOS protection
> methods are widespread and not very secret as it is. They probably just want
> to keep it secret, because they don't actually have proper DDOS protection.

This.

At what point did the government become a special interest group which does
not exist to protect the nation it serves? Providing good security advice is
their job.

Even if they do have some super secret techniques, keeping them secret is not
a strategy, it's what idiots who don't know anything about technology or
computers or network security would do.

I would trust Cloudflare's staff over the FCC's I.T. department every day of
the week, and I hate Cloudflare.

~~~
lilott8
Not only that, in what way does an independent agency having zero ties to
national security or the IC have any right to hold just about anything
secret? This is asinine!

~~~
arca_vorago
I think you underestimate just how far we've allowed natsec expansion to taint
even the most benign agencies.

As a constitutionalist, the real problem as I have condensed it is that the
balance between providing for the common defense has completely overshadowed
things like securing the blessings of liberty. Our gov is increasingly leaning
authoritarian, and the populace has allowed it.

~~~
lilott8
I wouldn't say I've underestimated anything. That was an honest question; as
in: "what mental gymnastics did the FCC do to even think that keeping secrets
is allowable?"

That aside, I would agree with you.

~~~
arca_vorago
Ah, a small miscommunication I guess. My guess is the decision to keep secrets
was made and then someone was told to do the gymnastics.

------
saagarjha
Translation: their protection is bad and they don't want to reveal its
mediocrity publicly, or there was no attack.

~~~
stock_toaster
My guess is both. The actual volume of semi-automated (there were a few canned
form submission tools) negative feedback may have resulted in a DOS (due to
unexpected volume), and the mitigation was probably just to write it to
/dev/null.

~~~
yebyen
There was most definitely an automated (fraudulent) effort; if you doubt it, go
and see [1] whether submissions were made in your family members' names. I have
no idea if it's Comcast doing it; my impression is that's just a catchy name
for the site.

There is a complex regex search that the site uses to find copies of "the
comment" – I was shocked how many of my family members (not with their actual
addresses, but names of actual members of my family) filed brief comments that
start out "The unprecedented regulatory power the Obama Administration imposed
on the internet is smothering innovation, damaging the American economy and
obstructing job creation."

Presumably the text is varied in order to hamper the efforts of people like
Comcastroturf that are trying to help quantify the number of these fraudulent
comments that were filed.

I have no idea if the volume of these types of comments is enough to
constitute a "DoS" attack, let alone DDOS, but the scale is quite grand.

I was shocked how few names I had to try before I found copies of "the
comment" in filings in the names of many members of my family. Maybe about 50%
hit rate. Higher with a common name.

[1]: http://www.comcastroturf.com

~~~
zamalek
So the reason FCC won't release these records is that they don't want to
implicate their boss?

~~~
yebyen
Haha. Yes.

The news coverage of this campaign was back in May, but the campaign continued
on into July at least.

------
wavefunction
It's ok, we got Barron and Ajit on it, they're geniuses at the cyber.

In all seriousness, my research following the DDOS/astro-turfing campaign led
me to at least some of the astro-turfing being the result of efforts by the
Center for Individual Freedom[0], a far right-wing political operation
masquerading as a non-profit.

There's an entire shadowy layer of questionable "public advocacy" groups out
there tied to unquestionably partisan organizations. And sometimes even the
political parties themselves.

The Center for Individual Freedom for example has received monies from
Crossroads GPS[1], which is Karl Rove's umbrella organization for disbursing
funds raised nationally to further the extreme agenda of the American
right-wing and its financial backers, whether that be Putin or the Kochs.

[0]: cfif.org

[1]: www.motherjones.com/politics/2012/04/karl-rove-crossroads-gps-center-individual-freedom/

------
coldcode
Well one way to tell would be to DDoS the FCC and see if it works. But of
course they likely don't have anything and are just covering up their
fictitious story with gobbledegook. Proving they were DDoS'd by showing
evidence of the attack would in no way affect how they protect against it. But
then they know that.

------
vxNsr
The FCC's comments and all their interactions with the public since Ajit Pai
has taken over honestly sound like what I would say to someone who I know has
no idea about how technology works, when I screwed up but don't want them to
know. I'm surprised we haven't heard about BSODs and Exchange emails being
lost or hard drives accidentally wiped after two days as is policy.

It's pretty clear that he's trying to pull the wool over our eyes, and because
the tech press has gone from being actual journalists to just eating up PR
pieces and worrying about access so much that they refuse to do any real
investigations, we're left with no one who appears credible to the public to
actually do the investigation and publicize the wrongdoing.

------
wadeboggs
Hard to defend against the old 'John Oliver mentioned my website' DDoS.

------
oneplane
Because obscurity is the best security!... right? FCC knows what's best for
everyone.

~~~
tdeck
Isn't DDOS mitigation an area where obscurity is the standard? I am no expert
on this but it seems like most providers keep the info about how they filter
traffic pretty close to the chest.

~~~
0xcde4c3db
As far as I can tell (as someone in the networking field but not a DDoS or HA
expert), the standard for DDoS mitigation is basically "be bigger": too many
POPs/routes, too much capacity to eat packets and establish TCP connections,
capacity to serve cached responses, etc. such that even a huge attack simply
can't exhaust your resources. To even think about classification and filtering
means that you're somehow ingesting and processing this stuff; DDoS becomes
threatening exactly when you lack the capacity to do that.

~~~
tdeck
I guess I was thinking about providers like Prolexic that filter the traffic
for you. They must have some methodology for doing that.

------
Wheaties466
A DDoS is often also used to describe infrastructure that cannot handle load
by people who do not know what they are talking about. I suspect that is what
has happened here.

------
kakarot
Security by obfuscation... That's not a good sign.

------
bluetwo
I just don't trust that guy.

