The FCC.gov Website Lets You Upload Malware Using Its Own Public API Key (hackernoon.com)
324 points by knaik94 on Aug 31, 2017 | hide | past | web | favorite | 100 comments

This is a sad but easily fixed vulnerability on the part of the FCC. The bigger issue, in my mind, is the fact that the student (presumably an American citizen) who just uploaded a file via a public API is legitimately scared of aggressive retribution from his government. That should speak volumes of where we've fallen as a country.

Does it really? I'm genuinely curious during what time period you think our government would've reacted differently. This got me thinking, how would people expect different countries to react to something like this?

By making that tweet he's impersonating a government agency and passing it off as an official document. If he hadn't posted that tweet I'm sure he wouldn't have anything to fear.

EDIT: I looked up the relevant law: False Impersonation of Federal Officer or Employee [0]. It doesn't seem he got anything of value, so it's unlikely he could be charged. Although I'd be surprised if he didn't at least receive a stern conversation from a government official.

[0] http://www3.ce9.uscourts.gov/jury-instructions/node/508

Is creating a document with an official letterhead but no signature an "impersonation of Federal Officer or Employee"? Paraphrasing Sir Humphrey, that seems to cause epistemological problems of sufficient magnitude as to lay upon the logical and semantic resources of the English language a heavier burden than they can reasonably be expected to bear.

I think it depends what you're doing with it. For example, if I use my document with official letterhead to send my neighbor a fine that he should pay by mail in cash (that I can then intercept from his mailbox) - that's probably criminal. On the other hand, if I were to use my forged letterhead to write "Don't just trust anything written on a document like this, it's easy to forge!" I hope that wouldn't be.

The original incident in the article seems more like the latter to me. If I were on the jury, I certainly wouldn't convict.

Your example still seems like it wouldn't be impersonation, even if it's fraud.

It's not an official document unless it's officially written in the minutes by an official

Surely that's what makes it impersonation?

I believe mattyw was replying to my reference of Yes, Prime Minister with another one :)


> That should speak volumes of where we've fallen as a country.

Yeah, it's obviously substantially below FDR interning 100,000 Japanese people [1] based on their ethnicity. Or spraying black neighborhoods with toxic chemicals to test on them in the 1950s. [2] Or J. Edgar Hoover's decades-long parade of power abuses and rights violations of the American People. Or Lyndon Johnson inserting us - hundreds of thousands of drafted young men - into a civil war in Vietnam, in which we helped to directly kill vast numbers of people with no clear plan or explanation for why we were there. Or the testing of hundreds of nuclear weapons on US soil, with little concern for how it would harm citizens. Or Sherman burning down Atlanta. Or Nixon's parade of abuses. Or the CIA's countless, terrifying programs in the 1970s. Or how the FBI tried to get MLK to kill himself. Or prohibition and the terrible results that imposed upon the people (e.g. rampant organized crime). Or the 50 year war on drugs and the horrific toll that has taken on the people.

We used to treat our people with the utmost dignity and respect.

[1] https://en.wikipedia.org/wiki/Internment_of_Japanese_America...

[2] http://www.businessinsider.com/army-sprayed-st-louis-with-to...

> This is a sad but easily fixed vulnerability on the part of the FCC.

By law they need to share what you post publicly, including files. This 'vulnerability' has been around for decades.

Hosting files is a feature. The bug is doing so on the same domain as an official government source. The fix is registering a non-gov domain like fccusercontent.com and hosting files from there. (Also they should probably limit the API to only accept PDFs, txt, and other reasonable file types.)

Or something like citizens-uploaded-content.gov

This is more realistic because I believe the US government is mostly restricted from using the .com TLD. That decision came from:

"Digital Government: Building a 21st Century Platform to Better Serve the American People". United States Federal CIO Council. May 23, 2012.

The Federal government can authorize a contractor to host authorized content: annualcreditreport.com

This is a bad idea, though, as it makes it easy and legal for non-authorized entities to impersonate the authorized ones: freecreditreport.com

How is PDF a reasonable file type?

This is what github did with gist and github pages, for similar issues.

It seems more appropriate just to add a ~ to the url, indicating that it's a user-uploaded file from an otherwise trusted domain. Browsers can then warn users about that however they want.

From some quick googling, it seems to me that having a ~ in the url is not a standard, rather it is only a coincidence that most of the time it is used in cases where the content is user uploaded (e.g. the user home directory on a UNIX machine).

It's not a coincidence, the reason that universities and other content providers follow this pattern is specifically to signal that the company/institution doesn't vouch for whatever is being hosted.

The reason is because that's how mod_userdir has worked for a couple of decades or so.

It was a way to easily allow unprivileged users to share content from their ~/public_html/ directory.

Interesting. This makes sense from a technical perspective.

Nevertheless, it's clearly associated with UGC content, and as far as I know there have never been any major sites that have hosted non-UGC content using this scheme. (E.g. there is no history of use for things like Amazon product pages or whatever.)

And in school we were always taught that content coming from user pages on university systems shouldn't be cited as if it were academic content being published or endorsed by the university. I'm sure others were taught the same.

The reason this matters is the same origin policy, which tilde does not protect you from

That makes sense. I still think there is good reason to create a standard around this indicating UGC content within a subdomain though. For example:

- Browsers might want to treat it differently for malware scanning purposes.

- Content owners might want to treat it differently when filing automated DMCA complaints.

- Search engines might want to treat it differently for ranking purposes.

One of the biggest reasons why GitHub (for example) uses a separate subdomain is so that a persistent XSS exploit on their UGC domain cannot access HTTPOnly cookies or other information from their real domain. Impersonation is a bigger problem for a government, but it's also a security measure against how broken the current security model for things like cookies is.

I get why subdomains can be useful for preventing XSS and CORS issues, especially for non API-driven sites. The problem is that subdomains are used for all sorts of things, so just because something is on a subdomain doesn't signal that it's UGC content. Even if you hosted each person's content on its own subdomain, it would still be useful to have a standard way to signal that this content wasn't created by the organization who owns the domain.

The benefit of the tilde is that, at least as far as I know, it has never been used for anything other than signaling that something is UGC content. (Even if that was a technological accident and not its original intent.)

> it would still be useful to have a standard way to signal that this content wasn't created by the organization who owns the domain.

Do you think the assumption that the content was created by the organization who owns the domain should be default? Wouldn't it be better for the organization to provide a signature for the content it did create?

> Do you think the assumption that the content was created by the organization who owns the domain should be default?

Sure, and I think that is the current assumption. What's missing is a way to specify UGC content that wasn't created by the organization.

> Wouldn't it be better for the organization to provide a signature for the content it did create?

I don't think this would be viable for two reasons:

- It would require people to do the work to opt in, without any obvious incentive for doing so.

- No obvious way to differentiate UGC content from javascript dependencies, fonts, ad trackers, etc.

Whereas there are good use cases for allowing folks to mark content as being UGC. For example, let's say the game Draw Something wanted to let users upload their creations. So no security issues, since images are created through their own app, but they don't necessarily want everyone thinking that they're spending all day creating and uploading millions of dick drawings either.

I have no idea what problem you think you are solving. Could you clearly state your goals and why you think they are broadly applicable?

So the original question was how to signal that files uploaded by users to the FCC were not created by the FCC. Some people suggested entirely different domains, but that's hacky and doesn't really solve the issue. And maybe the content should be hosted on a subdomain for security reasons, but that still doesn't solve the issue of signaling that it wasn't created by the FCC.

I suggested just adding a ~ to the domain name, because when you see a domain name like this:


It's universally recognized that the content on that page was not created by columbia.edu or cs.columbia.edu in an official capacity.

Other people said we can't do this because it's not an official standard, so I said let's just make it a standard. Which I think is good because it keeps an important piece of Internet culture alive by codifying it, which would let people rely on it when designing new systems. And ultimately it should work because there is no history of this URL pattern being used for non-UGC content.

It amazes me that you consider this post to be an accurate depiction of the way the world is.

It appears your only goal is to be right.

Ugh, typo (and I can't edit it anymore). I meant "separate domain". Subdomains actually don't protect against cookie attacks.
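The cookie-scoping rule behind the "separate domain, not subdomain" point above, as an added example that is not code from the thread or from GitHub. It implements the RFC 6265 domain-match rule (section 5.1.3) and the Domain-attribute checks a browser applies when storing a cookie (section 5.3), with the public-suffix list reduced to a few entries for illustration; fccusercontent.com is the hypothetical name suggested earlier in the thread, and www.fcc.gov / ugc.fcc.gov are assumed host names.

```python
"""Why a subdomain does not isolate UGC cookies but a separate domain does.

Added example, not code from the thread or from GitHub. It models the
RFC 6265 domain-match rule (section 5.1.3) and the Domain-attribute checks
a browser applies when storing a cookie (section 5.3). The public-suffix
list is reduced to a few entries for illustration; fccusercontent.com is
the hypothetical name suggested earlier in the thread.
"""
from typing import Optional

# Simplified public-suffix list: browsers reject Domain attributes that
# would cover a whole TLD, so no site can set a cookie for all of .gov.
PUBLIC_SUFFIXES = {"com", "gov", "org", "net"}


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: the host equals the domain or is a subdomain of it."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".").rstrip(".")
    if host == domain:
        return True
    # Subdomain match; IP-address hosts never domain-match.
    return host.endswith("." + domain) and not host.replace(".", "").isdigit()


def store_cookie(setting_host: str, name: str,
                 domain_attr: Optional[str] = None) -> Optional[dict]:
    """Model a browser receiving Set-Cookie from setting_host.

    Returns the stored cookie, or None when the browser must ignore it.
    """
    if domain_attr is None:
        # No Domain attribute: host-only cookie, sent back only to this host.
        return {"name": name, "domain": setting_host.lower(), "host_only": True}
    domain = domain_attr.lower().lstrip(".")
    if domain in PUBLIC_SUFFIXES:
        return None
    # A site may only widen a cookie to a domain that covers itself.
    if not domain_matches(setting_host, domain):
        return None
    return {"name": name, "domain": domain, "host_only": False}


def is_sent(cookie: dict, request_host: str) -> bool:
    """Would the browser attach this cookie to a request for request_host?"""
    if cookie["host_only"]:
        return request_host.lower() == cookie["domain"]
    return domain_matches(request_host, cookie["domain"])


def ugc_isolation_report() -> dict:
    """Compare the two hosting options discussed in the thread.

    For each candidate UGC host, check (1) whether a Domain=fcc.gov session
    cookie set by the main site travels with requests to the UGC host, and
    (2) whether script on the UGC host can plant a cookie that the main site
    will later receive (cookie tossing).
    """
    report = {}
    for ugc_host in ("ugc.fcc.gov", "fccusercontent.com"):
        session = store_cookie("www.fcc.gov", "session", domain_attr="fcc.gov")
        planted = store_cookie(ugc_host, "session", domain_attr="fcc.gov")
        report[ugc_host] = {
            "main_site_cookie_sent_to_ugc": is_sent(session, ugc_host),
            "ugc_can_plant_cookie_for_main_site":
                planted is not None and is_sent(planted, "www.fcc.gov"),
        }
    return report


if __name__ == "__main__":
    for host, result in ugc_isolation_report().items():
        print(host, result)
```

With the subdomain option both checks come back True: the main site's domain cookie is sent to ugc.fcc.gov, and a Set-Cookie with Domain=fcc.gov issued from ugc.fcc.gov is accepted and later sent to www.fcc.gov. With a separate registrable domain both come back False, because fccusercontent.com neither domain-matches fcc.gov nor may set a cookie for it.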

They use it because universities traditionally exposed per-user web pages through the Unix shortcut path to their home account directory. The tilde has no other significance and doesn't make much sense outside of a Unix system.

Normal people not familiar with tech won't know what that means. They'll see fcc.gov and think it's safe.

Is that an actual standard or... just common practice?

It's a unix standard, or at least more than just a design pattern. You know how in any unix shell, typing cd ~ takes you to your home directory? This is actually a shortcut for typing cd ~yourusername. So having xyz.tld/~username/... in a url path means that the file is hosted in userland, since ~username is the first part of the filepath hosted behind that URL.

Websites have been using this pattern for 25+ years, so it's pretty universal by now.

It's not even a standard. At best you could call it a convention. And a much more narrowly defined one than you seem to think.

The `~` or `~username` is expanded by your shell (but not necessarily all shells) and has nothing to do with the operating system. If you pass a filename like `~myusername/test.txt` to any unix's open() syscall, it's going to either fail or open a file in a directory literally called `~myusername`. This means anywhere you're passing a filename into a program that isn't your shell does not generally support that syntax.

A narrowly defined, poorly recognized convention is not a great thing to rely on for security purposes.

Fair enough. What's the process for submitting it as a proposed standard? I'll write it up.

It depends on where you want to make the proposal. I'd make a guess with the POSIX standard. At that point, I think you'd submit a proposal somewhere around http://www3.opengroup.org/content/posix®

Also, that ® at the end of posix is part of the URL, you will unfortunately get a 404 if you don't copy-paste it right. You might be better to search for "site:opengroup.org posix"

Good luck, man

It's not a security standard.

Agree. Which is why I have decided to be unhelpful instead of risk spending my life in prison for trying to fix a bug.

File types should be restricted, there is no need to allow exes to be uploaded.
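An upload policy of the kind the "hosting files is a feature" comment and this one describe (allow-listed file types, hosted off the official domain), written here as an added example that is not the FCC's code. It assumes the API receives the raw upload bytes plus the client's filename, that accepted files are served from a separate non-.gov origin (UGC_ORIGIN is a placeholder host), and that the type is decided from the file's leading bytes rather than its name or declared MIME type, both of which the uploader controls.

```python
"""Upload policy for a public filing API that also serves the files.

Added example, not the FCC's code. Assumptions: the API receives the raw
upload bytes and the client's filename; accepted files are served from a
separate, non-.gov origin (UGC_ORIGIN is a placeholder); the permitted type
is decided from magic bytes, never from the name or declared MIME type.
"""
import hashlib
import re
from typing import Optional

UGC_ORIGIN = "https://ugc.example.invalid"  # placeholder, not a real host
MAX_BYTES = 10 * 1024 * 1024                # constructed limit for the example

# Magic bytes of the permitted types.
ALLOWED_SIGNATURES = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}
# Headers of native executables (PE, ELF, Mach-O): rejected before anything else.
EXECUTABLE_SIGNATURES = (b"MZ", b"\x7fELF", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe")

CONTENT_TYPES = {
    "pdf": "application/pdf",
    "png": "image/png",
    "jpg": "image/jpeg",
    "txt": "text/plain; charset=utf-8",
}
UNSAFE_NAME_CHARS = re.compile(r"[^A-Za-z0-9_-]")


def sniff_type(data: bytes) -> Optional[str]:
    """Return the permitted type for these bytes, or None if not permitted."""
    if data.startswith(EXECUTABLE_SIGNATURES):
        return None
    for kind, signatures in ALLOWED_SIGNATURES.items():
        if data.startswith(signatures):
            return kind
    # Plain text: valid UTF-8 with no NUL bytes. HTML lands here too, but it
    # is served as text/plain with nosniff, so browsers will not render it.
    if data and b"\x00" not in data:
        try:
            data.decode("utf-8")
            return "txt"
        except UnicodeDecodeError:
            pass
    return None


def accept_upload(filename: str, data: bytes) -> dict:
    """Validate an upload and describe how it would be stored and served."""
    if not data or len(data) > MAX_BYTES:
        return {"accepted": False, "reason": "empty or too large"}
    kind = sniff_type(data)
    if kind is None:
        return {"accepted": False, "reason": "file type not permitted"}
    # Server-chosen name: content hash plus a sanitised stem, with the
    # extension set from the sniffed type rather than the client's name.
    stem = filename.replace("\\", "/").rsplit("/", 1)[-1].rsplit(".", 1)[0]
    stem = UNSAFE_NAME_CHARS.sub("_", stem)[:40] or "upload"
    stored = f"{hashlib.sha256(data).hexdigest()[:16]}-{stem}.{kind}"
    headers = {
        "Content-Type": CONTENT_TYPES[kind],
        "X-Content-Type-Options": "nosniff",   # browser honours Content-Type as sent
        "Content-Disposition": f'attachment; filename="{stored}"',
        "Content-Security-Policy": "sandbox",  # no script, no same-origin access
    }
    return {"accepted": True, "type": kind, "stored_name": stored,
            "url": f"{UGC_ORIGIN}/file/{stored}", "headers": headers}


if __name__ == "__main__":
    print(accept_upload("notice.pdf", b"%PDF-1.4\n%constructed sample\n"))
    print(accept_upload("notice.pdf", b"MZ\x90\x00" + bytes(64)))
```

The check order matters: executable headers are rejected first, the allow-list is consulted second, and anything left is accepted only if it is NUL-free UTF-8 and then served as plain text. The served URL lives on the separate origin and the stored name is chosen by the server, so an uploader can neither pick a filename that looks official nor rely on the browser sniffing a different type.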

On the flip side, using a gov website to host malware probably has a multiplier effect on charges brought against someone if they get caught.

He published a document[1] on their website with the letter head of the FCC, signed as the FCC. He was trying to impersonate the FCC. There were plenty of other things he could have posted to show off the vulnerability, without the worry of legal trouble.

[1]: https://ecfsapi.fcc.gov/file/DOC-578d579d1f000000-A.pdf

> He was trying to impersonate the FCC.

Was he? This was obviously satirical. Impersonation involves a genuine attempt at deception, not merely having a few trappings of something official. Otherwise, what's the difference between this and somebody dressing-up as a cop for Halloween?

It isn't similar to dressing up as a cop. It would be similar to dressing up as one, going to the police station, and telling people that they were a cop. Then trying to explain that it was only a joke and they didn't think people would believe them.

I'd argue along the same lines as a dead comment here:

the student's mistake (well, beyond not contacting them to report the issue) was using the FCC's official letterhead to create an embarrassing document and uploading it to their official website and posting it on social media.

That's pretty much a "fuck you" and not a great way to start a conversation.

After reading the API docs, it appears that the FCC operates a mini-imgur/pastebin/file hosting service to help attach files to FCC filings:


Unfortunately, these "temporary" file uploads end up accessible from the main FCC domain (i.e. fcc.gov), unlike e.g., Google (e.g., "googleusercontent.com" vs. "google.com"). In Google's case, the separate domain helps distinguish the content as unofficial.

It's understandable why it was originally engineered this way, since it's probably easier to create a subdomain under fcc.gov rather than to get an unrelated domain, but that's why we ended up here!

"Easier" is relative. And in this case relatively small.

The server and DNS configuration you need for a subdomain is identical to what you need for a separate domain. Possibly slightly more to manage if you are using the "naked" domain because of the DNS issue with not supporting CNAME records on the naked domain.

If you already have a wildcard SSL certificate for the subdomain a separate domain might be more work because you need a new cert and you don't if you stick with a subdomain.

The most work is actually buying the domain.

Then again, this is government we are talking about so buying a $10 domain is probably three weeks worth of paperwork.

More likely that the developer didn't even think about it, I know I probably wouldn't.

You should!

There are security implications galore, mostly due to the same-origin policy. Books can and have been written about web security; if you're writing webapps, you need to read one.

I'm not saying you shouldn't think about it, it's just a non-obvious vulnerability.

Most of them are. Thus the book.

My feeling is that it's like computer security, you can bleat all you like about how the millions of developers have to magically know this stuff, or you can build it in by default.

One method works, one doesn't.

But keep on telling people to read a book, for all the good it will do.

It's not like I'm in any position to do what you're suggesting. It's a bit late to revamp the entire web "security model" by this point.

> Then again, this is government we are talking about so buying a $10 domain is probably three weeks worth of paperwork.

It's not that bad.

It is slightly annoying that the procurement rules don't let sysadmins buy multi-year domain registrations---not even for .gov domains.

Ultimately, there's nothing stopping a federal employee or contractor from buying another domain except ignorance of good infosec practices. Even a .gov domain isn't all that expensive---$400/year is a drop in the bucket of federal spending.

Wait, .gov domains cost money? I guess I just thought the US government assigned them as needed to agencies. Never thought about cross agency bills.

41 CFR part 102-173, the law that authorizes GSA to run the dot-gov registry, allows them to recover their operational costs from registrants:


It completely makes sense, I just never thought about it.

And how many layers of red tape do you think the dev would have to go through to get a new domain?

And how far removed is the sub-team that manages this specific content posting part of the web content from the DNS team/process/red-tape to even make the inquiry about how to?

On my team as a private company it looks like:

Dev: "Can I have a domain?" Me: "Sure." 10 minutes later, done.

In government I imagine you need a procurement order which needs to be approved. And my anecdotal experience has been that the dev teams don't always take high priority in those queues.

I'm sure it's not as hard as I made it out to be but it is certainly not as straight forward as many of us are used to.

It's not really linked to private vs public. It's more of an organisation size question. I can guarantee that if you were working in a megacorp it would be the same issue.

I work in a megacorp. Can confirm. Have to file tickets, and they have to seek approvals for either delegation of server allotments and subdomains or new dns pointers or worse.

I regularly need to host internal applications accessible by other staff and often just do so from my machine during the daytime and send them updated IP addresses/ports where they can access them... boss didn't even think it was possible...

Yeah. I imagine the government processes are pretty convoluted.

And this is how you get departments running their own infrastructure lava-layered over the top of the unresponsive corporate IT...

Pretty much.

Some of the tools are temporary mind you, and it's much quicker to run the temp tool on my machine through the local network for a couple of weeks than to spend a few days waiting on resource allocation and then getting it shut down afterward.

Some of them are scheduled to be merged into larger projects that will seek out the necessary permanent resources... in time.

And things always take their time. It's my first excursion into such a large company and it is boggling at times. Things that would be small flaws in a smaller business are magnified 10, or 100x.

I work in a megacorp. I'd expect it to take about a day (but of course we also already have domains for exactly this purpose too).

To be fair, at every large company I've ever worked for (mostly major oil companies, not tech companies) it's at least a two to three month process.

It's actually worse than you made it out to be. In order to buy a dotgov domain, you not only need your management's approval (and since it's "representing the department to the public" that chain goes very high up) you also need to convince GSA (the registrar for dotgov) that you have a need for a new domain. It's not fun unless you're 18F under the Obama administration, and they don't count.

A lot of public universities had a homegrown dropbox lurking somewhere in their infrastructure. Thankfully they were already abused to the point that schools have been shutting them down over the last 5-10 years. (Usually abuse not in the form of malware, but in the form of file sharing movies, etc)

The description of the author of the pdf that made the rounds yesterday is exactly what I expected.

It's a shame most organizations do not do a good job handling vulnerability reports from outside sources and everyone knows it (so nobody tries to alert the organization). I would be very surprised if he was the first procrastinating college student to figure this out.

I'll send reports of vulnerabilities to some companies out there, but the US government is one area I would never speak a word about any of this to.

If I had discovered this, I'd wipe my trail clean and never speak of it again. The likelihood that I'd end up in federal prison for it is just way too high.

I'm not sure why people are saying things like this.

Why would you go to Federal Prison for using an intended feature on a government website?

Because I don't know how it was intended to be used.

Just because you can do something doesn't mean you are legally allowed to. People have been prosecuted for simply opening URLs without any authentication, and I know the specifics of that case were different, but it still terrifies me that I might accidentally trigger a bug in a system that looks "intended" to me, but to them looks like a malicious attack.

And once they have decided it's against their intention, I'm in the wrong. There's no way for me to easily or quickly "prove" my intentions were pure or my understanding was incorrect, and even if I could it's still months or years of litigation possibly with me in jail.

And all of this goes doubly for trying to be a whitehat and letting the government know about vulnerabilities. Saying "hey I found this vuln in your system" is pretty much a confession that I did break the law and used a computer system illegally.

Unrelated: What is with the MAGA types that started them using 'cuck' as a catch-all derogatory term? Do any of them realize it's a common sexual fetish which people knowingly and consensually engage in? It's not actually an insult, it's like saying "person who likes bondage".

Etymologically, cuckold used to refer to someone being cheated on without their knowledge and consent (and still has that meaning in the dictionary, though its usage is rather archaic now). Using it to refer to the fetish is somewhat more recent. Historically, it has been used as a derogatory term or insult in certain cultures and time periods. So their usage of it isn't exactly unprecedented, though it is odd that it's been latched on to as a generic insult. https://en.wikipedia.org/wiki/Cuckold

So kind of like hosting files you didn't intend to.

It is leakage from the weird inverted sexual landscape that MRAs and incels swim in - an internet meme grown too large to contain.

It also serves as a handy handle to insult someone's virility or manliness that fits better in a tweet.

> fits better in a tweet

I wonder how much Twitter influences which new slang catches on. 'Bae' is a convenient three letters. For that matter, 'SJW' and 'MRA' are nice and short. You can get each term into a tweet, twice even, without using up much space.

Start throwing around 8 or 10 letter terms and no one is going to tweet them enough to quickly force them into culture.

Interesting point! Given the tools we have now to analyze corpus, I bet you could track the birth of memes - especially with an eye towards the question you posed.

I shorten lots of terms on irc and elsewhere as well, just because it's faster to type. I doubt this is really a twitter only thing, though of course twitter has a huge influence in spreading these things.

> Do any of them realize it's a common sexual fetish which people knowingly and consensually engage in?

That's precisely the intended meaning, that one literally or figuratively enjoys being taken advantage of.

I've always heard it in more of a political sense. An example for the cuck insult would be, Foo is a cuck because he likes to watch others come over to his house and fuck his wife.

When applied to political situations, Foo's wife would be the US and the others would be illegal immigrants. So Foo is a cuck because he wants illegal immigrants to come over and mess up the US.

And I do believe that many of them are aware that it's a fetish, with many jokes about Foo's wife's boyfriend.

If I recall correctly it was a term popular in other circles (like /r/theredpill on reddit) that make up a lot of the popular online alt-right communities (like /r/the_donald) [1]. The merging of these communities (that generally seem to have hate and/or cynicism as their common thread) resulted in new insults like libcuck (combination of libtard and cuck). It would be fascinating if it wasn't so depressing.

[1] https://fivethirtyeight.com/features/dissecting-trumps-most-...

From my experience observing its usage, it can refer to the willful beta-[noun] of any topic. They would call a person a 'cuck' for not taking a lead or position of power, just as easily as they call a country 'cucked' for not being nationalist enough. What remains is promotion of aggressive alpha-everything tendencies.

IMO, it's because it's a term that they can use without getting much kickback. Before, they might use "fag" or whatever, but folks would (rightly) take offense to that. Even folks not directly targeted by those slurs would call out their use. Not as many people are going to go out of their way to defend cuckolds and fight back against the new(ish) slur.

That sounds a little naive. Terms for consensual homosexuality have been used pejoratively for a long time.

It's sort of a linguistic convergence - it began as an in-group term of abuse for those considered not to be hardline enough: https://en.m.wikipedia.org/wiki/Cuckservative

When I read it, the implication I got was that the accused gets perverse pleasure from watching corporations defile civil liberties.

Like, if he called him a douche, I'd assume it was to say he doesn't care about his obligations to the American people and is only interested in helping his rich buddies... not that the prankster was too lazy to come up with anything other than a gross and generic comparison to female hygiene.

Not so different from the term ass-kisser in that sense.

It's doubly interesting because seemingly all these people who pride themselves on not being cuckolds seem to need rescuing by a reality tv star with bad hair and small hands.

If that's not the definition of being "cucked" I'm not sure what is.

...and probably get 10 years in federal prison for doing so.

... per upload.

... per megabyte.

It says here you uploaded something nasty called a "Mega Bite"? Please explain that.

Given that prosecutors tried to show that Sergey Aleynikov was acting maliciously by using Subversion [0] (obviously it's subversive!), I wouldn't be surprised if they tried that.

[0]: https://www.vanityfair.com/news/2013/09/michael-lewis-goldma...

Hacking is an act of war now. Pretty sure due process and prison are on the generous end of the outcome spectrum.

It was just a prank bro!

At first, given the headline, I thought this was some new investigative feature.

It looks like they have fixed it (at least some part of it).

"Access Denied. File must be attached to a posted filing to be available."

To me the real shock is someone who can figure this out is against net neutrality! I thought only Comcast etc was against it.

