FCC Says Its Specific Plan To Stop DDoS Attacks Must Remain Secret (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: FCC Chairman Ajit Pai and Democratic lawmakers have been exchanging letters about a May 8 incident in which the public comments website was disrupted while many people were trying to file comments on Pai's plan to dismantle net neutrality rules. The FCC says it was hit by DDoS attacks. The commission hasn't revealed much about what it's doing to prevent future attacks, but it said in a letter last month that it was researching "additional solutions" to protect the comment system. Democratic Leaders of the House Commerce and Oversight committees then asked Pai what those additional solutions are, but they didn't get much detail in return.
"Given the ongoing nature of the threats to disrupt the Commission's electronic comment filing system, it would undermine our system's security to provide a specific roadmap of the additional solutions to which we have referred," the FCC chief information officer wrote. "However, we can state that the FCC's IT staff has worked with commercial cloud providers to implement Internet-based solutions to limit the amount of disruptive bot-related activity if another bot-driven event occurs." The CIO's answers to lawmakers' questions were sent along with a letter from Pai to Reps. Frank Pallone, Jr. (D-N.J.), Elijah Cummings (D-Md.), Mike Doyle (D-Penn.), DeGette (D-Colo.), Robin Kelly (D-Ill.), and Gerald Connolly (D-Va.). The letter is dated July 21, and it was posted to the FCC's website on July 28.
Re: (Score:2)
I guess I'm way older than you.... I thought it was next to Nixon's Secret Plan to end the war in Vietnam.
Re: (Score:2, Insightful)
Nixon's plan was to nuke. He was told that wouldn't be happening about 5 minutes into his term.
Re: (Score:3, Insightful)
A secret plan to end an undeclared war backed by a silent majority.
No one does bullshit better than GOP
Re: (Score:1)
Seeing as how the Democrats have controlled the House and Senate almost exclusively for 40 years from 1957, you can't blame the GOP. Citation [wikimedia.org] for the lazy.
Re: (Score:2)
You mean "bomb the **** outta them?"
Re: (Score:2)
-- just stop accepting public comments?
well, actually, yeah. that is their plan.
they were getting too many public comments, getting "flooded" with comments if you will. and flooding is ddos. so therefore, they just stopped reading the stuff or taking them to consideration so the problem is solved.
Re: (Score:2)
It was in a drawer next to Trump's plan to defeat ISIS. More details to follow.
Operation "Beware of the Leopard" ?
How could it fail? (Score:5, Insightful)
Re: (Score:2)
Not hard to hide an orbiting death laser platform...just to be sure.
You'd be surprised how hard that is, actually.
Re: (Score:1)
Oh, I thought you meant IRL.
Security through obscurity... (Score:1)
is no security at all.
Re: (Score:1)
Even with the ancient adages about "security via obscurity", one does not wisely broadcast details about the security systems one is using. It's called "infosec", or more broadly, "opsec".
Indeed, it's the difference between knowing that you look like a fool now, and being made to look like a complete fool at some unknown time later.
Re: (Score:1)
Or not looking like a fool at all in public, or to people who pay your salary, because successful attacks are never reported.
Successful attacks aren't discovered.
Re:Security through obscurity... (Score:4, Funny)
Even with the ancient adages about "security via obscurity", one does not wisely broadcast details about the security systems one is using. It's called "infosec", or more broadly, "opsec".
Then again, it can be just as important to keep the fact that there is no plan a secret.
We have had many plans that were bragged about by the party of the moral high ground turn out to be no plan at all. OBlamacare repeal, the Freedom Jesuscare health act, and everything Don for Life has ever promised. If the model is followed, it involves shutting the computer off and not much more.
Re: (Score:1)
Then again, it can be just as important to keep the fact that there is no plan a secret.
You are claiming a fact when you have none. You assume there is no plan because nobody is willing to tell you what it is.
I assume that it is prudent not to tell anyone who has no need to know what your plan is. That's the difference. I understand the concepts of opsec and infosec and prefer that our government follow those precepts unless there is a compelling reason not to. I see none here.
Re: (Score:3)
Then again, it can be just as important to keep the fact that there is no plan a secret.
You are claiming a fact when you have none. You assume there is no plan because nobody is willing to tell you what it is.
SRSLY? Tell me exactly where I claimed there is no plan. Having an awesome completely foolproof secret plan that will work every time and make the free internet safe forever and anon might have every bit the same need for secrecy as "We got nuthin'."
You need to read a little better before just deciding to disagree because you want to argue with someone.
Re: (Score:2)
Tell me exactly where I claimed there is no plan.
Already quoted you: "Then again, it can be just as important to keep the fact that there is no plan a secret." Where did this fact come from?
Having an awesome completely foolproof secret plan that will work every time and make the free internet safe forever and anon might have every bit the same need for secrecy as "We got nuthin'."
Hyperbole much? No, not "might", "does". That's the basis behind the concept of "infosec".
Re: (Score:2)
Tell me exactly where I claimed there is no plan.
Already quoted you: "Then again, it can be just as important to keep the fact that there is no plan a secret." Where did this fact come from?
Can! It CAN be important.
Make no mistake, if I for a New York minute thought that there was no plan, I would have written: "The fact that there is no plan is just as important to keep secret."
Not a bit of ambiguity there. That would be me saying exactly that there was no plan. But I didn't write that. Can does not mean is. Thanks for playing, but I'm not in the mood to diagram sentences tonight.
Re: (Score:2)
Can! It CAN be important.
"Then again ... the fact ..."
Make no mistake, if I for a New York minute thought that there was no plan, I would have written: "The fact that there is no plan is just as important to keep secret."
The only difference between what you wrote and what you thought you wrote is "it can be important". You are not questioning the fact, only the importance.
Had you meant to question the fact, you would have conditionalized the fact, not the importance of keeping it secret. Like: "If it was a fact there was no plan, it would be important to keep that secret".
Can does not mean is.
Right. Got that. "It can be just as important to keep it a secret" means maybe it isn't important to keep a fact a secret.
Re: (Score:2)
We have had many plans that were bragged about by the party of the moral high ground turn out to be no plan at all.
Yeah... pretty much. The TRUE test of the quality of a security plan, is to be able to explain it in reasonable detail, AND not have experts laugh at you and point out slews of holes.
If you're trying to keep it secret, then it is most likely because you either have no credible plan, or you don't have much confidence in it....
We're talking about anti-hacker defenses. This is not a milita
Re: (Score:2)
Yeah... pretty much. The TRUE test of the quality of a security plan, is to be able to explain it in reasonable detail, AND not have experts laugh at you and point out slews of holes.
If you're trying to keep it secret, then it is most likely because you either have no credible plan, or you don't have much confidence in it....
We're talking about anti-hacker defenses. This is not a military endeavor, where we should be concerned about adversaries copying our defense tactics to their own security planning.
Right, this is what I'm saying. If they say "We have this awesome plan it's great, so great, it will take care of that problem right away. But we can't tell you anything about it!"
It might mean there is an awesome plan that is great. It might also mean "we got nuthin'!" Either way, the public won't know. Personally, I'm with you. Something that lends some credence to the idea is best - the public doesn't need the deep dark details - most wouldn't understand them anyhow.
But we've been spoon-fed so much
Re: (Score:2)
The plan is to let the ISP charge you per bit, and throttle you at will. This should take care of all that excess traffic!
Re: (Score:2)
Even with the ancient adages about "security via obscurity", one does not wisely broadcast details about the security systems one is using.
In this case, they should explain what their plan is. If that would be a "concern", then it probably means that their plan is a flawed one, and they should be taking comments from the public about potential alternative mitigation plans.
They could start by introducing Captchas on submission forms, for example.
Sorry Guys (Score:5, Insightful)
Re: (Score:2)
We should vote on that using one of the easily hacked vote machines in use in the US today. You know, one of the ones that was hacked (e.g. every single one) at DEFCON.
Yeah, sure.
Re: (Score:2)
We should vote on that using one of the easily hacked vote machines in use in the US today. You know, one of the ones that was hacked (e.g. every single one) at DEFCON.
Yeah, sure.
I recall articles about the ease with which the voting machines and system could be hacked around 2004-5. That includes actual hacking and a recipe for changing votes in order to make certain one candidate would beat another.
BRING ME THE HEAD OF JOHN OLIVER (Score:2)
Bull-Fucking-Shit (Score:3, Informative)
There was never a DDOS attack. It was a deliberate attempt by the FCC to silence the critics of its plan to kill net neutrality.
Here's my 1-step plan to prevent attacks: (Score:4, Insightful)
Expect my consultation bill in the mail, Mr. Pai.
Re: (Score:1)
Sorry, there's no 'profit' step.
Let me guess... (Score:1)
Secret? (Score:2)
Re: (Score:2)
Not a Trump hater, but it seems like anything done to discourage DDOS attacks needs to be public.
Why? Will those countermeasures be more effective if more people know what they are? I don't think so. Will they be more effective if the details are broadcast to the public and a few helpful members of the public with behind the scenes knowledge of those systems then post exact means to bypass them?
I'm not sure how "secret" plans can be helpful on an open internet.
I'm not sure how you equate "secret plans" with not telling "everyone who doesn't need to know" exactly what your security systems are.
Re: (Score:2)
You aren't looking at the bigger picture. The bigger picture is that we want to see a world where the Federal Communications Commission, with the *full backing of the CIA and NSA* can succeed in requesting and receiving public comments about an internet related issue *over the internet*.
No, I didn't miss that. I don't agree that we need the full backing of the CIA and NSA, however. The support of the CIA or NSA is irrelevant. We can have nice things and get comments "over the internet" without the FCC explaining in detail how it will mitigate a DDOS in the future. Telling, not telling, same difference.
because they are really truly saying that their DDoS strategem requires what academia and industry know as "security through obscurity".
No, they did not say that. You said that. You assume because they won't tell you the details of their information security that they don't have any. What you are missing is the concept of "in
Re: (Score:2)
It's easy. They'll secretly stop paying attention to comments at all, thus mitigating the whole thing. This has already been put through numerous test runs over the past months.
What's the big secret? (Score:2)
Was the plan to roll weak sauce servers? (Score:1)
Wait, think I found their plan.
Was it the one to roll weak sauce servers with bad failback positions and not code for massive volumes of legit comment requests?
Yeah, it was right here, next to the plan marked Mooch's Retirement Plans.
Yeah, skip public accountability! Works every time! (Score:2)
Given the ongoing nature of the threats to disrupt the Commission's electronic comment filing system, it would undermine our system's security to provide a specific roadmap of the additional solutions to which we have referred
Wow, and the FCC is what I would consider a pretty bland department much like USDA or FCIC. But wow, what a way to totally derail any credibility the department had. Hint, anytime an agency thinks doing something totally opaque to public review is a good idea, it's usually not a good idea.
Security through obscurity explained . . . (Score:3)
If obscurity is the primary method of security, meaning "if they discover how we are doing it then they can defeat it," then you have no security. You must plan for the eventuality that someone will know how you do it. So, if the FCC's new method requires that it remain obscure to remain effective, then it might as well have already been compromised. Of course, having an obscure security system that nobody knows about is helpful. Nobody would argue otherwise. But that should just be icing on the cake - a nice little perk. Think of this comparison of a time-lock safe vs. a hidden book box:
Look at a time lock safe:
1. It is known
2. The way it works is known
3. It is effective because of the security measures of the safe
This is opposed to hiding valuables in a hidden book box:
1. If it is not known, it might work
2. If it is not known, it might be discovered through thorough searches and thus fail
3. If it is known, it definitely won't work
If you hide the time lock safe, then you do add a layer of cursory security. However, it is not the location/disguise of the safe that matters. It's the function of the safe's defenses that protect the valuables.
Re: (Score:2)
If you hide a time-lock safe, people go, "Shit, I didn't bring the tools for this." That's the odd thing about computers: they can be perfectly secure. A safe you can drill through in a week or so; code is math, and you have to find a mistake in the math or else no amount of axes and sledgehammers is getting you in.
That's why reducing attack surface and layered security are paramount: less attack surface means the flaws are more-likely to be somewhere else; layers of security means you need to find m
Security by Obscurity isn't security! (Score:2)
Security by obscurity isn't a security mechanism, rather a puzzle... If getting into your house is simply a matter of finding where you left the Hide-a-key then your house was never secure in the first place.
smells like cloudflare. run for the hills. (Score:1)
In other words, cloudflare.
If they are using SSL/TLS, this is a problem.
Cloudflare is a giant man in the middle, and a breach of trust between end-users and the websites they wrongly believe they are securely connected to. Sites that use it are subverting the intent of the SSL/TLS certificate system and making the little lock icon meaningless.
See Details [cryto.net]
Re: (Score:2)
I personally feel that browsers should consider blocking all external scripts on HTTPS pages unless those scripts have a matching integrity [mozilla.org] attribute, or at least make valid integrity for foreign scripts a requirement for avoiding the Mixed Content warning.
SIGH. So fucking obvious I'm getting tired of it. (Score:1)
They don't have any plan to stop or even mitigate DDOS attacks. I bet most of their "expert" IT staff barely even knows what one is, and the rest of them are the ones actually carrying out the DDOS attacks in the first place.
Nothing more to see here. This country is finished. Move along.