ddos – Techdirt

Researcher Finds Russian Cybersecurity Far Shittier Than The Mythology Suggests

from the shoe-on-the-other-foot dept

For much of the last decade, Vladimir Putin has attempted to compensate for various shortcomings (like a less sophisticated real world military) by launching cyber and propaganda attacks on much of the world. And while this, for a while, resulted in a mythology that Russia was in a league of its own when it comes to hacking and cybersecurity, the reality isn’t nearly that exciting.

Jeremiah Fowler, co-founder of the cybersecurity company Security Discovery, spent much of the last year investigating Anonymous’ attacks on Russia as a response to the Russian invasion of Ukraine. In a random sampling of 100 Russian databases, he found 92 of them to have been compromised recently.

That’s in addition to widespread DDOS attacks, hack and leak attacks on numerous companies still doing business in Russia, the hacking of Russian printers to show anti-war messages, hacking retail receipt printers to transmit anti-war messages, and even the hacking of Russian streaming services to show heavily propagandized Russian citizens real-time war footage:

The hacking collective #Anonymous hacked into the Russian streaming services Wink and Ivi (like Netflix) and live TV channels Russia 24, Channel One, Moscow 24 to broadcast war footage from Ukraine [today] pic.twitter.com/hzqcXT1xRU

— Anonymous (@YourAnonNews) March 6, 2022

Fowler began his investigation rather underwhelmed at the claims being made by Anonymous and other hacking groups, noting a lack of evidence in most media reports. But when he actually began investigating, he found the attacks to be widespread and Russia’s defenses fairly pathetic:

“Anonymous has made Russia’s governmental and civilian cyber defenses appear weak,” he told CNBC. “The group has demystified Russia’s cyber capabilities and successfully embarrassed Russian companies, government agencies, energy companies and others.”

“The country may have been the ‘Iron Curtain,’” he said, “but with the scale of these attacks by a hacker army online, it appears more to be a ‘paper curtain.’”

Russia’s great innovative contributions to the twenty-first century have so far been implementing online propaganda (“flooding the zone with shit” to destabilize truth itself, as fascists like to say) at global scale, carpet bombing children at shopping malls, and completely removing even the faintest pretense of ethical considerations from nation state hacking attacks.

Online propaganda, war crimes, and reckless global hacking obviously aren’t exclusive to Russia (or the U.S., or China, or Israel), but the idea that Russia’s pioneering efforts on this front meant it was somehow technologically exceptional in any way doesn’t appear to actually be based on much of anything.

Filed Under: cybersecurity, database, ddos, hacking, privacy, propaganda, russia

Parler Attempting to Come Back Online, Still Insisting The Site's Motivation Is 'Privacy' Despite Leaking Details On All Its Users

from the about-that dept

Last week, I explained my thoughts on why the Parler takedown from AWS didn’t bother me that much — considering that there were many other cloud and webhosting solutions out there. Yet Parler has quickly discovered that many other providers aren’t interested in hosting the company’s cesspool of garbage content either. As I pointed out, at some point, some element of that has to be on Parler for attracting such an audience of garbage-spewers. Either way, we figured the site would eventually be back up, and now it appears that it’s on its way. The site put up a holding page with a few “Parlezs” (their version of tweets) from its execs and lead cheerleaders.

The site appears to be using Epik for hosting and DDoSGuard for DDoS protection. Neither of these are that surprising. Epik has built up something of a specialty in hosting the garbage, hate-filled websites no one else wants to touch. It has hosted Gab, 8chan/8kun, and The Daily Stormer among others. DDoSGuard is a somewhat sketchy Russian company that provides services to an equally sketchy group of sites — and some terrorist groups. Brian Krebs has recently discussed how DDoSGuard may create some significant liability issues:

A review of the several thousand websites hosted by DDoS-Guard is revelatory, as it includes a vast number of phishing sites and domains tied to cybercrime services or forums online.

Replying to requests for comment from a CBSNews reporter following up on my Oct. 2020 story, DDoS-Guard issued a statement saying, “We observe network neutrality and are convinced that any activity not prohibited by law in our country has the right to exist.”

But experts say DDoS-Guard’s business arrangement with a Denver-based publicly traded data center firm could create legal headaches for the latter thanks to the Russian company’s support of Hamas.

Ooof. There’s a lot more in Krebs’ writeup.

But what struck me as most ridiculous about Parler’s holding page (beyond trying to hide behind MLK Jr.’s “Letter from a Birmingham Jail” as if Parler’s raging nut job userbase is somehow oppressed) is that the company is still claiming that, beyond being a place for (a misunderstood concept of) “free speech,” the impetus behind the site was about “protecting privacy.”

That reads:

Now seems like the right time to remind you all – both lovers and haters – why we started this platform. We believe privacy is paramount and free speech essential, especially on social media. Our aim has always been to provide a nonpartisan public square where individuals can enjoy and exercise their rights to both.

We will resolve any challenge before us and plan to welcome all of you back soon. We will not let civil discourse perish!

The “privacy is paramount” line is one that Parler really only started spewing more recently. Rebekah Mercer used a similar line when she outed herself as a co-founder of the platform and it never made any sense at all. After all, Mercer was also behind Cambridge Analytica, a company involved in what is now considered one of the biggest privacy breaches in the history of social media. The whole “privacy” claim seemed like little more than a convenient talking point to pretend that their approach was somewhat different than Facebook’s or Google’s.

But in the case of Parler, it’s even more ridiculous. After all, this was a company that required users who wanted to get its version of “verified” to hand over their social security numbers. And, of course, before Parler shut down, a hacker was able to grab nearly the entire corpus of Parler posts, including pictures and videos that did not have location metadata stripped out. This allowed multiple reporters to find and highlight Parler users as they stormed the Capitol, exposing exactly who was raiding the Capitol and what evidence they revealed about their own activities. Indeed, it’s becoming clear that law enforcement is using this data to go around arresting tons of people.

Doesn’t seem that privacy protecting, after all, now does it?

Of course, much of this seems to be due to just plain old incompetence, rather than malice. Last week there was also a fascinating thread on Parler’s clueless CTO, who didn’t seem to understand some fairly basic things about running a large internet-scale service. That thread, by software engineer Sarah Mei, is worth reading, if only to reach the conclusion that Parler “might have done better with four ferrets in a trench coat.”

So, yes, the site may be coming back, but to say that it takes privacy seriously, while asking for social security numbers, hosted on a dodgy host, with a DDoS provider best known for its Russian home-base and its willingness to provide services to terrorists and online criminals… I would suggest that anyone who thinks of Parler as supportive of privacy, do so at their own risk.

Filed Under: competition, ddos, free speech, hosting, privacy, russia
Companies: ddosguard, epik, parler

Biggest Ransomware Attack Yet Crippled U.S. Hospitals Last Weekend

from the maybe-TikTok-isn't-our-biggest-problem dept

Thu, Oct 1st 2020 01:31pm - Karl Bode

We’ve talked a lot about how, while the lack of security in Internet of Things devices was kind of funny at first, this kind of apathy towards privacy and security in everyday technology isn’t a laughing matter. Whether it’s cars being taken over from an IP address up to ten miles away or the rise in massive new DDoS attacks fueled by your not-so-smart home appliances, security experts have spent the better part of the decade warning us the check for our apathy on this front is coming due. We (and this includes government agencies) have spent just as long ignoring them.

That’s particularly true in the healthcare field, where hackable pacemakers and ransomware-infected hospital equipment are becoming the norm. Earlier this month, a woman died in Germany after a ransomware attack on her hospital delayed life-saving treatment. Though she most certainly probably isn’t, she’s being declared the first person to be killed by the steady parade of such attacks that have plagued the medical sector for much of this decade.

Last weekend, Universal Health Services, with more than 400 locations in the United States, was hit by one of the biggest ransomware attacks in U.S. history. As a result, the hospital chain was forced to resort to using pens and paper to manage patients after their computer systems ground completely to a halt. Such attacks usually come on the weekend when the hospitals are short staffed, and the results usually aren’t pretty:

“Two Universal Health Services nurses, who requested to not be named because they weren’t authorized by the company to speak with the media, said that the attack began over the weekend and had left medical staff to work with pen and paper.

One of the nurses, who works in a facility in North Dakota, said that computers slowed and then eventually simply would not turn on in the early hours of Sunday morning. “As of this a.m., all the computers are down completely,” the nurse said.”

This is of course not a new problem. Massively profitable medical organizations routinely underfund their privacy and security IT infrastructure, and the government penalties have been negligible. As a result, for most of this decade security researchers like Brian Krebs have been noting that hospitals are hit with 20 ransomware attacks a day. And of course the problem isn’t just in surgical tools and antiquated computer systems, it extends to high tech gear like pacemakers embedded with wireless connectivity, which result in the kind of hackable products that make global covert wetwork operatives giddy.

Instead of government, private industry, advocates, and experts working in coalition to create meaningful standards for medical devices and internet of things devices, we instead enjoy wasting calories on tech policy games of Whac-A-Mole in which we freak out about the outrage du jour that may or may not warrant it (see: TikTok). This kind of incoherent, histrionic approach to internet security isn’t, if you hadn’t noticed, working out particularly well.

Filed Under: cybersecurity, ddos, hospitals, iot, ransomware, security
Companies: universal heath service

Using Networks To Govern Network Problems

from the internet-governance dept

Today, botnets, and the Distributed Denial of Service (DDoS) attacks that can accompany them, are considered among “the most severe cybersecurity threats.” Botnets have caused extensive economic harm to businesses, banks, hospitals, and government agencies around the world. Furthermore, botnets are used to spread political propaganda aimed at distorting democratic elections. In fact, U.S. government officials concluded that the Russian propaganda campaign has not stopped since the 2016 election and the magnitude of the issue is expected to grow. Yet, a time-tested framework for addressing the problem already exists. Governing complex internet-based problems is best accomplished by a network of stakeholders similar to the way the internet is currently governed.

In her Nobel Lecture, Elinor Ostrom emphasized the necessity to study human economic behavior in any complex system. She added that no “one size fits all” policy solution would work for a highly complex socio-economic issue, but approaches created by a dispersed, spontaneously self-organized group are far more innovative. This is the essence of polycentric order as defined by Elinor and Vincent Ostrom. A polycentric order has multiple overlapping decision-making centers comprised of individuals equipped with necessary knowledge and expertise to create better outcomes for issues of high complexity.

In the case of cybersecurity, where dynamic response is critical, distributed network actors are best suited to govern complex cyber problems. While policymakers are one such group in this governance network, the efforts of other stakeholders are critical to maintaining flexibility and adaptability to emerging threats. The role of policymakers is to facilitate the emergence of multiple decision-making centers, which is key for resolving botnet issues.

In his book Networks and States, Milton Mueller offers a comprehensive analysis of network actors outside of the nation-state system as well as their effectiveness in addressing cybersecurity issues. Mueller outlines distinct challenges of cybercrime such as its globalized scope, boundless scale, and its decentralized and distributed nature. He argues that efficient institutions and new organizational forms are in a continuous process of emerging out of the interactions between public and private actors.

Mueller asserts that meaningful solutions to cybersecurity issues are only possible at the trans-national level. Large international organizations such as the Internet Corporation for Assigned Names and Numbers (ICANN), the World Intellectual Property Organization (WIPO), and the Internet Governance Forum (IGF), among others, provide internet governance at the international level. Mueller highlights that an effective global internet security policy will recognize the interdependence of markets, nation-state specific property rights protections, and shared information and communication resources. He proposes that a “denationalized liberal approach” would be effective in resolving this dilemma. Moreover, he concludes that a true denationalized liberal governance will emerge out of the interactions of globally networked communities. His conclusions regarding internet security governance are, therefore, aligned with the Ostromian approach.

There have been some promising developments in collaboration between private and public sectors. In 2018, USTelecom and ITI announced the creation of the Council to Secure the Digital Economy. The Council brings together the leaders from the Information and Communication Technology sector to create a more resilient digital ecosystem. For example, they produced the botnet guide, a compilation of best practices by large scale enterprises that can be implemented in a variety of industries to mitigate the threats of the distributed denial of service attacks. Additionally, the Federal Trade Commission has been facilitating meetings between stakeholders.

Past and future administrations can learn from the Clinton Administration’s Framework for Global Electronic Commerce that made space for stakeholders to be involved in governing the internet and maximized cooperation between public and private initiatives for cyber-security. Indeed, the Obama administration’s cybersecurity plan included a call for technology companies to fight botnets collectively. The Trump administration declared its commitment to giving the Federal agencies legal authority to combat botnets.

Government should not be the only source of governance in addressing cybersecurity problems. Botnets are best combated by a multistakeholder effort between public and private entities. The tenets of “polycentricity” and “decentralized liberalism” capture the wisdom of a more distributed governance approach.

Anne Hobson is a program manager at the Mercatus Center at George Mason University. Yuliya Yatsyshina is an MA Fellow at the Mercatus Center at George Mason University.

Filed Under: ddos, denial of service attacks, internet governance

'Oversight' Hearing Fails Utterly To Hold FCC Accountable For Lying To Congress About Fake DDOS Attack

from the ill-communication dept

Thu, Aug 16th 2018 12:19pm - Karl Bode

FCC “oversight” hearings continue to be comically lacking in the actual oversight department. As we noted previously, today was Congress’ opportunity to hold the FCC and agency head Ajit Pai accountable for making up a DDOS attack and then lying (repeatedly) about it to the press, FBI investigators, and Congress. As we’ve previously stated, both e-mails obtained via FOIA and an FCC Inspector General report (pdf) found that the FCC bizarrely made up a DDOS attack to try and explain away the fact that John Oliver viewers pissed about the net neutrality repeal crashed the FCC comment system.

The IG’s report and internal e-mails clearly illustrate that not only did the FCC CIO make up a DDOS, but several FCC staffers then misled Congress repeatedly about the total lack of evidence supporting that claim. The false statements were bad enough to warrant them being forwarded to the DOJ, which refused to prosecute anyone. But the e-mails also highlight how the FCC’s press office repeatedly misled numerous press outlets, and even went so far as to issue statements denigrating reporters like Gizmodo’s Dell Cameron for being “irresponsible” as they slowly uncovered the fake claims.

In a functional democracy, this is the sort of thing that would be covered extensively at a hearing purportedly designed specifically to hold the FCC accountable to Congress and the public. In said fictional healthy democracy, Congress might even, you know, actually do something about it.

But today’s hearing was little more than a joke, rife with lots of giggling, football references, and numerous softball questions — but few if any hard inquiries about the DDOS attack that wasn’t. The closest thing Pai experienced to actually being pressured came from Senator Brian Schatz. But when pressed as to what he knew and when, Pai again threw his employees under the bus, denying that he had any knowledge of or role in the FCC’s efforts to mislead Congress and the public. The exchange is here for those interested:

In the exchange, Pai said he suspected there was no foul play from the beginning and that the “DDOS” was just the John Oliver effect. When pressed as to why Pai didn’t do more to correct the false claims earlier, Pai said he “wanted you to get this information sooner” but remained quiet at the behest of the FCC IG (which has yet to respond to press inquiry). “I made the judgment that we had to adhere to the [IG’s] request,” claimed Pai, “even though I knew we would be falsely attacked for having done something inappropriate,” Pai said. “The story in this report vindicated my position.”

Except the IG’s report doesn’t vindicate Pai’s position, and somebody at the hearing should have pointed that out. In fact, the IG’s report shows that it wasn’t just the FCC CIO that had been making false DDOS claims for the better part of the last year. There’s ample evidence, had anybody on the oversight committee actually wanted to press the issue, that numerous FCC employees repeatedly and intentionally doubled down on claims Pai now claims he knew weren’t true.

For example, the IG report found that at least three staffers provided false statements to not only Congress, but also to FBI investigators trying to determine the scope of the alleged attack. And throughout the inquiry Pai’s press shop issued statements attacking press outlets for being “irresponsible” simply for reporting the fact there was no evidence or “analysis” to support the FCC’s allegation:

“The FCC has never stated that it lacks any documentation of this DDoS attack itself,” the agency states. “And news reports claiming that the Commission has said this are without any basis and completely irresponsible. In fact, we have voluminous documentation of this attack in the form of logs collected by our commercial cloud partners.”

But none of that was true. There was no DDOS attack and there was no evidence, “voluminous” or otherwise. Again, there’s every indication that the FCC doubled down on the fake DDOS claim because it wanted to downplay media reports showing that millions of Americans were pissed about the death of net neutrality (it wasn’t public outrage, we were attacked!). It’s the same reason why the FCC refused to do anything about the bogus comments that plagued the repeal’s net neutrality comment period: it wanted to push the Trumpian narrative that the massive public anger over the attack on net neutrality wasn’t real.

The fact that Pai’s press shop was actively spreading false statements and maligning reporters makes it pretty obvious that Pai actively participated in or was at least aware of the FCC’s head fake. But at no point during the “oversight” hearing was this avenue of inquiry pursued. Instead, users who tuned in for a reckoning got to enjoy Ted Cruz once again misrepresenting what net neutrality was, and gushing missives from telecom-sector allies like Senator John Thune on Pai’s (artificial) love and adoration of neglected rural broadband markets.

Aside from the fake DDOS attack, the hearing was yet another missed opportunity to seriously hold the FCC to account on a number of issues, including making up data and ignoring the public in the rush to repeal net neutrality, gutting funding for rural broadband, eroding consumer privacy protections, killing efforts to improve cable box competition, propping up predatory prison telco monopolies and every other little anti-consumer, pet project Ajit Pai has embraced as leader of the agency. But instead of “oversight,” users that tuned in this morning got something that looked much more like a bipartisan game of patty cake.

Filed Under: ajit pai, brian shatz, david bray, ddos, fcc, john oliver, lies, oversight, senate, ted cruz

On Thursday, Ajit Pai Has To Explain Why His FCC Made Up A DDOS Attack And Lied To Congress

from the getcha-popcorn-ready dept

Wed, Aug 15th 2018 06:18am - Karl Bode

So FCC boss Ajit Pai will need to don some tap-dancing shoes this Thursday, when he’ll be forced to explain to a Senate oversight committee why his agency not only made up a DDOS attack, but lied repeatedly to the press and Congress about it.

As we recently noted, e-mails obtained by FOIA request have proven that the FCC completely made up a DDOS attack in a bizarre bid to downplay the fact that John Oliver’s bit on net neutrality crashed the agency website last year. A subsequent investigation by the FCC Inspector General confirmed those findings, showing not only that no attack took place, but that numerous FCC staffers misled both Congress and the media when asked about it.

Pai initially tried to get out ahead of the scandal and IG report by issuing a statement that threw his employees under the bus while playing dumb. According to Pai’s pre-emptive statement, the entire scandal was the fault of the FCC’s since-departed CIO and other employees who mysteriously failed to alert him that this entire shitshow was occurring (you can just smell the ethical leadership here):

“I am deeply disappointed that the FCC’s former Chief Information Officer (CIO), who was hired by the prior Administration and is no longer with the Commission, provided inaccurate information about this incident to me, my office, Congress, and the American people. This is completely unacceptable. I’m also disappointed that some working under the former CIO apparently either disagreed with the information that he was presenting or had questions about it, yet didn’t feel comfortable communicating their concerns to me or my office.”

There are several problems with Pai’s statement. One, while FCC CIO David Bray was hired by the Obama-era FCC, he remained employed (and spreading the false DDOS attack) well through last year under Pai’s “leadership.” Two, the FCC IG found that Bray and several other employees had not only been circulating the false DDOS report to reporters, but had repeatedly misled Congress (again under Pai’s watch). The lies of three FCC employees to Congress were deemed severe enough that they were reported to the DOJ, which refused to prosecute anybody (I’m sure you and I would have been granted the same benefit of the doubt).

That Pai had no idea that any of this was happening is a pretty big stretch, especially considering that the FCC continues to block FOIA requests for certain e-mail exchanges related to the stupid affair. As such, when Pai appears before a Senate oversight committee on Thursday, the big question is going to be: just how long did Pai know that his staff was actively misleading Congress in numerous back and forth letter exchanges on the subject?

The other major problem, and it’s one you’d hope lawmakers at the hearing address, is that Pai’s claim that this was all the fault of rogue employees doesn’t gel with the fact that Pai’s press shop was actively misleading and denigrating reporters throughout this whole affair. For example, when the press began digging into the agency’s shaky claims, Pai’s FCC thought it would be a good idea to send a prickly statement to numerous media outlets. That statement not only tried to claim reporters were “irresponsible” simply for trying to clear up the matter, but that the FCC had “voluminous documentation” proving the DDOS attack occurred:

“The FCC has never stated that it lacks any documentation of this DDoS attack itself,” the agency states. “And news reports claiming that the Commission has said this are without any basis and completely irresponsible. In fact, we have voluminous documentation of this attack in the form of logs collected by our commercial cloud partners.”

Outside of the first sentence, nothing in that official FCC statement is true. So again, the idea that Pai knew nothing at all about this mess is hard to believe. Especially given that his own press shop and numerous employees were busy lying to Congress and denigrating reporters simply for getting to the truth. Pai’s explanation for this should make for good television, whether or not Congress grows a spine and actually holds Pai’s feet to the fire.

If you’ve watched Pai’s FCC work, it seems pretty clear at this point that the nonexistent DDOS attack, much like the FCC’s refusal to address bogus comments during the net neutrality public comment period, are all part of the same effort: doing everything possible to try and downplay the scope and importance of the massive, unprecedented public opposition to Pai’s historically unpopular policies.

You’d like to think there’s something vaguely resembling accountability at the end of this story. At the very least, it’s likely that the bogus DDOS attack and fake comments will be playing starring roles during the upcoming net neutrality hearings, where all of this can be used to add context to the FCC’s rushed, facts-optional efforts to repeal net neutrality exclusively at broadband monopolies’ behest.

Filed Under: ajit pai, congress, david bray, ddos, fcc, john oliver, lies

Senators Wyden and Schatz Want To Know Why The FCC Made Up A DDOS Attack

from the makin'-stuff-up dept

Wed, Jun 13th 2018 06:17am - Karl Bode

So we’ve been noting how (thanks to FOIA requests) the FCC has been caught completely making up a DDOS attack in a bizarre, ham-fisted attempt to downplay public opposition to their net neutrality repeal. In short, agency e-mails confirm agency staffers routinely fed false claims to gullible reporters that the FCC website outages caused by John Oliver’s coverage of the repeal were the result of a malicious attack, then used those false claims to further prop up the bogus narrative. The goal was apparently to try and downplay massive public backlash to what Americans overwhelmingly believe to be shitty, corruption-fueled policy.

Not too surprisingly, the FCC has gone radio silent in response to press inquiries on this from numerous press outlets. For such a normally chatty agency, that suggests that FCC lawyers are well aware that this entire fracas could prove to be legally problematic, given the repeated false DDOS claims to the reporters, press, and public (pdf). Most of the e-mails provided so far via FOIA requests are heavily redacted, suggesting there’s likely much more to this story that’s going to emerge over time.

Meanwhile, Senators Brian Schatz and Ron Wyden this week pressed the issue, sending the FCC a letter demanding more insight into the DDOS attack that never was. In the letter, the duo ask for any and all FCC evidence on the phantom attack, and the results of any internal FCC investigations that may have occurred so far:

“On May 9, 2017, we sent you a letter regarding alleged cyberattacks on the Federal Communication Commission’s Electronic Comment Filing System during that month. There was also an ECFS issue involving the net neutrality proceeding in 2014. In our letter we asked that you keep Congress fully briefed as to your investigation.

Beyond your initial internal analyses that you reference in your June 15, 2017, response, have any subsequent FCC or third-party (e.g., vendor, contractor, or government agency) analyses or investigations verified that a cyberattack on ECFS occurred in 2017 and, if so, that the attack is best classified as a DDoS attack? If not, why was no investigation conducted? Please provide any and all reports, findings, and other relevant details of any such investigations.”

Of course from reading the news, the Senators already know the FCC appears to have zero hard evidence that the attack occurred, and previous claims that internal “analysis” had confirmed the attacks were false. Democrats have been hoping to use the repeal of net neutrality to their advantage during the midterms, and the fact evidence proves the FCC lied during their justifications for the move is likely to be politically problematic for the “freedom restorin'” FCC.

Meanwhile, the nonpartisan GAO is currently investigating both this scandal and the identity theft and fraud that occurred during the net neutrality repeal. There are likely several more layers to this story, some of which are likely to be revealed during the net neutrality court challenges that should take flight sometime in the next few weeks.

Filed Under: ajit pai, brian schatz, ddos, fcc, john oliver, lies, ron wyden

Oddly The Trump FCC Doesn't Much Want To Talk About Why It Made Up A DDOS Attack

from the radio-silent dept

Tue, Jun 12th 2018 06:38am - Karl Bode

We’ve discussed for a while how the FCC appears to have completely made up a DDOS attack in a bizarre effort to downplay the “John Oliver effect.” You’ll recall that both times the HBO comedian did a bit on net neutrality (here’s the first and the second), the resulting consumer outrage crashed the FCC website. And while the FCC tried to repeatedly conflate genuine consumer outrage with a malicious attack, they just as routinely failed to provide any hard evidence supporting their allegations, resulting in growing skepticism over whether the FCC was telling the truth.

Last week, e-mails obtained via FOIA request revealed that yes, FCC staffers routinely misled journalists in order to prop up this flimsy narrative, apparently in the belief they could conflate consumer outrage with criminal activity. The motive? It was likely for the same reason the FCC refused to do anything about the identity theft and bogus comments we witnessed during the repeal’s open comment period: they wanted to try and downplay the massive, bipartisan public opposition to what the lion’s share of Americans thought was an idiotic, corruption-fueled repeal of popular consumer protections.

Understandably with so much going on, the story floated semi-quietly under the cacophony of other national outrages. But the FCC’s response to the story has proven to be somewhat comical all the same.

One of the FCC staffers accused of making false statements about the DDOS attack was recently departed FCC IT chief David Bray. Original reports stated that Bray and other staffers had been feeding this flimsy DDOS narrative to gullible reporters for years, then pointing to these inaccurate stories as “proof” the nonexistent attack occurred. Under fire in the wake of last week’s report, Bray first doubled down on his claims, adding that the 2014 “attack” hadn’t been publicized because former FCC boss Tom Wheeler covered it up. But Wheeler himself subsequently stated in a report late last week that this was unequivocally false:

“When I was in the greenroom waiting to come in here, I got an email from David Bray, who said ‘I never said that you told us not to talk about this and to cover up,’ which was the term that got used. Which of course is logical, because as the Gizmodo article that you referenced pointed out, A) FCC officials who were there at the time said it didn’t happen, [and] B) the independent IT contractors that were hired said it didn’t happen. So if it didn’t happen it’s hard to have a cover up for something that didn’t happen.”

Since this story was first published, the Trump FCC (which you’ll recall bragged it would be super transparent) has gone radio silent about the story. Multiple requests for comment from numerous news outlets have been ignored since the story broke:

“The FCC has gone dark on this issue. It is refusing to answer questions from reporters. It is even refusing to go on the record to say it stands by its own story about a malicious cyberattack causing its system to crash for a second time last year….(FCC media relations contact Brian Hart) did not respond to multiple follow ups. In fact, his office has not responded to related inquiries for the past eight days. And not just from Gizmodo; it did not respond to Newsweek nor Ars Technica either. When somehow reached by Nextgov, it declined to say anything at all.”

It’s understandable the FCC doesn’t want to chat about why it’s withholding data and repeatedly making false statements (pdf) to the press and public, especially given the GAO is currently investigating this whole kerfuffle. Between this and the identity theft and comment fraud during the net neutrality repeal’s public comment period, one gets the aching suspicion there are a few additional layers to this story that have yet to be unearthed. Both issues may also make an appearance during legal efforts to get popular net neutrality rules restored.

Filed Under: ajit pai, david bray, ddos, fcc, john oliver, lies

E-Mails Show FCC Made Up DDOS Attack To Downplay The 'John Oliver Effect'

from the disinformation-nation dept

Tue, Jun 5th 2018 10:45am - Karl Bode

You might remember that when HBO comedian John Oliver originally tackled net neutrality on his show in 2014, the FCC website crashed under the load of concerned consumers eager to support the creation of net neutrality rules. When Oliver revisited the topic last May to discuss Trump FCC boss Ajit Pai’s myopic plan to kill those same rules, the FCC website crashed under the load a second time. That’s not a particular shock; the FCC’s website has long been seen as an outdated relic from the wayback times of Netscape, hit counters, and awful MIDI music.

But then something weird happened. In the midst of all the media attention Oliver was receiving for his segment, the FCC issued a statement (pdf) by former FCC Chief Information Officer David Bray, claiming that comprehensive FCC “analysis” indicated that it was a malicious DDoS attack, not angry net neutrality supporters, that brought the agency’s website to its knees:

“Beginning on Sunday night at midnight, our analysis reveals that the FCC was subject to multiple distributed denial-of-service attacks (DDos). These were deliberate attempts by external actors to bombard the FCC’s comment system with a high amount of traffic to our commercial cloud host. These actors were not attempting to file comments themselves; rather they made it difficult for legitimate commenters to access and file with the FCC.”

But the FCC’s claims were seen as suspect by numerous security experts, who say the crash showed none of the usual telltale signs of an actual DDOS. And reports subsequently emerged indicating that the “analysis” the FCC supposedly conducted never actually occurred. When media outlets began noticing that something fishy was going on, the Trump FCC issued a punchy statement accusing the media of being “completely irresponsible.” No evidence was ever provided to journalists or lawmakers that pressured the agency for hard data proving the claims.

Fast forward to this week, and new internal FCC e-mails obtained via FOIA request show that yes, the FCC did routinely try to mislead the public and the press with repeated claims of DDOS attacks that never actually happened:

“The FCC has been unwilling or unable to produce any evidence an attack occurred—not to the reporters who’ve requested and even sued over it, and not to U.S. lawmakers who’ve demanded to see it. Instead, the agency conducted a quiet campaign to bolster its cyberattack story with the aid of friendly and easily duped reporters, chiefly by spreading word of an earlier cyberattack that its own security staff say never happened.”

The story is worth a read, and highlights how former FCC CIO David Bray and FCC media relations head Mark Wigfield repeatedly fed false information about the nonexistent attack to reporters, then used those (incorrect) stories to further prop up their flimsy claims about the DDOS:

“Bray is not the only FCC official last year to push dubious accounts to reporters. Mark Wigfield, the FCC’s deputy director of media relations, told Politico: ‘there were similar DDoS attacks back in 2014 right after the Jon Oliver [sic] episode.’ According to emails between Bray and FedScoop, the FCC’s Office of Media Relations likewise fed cooked-up details about an unverified cyberattack to the Wall Street Journal.

The Journal apparently swallowed the FCC’s revised history of the incident, reporting that the agency ‘also revealed that the 2014 show had been followed by DDoS attacks too,’ as if it were a fact that had been concealed for several years. After it was published, the Journal’s article, authored by tech reporter John McKinnon, was forwarded by Bray to reporters at other outlets and portrayed as a factual telling of events. Bray also emailed the story to several private citizens who had contacted the FCC with questions and concerns about the comment system’s issues.”

The story isn’t going to get much mainstream traction thanks to numerous other instances of cultural idiocy we’re all currently soaking in, but it’s fairly amazing all the same. In short, the FCC appears to have completely concocted a fake DDOS attack in a ham-fisted effort to try and downplay the massive public opposition to its extremely unpopular policies.

Of course that’s pretty standard behavior for an agency that also blocked a law enforcement inquiry into fraud during the public comment period, likely also an effort to downplay massive public opposition to the repeal. It’s also pretty standard behavior from a Trump administration that enjoys using bullshit to distract from the fact that countless policies (like repealing net neutrality) run in stark, violent contrast to the admin’s “populist” election message.

This isn’t likely to be the end of this story, and more details are likely to surface in the looming lawsuits against the FCC attempting to restore net neutrality.

Filed Under: ajit pai, david bray, ddos, fcc, john oliver, lies, net neutrality, public comments

GAO Will Investigate The FCC's Dubious DDoS Attack Claims

from the somethin'-fishy-goin'-on dept

Tue, Oct 17th 2017 06:11am - Karl Bode

You might recall that when HBO comedian John Oliver originally tackled net neutrality on his show in 2014, the FCC website crashed under the load of concerned consumers eager to support the creation of net neutrality rules. When Oliver revisited the topic last May to discuss FCC boss Ajit Pai’s myopic plan to kill those same rules, the FCC website crashed under the load a second time. That’s not particularly surprising; the FCC’s website has long been seen as an outdated relic from the wayback times of Netscape hit counters and awful MIDI music.

But then something weird happened. In the midst of all the media attention Oliver was receiving for his segment, the FCC issued a statement (pdf) by former FCC Chief Information Officer David Bray, claiming that comprehensive FCC “analysis” indicated that it was a malicious DDoS attack, not angry net neutrality supporters, that brought the agency’s website to its knees:

“Beginning on Sunday night at midnight, our analysis reveals that the FCC was subject to multiple distributed denial-of-service attacks (DDos). These were deliberate attempts by external actors to bombard the FCC’s comment system with a high amount of traffic to our commercial cloud host. These actors were not attempting to file comments themselves; rather they made it difficult for legitimate commenters to access and file with the FCC.”

But security researchers who studied that claim found none of the usual indicators that would normally precede such an attack. And subsequent news outlet FOIA requests wound up showing that not only does there appear to have never been any such attack, there was no “analysis” conducted or documented. When media outlets began noticing that something fishy was going on, the FCC issued a punchy statement accusing the media of being “completely irresponsible,” while claiming it had plenty of data proving its attack claims (its FOIA responses to journalists state the complete opposite) — it just didn’t want to show its hand.

Most FCC watchers think there are two options here. One, the FCC was incompetent and misread John Oliver viewers as a DDoS attack, then tried to cover up said incompetence. Or the FCC knew it wasn’t a DDoS attack, but constructed the narrative to try and downplay media coverage of the plan’s unpopularity, then tried to cover that up. The former is certainly in character, but the latter would go hand in hand with the agency’s apathy toward whoever has been spamming the FCC’s website with fraudulent “support” for what is fairly uniformly seen as shitty policy and a mindless handout to big telecom.

Heeding calls for something vaguely resembling an answer, the General Accounting Office (GAO) has agreed to launch an investigation into what actually happened at the FCC:

“A spokesman for the Government Accountability Office (GAO) confirmed it has accepted a request from two Democratic lawmakers to probe the distributed denial of service (DDoS) attack that the FCC said disrupted its electronic comment filing system in May. The spokesman said that the probe, which was first reported by Politico, is ‘now in the queue, but the work won’t get underway for several months.’”

While this story will likely get buried by more pressing news, this inquiry could be notably important in regards to the FCC’s attempts to scuttle net neutrality. If the GAO inquiry finds that the FCC was inept or engaged in a cover up, that could raise all manner of procedural questions over whether the FCC was serving the public interest and following established agency protocol. Combined with the agency’s obvious apathy to the fact that some group is engaged in fraud to generate bogus support for killing net neutrality, whatever the GAO finds could provide some very interesting fodder for the lawsuits to come.

Filed Under: ajit pai, david bray, ddos, fcc, gao, net neutrality