This is a sad but easily fixed vulnerability on the part of the FCC. The bigger issue, in my mind, is the fact that the student (presumably an American citizen) who just uploaded a file via a public API is legitimately scared of aggressive retribution from his government. That should speak volumes of where we've fallen as a country.
Does it really? I'm genuinely curious during what time period you think our government would've reacted differently. This got me thinking, how would people expect different countries to react to something like this?
By making that tweet he's impersonating a government agency and passing it off as an official document. If he hadn't posted that tweet I'm sure he wouldn't have anything to fear.
EDIT: I looked up the relevant law: False Impersonation of Federal Officer or Employee [0]. It doesn't seem he got anything of value, so it's unlikely he could be charged. Although I'd be surprised if he didn't at least receive a stern conversation from a government official.
> That should speak volumes of where we've fallen as a country.
Yeah, it's obviously substantially below FDR interning 100,000 Japanese people [1] based on their ethnicity. Or spraying black neighborhoods with toxic chemicals to test on them in the 1950s. [2] Or J. Edgar Hoover's decades-long parade of power abuses and rights violations of the American People. Or Lyndon Johnson inserting us - hundreds of thousands of drafted young men - into a civil war in Vietnam, in which we helped to directly kill vast numbers of people with no clear plan or explanation for why we were there. Or the testing of hundreds of nuclear weapons on US soil, with little concern for how it would harm citizens. Or Sherman burning down Atlanta. Or Nixon's parade of abuses. Or the CIA's countless, terrifying programs in the 1970s. Or how the FBI tried to get MLK to kill himself. Or prohibition and the terrible results that imposed upon the people (e.g. rampant organized crime). Or the 50 year war on drugs and the horrific toll that has taken on the people.
We used to treat our people with the utmost dignity and respect.
He published a document[1] on their website with the letter head of the FCC, signed as the FCC. He was trying to impersonate the FCC. There were plenty of other things he could have posted to show off the vulnerability, without the worry of legal trouble.
I'd argue along the same lines as a dead comment here:
the student's mistake (well, beyond not contacting them to report the issue) was using the FCC's official letterhead to create an embarrassing document and uploading it to their official website and posting it on social media.
That's pretty much a "fuck you" and not a great way to start a conversation.
Unfortunately, these "temporary" file uploads end up accessible from the main FCC domain (i.e. fcc.gov), unlike e.g., Google (e.g., "googleusercontent.com" vs. "google.com"). In Google's case, the separate domain helps distinguish the content as unofficial.
It's understandable why it was originally engineered this way, since it's probably easier to create a subdomain under fcc.gov rather than to get an unrelated domain, but that's why we ended up here!
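An added example, not code from the thread: it uses Python's stdlib cookie jar and constructed host names (agency.example as the official site, uploads.agency.example as a subdomain, agency-usercontent.example as a separate registrable domain) to show that a session cookie scoped to the parent domain reaches every subdomain but never the separate domain. The comment above is about uploads looking official; this goes one step further and shows that a separate domain also keeps the site's own cookies away from user-uploaded content.

```python
"""Added example, not code from the thread: uses the stdlib cookie jar and
constructed host names (agency.example = official site, uploads.agency.example
= subdomain, agency-usercontent.example = separate registrable domain) to show
that a session cookie scoped to the parent domain reaches every subdomain but
never the separate domain."""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class _FakeResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies()."""

    def __init__(self, headers):
        self._msg = Message()
        for name, value in headers:
            self._msg[name] = value

    def info(self):
        return self._msg


def login_jar(official_host="agency.example"):
    """Jar holding a session cookie scoped to the whole registrable domain,
    the usual setup when several subdomains share one login."""
    jar = CookieJar()
    login_req = Request(f"https://{official_host}/login")
    set_cookie = f"session=constructed-token; Domain={official_host}; Path=/; Secure"
    jar.extract_cookies(_FakeResponse([("Set-Cookie", set_cookie)]), login_req)
    return jar


def cookies_sent_to(jar, url):
    """Cookie header a browser-like policy would attach to url, or None."""
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


if __name__ == "__main__":
    jar = login_jar()
    for url in (
        "https://agency.example/file/public-upload.pdf",             # same host
        "https://uploads.agency.example/file/public-upload.pdf",     # subdomain
        "https://agency-usercontent.example/file/public-upload.pdf", # separate
    ):
        shared = cookies_sent_to(jar, url) is not None
        print("shares session cookie" if shared else "isolated           ", url)
```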
"Easier" is relative. And in this case relatively small.
The server and DNS configuration you need for a subdomain is identical to what you need for a separate domain. Possibly slightly more to manage if you are using the "naked" domain because of the DNS issue with not supporting CNAME records on the naked domain.
If you already have a wildcard SSL certificate for the subdomain a separate domain might be more work because you need a new cert and you don't if you stick with a subdomain.
The most work is actually buying the domain.
Then again, this is government we are talking about so buying a $10 domain is probably three weeks worth of paperwork.
A lot of public universities had a homegrown dropbox lurking somewhere in their infrastructure. Thankfully they were already abused to the point that schools have been shutting them down over the last 5-10 years. (Usually abuse not in the form of malware, but in the form of file sharing movies, etc)
The description of the author of the pdf that made the rounds yesterday is exactly what I expected.
It's a shame most organizations do not do a good job handling vulnerability reports from outside sources and everyone knows it (so nobody tries to alert the organization). I would be very surprised if he was the first procrastinating college student to figure this out.
I'll send reports of vulnerabilities to some companies out there, but the US government is one area I would never speak a word about any of this to.
If I had discovered this, I'd wipe my trail clean and never speak of it again. The likelihood that I'd end up in federal prison for it is just way too high.
Unrelated: What is with the MAGA types that started them using 'cuck' as a catch-all derogatory term? Do any of them realize it's a common sexual fetish which people knowingly and consensually engage in? It's not actually an insult, it's like saying "person who likes bondage".
Etymologically, cuckold used to refer to someone being cheated on without their knowledge and consent (and still has that meaning in the dictionary, though its usage is rather archaic now). Using it to refer to the fetish is somewhat more recent. Historically, it has been used as a derogatory term or insult in certain cultures and time periods. So their usage of it isn't exactly unprecedented, though it is odd that it's been latched on to as a generic insult. https://en.wikipedia.org/wiki/Cuckold
I've always heard it in more of a political sense. An example for the cuck insult would be, Foo is a cuck because he likes to watch others come over to his house and fuck his wife.
When applied to political situations, Foo's wife would be the US and the others would be illegal immigrants. So Foo is a cuck because he wants illegal immigrants to come over and mess up the US.
And I do believe that many of them are aware that it's a fetish, with many jokes about Foo's wife's boyfriend.
If I recall correctly it was a term popular in other circles (like /r/theredpill on reddit) that make up a lot of the popular online alt-right communities (like /r/the_donald) [1]. The merging of these communities (that generally seem to have hate and/or cynicism as their common thread) resulted in new insults like libcuck (combination of libtard and cuck). It would be fascinating if it wasn't so depressing.
IMO, it's because it's a term that they can use without getting much kickback. Before, they might use "fag" or whatever, but folks would (rightly) take offense to that. Even folks not directly targeted by those slurs would call out their use. Not as many people are going to go out of their way to defend cuckolds and fight back against the new(ish) slur.
When I read it, the implication I got was that the accused gets perverse pleasure from watching corporations defile civil liberties.
Like, if he called him a douche, I'd assume it was to say he doesn't care about his obligations to the American people and is only interested in helping his rich buddies... not that the prankster was too lazy to come up with anything other than a gross and generic comparison to female hygiene.
It's doubly interesting because seemingly all these people who pride themselves on not being cuckolds seem to need rescuing by a reality tv star with bad hair and small hands.
If that's not the definition of being "cucked" I'm not sure what is.
TheAceOfHearts | 8 years ago
[0] http://www3.ce9.uscourts.gov/jury-instructions/node/508
adventured | 8 years ago
[1] https://en.wikipedia.org/wiki/Internment_of_Japanese_America...
[2] http://www.businessinsider.com/army-sprayed-st-louis-with-to...
Alex3917 | 8 years ago
By law they need to share what you post publicly, including files. This 'vulnerability' has been around for decades.
throw-away-521 | 8 years ago
[1]: https://ecfsapi.fcc.gov/file/DOC-578d579d1f000000-A.pdf
phsource | 8 years ago
https://www.fcc.gov/ecfs/public-api-docs.html#Full-Filing-St...
Qworg | 8 years ago
It also serves as a handy handle to insult someone's virility or manliness that fits better in a tweet.
Redoubts | 8 years ago
That's precisely the intended meaning, that one literally or figuratively enjoys being taken advantage of.
okreallywtf | 8 years ago
[1] https://fivethirtyeight.com/features/dissecting-trumps-most-...
lsmod | 8 years ago
"Access Denied. File must be attached to a posted filing to be available."
azinman2 | 8 years ago
https://ecfsapi.fcc.gov/file/7521271363.pdf