When uploading comments to the FCC, you can now include malware

A laughably insecure comment system has left US comms watchdog the FCC open to malware attack, and the agency doesn't seem to know what to do about it. The security hole was spotted by a 20-year-old US university student, who found that when someone applies to put a comment onto the FCC website, the system allows almost any …

  1. Pascal Monett Silver badge
    Facepalm

    What ? A comment system that allows for uploading anything ?

    Who on God's green Earth thought that it was a good idea to allow any Internet netizen, meaning any number of effin' trolls, to upload up to 25MB of almost anything ?

    I mean, my grandmother might have thought it was a good idea, but she died before the PC was a thing. She would not have had the slightest idea of what that implied.

    So it seems to me that the FCC is chaired by my grandmother's knitting club.

    Good luck explaining this world to them.

    1. Yet Another Anonymous coward Silver badge

      Re: What ? A comment system that allows for uploading anything ?

      Uploading is fine.

      The problem is that this also lets you download, from an fcc.gov link with HTTPS and the nice little green padlock, and then a message asking if you want to trust content from fcc.gov.

  2. DNTP

    Never confuse incompetence for malice

    Unless, of course, one has reason to believe Pai and the Puppets desire another 'plausible' reason to discredit public commentary on net neutrality, and have an excuse to cast the entire neutrality movement as saboteurs and criminals who just want to keep their attack platform.

  3. Dan 55 Silver badge

    I bet I know what that webform does

    Stick everything in an email, attachment and all, and send it to a mailing list running on an Exchange server. The mailing list emails viewed with Outlook on Windows machines.

    Due to sod's law, it couldn't be anything else.

  4. Anonymous Coward

    Crypto-malware incident begging to happen?

  5. adam payne

    "The Commission has had procedures in place to prevent malware from being uploaded to the comment system. And the FCC is running additional scans and taking additional steps with its cloud partners to make sure no known malware has been uploaded to the comment system."

    What about the unknown malware or one that has been specifically crafted for them?

  6. Nimby
    Devil

    no known malware

    Methinks they missed the point.

  7. kain preacher

    With numpties like these how would they know if they have been infected? This is like taking a Windows or even a Linux server and turning on every single port possible with no firewalls and wondering why you got hit.

  8. This post has been deleted by its author

  9. Purple-Stater

    A bit o' false equivalency?

    "And this is the agency that wants to regulate the internet"

    Dang. Who'd have thought that the FCC commissioners were doing their own IT work‽

    1. HieronymusBloggs

      Re: A bit o' false equivalency?

      "Who'd have thought that the FCC commissioners were doing their own IT work‽"

      Are you saying the FCC is not ultimately responsible for work done on its behalf by those it hires?

  10. Otto is a bear.

    Um

    Whilst the file size is a bit surprising, though maybe not, it's really what happens to the files after they are uploaded that's the key. Every single government department I have ever worked with allows you to upload files, and of any type; remember, just because the file says it's a PDF doesn't mean it actually is. In every case uploaded files are triaged to make sure they are what they say they are, quarantine what's suspicious and store the rest, which in some cases might actually be a virus; one man's virus is another man's data. Mind you, if the FCC doesn't do this, then they deserve everything they get, but somehow I suspect they do. Remember a Windows virus is useless on a Unix or non-Intel system, and content systems don't tend to execute uploaded files as they are data to it.
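Added example, not part of the thread and not the FCC's code: a minimal first-pass triage of the kind the comment above describes, deciding by a file's leading bytes rather than its name whether to store or quarantine it. The function name, the allowlist and the sample uploads are assumptions constructed for illustration.

```python
# Added example: first-pass triage of an uploaded file by content, not by name.
from pathlib import PurePosixPath

MAX_BYTES = 25 * 1024 * 1024  # the 25MB upload limit mentioned in the thread

# Leading bytes ("magic numbers") expected for each accepted extension.
# The allowlist itself is an assumption made for this example.
EXPECTED_MAGIC = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".docx": (b"PK\x03\x04",),  # OOXML documents are ZIP containers
}
# Native executable headers: Windows PE/DOS ("MZ") and ELF.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")


def triage_upload(filename: str, data: bytes) -> tuple[str, str]:
    """Return (decision, reason); decision is 'reject', 'quarantine' or 'store'."""
    if len(data) > MAX_BYTES:
        return "reject", "over size limit"
    if not data:
        return "reject", "empty file"
    if data.startswith(EXECUTABLE_MAGIC):
        return "quarantine", "executable header"
    ext = PurePosixPath(filename).suffix.lower()
    expected = EXPECTED_MAGIC.get(ext)
    if expected is None:
        return "quarantine", f"extension {ext!r} not on allowlist"
    if not data.startswith(expected):
        return "quarantine", f"content does not match {ext}"
    return "store", "content matches claimed type"


if __name__ == "__main__":
    # Constructed sample uploads (not real files).
    samples = {
        "comment.pdf": b"%PDF-1.7\n%constructed sample\n",
        "letter.pdf": b"MZ\x90\x00constructed bytes, not a real binary",
        "notes.pdf": b"<html>constructed</html>",
        "filing.exe": b"plain text",
    }
    for name, body in samples.items():
        print(name, triage_upload(name, body))
```

A matching header only shows the file is the type it claims to be; it says nothing about whether the content is benign, so this step sits in front of scanning rather than replacing it.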

  11. Anonymous Coward

    not a big deal...

    with net neutrality gone, it's the ISPs' job to secure the FCC's communications!

    (yes, that was a joke. Horrible, but still a joke).

  12. Maelstorm Bronze badge
    Trollface

    FCC: We are a bunch of clowns...

    It wouldn't surprise me if someone uploaded some NSA hacking tools to the comment system, or even better, the Stuxnet worm. So if someone downloaded it and became infected, would the FBI throw the FCC in jail? Who knows.
