A mountain of net neutrality comments, a privacy paradox, ransomware warnings and more

News and notes from around the federal IT community.


FCC publishes 2.44 million comments from Open Internet docket

The Federal Communications Commission released a trove of more than 2 million responses to its Open Internet docket in a single zipped XML file.

The network neutrality proceeding, in which the FCC is considering whether to allow fast lanes on the Internet for paid, prioritized traffic, has attracted wide public attention, from Internet activists to HBO's John Oliver.

FCC special counsel for external affairs Gigi Sohn announced the release in a blog post.

The FCC received more than 700 comments via its website and more than 1.7 million via email, totaling 2.44 million. Most of these are likely duplicates or form letters written by advocacy organizations, according to a preliminary analysis of 800,000 comments by the Sunlight Foundation.

The current release covers the official comment period from July 19 to Sept. 15. There are an additional 1.3 million comments that were received when the comment period was extended, totaling 3.7 million replies to the FCC's notice of proposed rulemaking, a record response.

Privacy board lacks mechanism for tracking recommendations

The independent government agency charged with reviewing intelligence community programs doesn't have an established channel for learning whether its recommendations have been adopted by agencies, said David Medine, chairman of the Privacy and Civil Liberties Oversight Board.

The young agency has been grappling almost exclusively with the revelations of intelligence community surveillance practices leaked by Edward Snowden since Medine's confirmation in May 2013. So far, the PCLOB has weighed in on bulk telephonic metadata collection from U.S. carriers conducted under Sec. 215 of the Patriot Act and foreign surveillance of e-mail and web content as well as the tapping of network infrastructure under Sec. 702 of the same statute.

The administration has largely agreed with the recommendations issued by PCLOB in January 2014 that bulk metadata collection be modified, if not with their argument that the program was not authorized by statute, Medine said at an Oct. 22 meeting of the Information Security and Privacy Advisory Board. PCLOB issued its 702 report in July, recommending more transparency in the way information about U.S. persons is swept up in collections conducted against foreign targets, how that data may be retained and used, and changes to the way the NSA explains its choice of targets for surveillance.

But there's no method in place, Medine said, to find out whether PCLOB recommendations are being adopted in NSA's minimization and compliance practices.

"We've never had precedents for what happens when we issue our reports," Medine said. "We are going to address over time how we oversight our oversight," he said, but noted that as of now there hasn't been enough time for the adoption of PCLOB recommendations.

Medine said that PCLOB's relations with NSA were good, and he didn't anticipate any difficulty in learning where the board's recommendations are being implemented.

CERT says don't give in to ransomware demands

In an Oct. 22 alert, the Department of Homeland Security's Computer Emergency Readiness Team (CERT) told computer users not to buckle under to cybercriminals' "ransomware" demands for payments to unlock hijacked computers.

Ransomware, malware that creeps into computers, locks their owners out, and extorts payment for re-access, has been a growing problem for years, said the notice. Typical payment demands are in the $100-$300 range, and CERT cited studies that showed a ransomware operator could reap as much as $33,000 in a day, or $395,000 per month from a single command and control server that handles 5,000 computers.

The Oct. 22 CERT notice explained details of the scam and protections against it. Among the usual advice about not clicking on suspicious emailed links and visiting questionable sites, the notice advised not to pay any ransom.

"Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim's money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed."

Network outage delays National Weather Service forecasts

A network outage at the National Weather Service has affected the quality of its weather forecast data, the National Center for Environmental Prediction (NCEP) warned on Wednesday.

The outage also meant that all or most of the satellite imagery has stopped publishing to the National Oceanic and Atmospheric Administration and National Weather Service websites; "current" imagery is at least one day old.

This is not the agency's first major IT meltdown. In late August, the National Weather Service website crashed because of an influx of data requests from an external Android application. And in May, the Weather Service's warning dissemination system failed during a firewall upgrade.

However, the NCEP is saying these model forecasts can still be considered credible. In an email to the Washington Post, Chris Vaccaro, a spokesperson for the National Weather Service, said "there's a lot of redundancy in the observing system that can help to offset the data."

NASA satellite imagery websites appear to be up-to-date, indicating that this issue is with the National Weather Service networks alone, the Post reported.

FDA learns from network attacks -- by the agency IG

After an October 2013 breach in which the sensitive information of 14,000 user accounts was compromised within its system, the Food and Drug Administration's computer network underwent a month-long penetration test to address cyber vulnerabilities that might have enabled future breaches, according to a report issued by the agency's Office of Inspector General (OIG).

With the permission of FDA officials and without notifying the FDA's incident response team, the OIG conducted the test from Oct. 21 through Nov. 10, 2013, and discovered a number of vulnerabilities within the network. "Web page input validation was inadequate," the testers found, "external systems did not enforce account lockout procedures, security assessments were not performed on all external servers, error messages revealed sensitive system information, and demonstration programs revealed sensitive information." The exploitation of these vulnerabilities, the report said, could have allowed the "unauthorized disclosure or modification of FDA data and/or the FDA's mission-critical systems being made unavailable."

The OIG made seven recommendations for the FDA to address -- which included resolving any underlying web vulnerabilities, establishing effective processes to ensure the resilience of its systems against cyberattacks, and sporadically assessing each of its networked systems.

GSA trumpets reverse auction savings

The General Services Administration hosted almost 1,000 reverse auctions that saved government agencies millions in 2014, according to a GSA official in charge of the events.

In an Oct. 21 blog post, Charles Wingate, a branch chief at GSA's Federal Acquisitions Services/IT Commodities Division, said more than 20 agencies across government created 900 auctions and saved over $6 million during fiscal 2014.

He added that 60 percent of the auctions were set aside for small businesses and that agencies awarded more than 85 percent of the procurements conducted through GSA's reverse auctions to small businesses, totaling more than $19 million.

Wingate also said that reverse auctions generated 23 percent savings off standard contract prices.