And Just Why Are Military Officials Sending Top Secret Info Over Email?
from the just-wondering dept
The Register has a story about how the guy who ran the website mildenhall.com (which promoted the village of Mildenhall in the UK) has completely shut down the website following pressure received from US officials after they discovered that emails intended for Air Force personnel at the Mildenhall Air Force base (which uses the domain mildenhall.af.mil) were being misdirected to the owner of the .com site. We’ve seen similar stories of misdirected emails in the past, so perhaps this isn’t a huge surprise. In fact, a similar issue may have opened up the Justice Department to one of its big scandals last year, when emails intended for addresses at whitehouse.gov were sent instead to whitehouse.org. However, the question remains: why is anyone sending top secret info, such as the whereabouts of President Bush as well as battlefield strategies and passwords, over unsecured email accounts in the first place? Isn’t the military supposed to keep those things off the main grid?
Filed Under: domain name, email, mildenhall, military base
Comments on “And Just Why Are Military Officials Sending Top Secret Info Over Email?”
The wars of today
Are fought with the weapons of tomorrow, and the tactics of yesterday
How does a conversation like that really occur?
“Uh, are you the owner of mildenhall.com? Yeah… we’re gonna have to ask you to take down your site. Why? Because we employ a bunch of retards. Also, we’d like to please ask you to forget about that secret list of WoW, Second Life and Eve-Online suspected terrorists we sent you. (That bastard luvspoontang who killed my paladin is gonna pay.) Anyway, we realize that we have absolutely no right to ask this of you, but do take down your site. If you don’t, we’ll make your life hell with all kinds of costly law suits. You won’t be able to afford an Internet connection, much less run a site.”
::5 minutes of laughter:: “You’re serious? I realize that you can’t see me flipping you off through the phone, but I’m doing it anyway.” ::click::
~Brian, who loves seeing his tax dollars at work.
You drastically overestimate the intelligence of one side of that discussion.
I think it would be more like:
“You are operating mildenhall.com specifically to confuse military personnel”
“Look ol’ chap, Mildenhall is a village in the UK…”
“In addition, you are stealing secret military communications in direct violation of US and military law. The lives of Marines are at risk. MARINES!! You low-life. You won’t survive the first hour of boot camp.”
“See here my good man, I am not subject to…”
“We risk our lives to save your worthless hide, to protect your precious rights.”
“Surrender it now!”
So these government employees are mis-typing domains so everyone else has to cease and desist? That’s just stupid. If Firefox and OpenDNS can catch mistyped domains you’d think that the government email/DNS servers should be modified to catch similar mistakes especially with such important information.
Re: Wanted: IT Professionals in the Government
I think this is evidence that our government’s IT infrastructure is lacking heavily.
It doesn’t take much for information to get out so I guess that’s why we have encryption? Right?
I say hire more people that know what they are doing…
I would gladly pay taxes for that…
Let's try reading before commenting ...
First of all, no one from the U.S. forced the website offline. The site’s operator was “forced” to shut it down due to a few factors, including an overwhelming amount of spam; he’s assuming someone sold his address to spammers, but in all reality the bots probably found it on their own. Bottom line — this was a decision he made of his own volition.
Now, to the meat of the article. Mike is right, this info is supposed to be kept off the main grid. Just like everything else, once you add humans to the equation then anything can happen. What I’d like to see is the USAF request any addresses that sent classified info from the site’s owner. Then, immediately suspend those accounts, provide refresher training, and review whether or not the individuals still need access to the off-grid systems.
Re: Let's try reading before commenting ...
I submit that if you are the kind of fuckwit that sends classified information unencrypted via plain text email without even checking the address first, that you are probably the same kind of fuckwit that clicks on every “yes please install malware on my machine now” button going.
Therefore I can actually see a very likely correlation indeed between numbers of moronic service men sending you mail and the corresponding amount of spam
But like you I read the article and the bit that got me was
“Sinnott says he brought the SNAFU to the attention of Air Force officials but was never able to get the problem fixed. At first, they didn’t seem to take the matter seriously, but eventually, they “went mental,” he said. Officials advised Sinnott to block unrecognizable addresses from his domain and set up an auto-reply reminding people of the address for the official air force base”
Translated: “The solution to our national security problem is for you (a foreign citizen) to do stuff for free and fix the problem for us”
So basically all the corporately or privately owned domain names such as whitesands.com should do the same thing?
That makes so much more sense than USAF applying proper security precautions and policies in their own system
I don’t know about anybody else but I’m going looking for any unused domain names that sound like US Forces bases – anyone interested in US Military secrets should contact me in a few weeks at Area41.com
Just hope I get the domain names before Achmed does it himself
take the site down nor would co-operate with the morons if they want their secrets back they got to pay. About 1 million US dollars each time would be about right. Now let me see, is mildenhall.com available again.
Sounds like deja vu
I got my first domain name back in 1996. It was intentionally obscure. In ’99, a company in the Beltway district opened, and noticed I had their company name .com. I got one oblique inquiry about buying it that went nowhere. They settled for name-inc.com instead.
Over the next 4 years, I’d get emails intended for them from people (some of them in the company in question) who forgot to type the ‘-inc’ part. I would politely return each one with a note saying “Perhaps you meant to type…” and include all the attachments I had mistakenly received. Attachments like meeting minutes, schedules and draft proposals. Eventually they contacted me and we did negotiate the sale of the name. First (and last, so far) domain name I ever sold.
Oh, the company was a computer security firm.
They really did this (sent top secret messages via standard email–note for non-funny types: question is rhetorical)?
GET A CLUE. Standard email is not secure you might as well broadcast it over a loudspeaker or write it on a postcard.
The NIPRNET is useless
Just like every other walled garden, the SIPRNET is useless, and so most users simply use the NIPRNET. Yes, they should still be encrypting classified data, but since no one has invented a truly functional certificate pair encryption system, it’s rather awkward and still quite difficult to use, especially with someone you’ve never corresponded with before.
As for the military’s OTHER messaging system… well… it’s freakin horrid to use, and no one would want to use that unless it’s an official message.
So the military has two options. Use COTS email as best as they can (and punish users when they mess up), or stick with decades old technology. Which would you decide?
That’s why it’s mandatory that all US Military forces use encrypted email solutions utilizing PKI. So when they DO manage to send an email to the wrong address it will be encrypted and unreadable. What’s that? You say that they don’t encrypt their emails? Not even the top secret emails?
Well, in that case they deserve what they get.
Re: That's why...
At least in the Army it’s not mandatory to use encryption, but the option is available. There is an automated way to require the use of encryption, but it’s not used today for reasons I won’t get into here.
Of course, if it is in any way a hassle to use you can bet people will just resort to using any one of the plethora of free web-based email providers.
Funny, I work for a bank and everything that leaves our network requires us to verify that we are sending to an address that is not local. It knows all of the domains that have been added as part of buy-outs, mergers, etc.
I would think the gov’t could do this as well.
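The outbound recipient check described in the comment above, sketched as an added example (not part of the original post or any comment, and not any real mail gateway's API). The names `OWNED`, `classify` and `review` are hypothetical, the "same first label" rule is an assumed heuristic, and the local parts of the sample addresses are constructed; the domains are the ones named in the article.

```python
# Hypothetical outbound-mail policy: hold messages whose recipient domain
# looks like one of our own domains but is not actually ours.
OWNED = ("mildenhall.af.mil", "whitehouse.gov")  # domains named in the article

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using one rolling row of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def classify(recipient: str, owned=OWNED, max_typos: int = 2):
    """Return (verdict, intended_domain) for one recipient address."""
    domain = recipient.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in owned:
        return ("internal", domain)
    for own in owned:
        # Same leading name under a different suffix (mildenhall.com case).
        if domain.split(".")[0] == own.split(".")[0]:
            return ("hold-same-name", own)
        # Small typo in an otherwise correct domain.
        if edit_distance(domain, own) <= max_typos:
            return ("hold-typo", own)
    return ("external", None)

def review(recipients, owned=OWNED):
    """Map each held recipient to the owned domain it was probably meant for."""
    held = {}
    for rcpt in recipients:
        verdict, own = classify(rcpt, owned)
        if verdict.startswith("hold"):
            held[rcpt] = own
    return held

# Constructed sample recipients (local parts are made up).
SAMPLE = ["ops@mildenhall.af.mil", "ops@mildenhall.com",
          "staff@whitehouse.org", "ops@mildenhal.af.mil", "friend@example.org"]

if __name__ == "__main__":
    for rcpt, own in review(SAMPLE).items():
        print(f"HOLD {rcpt}: did you mean @{own}?")
```
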
When I was in the USAF I was in charge of computer systems set specifically for sending top secret information. The funny thing is that at the time our base commander would use my top secret system to send “happy birthday”s and “how was golf this weekend” to other generals, which wasted valuable time and money on an extremely expensive system.
the information is still encrypted
The issue is not that secret information is being leaked; it is that the information is not making it to the people that need it. The information sent out in the email is encrypted; all Secret DOD and HLS traffic is sent via X.400, and without the proper Fortezza cards and access card on the receiving end you cannot access the information within the email.
Oh and you can’t “keep it off the grid”; the government does not run a global telecom company, it simply encrypts its information.
Perhaps they should use an address book
I know my users can’t get along without one. If somebody in the organization doesn’t appear in the address book, they don’t know what to do! (Usually it’s a case of spelling the recipient’s name correctly)
In defense of my fellow Airmen
Anyone who wants to come in and fix the largest, most complicated system in the world is welcome to it.
Remember though there are 4 different services, 6 geographic commands, over 1 million dedicated users, and the system is constantly under attack by nations I shouldn’t need to name. A little different than the small business with 50 employees, or the fortune 500 with several thousand employees.
Re: In defense of my fellow Airmen
Granted, it’s an incredibly complex system. It also has the problem of being controlled by bureaucracy and budgetary constraints.
That being said, that doesn’t excuse the fact that these people don’t know who they’re sending email to, or their response to the guy running the UK site. Encryption is honestly not that difficult to implement, and should be mandatory for any confidential US government email.
mildenhall suffolk england
why don’t you just fly over there and just bomb the bastards??????
I love how these websites throw classifications around and just blindly assume that any email they see from the government on an unclassified medium is somehow “Top Secret”. I’m 100% positive that any details found in these emails regarding Bush, troop movements, or strategies were highly embellished in the hopes that it would bring in the hordes of “enlightened”, first semester college freshmen hell bent on trashing the US government, military, and way of life.
And for all of you boobs out there assuming that all classifications of government emails are sent over the non-secure internet, thanks for proving that people still talk out of their a$$ without knowing anything.
@knowitall — you’re assuming they’re using the secure network. From the details in the article, this isn’t the case for a number of reasons. Whatever classification the content was — it varied from personal emails to info that probably needed a classification — the recipient provided details, indicating that it wasn’t encrypted.
@KenM — Read the articles. The details provided make it clear that some info was sent over the non-secure network, and that it wasn’t encrypted. Who’s the boob, now?
The fact of the matter is that this happens. Whether it’s to avoid the hassles resulting from the security, or it’s people that aren’t tech-savvy (older people, or just people that only use computers at work/for email & internet), it’s happening. Sticking your head in the sand (knowitall & KenM) doesn’t make it go away.
I’m not entirely convinced this account is 100% accurate, but if it is what irks most is the slightly ‘imperialist’ way the USAF seems to have appropriated the name of a UK village. The village was there before the airbase. Perhaps they should simply rename the airbase?
PGP? GPG? Hello?!
“but since noone has invented a truly functional certificate pair encryption system”
Are you honestly telling me that no one here or in the Militerry has heard of PGP, or the GNU implementation, GPG?? I’ve trained artists and mothers to use Thunderbird+Enigmail to encrypt their e-mails on a regular basis. People who don’t understand why they shouldn’t use Internet Explorer as a browser, get why PGP is good! Everyone involved with these “leaks” is obviously an idiot.