‘This risk is real and could be exploited by adversaries of the US,’ warned the Dutch whistleblower who discovered them.
Starting to wonder if the ageing decision makers are gonna cause more problems like this. But even the young members of the US military have made similar slip-ups. I don’t know what the root cause of the problem is.
It’s all ages and ranks. There’s no accountability anymore unless you’re enlisted E-7 or below, you get fucked. If you’re an officer, you get promoted for doing stuff like this.
this is not just about people in us military, some of these mails may be coming from outside and you can’t really control what you are being mailed in.
how
top level domains .mil vs .ml
so it was a lot of individual typos, not a single big one, but they are appearantly pretty common.
up until now the domain management was outsourced to some commercial company from netherland, which tried to alert US DOD to the problem.
but in near future it is expected the control of the domain to be transferred under the control of local military junta, which can lead to these mails being stored and sold to higher bidder, or some similar fun stuff.
it’s wild to me that .ml isn’t a blocked domain by default for most military contractors and employees
no kidding, that’s the kind of thing that after the first few times it happens, someone from product should flag this and build in a system with redundant checks if you want to send mail to .ml, like:
-
The user has to have permission to send to .ml in the first place
-
Any individual .ml address they want to send to has to be whitelisted in a separate UI from email compose (possibly excluding replies)
-
Any time they send to .ml (or any external domain), the recipient box turns a different color, and there’s a notice, CURRENTLY SENDING TO AN EXTERNAL DOMAIN
- with a list of all external domains included eg you could also be sending to a contractor
- and a count of the domains
-
Any .ml sent mail is auto delayed by a couple minutes and requires you to confirm you wanted to send it (again possibly excluding replies)
I would hope there’s also some flags emails can have for whatever sensitive info levels, these should also come with automatic client-side and server-side validation that you’re not sending them to someone who you shouldn’t.
-
Sounds like a .us tld would’ve saved them some headache.
not sure about that… 😂
More specifically, how does the .ml provider know the content of these messages? Do they just spoof MX for all unregistered domains, or did they specifically register the domain names mimicking the US military hostnames? Both scenarios seem sketchy.
It’s described in the article. The Dutchman who runs the registrar for Mali first started to started to store the emails sent to these invalid addresses before being overwhelmed (and probably realising the literal minefield having US government secrets is) and stopping doing that. So yes his firm was initially intercepting messages sent to the aether by spoofing invalid addresses.
Talking to a friend who works in the VA, he suspects there’s a lazy contractor that’s causing most of this.
