And Just Why Are Military Officials Sending Top Secret Info Over Email?

from the just-wondering dept

The Register has a story about how the man who ran the website mildenhall.com (which promoted the village of Mildenhall in the UK) has completely shut down the site following pressure from US officials, after they discovered that emails intended for Air Force personnel at the Mildenhall Air Force base (which uses the domain mildenhall.af.mil) were being misdirected to the owner of the .com site. We've seen similar stories of misdirected emails in the past, so perhaps this isn't a huge surprise. In fact, a similar issue may have opened up the Justice Department to one of its big scandals last year, when emails intended for addresses at whitehouse.gov were sent instead to whitehouse.org. However, the question remains: why is anyone sending top secret info, such as the whereabouts of President Bush as well as battlefield strategies and passwords, over unsecured email accounts in the first place? Isn't the military supposed to keep those things off the main grid?

Filed Under: domain name, email, mildenhall, military base


Reader Comments


  • Le Blue Dude, 4 Mar 2008 @ 12:03am

    The wars of today

    Are fought with the weapons of tomorrow, and the tactics of yesterday

  • Brian, 4 Mar 2008 @ 12:34am

    How does a conversation like that really occur?

    "Uh, are you the owner of mildenhall.com? Yeah... we're gonna have to ask you to take down your site. Why? Because we employ a bunch of retards. Also, we'd like to please ask you to forget about that secret list of WoW, Second Life and Eve-Online suspected terrorists we sent you. (That bastard luvspoontang who killed my paladin is gonna pay.) Anyway, we realize that we have absolutely no right to ask this of you, but do take down your site. If you don't, we'll make your life hell with all kinds of costly lawsuits. You won't be able to afford an Internet connection, much less run a site."

    ::5 minutes of laughter:: "You're serious? I realize that you can't see me flipping you off through the phone, but I'm doing it anyway." ::click::

    ~Brian, who loves seeing his tax dollars at work.

    • mobiGeek, 4 Mar 2008 @ 9:41am

      Re:

      You drastically overestimate the intelligence of one side of that discussion.

      I think it would be more like:

      "You are operating mildenhall.com specifically to confuse military personnel"

      "Look ol' chap, Mildenhall is a village in the UK..."

      "In addition, you are stealing secret military communications in direct violation of US and military law. The lives of Marines are at risk. MARINES!! You low-life. You won't survive the first hour of boot camp."

      "See here my good man, I am not subject to..."

      "We risk our lives to save your worthless hide, to protect your precious rights."

      "Yes, but..."

      "Surrender it now!"

  • linuxamp, 4 Mar 2008 @ 12:34am

    So these government employees are mis-typing domains so everyone else has to cease and desist? That's just stupid. If Firefox and OpenDNS can catch mistyped domains you'd think that the government email/DNS servers should be modified to catch similar mistakes especially with such important information.

    • steve, 4 Mar 2008 @ 2:55pm

      Wanted: IT Professionals in the Government

      I think this is evidence that our government's IT infrastructure is lacking heavily.
      It doesn't take much for information to get out so I guess that's why we have encryption? Right?
      I say hire more people that know what they are doing...
      I would gladly pay taxes for that...

  • moe, 4 Mar 2008 @ 12:46am

    Let's try reading before commenting ...

    First of all, no one from the U.S. forced the website offline. The site's operator was "forced" to shut it down due to a few factors, including an overwhelming amount of spam; he's assuming someone sold his address to spammers, but in all reality the bots probably found it on their own. Bottom line -- this was a decision he made of his own volition.

    Now, to the meat of the article. Mike is right, this info is supposed to be kept off the main grid. Just like everything else, once you add humans to the equation then anything can happen. What I'd like to see is the USAF request any addresses that sent classified info from the site's owner. Then, immediately suspend those accounts, provide refresher training, and review whether or not the individuals still need access to the off-grid systems.

    • Enrico Suarve, 4 Mar 2008 @ 1:22am

      Re: Let's try reading before commenting ...

      I submit that if you are the kind of fuckwit that sends classified information unencrypted via plain text email without even checking the address first, that you are probably the same kind of fuckwit that clicks on every "yes please install malware on my machine now" button going.
      Therefore I can actually see a very likely correlation indeed between numbers of moronic service men sending you mail and the corresponding amount of spam

      But like you I read the article and the bit that got me was

      "Sinnott says he brought the SNAFU to the attention of Air Force officials but was never able to get the problem fixed. At first, they didn't seem to take the matter seriously, but eventually, they "went mental," he said. Officials advised Sinnott to block unrecognizable addresses from his domain and set up an auto-reply reminding people of the address for the official air force base"

      Translated: "The solution to our national security problem is for you (a foreign citizen) to do stuff for free and fix the problem for us"

      Genius

      So basically all the corporately or privately owned domain names such as whitesands.com should do the same thing?

      That makes so much more sense than USAF applying proper security precautions and policies in their own system

      I don't know about anybody else but I'm going looking for any unused domain names that sound like US Forces bases - anyone interested in US Military secrets should contact me in a few weeks at Area41.com

      Just hope I get the domain names before Achmed does it himself

  • mike allen, 4 Mar 2008 @ 1:38am

    I wouldn't

    take the site down, nor would I co-operate with the morons. If they want their secrets back they've got to pay. About 1 million US dollars each time would be about right. Now let me see, is mildenhall.com available again?

  • Roy, 4 Mar 2008 @ 3:39am

    Sounds like deja vu

    I got my first domain name back in 1996. It was intentionally obscure. In '99, a company in the Beltway district opened, and noticed I had their company name .com. I got one oblique inquiry about buying it that went nowhere. They settled for name-inc.com instead.

    Over the next 4 years, I'd get emails intended for them from people (some of them in the company in question) who forgot to type the '-inc' part. I would politely return each one with a note saying "Perhaps you meant to type..." and include all the attachments I had mistakenly received. Attachments like meeting minutes, schedules and draft proposals. Eventually they contacted me and we did negotiate the sale of the name. First (and last, so far) domain name I ever sold.

    Oh, the company was a computer security firm.

  • James, 4 Mar 2008 @ 4:11am

    LMAO

    They really did this (sent top secret messages via standard email--note for non-funny types: question is rhetorical)?

    GET A CLUE. Standard email is not secure; you might as well broadcast it over a loudspeaker or write it on a postcard.

  • Hellsvilla, 4 Mar 2008 @ 4:23am

    The NIPRNET is useless

    Just like every other walled garden, the SIPRNET is useless, and so most users simply use the NIPRNET. Yes, they should still be encrypting classified data, but since no one has invented a truly functional certificate pair encryption system, it's rather awkward and still quite difficult to use, especially with someone you've never corresponded with before.

    As for the military's OTHER messaging system... well... it's freakin horrid to use, and no one would want to use that unless it's an official message.

    So the military has two options. Use COTS email as best as they can (and punish users when they mess up), or stick with decades old technology. Which would you decide?

  • Kevin, 4 Mar 2008 @ 4:26am

    That's why...

    That's why it's mandatory that all US Military forces use encrypted email solutions utilizing PKI. So when they DO manage to send an email to the wrong address it will be encrypted and unreadable. What's that? You say that they don't encrypt their emails? Not even the top secret emails?

    Well, in that case they deserve what they get.

    • moe, 4 Mar 2008 @ 4:39am

      Re: That's why...

      At least in the Army it's not mandatory to use encryption, but the option is available. There is an automated way to require the use of encryption, but it's not used today for reasons I won't get into here.

      Of course, if it is in any way a hassle to use you can bet people will just resort to using any one of the plethora of free web-based email providers.

  • Anonymous Coward, 4 Mar 2008 @ 5:58am

    Funny, I work for a bank and everything that leaves our network requires us to verify that we are sending to an address that is not local. It knows all of the domains that have been added as part of buy-outs, mergers, etc.

    I would think the gov't could do this as well.

  • Anonymous Coward, 4 Mar 2008 @ 7:14am

    how ironic

    When I was in the USAF I was in charge of computer systems set specifically for sending top secret information. The funny thing is that at the time our base commander would use my top secret system to send "happy birthday"s and "how was golf this weekend" to other generals, which wasted valuable time and money on an extremely expensive system.

  • knowitall, 4 Mar 2008 @ 10:04am

    the information is still encrypted

    The issue is not that secret information is being leaked; it is that the information is not making it to the people that need it. The information sent out in the email is encrypted. All Secret DOD and HLS traffic is sent via X.400; without the proper Fortezza cards and access card on the receiving end you cannot access the information within the email.

    Oh, and you can't "keep it off the grid": the government does not run a global telecom company, it simply encrypts its information.

  • 4-80-sicks, 4 Mar 2008 @ 11:09am

    Perhaps they should use an address book

    I know my users can't get along without one. If somebody in the organization doesn't appear in the address book, they don't know what to do! (Usually it's a case of spelling the recipient's name correctly)

  • Tim Lundberg, 4 Mar 2008 @ 4:58pm

    In defense of my fellow Airmen

    Anyone who wants to come in and fix the largest, most complicated system in the world is welcome to it.

    Remember though there are 4 different services, 6 geographic commands, over 1 million dedicated users, and the system is constantly under attack by nations I shouldn't need to name. A little different than the small business with 50 employees, or the Fortune 500 with several thousand employees.

    • DanC, 4 Mar 2008 @ 5:07pm

      Re: In defense of my fellow Airmen

      Granted, it's an incredibly complex system. It also has the problem of being controlled by bureaucracy and budgetary constraints.

      That being said, that doesn't excuse the fact that these people don't know who they're sending email to, or their response to the guy running the UK site. Encryption is honestly not that difficult to implement, and should be mandatory for any confidential US government email.

  • Mick, 4 Mar 2008 @ 9:49pm

    mildenhall suffolk england

    why don't you just fly over there and just bomb the bastards??????

  • KenM, 4 Mar 2008 @ 9:53pm

    Right

    I love how these websites throw classifications around and just blindly assume that any email they see from the government on an unclassified medium is somehow "Top Secret". I'm 100% positive that any details found in these emails regarding Bush, troop movements, or strategies were highly embellished in the hopes that it would bring in the hordes of "enlightened", first semester college freshmen hell bent on trashing the US government, military, and way of life.

    And for all of you boobs out there assuming that all classifications of government emails are sent over the non-secure internet, thanks for proving that people still talk out of their a$$ without knowing anything.

  • moe, 5 Mar 2008 @ 4:18am

    Responses

    @knowitall -- you're assuming they're using the secure network. From the details in the article, this isn't the case for a number of reasons. Whatever classification the content was -- it varied from personal emails to info that probably needed a classification -- the recipient provided details, indicating that it wasn't encrypted.

    @KenM -- Read the articles. The details provided make it clear that some info was sent over the non-secure network, and that it wasn't encrypted. Who's the boob, now?

    The fact of the matter is that this happens. Whether it's to avoid the hassles resulting from the security, or it's people that aren't tech-savvy (older people, or just people that only use computers at work/for email & internet), it's happening. Sticking your head in the sand (knowitall & KenM) doesn't make it go away.

  • pv, 5 Mar 2008 @ 7:35am

    I'm not entirely convinced this account is 100% accurate, but if it is what irks most is the slightly 'imperialist' way the USAF seems to have appropriated the name of a UK village. The village was there before the airbase. Perhaps they should simply rename the airbase?

  • Anonymous Coward, 6 Mar 2008 @ 6:10pm

    PGP? GPG? Hello?!

    "but since no one has invented a truly functional certificate pair encryption system"

    Are you honestly telling me that no one here or in the Militerry has heard of PGP, or the GNU implementation, GPG?? I've trained artists and mothers to use Thunderbird+Enigmail to encrypt their e-mails on a regular basis. People who don't understand why they shouldn't use Internet Explorer as a browser, get why PGP is good! Everyone involved with these "leaks" is obviously an idiot.
