“Typo leak” exposes millions of US military emails to Mali web operator (ft.com)
151 points by cafemachiavelli on July 17, 2023 | hide | past | favorite | 68 comments
> Zuurbier has been collecting misdirected emails since January in an effort to persuade the US to take the issue seriously. He holds close to 117,000 misdirected messages — almost 1,000 arrived on Wednesday alone. In a letter he sent to the US in early July, Zuurbier wrote: “This risk is real and could be exploited by adversaries of the US.”

> Control of the .ML domain will revert on Monday from Zuurbier to Mali’s government, which is closely allied with Russia. When Zuurbier’s 10-year management contract expires, Malian authorities will be able to gather the misdirected emails. The Malian government did not respond to requests for comment.

Oops.


Not sure much can be done here short of the US Government hijacking the .ml domain altogether via ICANN, which, if even achievable, would probably cause worse side-effects than the leaking of low-grade intelligence to Mali. Probably the best partial mitigation would be to make it a condition of doing business with the military to put a blocker on all emails to .ml domain, and for all partner militaries to do the same. Still won't prevent every instance, but they can probably prevent 80% of the most sensitive emails by doing this for 20% of people who communicate with them.


They don’t even need to hijack the actual TLD. Just have an internal catch all that is defined on their internal DNS. Then the sender has to double confirm the addresses before it’d be passed through.


Amazing that this common sense isn't what people think of first.


the problem is people sending emails to the wrong domain


And if the senders are mostly within the US military and are thus resolving that domain through their infrastructure, changing the outgoing domain resolution configuration for the mail servers may be able to help with this.


Yeah, you don't have to route those emails. I'm pretty sure the number of people sending emails to both .mil and .ml are a dozen people in the State Dept.


How about blocking outgoing mail to these domains? Let's assume there is no important e-mail business going on with Mali


It sounds like the DOD already does block emails to .ml because of this issue:

> Lt. Cmdr Tim Gorman [...] said that emails sent directly from the .mil domain to Malian addresses “are blocked before they leave the .mil domain and the sender is notified that they must validate the email addresses of the intended recipients”.

I think the issue is people sending emails from personal accounts that the DOD cannot control. The article also mentions travel agents as another source of the email.


> travel agents as another source of the email

Sales and travel agents, an IT dept's worst nightmare. People too busy to double check anything are to blame for emails being delivered to the wrong recipient.

Colour me surprised.


or just rewrite it. all .ml becomes .mil, and then have .mil run a relay if it was an actual email to .ml.

then make it part of any contract that if you do business for .mil, and you use microsoft/zoho/gsuite etc, that they automatically run a set of ".mil compliance settings" overlaid onto your tenant.


Any e-mails with PII or other information considered sensitive are supposed to be encrypted, which is at least one reason contractors get CACs and .mil e-mails of their own, so they're able to send encrypted e-mails.

Given what can be figured out by collecting thousands of hotel itineraries or whatever is actually being leaked here, it may just be the DoD needs to crack down and expand the definition of what is considered sensitive.


The average business has no idea how to install a blocker like that.

The military should move to domain that is safer from typosquatting, by controlling a bunch of related TLDs.

Or continue not caring about spying on random unclassified information.


The average business uses G Suite or MS Office, and I'm sure that they could find the right setting if their government contract were dependent on it. That's a heck of a lot easier to pull off than migrating >1.4 million military personnel to a new email address.


Hey, a new job for Clippy! "It looks like you're writing an email to a Mali address. Did you actually want to use a .mil address?". Especially Malians will welcome this feature...


Hah! I was talking about a server-side setting, but this is a pretty funny idea.


That's really underestimating companies. If you can get a military contract, you can hire a person who can figure out email filters. It's not the only, or even hardest, hoop you'd need to jump through.


They'd need every permutation of 2, 3 letters of m, i, l; and while we're at it, add the keys close-by on a qwerty layout.

It seems like a better approach would be to harden all email software in usage to ban almost-but-not-quite .mil at the end of email addresses, looking for the above permutations client-side before anything is transmitted.


Maybe have their email system do a check for a TLD matching that and send a verification email before sending, just to make sure they aren't blocking legit email delivery?

Because I can see some serious shortcomings in your proposal right off the bat...


It's not just a question of whether it makes a legit TLD; it's also whether military personnel should have any reason to send email there from a given system.


Well, only the permutations which are also a valid domain, that narrows the field a lot and is also an easily obtainable list.


I'd future-proof it against coming TLDs up-front.


The ICANN has no governance over ccTLDs, so not doable.


Except ICANN controls the root DNS servers no?


If I remember well the operations of the root DNS are delegated to other companies/organizations (Verisign for example).

I don't know how easy it would be to insert lies in the root DNS servers, without it being spotted, and without it triggering a potential war if it impacts ccTLDs.


The cause isn't just a "typo". Sounds like they went to effort to set up DNS MX records and SMTP servers for domains like `army.ml`.

Also, not only did they set up something specifically to capture the emails that they knew weren't intended for them (incidentally preventing the senders' own SMTP servers from alerting the senders of the problem almost immediately), but... it sounds like they also examined the content of some of the diverted emails that they knew were sensitive and not intended for them.

I can't tell from the article whether they've finally disabled this diversion of the emails. Nor whether they had a plan to scrub all copies of the emails before it's out of their control, maybe offering US diplomats/officials a deadline to get a copy if they want it.

Also, if they're now acting in good faith, and interfacing with US officials, I wonder who leaked this situation to the press, and why.


It's impossible to know but I imagine a press leak (and further coverage by cable news and other traditional print media outlets) is the only way that members of Congress would actually care enough to hold members of the military and Department of Defense accountable so that they'll eventually find a way to resolve the issue.

Whether that'll take the form of a software engineering solution or a "social engineering" solution - in the form of Congressional hearings and the like - remains to be seen.


They aren’t being at all subtle about it, for example:

    ;; ANSWER SECTION:
    navy.ml.    300 IN MX 0 handle.catchemail.ml.
    army.ml.    300 IN MX 0 handle.catchemail.ml.

Very unethical way to handle sensitive data.
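Several comments above propose enumerating near-miss spellings of .mil (dropped letters, swapped letters, adjacent QWERTY keys) and keeping only the ones that are real TLDs, and the dig output just shown is what a typo domain's MX records look like when one host collects mail for many of them. The following is an added example, not code from the article or from anyone in this thread, that puts those ideas together: it generates single-keystroke variants of `mil`, intersects them with a constructed sample of delegated TLDs, makes a hold/allow decision per recipient the way an outbound gateway would, and parses dig-style MX answers to flag a mail exchanger shared by several look-alike domains. The QWERTY neighbour table, the TLD sample, the `unit-example.ml` record and all function names are assumptions made for the example.

```python
"""Near-miss TLD screening for outbound mail, plus a scan of dig-style MX
answers to see which typo domains are actually set up to receive mail.
Added example; not code from the article or the discussion thread."""
from __future__ import annotations

import re

TARGET_TLD = "mil"

# Letter keys adjacent on a US QWERTY keyboard (constructed table, letters
# only, since ASCII TLDs contain no digits or punctuation).
QWERTY_NEIGHBOURS = {"m": "nj", "i": "ujko", "l": "kop"}

# Constructed sample of delegated TLDs. A real gateway should load the full
# list that IANA publishes (data.iana.org/TLD/tlds-alpha-by-domain.txt).
SAMPLE_TLDS = {"com", "net", "org", "gov", "mil", "us", "ml", "il",
               "mk", "mo", "mp", "fr", "uk"}


def typo_variants(tld: str = TARGET_TLD) -> set[str]:
    """Single-keystroke near misses of a TLD: one letter dropped, two
    adjacent letters swapped, or one letter replaced by a neighbouring key."""
    variants: set[str] = set()
    for i, ch in enumerate(tld):
        variants.add(tld[:i] + tld[i + 1:])                          # deletion
        if i + 1 < len(tld):                                         # transposition
            variants.add(tld[:i] + tld[i + 1] + ch + tld[i + 2:])
        for key in QWERTY_NEIGHBOURS.get(ch, ""):                    # substitution
            variants.add(tld[:i] + key + tld[i + 1:])
    variants.discard(tld)
    return variants


def risky_tlds(tld: str = TARGET_TLD, delegated: set[str] = SAMPLE_TLDS) -> set[str]:
    """Only near misses that are delegated TLDs can receive mail, so those are
    the ones an outbound policy has to act on."""
    return typo_variants(tld) & delegated


def check_recipient(address: str, tld: str = TARGET_TLD,
                    delegated: set[str] = SAMPLE_TLDS) -> str:
    """Policy decision for one recipient: 'allow', or 'hold' when the address
    ends in a near miss of the protected TLD and the sender must confirm it."""
    domain = address.rpartition("@")[2].lower().rstrip(".")
    last_label = domain.rpartition(".")[2]
    return "hold" if last_label in risky_tlds(tld, delegated) else "allow"


# One dig ANSWER line: owner, TTL, class, type, preference, exchanger.
MX_LINE = re.compile(r"^(\S+)\.\s+\d+\s+IN\s+MX\s+(\d+)\s+(\S+)\.$")


def parse_mx(dig_answer: str) -> dict[str, list[tuple[int, str]]]:
    """Turn the ANSWER SECTION of `dig MX` output into domain -> [(pref, host)]."""
    records: dict[str, list[tuple[int, str]]] = {}
    for line in dig_answer.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = MX_LINE.match(line)
        if m:
            records.setdefault(m.group(1).lower(), []).append(
                (int(m.group(2)), m.group(3).lower()))
    return records


def shared_mx_hosts(records: dict[str, list[tuple[int, str]]]) -> dict[str, list[str]]:
    """Mail exchangers serving more than one scanned domain. One host behind
    many look-alike domains is the signature of a catch-all collector."""
    by_host: dict[str, list[str]] = {}
    for domain, mxs in records.items():
        for _, host in mxs:
            by_host.setdefault(host, []).append(domain)
    return {h: sorted(d) for h, d in by_host.items() if len(d) > 1}


# The first two records are the ones quoted in the thread; the third is a
# constructed line with a different exchanger, to show it is not grouped.
SAMPLE_DIG = """\
;; ANSWER SECTION:
navy.ml.    300 IN MX 0 handle.catchemail.ml.
army.ml.    300 IN MX 0 handle.catchemail.ml.
unit-example.ml.  300 IN MX 10 mx.example.invalid.
"""

if __name__ == "__main__":
    print("near-miss TLDs that are delegated:", sorted(risky_tlds()))
    for rcpt in ["alice@navy.mil", "bob@navy.ml", "carol@navy.il", "dave@example.com"]:
        print(f"{rcpt}: {check_recipient(rcpt)}")
    print("exchangers shared by several typo domains:", shared_mx_hosts(parse_mx(SAMPLE_DIG)))
```

With the sample TLD list the delegated near misses of `mil` come out as `il` and `ml`, which matches the two cases raised in the thread; every other variant (`iml`, `mli`, `nil`, ...) is dropped because nothing is delegated there, so the policy only holds mail that could actually be delivered somewhere. The "hold" outcome is meant to be paired with the confirmation step a couple of comments ask for rather than a silent drop, and legitimate correspondents in a risky TLD can be handled by an allow-list checked before this function.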


Unethical? Why should Mali have an ethical duty to respect military or intelligence of a foreign country with no alliance that could easily be their enemy some day?


If .mil is typoed to .ml (Mali), I suppose it's also typoed to .il (Israel), but I imagine that worries the DoD less.


Israel conducts a large amount of spying on the USA and exports a large volume of military tech to China, but for domestic political reasons the DoD likes to ignore them as a threat.


Israel spies for its own interests, which, per US gov foreign policy, align with US interests. Similar to France and UK.


Israel’s interests wrt the US are complicated.

Israeli politicians campaign in the US. There’s a lot of mutual personal, commercial and government interests between the two countries that often are out of alignment with official positions.

France also has a complicated relationship and does more adversarial spying.


With the attack on the USS Liberty, we know that alignment of interests is not always true.


The USS Liberty incident is so often used as a boogeyman to make Israel seem overtly malicious to the USA. Often forgotten is that the day before the incident, the Israeli air force accidentally bombed one of their own infantry columns.


Any state based on racism and supremacist ideology and founded and controlled by persons who were explicitly terrorists (Likud descends directly from Irgun etc.) is a threat to not just the US but all of humankind...

But you can't really say that about Israel because they'll use the default antisemitism attack, alongside various dogwhistles to encourage harassment, until you are silenced.

Ed: a typo right after posting


The surviving veterans of the ship don’t think the attack was an accident. This does not compare with the Air Force’s accidental fire on friendlies.


That probably happens to some extent, but the .mil -> .il typo is easier to spot (in what is probably a list of addresses) than .mil -> .ml.


The boss is probably already CC'd




FWIW that didn't read as particularly negatively. US and Israel are military allies, they would worry less about this sort of leak.


Israel used to be listed as an advanced persistent threat against the United States.


The title gives the impression that one typo led to the leaking of millions of emails from the US military servers, which is not the case here.

- Presumably each typo led to one leak. "Typos leak emails" would be more appropriate in that case.

- Are they really "US military emails" if they originated from elsewhere and one of the intended recipients was on the '.mil' domain? Apparently "emails sent directly from the .mil domain to Malian addresses are blocked before they leave the .mil domain".


If those emails weren't encrypted, they weren't secret.


I mean, you aren't wrong; but opsec covers things that are not necessarily secret. Just look up news on strava leaks.


Ok thanks.

But let's be real... There's a difference between having unsecured packages on your doorstep and sending packages to another address entirely.


The real secret is how any military is able to be effective under the crushing weight of the bureaucracy it seems to build around itself.


@dang.... should probably correct the title to say Typos vs Typo

The current title implies that it's a single keystroke misconfiguration that is causing this when instead it's lots of people just not typing the e-mail correctly.


@dang is a no-op, you need to email hn@ycombinator.com to recommend a change.

That said, this is the original title and it makes sense to me—it's a single typo repeated many times over.


I also read it like they did but at the same time this granularity of title management doesn’t make sense since it wastes time optimizing for people who want to comment without reading the article.


Truth matters.


That's what the article body is for. The title is ambiguous, not wrong.


A temporary solution would be to block all email traffic to the .ml domain on computers and VPNs used by the military and respond with an error. If anyone outside military computers and emails is sending such classified information this is a bigger problem and not just a typo issue.

Update: missed the part that this is incoming emails problem from non military.


According to the article the issue is non-military originating emails. They used an example of a doctor’s office sending x-rays to a patient but mistyped the TLD.


Weird because the USA top level domain is supposed to be .us, with that being one of the first country code top level domains.


It's my understanding that .gov and .mil were brought over from when those were independent networks, pre-internet.


Now do .com, .org, and .net, which are all part of US.


No they're not.


From Wikipedia for .com:

> The domain was originally administered by the United States Department of Defense, but is today operated by Verisign, and remains under ultimate jurisdiction of U.S. law.

.edu holds US-centric requirements today. Not sure about .org, .net, etc.

[0] https://en.wikipedia.org/wiki/.com

[1] https://en.wikipedia.org/wiki/.edu


It sounds like they already do:

> He said that emails sent directly from the .mil domain to Malian addresses “are blocked before they leave the .mil domain and the sender is notified that they must validate the email addresses of the intended recipients”.

One of the examples is a hotel booking confirmation, which would come from a third party.


This is still a valid suggestion because a lot of the emails are from long-running government contractors. They may not be able to solve all of them, but requiring government contractors to block .ml domains in their email systems would be a start.


Conspiracy theory time: deliberate acts to provide Casus Belli for American invasion. Along the lines of Colin Powell's vial of anthrax at the UN or the "baby incubators" statements from a Kuwaiti princess a decade earlier.

The article states "closely allied with Russia" and the current establishment desires to punish anyone who doesn't distance themselves from Russia. The emails might be nothing sensitive to the state but they can just lie and say "Mali is deliberately intercepting emails meant for the military". Well that wouldn't even be a lie because someone did set up something to catch emails going to dot-ml which were meant for dot-mil.

A nice war also helps with elections at home.


I would put my money on a junior enlisted / junior officer not paying attention when they type the email to book their hotel over a government conspiracy to generate a Casus Belli to invade Mali of all places.


As reasons go, this appears to be a pretty weak one (not that the US needs a good or even a real reason anyway based on our Afghanistan / Iraq experience). Remember that you want to sell a war to the populace at a time when war is not exactly popular.


Hanlon's Razor disagrees


Why would the US want to invade Mali?


Mali's a Daesh hotbed.

Mali has been close to Russia politically, culturally, economically, and militarily since the 1960s.

Mali's welcomed Russian troops, including Wagner's, in the wake of the French pulling out.

"[The Russian involvement in Mali] signals a major expansion of Russia's military interests in Africa and a strategic setback for the West. The deployment of Russian military contractors signals a profound break with France and the West."

https://www.bbc.com/news/world-africa-58751423

https://www.reuters.com/world/africa/un-security-council-end...

https://www.chathamhouse.org/2021/12/russias-presence-mali-r...

https://en.wikipedia.org/wiki/Mali%E2%80%93Russia_relations


Chyna