Millions of US military emails have been mistakenly sent to Mali, a Russian ally, because of a minor typing error.

Emails intended for the US military’s “.mil” domain have, for years, been sent to the west African country which ends with the “.ml” suffix.

Some of the emails reportedly contained sensitive information such as passwords, medical records and the itineraries of top officers.

32 points

That’s what we in the cybersec business call an “oopsie daisy I made a little fucky-wucky”.

For real though, this isn’t a problem yet. The TL;DR is that Mali has a top-level domain “.ml”. Just like “.co.uk” for the UK. And the military uses the domain “.mil”. So lots of emails accidentally get sent to “[Military email]@[Military email server].ml” instead of sending to .mil.

So a bad actor could simply set up an e-mail server with .ml domains that mirror the military’s .mil ones, and start collecting all of those mis-addressed emails.

So why isn’t it an issue yet? Because we had a contract with Mali to manage their domain. They literally signed administrative rights for the .ml domain over. So the US was able to basically set up their own .ml mirrored sites, to capture all of those mis-addressed emails. They have captured thousands throughout the years, because military members keep misaddressing their emails. Supposedly containing all kinds of sensitive data. Everything from medical records to troop movements and equipment inspection reports.

But that contract ends this week, so Mali could 100% start registering their own domains when that contract expires and domain registrations begin expiring.

8 points

One solution to this would be to set the .mil mail servers to either correct or bounce all .ml addressed mail, no? It makes emailing legitimate .ml addresses more difficult, but requiring a second, dedicated gateway or mailserver for .ml would be at most inconvenient.
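An added example, not part of the original comment or of any real mail gateway, of the outbound recipient check suggested above: a .ml recipient whose .mil twin is a known internal domain is bounced with a correction hint, and any other unlisted .ml domain is held for a dedicated gateway. The domain names, the allow-list and the function names are constructed assumptions.

```python
# Added example. All domain names are constructed placeholders.
INTERNAL_MIL_DOMAINS = {"mail.example-unit.mil", "hq.example-unit.mil"}
APPROVED_ML_DOMAINS = {"ministry.example.ml"}  # assumed allow-list of real .ml contacts


def classify_recipient(address):
    """Return (action, detail) for one outbound recipient address."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        return ("reject", "malformed address")
    domain = domain.lower().rstrip(".")
    labels = domain.split(".")
    if labels[-1] != "ml":
        return ("deliver", domain)
    if domain in APPROVED_ML_DOMAINS:
        return ("deliver", domain)
    # Swap the TLD and see whether the result is one of our own domains.
    lookalike = ".".join(labels[:-1] + ["mil"])
    if lookalike in INTERNAL_MIL_DOMAINS:
        return ("bounce", f"did you mean {local}@{lookalike}?")
    return ("hold", "unlisted .ml domain, send via the dedicated gateway")


def screen_message(recipients):
    """Apply the strictest per-recipient verdict to the whole message."""
    results = {addr: classify_recipient(addr) for addr in recipients}
    actions = {action for action, _ in results.values()}
    for verdict in ("reject", "bounce", "hold"):
        if verdict in actions:
            return verdict, results
    return "deliver", results


if __name__ == "__main__":
    sample = ["j.doe@mail.example-unit.ml", "desk@ministry.example.ml"]
    print(screen_message(sample))
```

Bouncing with a hint rather than silently rewriting the address keeps the sender aware of the mistake.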

5 points
Deleted by creator
4 points

which I would hope is trivial for them to do without requiring the job to be bid on…

As someone with moderate experience working for the federal government, I wish I had your hopes

15 points

Like what in the fuck how could anyone in charge be this stupid and careless??

10 points

For years. Unbelievable.

3 points

Minor typos seem pretty believable to me

3 points

Me too. There’s a guy who sometimes fat fingers my email address instead of his own, over the years I’ve had a bunch of his receipts and confirmation emails.

1 point

It was a single letter, so I’d say it was a small one, but minor? Given the implication I’d say it’s pretty far from minor. It’s a typo that should’ve been preemptively avoided; all it took was the appropriate amount of caution and foresight. That it wasn’t acknowledged as a problem immediately is astounding, but that it continued to happen for years without knowledge is most definitely unbelievable.

3 points

I presume you’ve never once made a single letter typo?

1 point

Making a typo that can send to the wrong place is a common error by anyone. Net security that allows it, presumably some of them from military intranets or in various correspondences without flagging it a problem, that’s a huge mistake. The solution was a patchwork to make the problem a future one, which is so government typical. Probably would have required some reprogramming in COBOL, and they couldn’t find anyone.

1 point

Who are you talking about? The ICANN? (The Internet Corporation for Assigned Names and Numbers)?

2 points

Pretty funny to call Mali a Russian ally. That’s a bit of a reach.


Given it’s the military you would hope nothing actually serious was sent via email in the first place at least on a system connected to the internet. Yes personal records etc are important but they’re rarely if ever national secrets.
