“Typo leak” exposes millions of US military emails to Mali web operator (opens in new tab)

(ft.com)

151 pointscafemachiavelli2y ago68 comments

68 comments

> Zuurbier has been collecting misdirected emails since January in an effort to persuade the US to take the issue seriously. He holds close to 117,000 misdirected messages — almost 1,000 arrived on Wednesday alone. In a letter he sent to the US in early July, Zuurbier wrote: “This risk is real and could be exploited by adversaries of the US.”

> Control of the .ML domain will revert on Monday from Zuurbier to Mali’s government, which is closely allied with Russia. When Zuurbier’s 10-year management contract expires, Malian authorities will be able to gather the misdirected emails. The Malian government did not respond to requests for comment.

Oops.

globalise832y ago

Not sure much can be done here short of the US Government hijacking the .ml domain altogether via ICANN, which, if even achievable, would probably cause worse side-effects than the leaking of low-grade intelligence to Mali. Probably the best partial mitigation would be to make it a condition of doing business with the military to put a blocker on all emails to .ml domain, and for all partner militaries to do the same. Still won't prevent every instance, but they can probably prevent 80% of the most sensitive emails by doing this for 20% of people who communicate with them.

nocsi2y ago

They don’t even need to hijack the actual TLD. Just have an internal catch all that is defined on their internal DNS. Then the sender has to double confirm the addresses before it’d be passed through.

halJordan2y ago

Amazing that this common sense isn't what people think of first.

guluarte2y ago

the problem is people sending emails to the wrong domain

2 more replies

groone2y ago

How about blocking outgoing mail to these domains? Let's assume there is no important e-mail business going on with Mali

flotwig2y ago

It sounds like the DOD already does block emails to .ml because of this issue:

> Lt. Cmdr Tim Gorman [...] said that emails sent directly from the .mil domain to Malian addresses “are blocked before they leave the .mil domain and the sender is notified that they must validate the email addresses of the intended recipients”.

I think the issue is people sending emails from personal accounts that the DOD cannot control. The article also mentions travel agents as another source of the email.

1 more reply

basch2y ago

or just rewrite it. all .ml becomes .mil, and then have .mil run a relay if it was an actual email to .ml.

then make it part of any contract that if you do business for .mil, and you use microsoft/zoho/gsuite etc, that they automatically run a set of ".mil compliance settings" overlaid onto your tenant.

nonameiguess2y ago

Any e-mails with PII or other information considered sensitive is supposed to be encrypted, which is at least one reason contractors get CACs and .mil e-mails of their own, so they're able to send encrypted e-mails.

Given what can be figured out by collecting thousands of hotel itineraries or whatever is actually being leaked here, it may just be the DoD needs to crack down and expand the definition of what is considered sensitive.

hgsgm2y ago

The average business has no idea how to install a blocker like that.

The military should move to domain that is safer from typosquatting, by controlling a bunch of related TLDs.

Or continue not caring about spying on random unclassified information.

lolinder2y ago

The average business uses G Suite or MS Office, and I'm sure that they could find the right setting if their government contract were dependent on it. That's a heck of a lot easier to pull off than migrating >1.4 million military personnel to a new email address.

1 more reply

viraptor2y ago

That's really understanding companies. If you can get a military contact, you can hire a person who can figure out email filters. It's not the only, or even hardest hoop you'd need to jump through.

martinflack2y ago

They'd need every permutation of 2, 3 letters of m, i, l; and while we're at it, add the keys close-by on a qwerty layout.

It seems like a better approach would be to harden all email software in usage to ban almost-but-not-quite .mil at the end of email addresses, looking for the above permutations client-side before anything is transmitted.

DropInIn2y ago

Maybe have thier email system do a check for a tld matching that and send a verification email before sending, just to make sure they aren't blocking legit email delivery?

Because I can see some serious shortcomings in your proposal right off the bat...

1 more reply

globalise832y ago

Well, only the permutations which are also a valid domain, that narrows the field a lot and is also an easily obtainable list.

1 more reply

thiht2y ago

The ICANN has no governance over ccTLDs, so not doable.

patmorgan232y ago

Except ICANN controls the root DNS servers no?

1 more reply

neilv2y ago

The cause isn't just a "typo". Sounds like they went to effort to set up DNS MX records and SMTP servers for domains like `army.ml`.

Also, not only did they set up something specifically to capture the emails that they knew weren't intended for them (incidentally preventing the senders' own SMTP servers from alerting the senders of the problem almost immediately), but... it sounds like they also examined the content of some of the diverted emails that they knew were sensitive and not intended for them.

I can't tell from the article whether they've finally disabled this diversion of the emails. Nor whether they had a plan to scrub all copies of the emails before it's out of their control, maybe offering US diplomats/officials a deadline to get a copy if they want it

Also, if they're now acting in good faith, and interfacing with US officials, I wonder who leaked this situation to the press, and why.

moonraker2y ago

It's impossible to know but I imagine a press leak (and further coverage by cable news and other traditional print media outlets) is the only way that members of Congress would actually care enough to hold members of the military and Department of Defense accountable so that they'll eventually find a way to resolve the issue.

Whether that'll take the form of a software engineering solution or a "social engineering" solution - in the form of Congressional hearings and the like - remains to be seen.

fanf22y ago

They aren’t being at all subtle about it, for example:

    ;; ANSWER SECTION:
    navy.ml.    300 IN MX 0 handle.catchemail.ml.

    army.ml.    300 IN MX 0 handle.catchemail.ml.

Very unethical way to handle sensitive data.

morpheuskafka2y ago

Unethical? Why should Mali have an ethical duty to respect military or intelligence of a foreign country with no alliance that could easily be their enemy some day?

TazeTSchnitzel2y ago

If .mil is typoed to .ml (Mali), I suppose it's also typoed to .il (Israel), but I imagine that worries the DoD less.

slavboj2y ago

Israel conducts a large amount of spying on the USA and exports a large volume of military tech to China, but for domestic political reasons the DoD likes to ignore them as a threat.

hgsgm2y ago

Israel spies for its own interests, which, per US gov foreign policy, align with US interests. Similar to France and UK.

2 more replies

InitialLastName2y ago

That probably happens to some extent, but the .mil -> .il typo is easier to spot (in what is probably a list of addresses) than .mil -> .ml.

HydianSnake12y ago

The boss is probably already CC'd

screamingninja2y ago

The title gives the impression that one typo led to the leaking of millions of emails from the US military servers, which is not the case here.

- Presumably each typo led to one leak. "Typos leak emails" would be more appropriate in that case.

- Are they really "US military emails" if they originated from elsewhere and one of the intended recipients was on the '.mil' domain? Apparently "emails sent directly from the .mil domain to Malian addresses are blocked before they leave the .mil domain".

GoblinSlayer2y ago

If those emails weren't encrypted, they weren't secret.

taeric2y ago

I mean, you aren't wrong; but opsec covers things that are not necessarily secret. Just look up news on strava leaks.

paulddraper2y ago

Ok thanks.

But let's be real...There's a difference between having unsecured packages on your doorstep and sending packages to another address entirely.

gonzo412y ago

The real secret is how any military is able to be effective under the crushing weight of the bureaucracy it seems to build around itself.

htrp2y ago

@dang.... should probably correct the title to say Typos vs Typo

The current title implies that its a single keystroke misconfiguration that is causing this when instead it's lots of people just not typing the e-mail correctly.

lolinder2y ago

@dang is a no-op, you need to email hn@ycombinator.com to recommend a change.

That said, this is the original title and it makes sense to me—it's a single typo repeated many times over.

hombre_fatal2y ago

I also read it like they did but at the same time this granularity of title management doesn’t make sense since it wastes time optimizing for people who want to comment without reading the article.

1 more reply

trustingtrust2y ago

A temporary solution would be to block all traffic of email to ml domain on computers and vpn used by the military and respond with an error. If anyone outside military computers and emails is sending such classified information this is a bigger problem and not just a typo issue.

Update: missed the part that this is incoming emails problem from non military.

devrand2y ago

According to the article the issue is non-military originating emails. They used an example of a doctor’s office sending x-rays to a patient but mistyped the TLD.

ElectricalUnion2y ago

Weird because the USA top level domain is supposed to be .us, with that being one of the first country code top level domains.

1 more reply

gilbertbw2y ago

It sounds like they already do:

> He said that emails sent directly from the .mil domain to Malian addresses “are blocked before they leave the .mil domain and the sender is notified that they must validate the email addresses of the intended recipients”.

One of the examples is a hotel booking confirmation, which would come from a third party.

lolinder2y ago

This is still a valid suggestion because a lot of the emails are from long-running government contractors. They may not be able to solve all of them, but requiring government contractors to block .ml domains in their email systems would be a start.

Am4TIfIsER0ppos2y ago

Conspiracy theory time: deliberate acts to provide Casus Belli for American invasion. Along the lines of Colin Powell's vial of anthrax at the UN or the "baby incubators" statements from a Kuwaiti princess a decade earlier.

The article states "closely allied with Russia" and the current establishment desires to punish anyone who doesn't distance themselves from Russia. The emails might be nothing sensitive to the state but they can just lie and say "Mali is deliberately intercepting emails meant for the military". Well that wouldn't even be a lie because someone did set up something to catch emails going to dot-ml which were meant for dot-mil.

A nice war helps also helps with elections at home.

boveus2y ago

I would put my money on a junior enlisted / junior officer not paying attention when they type the email to book their hotel over a government conspiracy to generate a Casus Belli to invade Mali of all places.

A4ET8a8uTh02y ago

As reasons go, this appears to a pretty weak one ( not that US needs a good or even a real reason anyway based on our Afghanistan / Iraq experience ). Remember, that you want to sell a war to the populace at a time where war is not exactly popular.

bloqs2y ago

Hanlon's Razor disagrees

causi2y ago

Why would the US want to invade Mali?

jpoesen2y ago

Mali's a Daesh hotbed.

Mali has been close to Russia politically, culturally, economically, and militarily since the 1960's.

Mali's welcomed Russian troops, including Wagner's, in the wake of the French pulling out.

"[The Russian involvement in Mali] signals a major expansion of Russia's military interests in Africa and a strategic setback for the West. The deployment of Russian military contractors signals a profound break with France and the West."

https://www.bbc.com/news/world-africa-58751423

https://www.reuters.com/world/africa/un-security-council-end...

https://www.chathamhouse.org/2021/12/russias-presence-mali-r...

https://en.wikipedia.org/wiki/Mali%E2%80%93Russia_relations

Eumenes2y ago

Chyna

j / k navigate · click thread line to collapse

68 comments

nouryqt2y ago

https://archive.is/0vhxP

nubinetwork2y ago

Oops.

globalise832y ago

nocsi2y ago

halJordan2y ago

Amazing that this common sense isn't what people think of first.

guluarte2y ago

the problem is people sending emails to the wrong domain

2 more replies

groone2y ago

How about blocking outgoing mail to these domains? Let's assume there is no important e-mail business going on with Mali

flotwig2y ago

It sounds like the DOD already does block emails to .ml because of this issue:

I think the issue is people sending emails from personal accounts that the DOD cannot control. The article also mentions travel agents as another source of the email.

1 more reply

basch2y ago

or just rewrite it. all .ml becomes .mil, and then have .mil run a relay if it was an actual email to .ml.

then make it part of any contract that if you do business for .mil, and you use microsoft/zoho/gsuite etc, that they automatically run a set of ".mil compliance settings" overlaid onto your tenant.

nonameiguess2y ago

hgsgm2y ago

The average business has no idea how to install a blocker like that.

The military should move to domain that is safer from typosquatting, by controlling a bunch of related TLDs.

Or continue not caring about spying on random unclassified information.

lolinder2y ago

1 more reply

viraptor2y ago

That's really understanding companies. If you can get a military contact, you can hire a person who can figure out email filters. It's not the only, or even hardest hoop you'd need to jump through.

martinflack2y ago

They'd need every permutation of 2, 3 letters of m, i, l; and while we're at it, add the keys close-by on a qwerty layout.

DropInIn2y ago

Maybe have thier email system do a check for a tld matching that and send a verification email before sending, just to make sure they aren't blocking legit email delivery?

Because I can see some serious shortcomings in your proposal right off the bat...

1 more reply

globalise832y ago

Well, only the permutations which are also a valid domain, that narrows the field a lot and is also an easily obtainable list.

1 more reply

thiht2y ago

The ICANN has no governance over ccTLDs, so not doable.

patmorgan232y ago

Except ICANN controls the root DNS servers no?

1 more reply

neilv2y ago

The cause isn't just a "typo". Sounds like they went to effort to set up DNS MX records and SMTP servers for domains like `army.ml`.

Also, if they're now acting in good faith, and interfacing with US officials, I wonder who leaked this situation to the press, and why.

moonraker2y ago

Whether that'll take the form of a software engineering solution or a "social engineering" solution - in the form of Congressional hearings and the like - remains to be seen.

fanf22y ago

They aren’t being at all subtle about it, for example:

    ;; ANSWER SECTION:
    navy.ml.    300 IN MX 0 handle.catchemail.ml.

    army.ml.    300 IN MX 0 handle.catchemail.ml.

Very unethical way to handle sensitive data.

morpheuskafka2y ago

Unethical? Why should Mali have an ethical duty to respect military or intelligence of a foreign country with no alliance that could easily be their enemy some day?

TazeTSchnitzel2y ago

If .mil is typoed to .ml (Mali), I suppose it's also typoed to .il (Israel), but I imagine that worries the DoD less.

slavboj2y ago

Israel conducts a large amount of spying on the USA and exports a large volume of military tech to China, but for domestic political reasons the DoD likes to ignore them as a threat.

hgsgm2y ago

Israel spies for its own interests, which, per US gov foreign policy, align with US interests. Similar to France and UK.

2 more replies

InitialLastName2y ago

That probably happens to some extent, but the .mil -> .il typo is easier to spot (in what is probably a list of addresses) than .mil -> .ml.

HydianSnake12y ago

The boss is probably already CC'd

screamingninja2y ago

The title gives the impression that one typo led to the leaking of millions of emails from the US military servers, which is not the case here.

- Presumably each typo led to one leak. "Typos leak emails" would be more appropriate in that case.

GoblinSlayer2y ago

If those emails weren't encrypted, they weren't secret.

taeric2y ago

I mean, you aren't wrong; but opsec covers things that are not necessarily secret. Just look up news on strava leaks.

paulddraper2y ago

Ok thanks.

But let's be real...There's a difference between having unsecured packages on your doorstep and sending packages to another address entirely.

gonzo412y ago

The real secret is how any military is able to be effective under the crushing weight of the bureaucracy it seems to build around itself.

htrp2y ago

@dang.... should probably correct the title to say Typos vs Typo

The current title implies that its a single keystroke misconfiguration that is causing this when instead it's lots of people just not typing the e-mail correctly.

lolinder2y ago

@dang is a no-op, you need to email hn@ycombinator.com to recommend a change.

That said, this is the original title and it makes sense to me—it's a single typo repeated many times over.

hombre_fatal2y ago

I also read it like they did but at the same time this granularity of title management doesn’t make sense since it wastes time optimizing for people who want to comment without reading the article.

1 more reply

trustingtrust2y ago

Update: missed the part that this is incoming emails problem from non military.

devrand2y ago

According to the article the issue is non-military originating emails. They used an example of a doctor’s office sending x-rays to a patient but mistyped the TLD.

ElectricalUnion2y ago

Weird because the USA top level domain is supposed to be .us, with that being one of the first country code top level domains.

1 more reply

gilbertbw2y ago

It sounds like they already do:

One of the examples is a hotel booking confirmation, which would come from a third party.

lolinder2y ago

Am4TIfIsER0ppos2y ago

A nice war helps also helps with elections at home.

boveus2y ago

A4ET8a8uTh02y ago

bloqs2y ago