For over 10 years, millions of emails associated with the US military have been getting sent to Mali, a West African country allied with Russia, due to a typo, according to a report from the Financial Times. Instead of appending the military’s .MIL domain to their recipient’s email address, people frequently type .ML, the country identifier for Mali, by mistake.
Johannes Zuurbier, a Dutch entrepreneur contracted to manage Mali’s domain, tells the Financial Times that this has been happening for over a decade despite his repeated attempts to warn the US government. When Zuurbier began noticing requests for nonexistent domains, like army.ml and navy.ml, he set up a system to catch these misdirected emails, which the Financial Times reports “was rapidly overwhelmed and stopped collecting messages.”
Since January alone, Zuurbier has reportedly intercepted 117,000 misdirected emails, several of which contain sensitive information related to the US military. According to the Financial Times, many of the emails include medical records, identity document information, lists of staff at military bases, photos of military bases, naval inspection reports, ship crew lists, tax records, and more.
Once Zuurbier’s 10-year contract with Mali ends on Monday, authorities in Mali will be able to gain access to the emails
Some of the misdirected emails were sent by military staff members, travel agents working with the US military, US intelligence, private contractors, and others, the Financial Times reports. For example, an email from earlier this year reportedly contained the travel itinerary for General James McConville, the US Army’s chief of staff, for his visit to Indonesia. The email included a “full list of room numbers,” along with “details of the collection of McConville’s room key at the Grand Hyatt Jakarta.”
Zuurbier won’t be able to intercept these emails for much longer, however. Once his 10-year contract with Mali ends on Monday, authorities in Mali will be able to gain access to the emails. Russia established a presence in Mali last year through the Wagner Group, a Russian state-backed paramilitary organization that recently staged a rebellion against President Vladimir Putin. In May, the US State Department said the Wagner Group sought to use Mali as a route to transport war supplies to Ukraine.
“The Department of Defense (DoD) is aware of this issue and takes all unauthorized disclosures of Controlled National Security Information or Controlled Unclassified Information seriously,” Tim Gorman, a spokesperson for the Office of the Secretary of Defense, says in an emailed statement to The Verge. Gorman adds that emails sent from a .mil domain to Mali are “blocked” and that the “sender is notified that they must validate the email addresses of the intended recipients.”
Gorman acknowledges that this doesn’t stop other government agencies or those working with the US government from mistakenly sending emails to Malian addresses, though. Still, he notes that “the Department continues to provide direction and training to DoD personnel.”
Shit like this is why there’s no way governments can pull of shit like faking the moon landings or aliens
Or that’s exactly why they do this type of shit so we think they can’t never discount the 4D chess angle.
Idk man, I thought this obvious sarcasm was funny.
I was being sarcastic too
That’s what I was meaning
Honestly, this is just people being stupid. Validate your addresses. Maybe they should change from .mil to .mil.us or something so at least it’s going to a US address (and fits the rest of the world better).
Any org that deals with sensitive info should
-
Ensure that emails going outside the org go through additional scrutiny.
-
The user should have to validate the sensitivity of the email and attachments so the system can deny passing them to untrusted networks.
-
Use PKI to encrypt important messages so only the recipients can unencrypt them
-
Use domains that are entirely separated from the internet for military sensitive stuff (NIPR Net, SIPR, JWICS, etc). Those won’t route to the open internet in other countries for any reason.
The PKI bullet comes with its own damn issues, though. I understand it is more secure, but fucking Christ neither I nor the recipient can access that email and the email chain next month for some fucking certificate issue related reason.
Now, WTF did we say in that email? What was the work around for that issue that we had that month? Do we even fucking remember what we were talking about?
I hate it, it’s bad. Maybe it’s just the army’s email and not like that in other corporate or military email systems. I regularly pull up old email chains to review what we did back when, to spin myself back up on issues and work arounds, to then RE the email for a situation update request, etc. if I can’t access them, which is a common issue, then it’s causing more harm than help.
-
The vast majority of security breeches are just people being stupid.
This isnt just people being stupid, its a failure by the pentagon to
secure their classified commsenforce the restriction on public email account usage by their employees/contractors/whomever. At the very least they should be using some kind of pubkey encryption or better yet only emails over their intranet.They explicitly state these are not classified communications.
These are sensitive unclassified. Things like PII/P&P, CUI, are able to be sent via unclassified channels.
Not sure about DoD specifically right now, but I also know that DoE and DoD contractors do encrypt their emails and have checks in place whenever something gets sent to an outside org. Not sure why that’s not the case with these emails.
How is that not stupid?
a military should have safeguards against user error like this. making a careless mistake typing an email address shouldn’t allow the user to potentially leak national secrets.
They said it’s not just stupid people being stupid. Given the stakes of allowing stupid people to be stupid in this context, there should be guardrails in place so that even stupid people being stupid can’t lead to something like this.
Which is itself, stupid.
This isnt just people being stupid
Emphasis mine.
yeah when i read this i thought the same thing about .mil.us and then i thought of the sheer amount of systems, configs, address books, notification services, DNS, and everything else the military is running around the globe. I have no doubt the us military could pull off that move but it would no doubt be yet another pentagon money hole and they would likely drag out the redeployment over the next decade.
But then I thought, why the hell are any of these emails not encrypted in the first place? You’re the god damn pentagon, I’m sure you can figure out PGP. If these secrets are so secret then why are they sending them in plain text.
Mistakes like this always can happen. For this you usually have technical safeguards to prevent this from happening (like PGP). The military just apparently didn‘t care too much.
Lmao the US isn’t gonna give up owning the .gov and .mil tlds
they wouldn’t have to, they would just stop using them for sending classified secrets.
lol
My thoughts exactly
lmao even
Shouldn’t sensitive military information be encrypted?
They would just mail the encryption keys to mali
They would just mail the encryption keys to mali
well with pgp that’s completely fine to do, assuming you’re mailing the public keys and not private.
Yup.
You really would think.
The incompetence here is insane… you would assume, being the US military and all, they would at least use pgp if not also set limits on which outside emails can be contacted.
According to the article, it sounds like it was more often private contractors working with the military rather than military personnel themselves
User error, as are most issues. Not surprised.
It’s funny how we have the most impressive and well-funded military in the world, and then stuff like this still happens. Honestly, I think it shows even with really smart or technically knowledgeable people you should still build systems to minimize user error. For example, if military communications were handled through an encrypted messaging application instead of by email there would have been very little possibility of us accidentally sending national secrets to Mali.
The issue here isn’t “military communications”, but civilian-to-military communications.
I think they got off of floppy disks about 5 years ago
That’s true, and moreso I think a case of if it works why change it? There obviously are reasons to change it, but with something using outdated mediums if it’s still doing the job government agencies can be reluctant to put in money to upgrade it.
Why weren‘t they using PGP? This would have prevented this.
Too complicated to use. /s
This, unironically.
XD
I blame IT
