Register your own .mil Domain

JWSmythe writes " As reported in This Story at theregister.co.uk ,and on dailyrotten.com, it seems the US Department of Defense has dropped the ball. Not only can you register a .mil domain, but you can find "secret" domains that aren't publically known (the gov't uses security through obscurity?). I'm looking forward to hacker.mil, warez.mil, and porn.mil."

sp

goatse.mil?

Re:sp

[Patrick13]

antiwar.mil ?

Re:sp

[bluethundr]

flour.mil ?

Hmm....

[LinuxCumShot]

I wonder if Osama has Al-Queda.mil?

Re:Hmm....

Dunno but you can do it for him:

nic.mil/cgi-bin/domain

what about...

[DarklordSatin]

runofthe.mil

Re:what about...

[GMontag]

well, I prefer Piece.mil, as I find well toned and armed women hot, but I digress (digression in an intorduction?)

Anyway...

I'm wondering how with all the billions of dollars we spend on military shit, how the military can constanly screw things up...

Because it is run by humans, contrary to some theories on the Left.

BTW, was .mil supposed to only be US mil or could any military anywhere get a .mil domain?

US Military only.

And what kind of proof did you have to show to prove you were a military organization?

The command that handles the domain verifies the request. I am sure that there are ways to insert a fake request and have it approved (in addition to this new finding), the same way we inserted false reports about bad Chinese ammunition into the NVA system, etc.

Re:what about...

[Idarubicin]

And what kind of proof did you have to show to prove you were a military organization?

I think if you show up at the registrar's door with guns, then he'll accept that you deserve a .mil domain.

Peace?

[Vigilante42]

peace.mil

2600 contest?

[capnjack41]

Doesn't (didn't) 2600 have a contest like this? The first person to manage to get a .mil domain gets a free subscription, or something like that?

Re:2600 contest?

[weave]

2600 would be all into finding out how to do it and telling the world about it, but not going ahead and actually doing it. I've never seen them advocate breaking into systems, just how in can be done. If you read the letters to the editor in the mag and their responses to people who want to do malicious cracking, you'll see they stomp em pretty hard for being stupid.

Besides that, the military might have an incompetent admin that exposes something stupid like that, but I for one wouldn't want to try my luck at exploiting it. I think you'd face better odds for survival as a black man spitting on an LAPD officer in a remote area away from public view.

General.mil

[CheeseburgerBlue]

Mmmm....cereal.

Link to .mil Registry

[Motherfucking+Shit]

http://www.nic.mil/dodnic. No, I didn't go poking around. If you've got bigger balls than I, perhaps you can link to the supposed admin area...

Nothing to see here

[isorox]

This is a runofthe.mil story

The Register story is two days old.

[More+Karma+Than+God]

Why is this just hitting Slashdot now?

As far as I know The Register broke the story, and nobody else has cited information that wasn't in The Register's article.

Does anyone have a screenshot of this site?

Impressive?

[hafree]

Pretty cool... First person to get a .va (Vatican City State) domain gets my vote though.

Re:Impressive?

[MrEd]

Hey, I've got www.gayboysinbondage.va! Do I get a prize?

I pitty the poor idiot who actually uses that !

[red-beard's]

Whoever is stupid enough to screw with the DOD is on their own . I remeber the letter of the cyber terrorism bill all too clearly . They'll be bustin down your front door and haulin you away like you are illian(sp?) gonzales on crack . Oh an mind you once they have you your rights are revoked as you are a terrorist . Boy after this incident I'll be watching as i drive through washington dc for a line of the idiots heads who tried out this vulnerability on pikes per Rumsfields orders .This is a bad time to be poking at americas security . Kinda like throwing rocks at a rabid junkyard dog while sittin in his dog house .

In a related story...

[NOT-2-QUICK]

The secret government TLD .bush was recently discover by a small group of drunken frat boys while searching for new free prOn sites...

Early reports indicated that Jenna was involved, but this has to be corroborated! :-)

n2q

Re:In a related story...

[kasperd]

I was searching for porn, "bush" wouldn't be the first word to pop into my head..

Clinton?

I'd like to see...

[Sentry21]

Perhaps this story would be best posted at the rumour.mil?

Come on, that was funny!

Oh well..

--Dan

How long before Google is sued?

[jdreed1024]

For those who didn't RTFA, one of the points of the article is not only are there unprotected admin interfaces that let you register your own domain (that's what they're talking about - you still can't register .mil through register.com or anything), add a user, and view traffic stats on DoD sites (even "hidden" ones), but that all these pages (including default passwords) are cached by Google.

This implies that even if the DoD fixes the problem, the Google caches will still be available (until they expire or are replaced). Now, in the past, we've heard reports of people being upset that Google cached information. However, this time, the cache contains information pertaining to "national security" (that great new buzzword). I wonder, what will happen? Will these URLs be silently deleted from the cache? Will Google be told that cacheing links is now illegal because it could aid terrorists? Will they be prevented from cacheing .gov and .mil? Will Google be sued out of existence?

We've all found Google caches to be useful, when, say the documentation for an open source project is hosted via 56K modem line in the Czech Republic, for example, or even when a site is Slashdotted, but it'll be interesting to see what happens about this, and how the goverment may over-react.

(Note, if you're too stupid to understand this, I'm not talking about blame here - don't bother saying "Google rulez, the militery is dum asses for leeving these sitez open, u r an idiot...". I'm talking about reprocussions. Certainly Google doesn't "know" what information a link contains when they cache it. Certainly it's the government's fault for leaving open admin pages with default passwords listed on the page. But just because someone isn't at fault, doesn't mean they can't get screwed over.)

Re:How long before Google is sued?

[ReadParse]

"National security" is not a new buzzword. "Homeland defense" is a new buzzword, but "national security" has origins much older than 9/1/01 -- at least as far back as the beginning of the cold war.

Good point in general, though. Seems like the maintainer of a website should have the ability to remove content from said website, in the event that it turns out to not be true, to be libelous, dangerous, or any number of other things. I've always thought a Google feature to purge specific pages from the cache would be a good idea, but the implementation of that would be tricky.

One of the biggest problems with this is how to ensure that the requestor is authorized to speak for the website? A good first thought is to coordinate with the e-mail addresses in the whois record for the domain, but of course any domain can have any number of separate websites managed by different people.

Let me think aloud for a moment... we know that Google looks for a robots.txt file before indexing a site. Let's say that a field were added to the robots.txt file that identifies a specific PGP key that is authorized to perform such actions. Not specific to Google, of course... this would be the e-mail address that speaks for the site in any number of ways. Something as simple as:

MaintainerKey: 9AB3250D

I don't know a whole LOT about PGP, but I think I know that each public key has a hex identifier (mine is above) that uniquely identifies it and allows others to request it from a keyserver.

When an e-mail formatted in a specific format (at the discretion of Google and other individual publishers of course) comes in, the public key can be retrieved and the signature of the e-mail validated, and they at least know that the sender is authorized by the site to speak for it. Action from this point forward would be at the discretion of Google, but this is at least a potential TECHNICAL solution to the problem of access.

Then there's the matter of public key revocation and expiration. Perhaps it's a better idea to have an e-mail address is the robots.txt file and to accept e-mail from that address provided that the current PGP public key is used to sign the message.

Again, just thinking out loud...

Aaahh

I found this without having to click on this

Re:Aaahh

And this is the domain registration link.

Won't work without a .mil email address, though.

Re:Aaahh

This too, for reserving your very own netblock.

Re:Aaahh

[Big+Mark]

From the ftp link they gave. You need this info to register:

H2B. Sponsoring Agency..........:

Indicate the Service, Unified or Specified Command, DoD operating
Agency, or non-DoD Agency of the US government that you are affiliated
with. (for a valid list of agencies, please refer to the
service-agencies.txt located in the netinfo directory).

Example: AF

Ah. So you can't get one if you're not a serviceman. No story, methinks.

-Mark

Re:Aaahh

[xintegerx]

Wow, I didn't believe it was there!

I found references to http://www.nic.mil/cgi-bin/whois on google. I was debating on trying /admin and etc instead, but didn't :)

Instead, I searched for

admin http://www.nic.mil

on Google, to verify the news. I ended up clicking on a web site that shows beginning web masters useful resources.

From there, I went to the site one level above, and from there clicked a link to view a document about standard run of the mill no big whoop procedures about webmastering (pretty useful if you want to be a contractor or write software and have it comply, I assume.)

BTW the security notice on this document is a link to army.mil's privacy policy, which says:

Information presented on Army Home Page is considered public information and may be distributed or copied unless otherwise specified. Use of appropriate byline/photo/image credits is requested.

Anyway, on this document I was just describing, click the second link to the defenselink webmasters area.

There (which is also public according to their stated policy) you can click on "Domain Registration in the .mil domain" and see this
http://www.nic.mil/ftp/mgt/bul-9605.txt

These are just public info resources. army.mil's security policy says if you try to upload or change stuff, that's what they care about.

Re:Aaahh

[ShdwFear]

http://nic.mil/cgi-bin/cs
http://nic.mil/cgi-bin/ domain
http://nic.mil/cgi-bin/ip-num
http://nic. mil/cgi-bin/occ
http://nic.mil/cgi-bin/asn
http: //nic.mil/cgi-bin/xtac
http://nic.mil/cgi-bin/rou ter
http://nic.mil/cgi-bin/host

other toys
http://frwebgate.access.gpo.gov/cgi-bin/usef tp.cgi ?IPaddress=162.140.64.88&filename=he99027.txt&dire ctory=/diskb/wais/data/gao

http://boulder.noaa.gov/noc/nhcexit.txt

Re:Aaahh

[GMontag]

Oh PALEEEEEEZE! LOL!

AF.mil does not count, we are only talking about the real military here.

Re:Aaahh

[JWSmythe]

Anyone with a decent sized pay site only needs to check their web server logs.. The script kiddies that try to crack passwords are great for supplying me with an endless supply of anonymous web proxies. :)

clever

allyourbase.mil

??

Perfect...

[SoSueMe]

Perfect for SlashDot... "Rumor.mil"

here it is...

link

How to bring down...

[Big+Mark]

... the U.S. Government's DNS servers:

1) Register slashdot.mil
2)Point /. to there
3)BANG!

-Mark

Here is the access list

http://www.nic.mil/visitors.txt and http://www.nic.mil/help

Re:Here is the access list

[Mish]

Out of all the 'links' that have been posted in the comments of this article this one is the scariest.

Open access to a list of IP addresses of .mil workstations or at least proxies...

Re:Here is the access list

[joshuac]

and what is _really_ scary is looking at the this list, it looks like plenty of admins have been accessing this system from home; the log dates back to 1-jan-2002. If you are a lazy cracker, grep for all the lines with "DSL" in them, and probably 80-90% of those hosts are home workstations of military sysadmins of one type or another. If they are dumb enough to leave logfiles of users accessing a server used for military network administration open to the public, imagine what their home computers are like...

What's even more depressing is that it looks like some of these guys use AOL...

Oh great

[LordDartan]

Now with all the linking on slashdot to .mil sites, I can see the military thinking it's a huge DDOS terrorist attack!

Now repeat after me...I will not slashdot military websites...:)

Don't do it...

[fmaxwell]

I went to that link and it requires that you indicate a sponsoring agency. Since none of us have one, registering a domain would require entering false information into a DoD computer in order to gain unauthorized access. That is just a very bad idea.

While it might be funny to register al-qaeda.mil, grain.mil, or saddam.mil, you don't want to find yourself occupying Kevin Mitnick's old cell. The Department of Defense is not renowned for their lighthearted sense of humor and fun. They may very well decide to make an example of someone. Or they might just decide to hold someone for months or years prior to even filing charges.

It's not worth risking your freedom and your future livelihood for a prank.

Address

[AirLace]

The URL is http://sites.defenselink.mil/

It hasn't been possible to add new domains or run queries since Friday, so don't even bother.

Since Slashdot if a Pussy-land...

[Q+Who]

I did the process at the .mil NIC site.

After you fill all the forms, there's:

PAY ATTENTION!

This online program makes no changes to the WHOIS database.

The scope of this online program is to send the template to the e-mail address entered in the field below.

Once you receive the completed template, you must forward it to the appropriate point of contact for action.

The NIC will not process any templates until it receives this template (by email) from the domain administrator or service PMO.

So you are essentially filling a template, which you can do by hand as well, following the instructions here.

It lets you retrieve POC by a handle though. I don't know the access level of this information in USA, but this is quite odd, since it seems that the handles are assigned by initials, and are of progressively increasing length.

I also wonder where does this interface gets that data from... There's a DB somewhere, and it can be probably hacked via this interface.

Re:41 minutes...

[mchappee]

> Anyone want to bet how much jail time they'll get?

Probably none at all. This seems like one of those special "extra-constitutional" areas where someone just disappears and winds up in Git-Mo (Guantanamo Bay). Perhaps "volunteering" their time being chased through the jungle with sensors attached so that 'American Army II' will be even more realistic. :-)

You think that NataliePortman.mil is funny, wait till you see 270 pounds of 5'8" nerd huffing and puffing his way through the jungles of Cuba with the Marines in hot pursuit. :-) That would be great.

Matthew

Smart move

[Ungrounded+Lightning]

No, I didn't go poking around.

Smart move.

Can you say "honeypot"? I KNEW you could.

Lose your +2?

[schlach]

I'm responding to your sig.

Ok, so the new way of doing things is that instead of adding a point to your comment's overall score when you post with your karma bonus, your comment is posted at 1 with a separate "karma_bonus=yes|no" variable. Thereafter, users can specify how much weight to assign to the karma bonus on their preferences page. This was 0 when the editors quietly rolled in the changes without telling anyone (why so sneaky?), but has since been changed to '+1' by default, to by default be the same as the old way.

So, your comment that got 3 good moderations is scored at 4/1. Users who have a '+1' modifier to karma bonus will see this comment at 5, whereas users with a '0' karma modifier will see it at 4, and users with (for whatever reason) a '-6' modifier will see it at -2. If such a thing were possible.

Unfortunately, I see this as making it unlikely that comments posted with a karma bonus will ever be modded up to 5, since most moderators will be viewing with a karma bonus and see that the comment is already scored at 5, and that it therefore cannot be modded up further.

I'm going to say that the way this was changed was disgraceful. There is no reason not to maintain a place on slashdot indicating how the code is being changed. I have relied on CmdrTaco's journal to inform me of changes, but in this case it was silent, and after thinking about it further, it's still a crappy way of running things.

It all goes back to the difference between slashdot as community and slashdot as business. As a business, sure, slashdot can do whatever the hell it wants, who am I to lecture, blah blah blah. But as a community, changing things in profound ways without approval, comment, or even notification is bastardly. And slashdot as a business would do well to perceive its dimensions as a community.

Summary

[JWSmythe]

Here's a summary of the proposed domains. :)

If you want to know who submitted it, read through the comments again.

Enjoy!

Al-Queda.mil
runofthe.mil
General.mil (cereal)
Cara.mil (caramel)
Rumor.mil (which would be slashdot.org.. hehe)
rastafarian.mil
peace.mil
Piece.mil ("as I find well toned and armed women hot")
starfleet.mil
diploma.mil
peace.in.our.ti me.mil
gin.mil
pointlessdeath.mil
2600.mil
Nat aliePortman.mil
runofthe.mil
slashdot.mil
allyo urbase.mil
IN-SOVIET-RUSSIA-we-practice-better-in ternet-secur ity-than-lazy-capitalist-pigs.mil
in.soviet.russi a.mil.registers.you.mil
slashdot.mil
kevinmitnic k.mil
2600.mil
fuckedcompany.mil
bushisanidiot. mil
ashcroftisan ass.mil
sgc.mil
weoverthrewiran.mil
weoverthrew guatemala.mil
weassinatevietnamese.mil
wekillciv iliansinasia.mil
wesupportcoupinchile.mi
wesuppo rtmilitartyinemsavabor.mil
wetrainedosama.mil
we supportcontras.mil
wegavesaddammoney.mil
wegavei raqweapons.mil
weoverthrewpanama.mil
webombaspir infactories.mil
"noches.mil" (Thousand nigths)
"dos.mil" (Two thousand)
blackop.mil
pepper.mil
paper.mil
dar k.satanic.mil
deathstar.mil (for dvader@deathstar.mil)
milf.mil
Wind.mil
honeypo t.mil

This is a great find.. .

[toker95]

For those who REALLY want a .MIL domain name... Having spent a good deal of time in the US Navy dealing with the fun of keeping seperated, classified and unclassified networks, I can tell you exactly how much of a threat this problem is, to national security.. None. At the very worst, as pointed out in earlier posts... slashdotting a public domain .mil site (like http://chinfo.navy.mil/) would only serve to seriously tick off servicemembers family's, and the average run of the mill PR guys for the navy. Classified servers, sites, and networks are encrypted before they ever touch the same cables as the internet. In many cases, they never DO touch the same cables, but.. Yes, alot of that -classified- traffic passes over the same lines as your average slashdot post, BUT... its highly encrypted before it ever gets there (encryption level and equipment obviously varied by classification level, some data doesn't even get to TOUCH a networked computer). As well, a LARGE portion of the .mil domain's are setup to ONLY see traffic from another authorized .mil network (usually managed by IP address's). If your .mil network needs access to see my network, as well as getting the usual userids and passwords, my net admins need to talk to yours, and put your 1.2.3.xxx address into our firewall. So, the threat here? The threat is really only to the fact that its completely possible to now have a bazillion "yourname.yourwebsite.mil" websites running around... And this wouldn't HURT anything persay, because most .mil websites are acronyms like "subhqnorva.navy.mil" (for Submarine Squadron Headquarters Norfolk Virginia). US Military bungle? Yes National Security Threat? Minimal... Do you really want a .mil domain? Gee, only if you want to cause unnecessary trouble for a government trying to prepare for war...