Air Force Emails Sensitive Information to Tourism Site
Khuffie writes "The US Air Force has been sending sensitive information, including flight plans for Air Force One, to a website promoting the town of Mildenhall in Suffolk. When told of the error by the site's owner, the Air Force did not attempt to fix it at first. When reminded at a later time, instead of fixing the issue, they advised the owner to 'block unrecognizable addresses from his domain and have an auto-reply sent reminding people of the official Mildenhall domain and blocked his website from access on base.'"
...because it's always someone else's problem.
quickly signs up for:
colonelblimp@area51.com
thechief@whitehouse.gov
maninred_onthegate@certaindeath.com
admin@guam.com
fatgord@no10.co.uk
binladen@caves_r_us.pak
just to see what comes my way
If he's the Walrus then can I be a penguin please?
Why didn't somebody just buy his domain off him, let him keep the website, and route the email to a bit shredder for all but the admin addresses, like "webmaster"?
Isn't the Airforce the branch that has been tasked with Cyberspace security? Some kind of Cyber Command? Military Intelligence at its highest magnitude.
It's the only way to neutralise the tourist threat!
Home fucking is killing prostitution.
It's almost as if they WANT someone to kill the president....
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
I see from TFA that the owner finally took his site off-line because of the problem. So the USAF probably considers the problem solved. Another triumph for American diplomacy.
It was only after sensitive information had leaked that anything was done about it.
init 11 - for when you need that edge.
Now taking bets on which intelligence agency or terrorist organization will be the first to snap up the domain once it becomes available.
The Vice president accidentally shoots a man in the face, and it's the man's fault for getting in the way of the buckshot. The Air Force emails sensitive information to a website owner, and it's the site owner's fault for receiving it.
The Cheney Effect is spreading!
This from the mighty mighty Air Force which banned blogs, which accidentally flew nukes cross-country, which wants to start a "Cyber-Command." Not trying to flame, but why do they insult their own intelligence by banning the viewing of blogs while allowing this sort of crap to happen?
If the Air Force is sending that info over unencrypted e-mail, they have bigger problems than just the e-mail going to the wrong domain.
This kind of makes me suspicious that the article might just be hyperbole.
As reported here, American airmen at the Mildenhall base have been caught on camera snorting drugs!
I wonder if taking down the website will stop the emails from coming?
Nope, I don't think so.
. . . when you make titless WAFs into Windows admins.
What?
'block unrecognizable addresses from his domain'
isn't it more effective if air force domain names are removed from world wide dns ?
The world belongs to those who get up early. - I'm far from being the king of Earth then
Stargate geek.
.
.
.
.
.
.
.
.
.
.
.
.
crap.
Karma: Chameleon (mostly due to the fact that you come and go).
They forgot to blame Al Gore for inventing it. Quick, somebody throw them a link to PGP.
How you tell them also matters... what if the messages were more or less like:
Tourism site: All your air bases are belong to us
USAF: Measure 1
Tourism site: All your air bases are still belong to us
USAF: Measure 2
Is so outrageous this way.
I spent 20 years in the Air Force. All DOD domains end in .mil not .com. We only have this person's word, didn't see one example. Flight plans via email. Crap! The DOD uses a device called KG-58; it's an encryption device. The key is sent via courier every month. That is the only approved way to send any sensitive information.
"It had the notice 'Destroy by any means to prevent capture'," Right, that's absolute crap. One, that is not the correct wording. Two, it's an electronic message; it's on your hard drive. Did his computer explode after reading it? I'm sure there are idiots who sent things to his domain. But these just could not be official communications. There are way too many safeguards in place.
People from government ministry of finance offices in African Nations are always sending me stuff too.
Let's see some real proof!
I think that this may have to do with bravado, but more likely it has to do with plain old ignorance. I seriously doubt the Airforce has good IT personnel. Maybe I'm being an IT snob, but from what I've heard from family members that work in government and other civil service (one is pretty highly ranked) is that (as we all know) woefully behind the times. I suspect that an email about data being sent to a public URL may have been seen as cryptic to whatever administrator ended up with the information. On a different thread I was talking about identity theft and how the government is one of the largest areas where proprietary data is stolen from. I think that it's just another symptom of a much more systemic problem within government agencies in the US.
--cally
--Cally
I was bothered by the Air Force's casual response to this problem as well. Not to mention their mistreatment of the domain owner, telling him to rewrite his 550 SMTP reply to inform senders of the base's domain. Why didn't a "Communications Squadron" offer to work with the domain owner to resolve these problems? The fact that the USAF shrugged off this rather simple problem onto the domain owner tends to confirm your suspicions about the quality of their IT services.
It's the only way to be sure!
(Wait, technically, that *would* be effective in this case. Reprehensible, but effective.)
Find out *.mil domains being used.
Register the *.com domain names.
Wait for email...
Profit!!!
Many Thanks go to Microsoft's "auto-complete" mail feature.
Bin L.
I love how I have to read other countries' news reports to find out what's going on in my own country...
Dear Media Agency,
It has come to the attention of the Air Force that it is likely your e-mail servers may have inadvertently received confidential Air Force e-mails. These e-mails were sent in error. We beg and plead with you to not consider this a "leak" to your organization. These "leaks" will arrive to you though regular channels. As you may have received several thousand e-mails we ask that you forget everything that you read and delete everything. If you print a story about this and decide to publish some example e-mails, please contact us as we will help you find some really juicy e-mails. Again, we did not do this on purpose.
Since our e-mail servers are already having some serious problems, if you are not the intended recipient, please discard this e-mail immediately. We do not have any serious problems with our e-mail servers. If this is the tourism site again, please redirect these e-mails to major news organizations - and then delete.
Thank you,
US Air Force
We fuck up more before 8 a.m than most people fuck up all day.
SJW: Someone who has run out of real oppression, and has to fake it.
It's easy to poke fun at the Air Force, but this is a serious IT question.
How do you keep (sometimes stupid) users from sending proprietary (or even run of the mill) e-mail to addresses with the wrong .tld?
It's not as easy as blocking all .com mail, or rerouting that mail to .mil addresses, since they certainly have users with legitimate e-mail needs that send mail to .com accounts. Even blocking mildenhall.com might prevent some legitimate use of a tourist site, perhaps for military with families visiting the area.
Additionally, that wouldn't solve the greater problem which could easily crop up again with randolph.com, eglin.com, edwards.com or any number of similarly named commercial sites.
Education has its limits, and even experienced users will type the wrong .tld occasionally in the heat of the moment.
Certainly nobody should send sensitive information unencrypted over non-secure channels, but it sounds like the biggest problem here was the volume of the traffic.
Does anyone have a good solution to this problem?
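One way a mail gateway could approach the question in the comment above, as an added example that is not part of the thread or of any Air Force system: hold for sender confirmation, rather than block, any outbound recipient whose domain reuses or nearly matches an internal site name outside the organization's own suffix. The `af.mil` host names, the function names and the hold/deliver policy are constructed assumptions built from the site names mentioned in the thread.

```python
"""Outbound recipient screening for look-alike domains (added example)."""
from email.utils import getaddresses

# Constructed sample policy: these host names are assumptions built from the
# site names mentioned in the thread, not a real address plan.
ORG_SUFFIX = "af.mil"
OWNED_DOMAINS = {
    "mildenhall.af.mil",
    "randolph.af.mil",
    "eglin.af.mil",
    "edwards.af.mil",
}
# Site labels that must only ever appear under ORG_SUFFIX.
PROTECTED_LABELS = {d[: -len(ORG_SUFFIX) - 1] for d in OWNED_DOMAINS}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> tuple[str, str]:
    """Return (action, reason) for one recipient domain.

    'deliver' covers internal mail and unrelated external mail, so ordinary
    .com correspondence is untouched. 'hold' means: ask the sender to confirm
    before the message leaves, because the domain looks like an internal site.
    """
    domain = domain.strip().rstrip(".").lower()
    if domain == ORG_SUFFIX or domain.endswith("." + ORG_SUFFIX):
        return ("deliver", "internal")
    for label in domain.split("."):
        for site in sorted(PROTECTED_LABELS):
            if label == site:
                return ("hold", f"{domain} reuses site name '{site}' outside {ORG_SUFFIX}")
            # Fuzzy match only on longer names to limit false positives.
            if len(site) > 5 and edit_distance(label, site) == 1:
                return ("hold", f"{domain} is one character away from site name '{site}'")
    return ("deliver", "external, no look-alike")


def screen_recipients(header_values: list[str]) -> list[tuple[str, str, str]]:
    """Screen every address found in To/Cc/Bcc header values."""
    results = []
    for _name, addr in getaddresses(header_values):
        if "@" not in addr:
            results.append((addr, "hold", "unparseable recipient"))
            continue
        action, reason = classify_domain(addr.rsplit("@", 1)[1])
        results.append((addr, action, reason))
    return results


if __name__ == "__main__":
    # Constructed sample headers.
    sample = ["Ops <ops@mildenhall.af.mil>, snuffy@mildenhall.com", "family@example.com"]
    for addr, action, reason in screen_recipients(sample):
        print(f"{action:8} {addr:28} {reason}")
```

Holding instead of rejecting keeps legitimate mail to a similarly named commercial site possible while forcing the sender to look at the address once more.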
that the person involved was more conscientious than this guy: http://youhavegotthewrongperson.blogspot.com/
There is no mechanism to prevent Lt Snuffy from emailing his flight plan to anyone. There are official channels, but pilots are notorious for being arrogant so they do what they want. You can give a guy millions of dollars in training and equipment but still not stop them from acting like an idiot.
This is not really an IT problem in that you can't prevent a user from sending email. You can educate them (if they will listen, but who is a Sergeant to tell a Colonel what to do), you could block "mildenhal.com" in the DNS but then you will have users complaining that they can't surf there. If it were me in the IT shop I would go to the users and tell them to use ".MIL" and their encryption, but not much else because you can't fix stupid.
Certainly nobody should send sensitive information unencrypted over non-secure channels, but it sounds like the biggest problem here was the volume of the traffic.
Didn't the DoD come up with the solution to this in the '80s? Remember the Orange Book?
That's the solution: you need mandatory access control when you're dealing with classified material. If you're sending material from a classified computer, or moving it from a classified zone on a compartmentalized computer system, then it should be encrypted automatically. If the computer system does not implement MAC then it needs to be treated as if all the data on it was at the level of the maximally classified data it's allowed to contain.
C2 security isn't good enough for stuff like this.
This is pretty upsetting, especially when considering that I've worked for a military contractor for the past 5 years and I've had to do security audits from the government each year. Do they audit their own people?
I suspect that USAF is using contractors for their IT needs, much like the rest of the US Gov't.
Look folks, there seems to be a fundamental misunderstanding of what the problem is here.
a) Military computer users suffer from the same lack of applications training that corporate users do, therefore their rate of screwups is no higher than any other userbase. They do receive more computer security briefings than your average corp user, but that doesn't make up for lack of understanding on the part of the user when it comes to knowing how to use anything.
b) The Air Force and Army *DO* have email encryption. However, it is user selectable - i.e., when emailing anything it is up to the user to make the determination if the encryption is warranted, and then select the option.
c) The problem here is with the SENDER. The owner/operator of the email domain at Mildenhall is not at fault. You can't troubleshoot a problem with people on the OTHER end of a problem situation. If they aren't using the Exchange GAL and typing in an @.com address instead of an @af.mil address, you really can't resolve the PEBKAC for them, can you?
'nuff said!
"Nothing is so important that you cannot make fun of it." -Clarke
... the best place on the web for 3 day old technology news stories.
Not likely to do anything, but I'd wonder if I got that message.
Mildenhall is the site of an RAF base, actually now a USAF base. Not totally random sending it to this recipient, where I could see them somehow mistaking one Mildenhall for another. But still dumb as a blade of grass.
Maybe they need a new mail server? FC7 should do, or something from IBM, all wrapped up in a pretty $MM mainframe?
sheesh...
deleting the extra space after periods so i can stay relevant, yeah.
I laugh because this concerns little emails.
When I lived in the small Wiltshire village of Mildenhall, we often had convoys of military vehicles being misdelivered.
"Where's the air base?" the lead driver would ask.
"150 miles North East of here!" we'd all reply.
This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
From 2001 to 2005, CIBC, a large Canadian bank, sent faxes containing customers' fund transfer requests to a West Virginia scrapyard. The faxes didn't stop until the bank was publicly embarrassed in the national media.
-- "At Microsoft, quality is job 1.1" -- PC Magazine, Nov. 1994
My guess is that Airmen were replacing .gov with .com when typing emails.
There was also a full page ad in yesterday's (dead tree) New York Times saying the same kind of thing. Too bad we can't arrange for the Times to do a story on this and arrange it to be on the facing page from the USAF's next ad.
I was in the US Air Force for 12 years, and have now been in private industry for about the same, and I can tell you the USAF is reflective of all organizations. It makes mistakes like all others, exceeds standards in a lot, and at the end of the day gets the job done using the resources allotted to it. If there is low hanging fruit there, it is generally no more or less than anywhere else.
no comment
Signing your posts is lame (this is not usenet), but double-signing? Wow. I checked, you do this a LOT.
is still an oxymoron.
"Do the Right Thing. It will gratify some people and astound the rest." - Mark Twain
Who among us would be happy to have Dick Cheney as president?
Why is this modded -1?
The poster asked a very legitimate question that points out the real issue here, namely that people are addressing their mildenhall.af.gov mail to mildenhall.com.
Thanks for your insightful post, and if I hadn't already commented on this thread I'd mod you up.
Kind of reminds ya of the 1990s urban legend about Canadian lighthouses and U.S. aircraft carriers.
....and seemingly on the mark with regard to the Air Force's suggestions regarding email filtering, responsibility for security breaches etc.
US Ship: Please divert your course 0.5 degrees to the south to avoid a collision.
CND reply: Recommend you divert your course 15 degrees to the South to avoid a collision.
US Ship: This is the Captain of a US Navy Ship. I say again, divert your course.
CND reply: No. I say again, you divert YOUR course!
US Ship: THIS IS THE AIRCRAFT CARRIER USS CORAL SEA*, WE ARE A LARGE WARSHIP OF THE US NAVY. DIVERT YOUR COURSE NOW!!
CND reply: This is a lighthouse. Your call.
Not true, of course. But, funny.
The first principle is that you must not fool yourself - and you are the easiest person to fool. -Richard Feynman
The US Air Force has been sending sensitive information, including flight plans for Air Force One, to a website promoting the town of Mildenhall in Suffolk.
Why am I suddenly reminded of that scene in Airplane!:
Ted Striker: My orders came through. My squadron ships out tomorrow. We're bombing the storage depots at Daiquiri at 1800 hours. We're coming in from the north, below their radar.
Elaine Dickinson: When will you be back?
Ted Striker: I can't tell you that. It's classified.
What a bunch of friggin' idiots.
You understand what a low-hanging fruit is, right?
It's no reflection on the quality or caliber of people and projects in the AF.
When your goal is to pick fruit from a tree, the low-hanging ones are the easiest to reach and thus the first to get picked.
When your goal is to cut costs, the low-hanging fruit are the ones that are easy to cut because they are 1) big-ticket items where a small reduction in qty yields a large cost-savings and 2) there is little direct elimination of jobs.
Naval yards, for example, fulfill item 1 but not item 2. Orders for new aircraft, however, fulfill both -- though there is indirect job loss.
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
The real "Libtards" are the Libertarians!
I'm sure this was on purpose. Leaking false plans is how the spooks can test their enemy's knowledge.
Ah, the good old days of catchall addresses.
I own a .com domain which is the same as the ".co.uk" domain of a religious school in England. The kids mostly just mis-subscribed to mailing lists; I was getting multiple copies of promotional junk from bands. The e-mails between the staff were interesting, though.
I had to turn off the catchall addresses about five years ago. Dictionary attacks were overloading the spam filters.
encryption should never be an option. it should be mandatory - here's why.
When you have the option of only encrypting "important" messages (and this goes for email, radio broadcast, satellite, whatever) then you draw attention to the importance of a message's content by encrypting it. Military strategists will tell you this is a bad thing. You must send all messages with the same standard of security - that way the baddies have to expend a great deal of time and resources trying to decrypt everything, just to find the one in 10,000 that is worth the effort.
Even if you think the baddies don't or can't decrypt the messages, if you only encrypt important ones, an onlooker can tell there's something going on by an increase in the number or length of encrypted messages. That in itself is valuable information. It's not unknown for broadcast (remember the "number stations") messages to be sent non-stop, with padding if there's no real content to send, just to cloak the real volumes.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
There *could* be a *WO*man in the office someday.
Personally, when I was in uniform and when I was taken in hand for criticizing a sitting president (84-88, and this happened around 86) I was told (or probably given an implied order) to RESPECT THE MAN IN OFFICE. To hell with that. If an idiot or dunce is in office, call a spade a spade. But, if fools someday (or in the past) take/took office, it would be tragic to not challenge that. I take GREAT offence at being told to unwaveringly GIVE my support for *the president*. If ANY president kills for power or destabilizes governments for control and so on, and tries to assign to that act my name... well, screw that, and SCREW HIM/HER. I have a bigger world view, and it doesn't allow for individual countries to call the shots for all the rest. EVER.
Well, unless you're in Russia. But, hey, even in Russia today, SOME permission is allowed to criticize the government. It just might not get printed.
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
Besides, these emails should have been going over SIPR (secret military VPN), not NIPR (public Internet). The SIPR machines can't route email to NIPR networks, so the problem never would've happened in the first place if proper OPSEC had been followed. Someone needs an Article 15 for this.
(I'm a former IT1 in the Navy, and worked with Air Force guys in Operation Northern Watch, and I can state that all of the Air Force personnel I worked with in the comms section were highly skilled professionals, so this is not a slam on Air Force-types in general.)
God invented whiskey so the Irish would not rule the world.
Consider:
a) The traffic you're talking about is on what's known as the NIPRNET - meaning UNCLASSIFIED information is what it's supposed to carry. The optional encryption that I refer to is optional because it's really intended to protect FOUO (For Official Use Only) information and other data at around the same level of sensitivity. It is not intended to protect classified information of ANY level. That being said, if the information is of ANY classification rating, it should never have been on the NIPRNET. Meaning - the jackass who posted it is the problem, not the optional encryption.
b) The encryption system in question is actually a PKI setup with two factor authentication (this is public knowledge if you Google it). Encrypting individual messages may draw attention to them, but you have yourself a fine old time trying to decrypt them.
c) There is a whole separate network devoted to classified information. It is known that the Russians gave up on American cryptography a long time ago - it's that good. If the information was important enough to be protected, that's where it should have gone. Again - if there's a PEBKAC issue or an operator headspace issue it's not something that can be addressed until AFTER the screwup occurs. It doesn't matter how good your security is if your people aren't trained.
"Nothing is so important that you cannot make fun of it." -Clarke
Under similar circumstances, the 2004 US election caging list controversy, where the Republican party was attempting to have thousands of African-Americans taken off the voter rolls, was revealed when sensitive e-mails were addressed to a George Bush parody site instead of the W's actual re-election site. The caging list wound its way into the hands of Greg Palast and the BBC and the rest is history.
Prisencolinensinainciusol. Ol Rait!
When those emails contain the flight plan for Air Force 1, the Air Force really ought to work out a way of controlling that. Preferably a way involving strong encryption, and thorough training of everyone involved about how to use it. There are innocent people aboard that plane who could be killed if anyone decided to take a shot at it to take out Dubya.
Real Daleks don't climb stairs - they level the building.
What then, for all these years, has been stopping them from impeaching/convicting Cheney? It's not like he's squeaky clean, right?
And how about this: due to inaction by Congress, there's even less accountability now as well as for the foreseeable future.
The process has happened before, and not too long ago: Spiro Agnew was forced to resign almost a year prior to Richard Nixon's own resignation.
Today's Democratic party leadership must be seriously disorganized.
This is not my sig
Yes, I do understand low hanging fruit. When I was in the AF I won several suggestion awards for exactly that, and got a token award for things like "Let's buy this part for $1.00 from this source instead of $1.50 over here", so it is part of the culture, and both encouraged and rewarded. I also completely re-engineered the supply chain at numerous locations to improve flow, and reduce costs.
My point is that my experience at identifying and actually taking advantage of low hanging fruit, and identifying and executing effective, efficient, processes has been common to both the AF and private industry. The converse is also true, as a consultant, I see inefficient, ineffective processes in private industry also. Both are sometimes addressed, and sometimes ignored.
I am just one guy, but that is my observation FWIW.
no comment
So he gets spammed. My mail servers do as well, and I'd really wonder how he's filtering through all that crap to find the emails that have these juicy tidbits he says he's getting. Sounds like a BS story to me. Maybe he should turn it into a porn site like whitehouse.com used to be.
It's sad that Gary Sinnott decided to take down the site. He should keep it up, and have all the mail forwarded to Wikileaks just in case something useful comes through again. There are plenty of members of the community who would monitor the email if he doesn't want to deal with it himself!
I'd love to see Air Force One shot down as a result of such a pathetic security breach. Even if the president wasn't on it, it would be such a demoralising blow, such an embarrassment to the United States, it would be glorious.
did anyone mention that the problem was probably with outlook autocompletion or some such where if you don't type the whole address it appends .com to the end?
as far as IT goes, air force enlisted seem to be more savvy than the other services.
If I received classified information I would post it to wikileaks that would get them to fix the problem pretty quickly.
~Dan
An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
just look at MS - when they get it wrong, you have to pay anyway....
this whole priv enterprise is more efficient than govt - give me some solid studies with data...
If the Air Force doesn't have good IT personnel, is that the fault of the personnel, or the management that won't bother to either hire better personnel or train up the ones that they do have? One way or another this is pretty damning for any Military Intelligence to have.
Starbucks, Harbuckle of Breath.
You do realize that the US Air Force is charged with US cyberspace defence?! Check the latest recruiting commercials... Air, Space & Cyberspace.
:)
This kind of response from the USAF is pretty disturbing given their new charter. Still, I suppose they could have called in an airstrike on the town and fixed the problem that way. We should be grateful for small mercies.
A One that isn't cold, is scarcely a One at all.
Don't these emails classify as spam?
Sue the US air forces, solve the problem and make a bob or two.
US air forces are like the pig in "Never try to teach a pig to sing. You waste your time and you annoy the pig." -- Robert Heinlein
I hadn't the slightest objection to his spending his time planning massacres for the bourgeoisie... (P.G. Wodehouse)
Or, when they do send sensitive information by email, use encryption.
It still amazes me how much highly sensitive information is transported in unencrypted form. A few years ago in the Netherlands, people would find unencrypted USB sticks with unencrypted sensitive military information all over the place. When a Dutch public prosecutor bought a new PC, he simply placed his old PC outside with the garbage, somebody else picked it up, and discovered lots of data about sensitive criminal cases still under investigation. The prosecutor got mangled for not disposing of his PC in the proper manner, but I'd like to know how it was even possible that a private PC contains such sensitive data without any sort of rigidly enforced encryption?
That's just like the time Cheney tried to email GDub@whitehouse.com - after the initial shock it was hours of laughter had by all. Except for Cheney because he already laughed one time this millennium.
I seriously doubt the Airforce has good IT personnel.
And no wonder. 50 years ago the best and the brightest wanted to work for the likes of Edward Teller and Robert Oppenheimer. Now they'd prefer to go work for Sergey and Larry.