Register your own .mil Domain

JWSmythe writes " As reported in This Story at theregister.co.uk ,and on dailyrotten.com, it seems the US Department of Defense has dropped the ball. Not only can you register a .mil domain, but you can find "secret" domains that aren't publically known (the gov't uses security through obscurity?). I'm looking forward to hacker.mil, warez.mil, and porn.mil."

Link to .mil Registry

[Motherfucking Shit]

http://www.nic.mil/dodnic [nic.mil]. No, I didn't go poking around. If you've got bigger balls than I, perhaps you can link to the supposed admin area...

Re:hard to believe

[thac0]

Maybe the air force does make it difficult. I've certainly seen some pretty tight networks myself, but that doesn't mean that everything is. And the subject in question is actually kind of a fringe subject that one might believe to be missed in security sweeps and such.

Aaahh

[Anonymous Coward]

I found this [nic.mil] without having to click on this [nic.mil]

Re:How long before Google is sued?

[vericgar]

http://www.google.com/webmasters/3.html#B2 Google has in place functionality to not cache a page, and has had this for a long time. The fault here is with the DoD. They need to learn some security.

here it is...

[Anonymous Coward]

link [disa.mil]

Re:Aaahh

[Anonymous Coward]

And this [nic.mil] is the domain registration link.

Won't work without a .mil email address, though.

Re:Aaahh

[Anonymous Coward]

This [nic.mil] too, for reserving your very own netblock.

Re:Aaahh

[Big Mark]

From the ftp link they gave. You need this info to register:

H2B. Sponsoring Agency..........:

Indicate the Service, Unified or Specified Command, DoD operating
Agency, or non-DoD Agency of the US government that you are affiliated
with. (for a valid list of agencies, please refer to the
service-agencies.txt located in the netinfo directory).

Example: AF

Ah. So you can't get one if you're not a serviceman. No story, methinks.

-Mark

Here is the access list

[Anonymous Coward]

http://www.nic.mil/visitors.txt and http://www.nic.mil/help

Re:2600 contest?

[neurostar]

Doesn't (didn't) 2600 have a contest like this? The first person to manage to get a .mil domain gets a free subscription, or something like that?

Their contest says that if you resgister 2600.mil (or any 2600.something) and point it to their website, you get a free lifetime subscription. (I think it's any TLD)

neurostar

Re:Aaahh

[xintegerx]

Wow, I didn't believe it was there!

I found references to http://www.nic.mil/cgi-bin/whois on google. I was debating on trying /admin and etc instead, but didn't :)

Instead, I searched for

admin http://www.nic.mil

on Google, to verify the news. I ended up clicking on a web site that shows beginning web masters useful resources.

From there, I went to the site one level above, and from there clicked a link to view a document about standard run of the mill no big whoop procedures about webmastering (pretty useful if you want to be a contractor or write software and have it comply, I assume.)

BTW the security notice on this document is a link to army.mil's privacy policy, which says:

Information presented on Army Home Page is considered public information and may be distributed or copied unless otherwise specified. Use of appropriate byline/photo/image credits is requested.

Anyway, on this document I was just describing, click the second link to the defenselink webmasters area.

There (which is also public according to their stated policy) you can click on "Domain Registration in the .mil domain" and see this
http://www.nic.mil/ftp/mgt/bul-9605.txt [nic.mil]

These are just public info resources. army.mil's security policy says if you try to upload or change stuff, that's what they care about.

Re:2600 contest?

[weave]

2600 would be all into finding out how to do it and telling the world about it, but not going ahead and actually doing it. I've never seen them advocate breaking into systems, just how in can be done. If you read the letters to the editor in the mag and their responses to people who want to do malicious cracking, you'll see they stomp em pretty hard for being stupid.

Besides that, the military might have an incompetent admin that exposes something stupid like that, but I for one wouldn't want to try my luck at exploiting it. I think you'd face better odds for survival as a black man spitting on an LAPD officer in a remote area away from public view.

Address

[AirLace]

The URL is http://sites.defenselink.mil/

It hasn't been possible to add new domains or run queries since Friday, so don't even bother.

Since Slashdot if a Pussy-land...

[Q Who]

I did the process at the .mil NIC site [nic.mil].

After you fill all the forms, there's:

PAY ATTENTION!

This online program makes no changes to the WHOIS database.

The scope of this online program is to send the template to the e-mail address entered in the field below.

Once you receive the completed template, you must forward it to the appropriate point of contact for action.

The NIC will not process any templates until it receives this template (by email) from the domain administrator or service PMO.

So you are essentially filling a template, which you can do by hand as well, following the instructions here [nic.mil].

It lets you retrieve POC by a handle though. I don't know the access level of this information in USA, but this is quite odd, since it seems that the handles are assigned by initials, and are of progressively increasing length.

I also wonder where does this interface gets that data from... There's a DB somewhere, and it can be probably hacked via this interface.

Re:Aaahh

[ShdwFear]

http://nic.mil/cgi-bin/cs
http://nic.mil/cgi-bin/ domain
http://nic.mil/cgi-bin/ip-num
http://nic. mil/cgi-bin/occ
http://nic.mil/cgi-bin/asn
http: //nic.mil/cgi-bin/xtac
http://nic.mil/cgi-bin/rou ter
http://nic.mil/cgi-bin/host

other toys
http://frwebgate.access.gpo.gov/cgi-bin/usef tp.cgi ?IPaddress=162.140.64.88&filename=he99027.txt&dire ctory=/diskb/wais/data/gao

http://boulder.noaa.gov/noc/nhcexit.txt

Re:Of course...

[killthiskid]

Don't get to excited:

Also Important!

In order to use this online registration utility, you MUST have a WORKING e-mail address located on the NIPRNET.

If you do not have an e-mail address, you should use the plain-text templates available by FTP

Of course, not wanting to be labelled a combatent, that's as far as I went.

Re:Aaahh

[j3ss]

The people who run Anonymizer will give up their logs to any law enforcement agency if asked to do so. Anonymizer is good for hiding your tracks from other netizens but I wouldn't trust it for anything illegal.

Re:NIPR.MIL

[Anonymous Coward]

NIPR just stands for "Non-classified Internet Protocol Router"... usually used as "NIPRNet". Basically the name for DoD's slice of the internet.
Not to be confused with "SIPRNet", which is the secure side, which isn't even connected to the regular internet. It's called "air gap".

DISA reverses much of it's IP space to the NIPR.MIL domain. So basically you had a DoD visitor to your web site... since there are hundreds of thousands of DoD NIPRNet users, that's not to suprising.

That's the way it's been for decades

[Animats]

That's exactly the process used in the early days of the Internet, when, to register a domain, you emailed a similar template to somebody at SRI International, which ran the Network Information Center. Then you waited for a week or so for the domain to show up in the HOSTS.TXT file on the FTP server, and months for enough hosts to download it that anyone could reach you. MILNET ran the same way, but somebody at Defense Communications Agency processed the requests for the ".MIL" domain.

Once DNS came in (yes, there was an Internet before DNS), delegation started working. Early thinking was that you'd have one second-level domain for each large organization, which would then manage its own third-level namespace. MILNET still works that way. Since the military is very hierarchical, the organizational structure matches the DNS hierarchy.

Historically, there weren't many top-level .MIL updates. Most changes were further down in the hierarchy. If the NIC for MILNET is still using that template, it's probably still that way.

Re:Address

[Anonymous Coward]

The above comment is the only correct one I've seen so far. nic.mil is obviously a standard mail form template, and submissions are reviewed by a human. sites.defenselink.com on the other hand, is a custom app to manage the domains. It also fits the description of adding a new user without authenticating, as described in the story.

http://sites.defenselink.mil/ [google.com]
http://sites.defenselink.mil/servlet/DataEntry [google.com]
http://sites.defenselink.mil/servlet/DataEntry/add user [google.com]

BTW, I found this independantly by searching for '"add user" site:.mil'.

Summary

[JWSmythe]

Here's a summary of the proposed domains. :)

If you want to know who submitted it, read through the comments again.

Enjoy!

Al-Queda.mil
runofthe.mil
General.mil (cereal)
Cara.mil (caramel)
Rumor.mil (which would be slashdot.org.. hehe)
rastafarian.mil
peace.mil
Piece.mil ("as I find well toned and armed women hot")
starfleet.mil
diploma.mil
peace.in.our.ti me.mil
gin.mil
pointlessdeath.mil
2600.mil
Nat aliePortman.mil
runofthe.mil
slashdot.mil
allyo urbase.mil
IN-SOVIET-RUSSIA-we-practice-better-in ternet-secur ity-than-lazy-capitalist-pigs.mil
in.soviet.russi a.mil.registers.you.mil
slashdot.mil
kevinmitnic k.mil
2600.mil
fuckedcompany.mil
bushisanidiot. mil
ashcroftisan ass.mil
sgc.mil
weoverthrewiran.mil
weoverthrew guatemala.mil
weassinatevietnamese.mil
wekillciv iliansinasia.mil
wesupportcoupinchile.mi
wesuppo rtmilitartyinemsavabor.mil
wetrainedosama.mil
we supportcontras.mil
wegavesaddammoney.mil
wegavei raqweapons.mil
weoverthrewpanama.mil
webombaspir infactories.mil
"noches.mil" (Thousand nigths)
"dos.mil" (Two thousand)
blackop.mil
pepper.mil
paper.mil
dar k.satanic.mil
deathstar.mil (for dvader@deathstar.mil)
milf.mil
Wind.mil
honeypo t.mil

This is a great find.. .

[toker95]

For those who REALLY want a .MIL domain name... Having spent a good deal of time in the US Navy dealing with the fun of keeping seperated, classified and unclassified networks, I can tell you exactly how much of a threat this problem is, to national security.. None. At the very worst, as pointed out in earlier posts... slashdotting a public domain .mil site (like http://chinfo.navy.mil/) would only serve to seriously tick off servicemembers family's, and the average run of the mill PR guys for the navy. Classified servers, sites, and networks are encrypted before they ever touch the same cables as the internet. In many cases, they never DO touch the same cables, but.. Yes, alot of that -classified- traffic passes over the same lines as your average slashdot post, BUT... its highly encrypted before it ever gets there (encryption level and equipment obviously varied by classification level, some data doesn't even get to TOUCH a networked computer). As well, a LARGE portion of the .mil domain's are setup to ONLY see traffic from another authorized .mil network (usually managed by IP address's). If your .mil network needs access to see my network, as well as getting the usual userids and passwords, my net admins need to talk to yours, and put your 1.2.3.xxx address into our firewall. So, the threat here? The threat is really only to the fact that its completely possible to now have a bazillion "yourname.yourwebsite.mil" websites running around... And this wouldn't HURT anything persay, because most .mil websites are acronyms like "subhqnorva.navy.mil" (for Submarine Squadron Headquarters Norfolk Virginia). US Military bungle? Yes National Security Threat? Minimal... Do you really want a .mil domain? Gee, only if you want to cause unnecessary trouble for a government trying to prepare for war...