Forgot your password?
typodupeerror
Security

Register your own .mil Domain 334

Posted by CmdrTaco
from the someone-should-register-paper.mil dept.
JWSmythe writes " As reported in This Story at theregister.co.uk ,and on dailyrotten.com, it seems the US Department of Defense has dropped the ball. Not only can you register a .mil domain, but you can find "secret" domains that aren't publically known (the gov't uses security through obscurity?). I'm looking forward to hacker.mil, warez.mil, and porn.mil."
This discussion has been archived. No new comments can be posted.

Register your own .mil Domain

Comments Filter:
  • hard to believe (Score:1, Interesting)

    by Anonymous Coward on Sunday January 26, 2003 @11:42AM (#5161786)
    I work for the Air Force and I really find this hard to believe -they are very careful with their networks, almost to the point of making working there very difficult!
  • what was that about homeland security? I guess it's all a load...
  • 2600 contest? (Score:5, Interesting)

    by capnjack41 (560306) <spam_me@crapola.org> on Sunday January 26, 2003 @11:44AM (#5161794)
    Doesn't (didn't) 2600 have a contest like this? The first person to manage to get a .mil domain gets a free subscription, or something like that?
  • by GabrielF (636907) <GJFishmanNO@SPAMcomcast.net> on Sunday January 26, 2003 @11:53AM (#5161845)
    IIRC a few years ago the Chinese were caught buying up surplus military equipment including replacement parts for Apache helicopters and hard drives containing sensitive nuclear data. Admittedly with such a huge organization carelessness is to be expected, especially since these guys are overworked and underpaid, but I do wish that the government would stop encouraging average americans to be paranoid when they constantly drop the ball themselves.
  • by jdreed1024 (443938) on Sunday January 26, 2003 @11:54AM (#5161855)
    For those who didn't RTFA, one of the points of the article is not only are there unprotected admin interfaces that let you register your own domain (that's what they're talking about - you still can't register .mil through register.com or anything), add a user, and view traffic stats on DoD sites (even "hidden" ones), but that all these pages (including default passwords) are cached by Google.

    This implies that even if the DoD fixes the problem, the Google caches will still be available (until they expire or are replaced). Now, in the past, we've heard reports of people being upset that Google cached information. However, this time, the cache contains information pertaining to "national security" (that great new buzzword). I wonder, what will happen? Will these URLs be silently deleted from the cache? Will Google be told that cacheing links is now illegal because it could aid terrorists? Will they be prevented from cacheing .gov and .mil? Will Google be sued out of existence?

    We've all found Google caches to be useful, when, say the documentation for an open source project is hosted via 56K modem line in the Czech Republic, for example, or even when a site is Slashdotted, but it'll be interesting to see what happens about this, and how the goverment may over-react.

    (Note, if you're too stupid to understand this, I'm not talking about blame here - don't bother saying "Google rulez, the militery is dum asses for leeving these sitez open, u r an idiot...". I'm talking about reprocussions. Certainly Google doesn't "know" what information a link contains when they cache it. Certainly it's the government's fault for leaving open admin pages with default passwords listed on the page. But just because someone isn't at fault, doesn't mean they can't get screwed over.)

  • Re:what about... (Score:3, Interesting)

    by Blimey85 (609949) on Sunday January 26, 2003 @11:55AM (#5161862)
    Mod this fucker up!!!

    That's the funniest shit so far today.

    The peace.mil was also pretty good.

    I'm wondering how with all the billions of dollars we spend on military shit, how the military can constanly screw things up... BTW, was .mil supposed to only be US mil or could any military anywhere get a .mil domain? And what kind of proof did you have to show to prove you were a military organization?

  • Re:here it is... (Score:2, Interesting)

    by Anonymous Coward on Sunday January 26, 2003 @12:05PM (#5161904)
    From the site, before it gets taken down...
    Please complete the information below then click the SUBMIT button to send this request to the proper office. If you are not a DOD Employee you must complete the Non-DOD Employee section. If you are requesting access other than QUERY ONLY you must notify your Contracting Officer or Government Sponsor so they can obtain and send verification of access level authorized by the appropriate Functional Data Administrator or Component Data Administrator to the Help Desk. Once received by the DDDS Help Desk your request will be processed and you will be sent via Email, Telephone or mail a USERID which you will use to logon to the DDDS. The first time you logon you will be required to enter a password.


    If you do not receive your userid within a few days please contact the DDDS Help Desk. We have been experiencing problems that we do not always get the online submissions. You may be requested to please print this request form and fax it to the Help Desk for processing.

    Also, please be sure that if you fill and print this page that the printout is legible. Many applications that are faxed can not be read thus slowing the process of getting an id.
    Karma Whoring is gay, that's why this is A/C. Plus I'm outside the US, they can't touch me. Oh waitasec...
  • hmm (Score:2, Interesting)

    by rask22 (144831) on Sunday January 26, 2003 @12:17PM (#5161962)
    I also found this [nic.mil]
  • Re:Hmm.... (Score:5, Interesting)

    by Anonymous Coward on Sunday January 26, 2003 @12:21PM (#5161995)
    Dunno but you can do it for him:

    nic.mil/cgi-bin/domain [nic.mil]
  • Patriotic Honeypots (Score:2, Interesting)

    by Unfallen (114859) on Sunday January 26, 2003 @12:33PM (#5162067) Homepage
    How long til the .mil and the .gov and the rest realise that spoofed sites like these could be a fantastic tool in capturing possible IPs of those stupid enough to actually try to use them. Even if you chained through a string of proxies to register the domain, it'd still be useless without somewhere to point it at.

    Editing *.mil* domains through a *logged* cgi form on a *.mil* server. Hello, no, I don't think so, thankyouverymuch. Might as well just a T-Shirt saying "got root?" or something... ;)
  • Re:here it is... (Score:3, Interesting)

    by Charles Dodgeson (248492) <jeffrey@goldmark.org> on Sunday January 26, 2003 @12:36PM (#5162085) Homepage Journal
    The site [disa.mil] certainly allows anyone to fill out the form. But it gives the distinct impression that all submitted requests are processed by a human. So until I see something like "rumor.mil" registered, I'm not convinced that this is as wide open as the original article suggests.

    And, no. I'm not going to be the one to try it.

  • Re:Aaahh (Score:2, Interesting)

    by Anonymous Coward on Sunday January 26, 2003 @12:47PM (#5162143)
    And then from there, it does...
    NOTHING.
    It gives you a text template which you are intended to then mail in.

    This is not a story.
  • by Mish (50810) on Sunday January 26, 2003 @12:54PM (#5162181)
    Out of all the 'links' that have been posted in the comments of this article this one is the scariest.

    Open access to a list of IP addresses of .mil workstations or at least proxies...
  • by ReadParse (38517) <(john) (at) (funnycow.com)> on Sunday January 26, 2003 @01:06PM (#5162234) Homepage
    "National security" is not a new buzzword. "Homeland defense" is a new buzzword, but "national security" has origins much older than 9/1/01 -- at least as far back as the beginning of the cold war.

    Good point in general, though. Seems like the maintainer of a website should have the ability to remove content from said website, in the event that it turns out to not be true, to be libelous, dangerous, or any number of other things. I've always thought a Google feature to purge specific pages from the cache would be a good idea, but the implementation of that would be tricky.

    One of the biggest problems with this is how to ensure that the requestor is authorized to speak for the website? A good first thought is to coordinate with the e-mail addresses in the whois record for the domain, but of course any domain can have any number of separate websites managed by different people.

    Let me think aloud for a moment... we know that Google looks for a robots.txt file before indexing a site. Let's say that a field were added to the robots.txt file that identifies a specific PGP key that is authorized to perform such actions. Not specific to Google, of course... this would be the e-mail address that speaks for the site in any number of ways. Something as simple as:

    MaintainerKey: 9AB3250D

    I don't know a whole LOT about PGP, but I think I know that each public key has a hex identifier (mine is above) that uniquely identifies it and allows others to request it from a keyserver.

    When an e-mail formatted in a specific format (at the discretion of Google and other individual publishers of course) comes in, the public key can be retrieved and the signature of the e-mail validated, and they at least know that the sender is authorized by the site to speak for it. Action from this point forward would be at the discretion of Google, but this is at least a potential TECHNICAL solution to the problem of access.

    Then there's the matter of public key revocation and expiration. Perhaps it's a better idea to have an e-mail address is the robots.txt file and to accept e-mail from that address provided that the current PGP public key is used to sign the message.

    Again, just thinking out loud...
  • Re:what about... (Score:4, Interesting)

    by GMontag (42283) <gmontag AT guymontag DOT com> on Sunday January 26, 2003 @01:26PM (#5162334) Homepage Journal
    well, I prefer Piece.mil, as I find well toned and armed women hot, but I digress (digression in an intorduction?)

    Anyway...

    I'm wondering how with all the billions of dollars we spend on military shit, how the military can constanly screw things up...

    Because it is run by humans, contrary to some theories on the Left.

    BTW, was .mil supposed to only be US mil or could any military anywhere get a .mil domain?

    US Military only.

    And what kind of proof did you have to show to prove you were a military organization?

    The command that handles the domain verifies the request. I am sure that there are ways to insert a fake request and have it approved (in addition to this new finding), the same way we inserted false reports about bad Chinese ammunition into the NVA system, etc.
  • by joshuac (53492) on Sunday January 26, 2003 @02:48PM (#5162810) Journal
    and what is _really_ scary is looking at the this list, it looks like plenty of admins have been accessing this system from home; the log dates back to 1-jan-2002. If you are a lazy cracker, grep for all the lines with "DSL" in them, and probably 80-90% of those hosts are home workstations of military sysadmins of one type or another. If they are dumb enough to leave logfiles of users accessing a server used for military network administration open to the public, imagine what their home computers are like...

    What's even more depressing is that it looks like some of these guys use AOL...
  • by DrDaman (538661) on Sunday January 26, 2003 @02:55PM (#5162857) Homepage
    tried, but all nameservers must be registered with THEIR whois, therefor the nameservers for slashdot NS1.VASOFTWARE.COM isn't valid and their whois client is offline, assuming this is their fix for the time being.
  • Re:what about... (Score:3, Interesting)

    by blair1q (305137) on Sunday January 26, 2003 @03:09PM (#5162917) Journal

    Because we spend $$billions on toys, and virtually nothing on people.

    Toys make defense companies rich. Servicemembers are paid less than fast-food workers.
  • by Buzz_Litebeer (539463) on Sunday January 26, 2003 @04:04PM (#5163198) Journal
    Actually Homeland Defence was used by hitler, so its not new either.
  • Lose your +2? (Score:5, Interesting)

    by schlach (228441) on Sunday January 26, 2003 @04:14PM (#5163255) Journal
    I'm responding to your sig.

    Ok, so the new way of doing things is that instead of adding a point to your comment's overall score when you post with your karma bonus, your comment is posted at 1 with a separate "karma_bonus=yes|no" variable. Thereafter, users can specify how much weight to assign to the karma bonus on their preferences page. This was 0 when the editors quietly rolled in the changes without telling anyone (why so sneaky?), but has since been changed to '+1' by default, to by default be the same as the old way.

    So, your comment that got 3 good moderations is scored at 4/1. Users who have a '+1' modifier to karma bonus will see this comment at 5, whereas users with a '0' karma modifier will see it at 4, and users with (for whatever reason) a '-6' modifier will see it at -2. If such a thing were possible.

    Unfortunately, I see this as making it unlikely that comments posted with a karma bonus will ever be modded up to 5, since most moderators will be viewing with a karma bonus and see that the comment is already scored at 5, and that it therefore cannot be modded up further.

    I'm going to say that the way this was changed was disgraceful. There is no reason not to maintain a place on slashdot indicating how the code is being changed. I have relied on CmdrTaco's journal [slashdot.org] to inform me of changes, but in this case it was silent, and after thinking about it further, it's still a crappy way of running things.

    It all goes back to the difference between slashdot as community and slashdot as business. As a business, sure, slashdot can do whatever the hell it wants, who am I to lecture, blah blah blah. But as a community, changing things in profound ways without approval, comment, or even notification is bastardly. And slashdot as a business would do well to perceive its dimensions as a community.

All life evolves by the differential survival of replicating entities. -- Dawkins

Working...