ARN

Military insecurity

How a small English town ended up with the flight plans for Air Force One

The Internet is just shy of its 20th commercial birthday. Given that, and the fact that the Internet is based on technologies that are open, well-documented, and well-understood, you'd think that all serious enterprises that connect their e-mail systems to the Internet would be capable of ensuring their security and protecting their assets.

When I write "serious enterprises" I'm thinking about really big ones like, oh, say, the United States Air Force. The USAF is responsible for the safety of millions of people, including the president when he 's jetting around on Air Force One, and has a budget of billions of dollars to do the job.

The following might seem like a bit of a digression, but stick with me, we'll join up the bits in a moment.

There is a town over in Jolly Old England called Mildenhall in the delightful county of Suffolk where once upon a time (actually March 1997) a gentleman by the name of Gary Sinnott decided that his town needed a Web site.

Sinnott created a very nice site that included a diary and local news, pictures of the town and area, the area's history, and so on. All was well in this webified corner of that green and pleasant land until around 2000 when mildenhall.com started getting a lot of incorrectly addressed e-mail.

If you take the A101 north out of Mildenhall and drive for roughly 5 kilometers (they are, after all, Europeans) you will arrive at the gates of Mildenhall Air Force Base which is shared by both the United Kingdom (it's actually RAF Mildenhall) and the USAF.

Now, when you connect naive users to the Internet and let them use e-mail, what mistake do they pretty much always make? Yep, they assume that every destination is in the .com domain. Thus it was that people both inside and outside the military started sending messages to mildenhall.com rather than mildenhall.af.mil.

Two problems came of this. First, the sheer volume of e-mail overwhelmed Sinnott and his server, and second, much of the content was nothing he ever wanted to see. This included (these are Sinnott's words): "SPAM. Loads of it! Military data -- some very interesting. Personal information -- some very personal. Some of the worst multimedia clips I've ever seen or heard. [And] interesting insights into what some Americans consider to be pornographic."

But the most interesting stuff in this motley collection was military data, which included -- and I am not making this up -- classified battlefield strategies as well as the flight plans for Air Force One!

When Sinnott told the US military about the misaddressed messages back in the early 'Oughts they were somewhat disinterested and carried on being disinterested for several years. According to The Register, "Officials advised Sinnott to block unrecognizable addresses from his domain and set up an auto-reply reminding people of the address for the official air force base."

This, of course, would not solve either Sinnott's problems or those of the military.

Eventually Sinnott did follow one piece of the USAF's otherwise rather useless advice -- "Get rid of the domain." Sinnott killed off his Web site (you can see his final posting via the Wayback Machine).

This was a spectacular example of incompetence and complacency on the part of US military security and all the more worrying considering the amount of money and effort we're told is being put into national defense. I wonder how many more years will have to pass before military security is at least as good as the average enterprise?

Gibbs is secure in Ventura, Calif. Lock down your response at backspin@gibbs.com.