It's Way Too Easy to Get a .gov Domain Name

krebsonsecurity.com

438 points by jakejarvis 6 years ago · 183 comments

bonyt 6 years ago

> A review of the Top 10 most populous U.S. cities indicates only half of them have obtained .gov domains, including Chicago, Dallas, Phoenix, San Antonio, and San Diego.

> Yes, you read that right: houston.gov, losangeles.gov, newyorkcity.gov, and philadelphia.gov are all still available. As is the .gov for San Jose, Calif., the economic, cultural and political center of Silicon Valley.

A minor nit: Many of these cities do have a .gov domain. For example, NYC has nyc.gov. So, I would suspect (or I’d hope) the GSA wouldn’t issue newyorkcity.gov to a random fraudster as easily.

Houston has houstontx.gov.

Philadelphia has phila.gov.

San Jose has sanjoseca.gov.

LA has .. lacity.org? That’s a bit unexpected.

Some cities may also use a subdomain of their state's domain, which may or may not be a .gov.

  • profmonocle 6 years ago

    > Some cities may also use a subdomain of their state's domain, which may or may not be a .gov.

    This reminds me of how long-winded the domain hierarchy for .us originally was. In MN (not sure if it's the same for every state), city domains were "www.ci.cityname.mn.us". Then the school district's web site was "www.cityname.k12.mn.us". Not only was the order inconsistent (why not www.k12.cityname etc.?) but sometimes the city might be typed differently - i.e. the main Minneapolis site had "minneapolis" in the domain, but the school district had "mpls".

    In the primordial days of the web, back before good search engines, this didn't make it very easy to find the school's web site.

    Fortunately many governments realized this and moved once .gov became available to cities & states. (or they just used .org). For instance Minneapolis uses minneapolismn.gov, but many are still on the old style domains. The school district uses mpls.k12.mn.us, but at least they've dropped the "www."

    • semi-extrinsic 6 years ago

      In Norway, people employed by the local municipalities have email addresses that are literally of the style

        $firstname[.$middlename].$lastname@employee.$municipalityName.municipality.no  
      
      where "employee" and "municipality" are literal strings (in Norwegian) and the others are variables. It's incredible, I've seen people with 50 character long email addresses.

      • bewuethr 6 years ago

        If you want to reschedule your Canadian citizenship ceremony, this is the address to email: RCC.DNCitSCRScheduling-ConvocationSCRCitRN.IRCC@cic.gc.ca

        • mikepurvis 6 years ago

          Looks like part of that might be attempting to craft a bilingual email address? This kind of thing is tough to get right— in many cases the easiest thing is to just make up a word that's understandable in both languages but isn't obviously preferential to either, like how the transit agency in Ottawa is called "OC Transpo".

          On the other hand, for email addresses in particular, it should be easy to just have one in each language, which also makes sense in terms of the person replying knowing upfront which language you'd like to use based on which address your query came in on.

          • rapunkill 6 years ago

            They could/should just use an alias where both email addresses point to the same inbox, which would solve that issue in 2 minutes.

      • mijamo 6 years ago

        Why is that incredible? It is pretty common for many institutions to have that kind of email. Universities for instance often have similar emails so that just by looking at the email you know if the person is a teacher / student / temp worker and which chair they belong to, sometimes which campus in addition.

        Many big companies have similar things to identify the BU of the email holder or indicate a contractor status (helpful for security policies).

        • semi-extrinsic 6 years ago

          I don't know, I guess in the industries I work in it's much more common to have emails that are somewhat unpredictable, like mide54@corp.com

        • wbl 6 years ago

          Some unis. I had the three letter username (it helps that my name starts with W) at Berkeley. You could pick anything you wanted.

        • blackearl 6 years ago

          it's not common to have such a long email

    • markovbot 6 years ago

      those are called .us locality domains.

      ci.<locality name>.<state>.us is assigned to the city; there are several other similarly non-obvious assignments, and anyone is permitted to register one.

      I found this page that talks about it more: http://telecafe.org/smw/.US_Locality_Domains

    • zeckalpha 6 years ago

      More confusingly, our legislature has used a Mongolian domain name. Looks like they (mostly) have redirects set up now: http://www.leg.mn

    • jimktrains2 6 years ago

      School districts are separate from municipalities and often will span multiple.

      • dragonwriter 6 years ago

        > School districts are separate from municipalities and often will span multiple.

        School districts may or may not be subordinate to city or county governments, and this may not be consistent statewide (of course, the hierarchy of city vs county may not be consistent statewide—looking at NYC.)

    • krallja 6 years ago

      School districts are not always subsets of cities. Sometimes they even cross town, county, parish, or township lines.

  • cpeterso 6 years ago

    The city of Lafayette's police department (in the SF East Bay) accepts crime tip emails using a Gmail address (94549TIP@gmail.com). It's plastered on all their police cars, even though the city and police department have an official domain. Though even that is a .org domain, lovelafayette.org.

    • mike_hock 6 years ago

      So an email address that looks like a fraud (or just random) and a domain name that looks like a porn site.

    • paggle 6 years ago

      Well presumably one would not be feeling much “Love Lafayette” when reporting crimes.

      • manderley 6 years ago

        ... but they would want to get the government, the "gman" involved - so "gmail" fits perfectly!

  • krustyburger 6 years ago

    I would assume the LA City one was chosen because it’s still shorter than Los Angeles and it also differentiates from LA County. Much of the LA metropolitan area is within the county limits but not part of the city of LA.

    • Spare_account 6 years ago

      The issue with lacity.org is the TLD, which creates confusion amongst the general public.

      Legitimate domains for government entities should ALL be on .gov, which should be rigorously controlled.

      Then I can tell my family to trust any .gov site, and assume that anything else is fraudulent.

      lacity.org undermines this.

      • teddyuk 6 years ago

        Tell your family never to trust any site no matter the domain, sites are hacked too easily.

      • henvic 6 years ago

        You'd be better off telling your family to distrust .gov sites by default.

    • alfonsodev 6 years ago

      Could be also because they have lots of Spanish speakers? La ciudad == the city, Spanglish la city, :)

    • garmaine 6 years ago

      I would think it also needs to differentiate from Louisiana.

    • tomjakubowski 6 years ago

      yeah, the county website is likewise https://www.lacounty.gov/

  • hcs 6 years ago

    > LA has .. lacity.org? That’s a bit unexpected

    Vs lacounty.gov I guess?

    • radium3d 6 years ago

      or losangeles.ca.gov would be neat

      • pishpash 6 years ago

        LA gov doesn't belong to CA gov, federalism, etc.

        • dragonwriter 6 years ago

          > LA gov doesn't belong to CA gov, federalism, etc.

          Federalism does not exist within states but between states and the federal government. Los Angeles (whether county or city) is an administrative subdivision of the State of California, not a separate sovereignty.

          OTOH, Los Angeles isn't getting a .ca.gov domain because the state government doesn't want to dilute its brand with local government websites, but that's about branding, not Federalism.

          • zajio1am 6 years ago

            While it is true that federalism is the wrong term, there exists a general idea of independence of different levels of government. I am not sure about the US constitutional arrangement, but in the country where I live there is a clear and explicit concept that municipal, province and country (executive) governments are independent of each other, not subordinate. Therefore, it would be inappropriate for a city to get a subdomain managed by a higher-level government entity.

            • tssva 6 years ago

              The relationship between states and localities is governed by the constitution and laws of each individual state and not the US Constitution.

              In my particular state, and in many but not all others, local governments whether that be counties, cities or towns are administrative districts which only have the rights and powers which the state chooses to delegate to them through state law and the particular charter granted by the state to the administrative district. The state through the normal legislative process can change those rights and powers or even eliminate a particular administrative district.

            • jacobr1 6 years ago

              In the United States, municipalities are subordinate to the state (equivalent to province). They generally have charters outlining distinct areas of responsibility, but changing the scope of that responsibility usually requires legislation at the state level. At each level the executive, judicial and legislative branches are separate.

          • konklone 6 years ago

            There's not federalism within states in a legal sense the way there is between states and the feds, but cities value their independence too and prefer to have their own infrastructure. I would expect the city, rather than the state, to be the reason they don't use a subdomain of the state's .gov domain.

    • linux2647 6 years ago

      vs lastate.gov aka Louisiana

  • madcaptenor 6 years ago

    Perhaps Los Angeles and Louisiana have a truce where neither one takes la.gov

  • jrockway 6 years ago

    We have a TLD for NYC. It is, expectedly, not used for the city's official website. I guess people don't know how to visit TLDs in their browser. (I believe it would be "nyc.")

    • CydeWeys 6 years ago

      That's not how .nyc is used or is expected to be used. It's a top-level domain, not a dotless host name. Here's an example of how it's used: https://thecity.nyc/

      • lifthrasiir 6 years ago

        > That's not how .nyc is used or is expected to be used. It's a top-level domain, not a dotless host name.

        While it is prohibited by the ICANN policy [1], it is not strictly enforced, so there are multiple TLDs with A/AAAA records. They traditionally could be resolved with a trailing dot (thus it is not a dotless host name, that would have no dot), but nowadays many browsers refuse to resolve them without an explicit scheme. But they do still exist: try `http://pn./` for example.

        [1] https://serverfault.com/a/907228

        • FDSGSG 6 years ago

          This prohibition only applies to gTLDs. It does not apply to ccTLDs.

        • Symbiote 6 years ago

          http://ai./ is a better example.

          • notatoad 6 years ago

            both pn and ai are giving me DNS errors in chrome on ubuntu.

            • Symbiote 6 years ago

              The DNS server at work (which I maintain... oops) doesn't work, but home and other servers do work:

                host ai. 1.1.1.1
                Using domain server:
                Name: 1.1.1.1
                Address: 1.1.1.1#53
                Aliases:
                
                ai has address 209.59.119.34
                ai mail is handled by 10 mail.offshore.ai.

        • eru 6 years ago

          HN doesn't like your link's formatting. Try: http://www.pn./ or http://www.pn/

          • CydeWeys 6 years ago

            This unintentionally makes a point about how hard these domains are to use; they're not supported very well.

        • distances 6 years ago

          Your .pn link doesn't work for me without www part.

          At least for https://www.fi/ the case is that someone registered "www" as the domain name in the early days.

          • lifthrasiir 6 years ago

            Hmm, I guess the current browsers simply don't like such domains and automatically put www. At the very least, the Google DNS gives the following:

                ai. 209.59.119.34
                cm. 195.24.205.60
                dk. 193.163.102.58
                gg. 87.117.196.80
                je. 87.117.196.80
                pn. 80.68.93.100
                tk. 217.119.57.22
                uz. 91.212.89.8
                ws. 64.70.19.33
            
            But I agree that these domains are now out of luck, given that browsers no longer even remotely support them.

            • tropo 6 years ago

              I see that the Vatican has given up. Long ago, http://va/ was it. No other name under va existed. Netscape Navigator was able to navigate to that part of the net.

              It really did make sense for such a tiny place.

      • antihero 6 years ago

        https://nyc.nyc, so good they domain named it twice...

      • jrockway 6 years ago

        I mean, someone made some policy that says that... but it would be fun! Do people still have fun these days?

        • CydeWeys 6 years ago

          The reasons why these don't work go much beyond policy. Let's say that you're trying to advertise city social services in a subway ad campaign; how in the world do you get people to go to just "nyc" as the domain name? I guarantee you most of them will end up just performing a search on "nyc". It simply doesn't work. When you put nyc.gov as the domain name, everyone knows what that is and how to navigate to it.

          Secondly, we have the expectation that subdomains of a given domain are run by the same entity, and represent natural semantic subdivisions. E.g. there's google.com, the over-arching website for all of Google and its first major product, and then for its other major products there's maps.google.com, mail.google.com, docs.google.com, etc.

          This doesn't work with nyc, because subdomains of nyc are actually registrable domain names all their own that are controlled by other entities. So you can't have nyc be the overarching website for NYC, and then have parks.nyc, housing.nyc, business.nyc, etc., as natural subdivisions of it, because other people can own those domain names! So now you have no great way to subdivide up your site, and other people's sites are easily confusable as yours.

          The only real way to do a dotless root DNS website is if you control the entire TLD; it has to be closed and not open to registration by external parties.

  • rolltiide 6 years ago

    > LA has .. lacity.org? That’s a bit unexpected.

    It needs disambiguation because of Louisiana, while "Los Angeles" is more heavily in the collective consciousness.

  • goodcanadian 6 years ago

    Just because the cities have .gov domains does not counter the fact that the other, very official looking, domains are unused and potentially available.

    • machello13 6 years ago

      Sure, but the sentence:

      > A review of the Top 10 most populous U.S. cities indicates only half of them have obtained .gov domains, including Chicago, Dallas, Phoenix, San Antonio, and San Diego.

      is factually wrong.

  • vharuck 6 years ago

    My township (step below city) has a .com domain.

forgingahead 6 years ago

Good reporting, until this paragraph:

Now consider what a well-funded adversary could do on Election Day armed with a handful of .gov domains for some major cities in Democrat strongholds within key swing states: The attackers register their domains a few days in advance of the election, and then on Election Day send out emails signed by .gov from, say, miami.gov (also still available) informing residents that bombs had gone off at polling stations in Democrat-leaning districts. Such a hoax could well decide the fate of a close national election.

Why the need to specify "Democrat" strongholds? Doesn't this attack work for any other political-party strongholds as well? Seems like an unnecessarily partisan position to take.

  • katet 6 years ago

    I see what you mean, but I suspect the author might be referring to the Russian disinformation campaign to favour Republicans. I see it just as an example - obviously it can be adapted in either direction, or both just to deter voter participation altogether.

    • larnmar 6 years ago

      It would be shocking, though, if it turned out that Russia was the only country trying to influence US elections, instead of the only one that has been publicly exposed.

      • Iv 6 years ago

        I think many countries assessed that they were capable of it, but many would think this was a casus belli. Had Clinton been elected instead, she probably would have sought additional sanctions and a firmer stance against Russia because of this.

      • krn 6 years ago

        Yet, with the exception of Iran, the countries with the most aggressive foreign policies (Russia, China, North Korea, Saudi Arabia, and Turkey) seem to currently support the election of Republican nominees.

    • paggle 6 years ago

      I don’t think the Russian agenda favors Republicans — it favors sowing chaos. Trump was certainly that candidate in 2016 but that could change.

  • walrus01 6 years ago

    That specific paragraph is a lot of weirdness.

    But once you have the domain, somebody who knows what they're doing with DNS and SMTP absolutely could set up proper email services on it (forward-confirmed rDNS, SPF, DKIM signing, DMARC), and send spam with it. It's functionally equivalent to any other domain. Particularly if the intention was to be a one-shot approach that would "burn" both the domain and the hosting services, such as in the days leading up to an election.

    A really smart bad actor would use some IP space from an ISP that traditionally has not been a source of spam. E.g. not an ISP with a lot of low-dollar-value VPS/VM/hosting customers.

    There's still some totally "clean" /24 IP blocks out there in the various RBLs and spam listing services if you go searching.

    If I were an evil person and did this, I'd try to get the domain at least a few weeks in advance and try to generate a moderate volume of totally legit looking emails, destined for the top 20 major destinations (office365, gmail, etc) and verify from a bunch of sockpuppet accounts that the mail was actually getting delivered. Then I'd turn loose the fire hose.

    Should a person want to be really evil, they'd do something like the reverse of what happened to the City of Baltimore with the cryptolocker trojan. Find a list of municipal (water, sewer, gas, electrical, property tax) bill payers and email each of them a plausible looking invoice, with cryptolocker attached. The likelihood of people opening it would be high.

  • save_ferris 6 years ago

    The Houston Chronicle reported today that the Texas GOP plans to purchase several domains resembling Democratic candidates and run active disinformation campaigns against them using fake campaign sites[0]. Might’ve had something to do with it.

    0: https://www.houstonchronicle.com/news/politics/texas/article...

    • drak0n1c 6 years ago

      Another news story today is the lawsuit against the "Devin Nunes' Cow/Mother" Twitter accounts run by anonymous DNC personnel. In each of these incidents the "disinformation" label is used by partisan officials and obsessively repeated by the media (because the creator's identity is not placed in large font at the top), but anyone who looks at it themselves can clearly see that such is satire and opposition material.

      This one is particularly great. Made by an enterprising private individual. https://joebiden.info/

      • kevingadd 6 years ago

        When was it confirmed that those twitter accounts were run by the DNC and not just ordinary people? Did the owners break anonymity to the press to prove ownership even though a lawsuit is trying to reveal their identity? That's wild.

      • lightbyte 6 years ago

        "Devin Nunes' Cow" is obviously a satire account. As the judge ruled, a cow clearly cannot tweet, so nobody can reasonably believe that is actually his cow.

        "ZweinerforTexas.com", "ZweinerforTx.com" are not obviously satire, they look like normal campaign urls and are clearly made to deceive.

  • Iv 6 years ago

    I'd say it is an unnecessary position to take but would not call it especially partisan. There is no symmetry in the amount of election meddling that has been done by both parties. Saying the GOP may be a party interested in election meddling is like saying Iran may be interested in funding islamist terror groups. An unnecessary accusation, but hardly a partisan one.

  • ekimekim 6 years ago

    Large cities tend to be blue, and you want to pick a recognizable large city name to get the point across. Politics aside, the example would've had less impact for a republican stronghold just because it wouldn't be as recognizable a city name.

  • green1 6 years ago

    It's a fairly ridiculous scenario in any case.

    1. Attacker needs a .gov from a swing state

    2. No they don't, because nobody who'd fall for this would analyze the sender address/website URL, let alone for .gov instead of .org/.net/.com, and there's zero need to emulate a gov website anyway, when emulating a news site would be at least as effective

    3. It relies on people reading an email on election day before voting and then not bothering to verify what it says anywhere, not having someone tell them it's fake and not hearing about the scam on the news they're watching for the bomb story

  • xwowsersx 6 years ago

    Agreed, that was totally gratuitous and it detracts from the article.

  • njharman 6 years ago

    That is such a complicated movie-plot threat.

    Far more direct to just spread those rumors through social media. Which more people pay attention to and believe than .gov. Or just make actual bomb threats.

  • minikites 6 years ago

    Democrats _want_ people to vote, most voter registration drives and voter services (offering transportation to a polling place, etc) are run by Democrats or aligned organizations.

  • ptah 6 years ago

    related: https://news.ycombinator.com/item?id=21110318

    tldr; republicans tend to win by slimmer margins compared to democrats

  • MereInterest 6 years ago

    One of the major political parties in the US has been repeatedly engaging in voter suppression. Is it partisan to observe repeated behavior on one side of the political spectrum, and to extrapolate accordingly?

    https://en.wikipedia.org/wiki/Voter_suppression_in_the_Unite...

    • judge2020 6 years ago

      Specifying "democrat" in this particular example of how an adversary having a .gov domain could be bad adds nothing to the example.

    • 9HZZRfNlpR 6 years ago

      For the rest of the world, voting without proper documents screams voting fraud. It's not that black and white.

    • soperj 6 years ago

      From an outsiders perspective, there's very little difference between both your political parties.

  • microcolonel 6 years ago

    It's a figure, not every sentence needs to have stand-in characters written in to appeal to sensitivities like this. Also, maybe if he chose “Republican” it wouldn't hit home, and it'd sound like he's threatening his audience with a good time. ;- )

    It could be criticized regardless of the characters chosen.

Thorentis 6 years ago

> “I used a fake Google Voice number and fake Gmail address,” said the source, who asked to remain anonymous for this story but who said he did it mainly as a thought experiment.

I don't think "thought experiment" applies to actually carrying out what you were thinking about.

  • yoaviram 6 years ago

    Came here to say the same thing. I'm surprised how often people misuse the term. Here's my attempt at explaining what are thought experiments: https://thoughtexperiments.net/pages/on-thought-experiments/

  • Eiriksmal 6 years ago

    > Technically, what my source did was wire fraud (obtaining something of value via the Internet/telephone/fax through false pretenses); had he done it through the U.S. mail, he could be facing mail fraud charges if caught.

    Yeah, I'm pretty confident that a true thought experiment can't lead to wire fraud charges. "Security research" seems like a more popular, and reasonable, umbrella to hide behind.

RandomBacon 6 years ago

The title reminds me of when someone reported that it was just as easy to get fully-automatic firearms and other military gear from homeland security for free by pretending to be a police department (fake website) and a simple form.

  • chatmasta 6 years ago

    An alarming amount of societal functionality depends on what effectively amounts to the honor system. This is especially true when it comes to any sort of gatekept specialty profession, like coroners for example.

    There was a great talk at DefCon about faking death: https://m.youtube.com/watch?v=9FdHq3WfJgs

    • corporate_shi11 6 years ago

      This is an incredibly important comment. You cannot legislate loyalty to the country. You cannot legislate morality. You cannot legislate most of what makes a country a hospitable place to make a life.

      Culture matters more than anything else.

    • cortesoft 6 years ago

      I don't know if that is a solvable problem. Society is trust, and it always takes trusting someone to make any system work.

      People try to build trust-less systems all the time (like blockchains) but always run up against someplace where trust is required.

      • oefrha 6 years ago

        Trust, but verify. In the TFA case at least, it shouldn’t be that hard to call the office’s number (not the filled-out Google Voice number of course, but there has to be a number published by/available through reliable parties) and confirm “is it really your office who’s registering the domain?” if (printed on official letterhead) { return authorized; } is beyond stupid.

        • cortesoft 6 years ago

          Right, but then you are trusting that number list... how is that generated? Can I call someone up and get that number changed?

  • microcolonel 6 years ago

    There are other more straightforward ways to illegally purchase post-Hughes machine guns. This is an extremely high risk scheme.

    • npo9 6 years ago

      Yeah but

      A) military gear is more than automatic weapons. Sometimes they send out things harder to come by than guns to police departments.

      B) This scheme costs less than pennies on the dollar.

      • catalogia 6 years ago

        This scheme only makes economic sense if you neglect to factor in the cost of being sent to federal prison for many years.

        • manigandham 6 years ago

          Isn't that part of the cost with all the schemes?

          • catalogia 6 years ago

            Some schemes create paper trails in federal agencies, others do not. In America you can acquire rifles without filling out any paperwork at all, let alone lying to a federal agency on paper. Converting those rifles to automatics can, again, be done without lying on any paperwork in a variety of ways (some more effective than others.) Somebody up to no good would be better served by low-profile acquisition schemes that fly under the radar of regulators, rather than getting their attention then trying to actively deceive them.

            All schemes may be risky, but they're not all equally risky. Some schemes are more risky than others. However all of these schemes probably have negative expected payouts if you factor in the FBI being pretty damn good at their jobs. Whatever crime you hypothetically plan on committing with automatic rifles will almost certainly not have a positive payoff when you include the cost of getting busted, and you almost certainly will eventually get busted. When smart people decide to be criminals, they choose white collar crime (arrest rates are very low, and sentencing for those captured is frequently lax.) Violent crime is for idiots who fail to rationally consider the likely consequences of their actions.

            • manigandham 6 years ago

              Sure, but the point is that federal prison is always a factor in illegal arms, regardless of how you acquire them.

              With modern machining and 3D printing, "ghost" guns can just be manufactured from scratch. There are even companies that sell legal components, blueprints and raw material meant to be easily tweaked and machined into a complete weapon.

          • microcolonel 6 years ago

            Yeah, but anyone with access to a machine shop can make good machine guns, it is very easy. This is one of the lower risk approaches.

        • girvo 6 years ago

          Though that's still a risk even if you're getting them on the black market, or manufacturing modifications for legally bought AR-15s et al. yourself

    • jki275 6 years ago

      You don't even need to purchase them. Anyone with a drill press can make them with impunity.

      • darksaints 6 years ago

        Not impunity. You have to be a class 7 manufacturer, which is pretty well regulated.

        • jki275 6 years ago

          The context was illegal manufacturing, not legal. Obviously one must as you say get a SOT license in order to do things legally.

sb057 6 years ago

If you want some irony, from the "dotgov.gov" website linked in the post:

>An official website of the United States government. Here's how you know:

>The .gov means it's official. Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you're on a federal government site.

KingMachiavelli 6 years ago

Isn't the main issue that TLDs are a poor way of establishing trust?

Otherwise does every company and government need to get specialized TLDs to prevent impersonation? Even then it only works if users know and always notice the domain.

EV certs are dead for good reason but nothing seems to have replaced them.

I guess the only option is to verify each site once and then bookmark it and always make sure it's https. But on the first visit, how do I know chase.com is Chase Bank?

  • frei 6 years ago

    Well the back of my Chase card says chase.com.

    If you tend to use search engines to find websites, you are trusting the search engine to give you the website for Chase Bank.

    • why_only_15 6 years ago

      I feel like google is less likely to give me something fraudulent than e.g. the risk of me misspelling chase or the like

      • laken 6 years ago

        an attacker could purchase google ads for "chɑse.com" (note the unicode "s" instead of "s")

        • knolax 6 years ago

          Isn't the homoglyph the IPA "ɑ" character used in place of Basic Latin "a"? The homoglyph URL attack also has some downsides because Unicode is only supported for domains through an extension system, most browsers will convert the above to "xn--chse-r5b.com" after you visit the link.
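The two comments above describe the defender's problem from both sides: the IPA "ɑ" (U+0251) renders like an ASCII "a", and the browser turns the label into its punycode ("xn--") form. The script below is an added example, not code from the thread or from any product discussed in it; it shows how a mail gateway or log pipeline can flag such look-alike domains by computing the ACE form, checking for mixed scripts, and folding known confusables into an ASCII "skeleton" that is compared against an allowlist. The confusables table and the `KNOWN_GOOD` allowlist are constructed for the example (a tiny subset of Unicode TR39; a real deployment would load the full confusables data), and the function names are my own.

```python
import unicodedata

# Constructed for this example: a few Unicode code points that render like ASCII letters.
# A real checker would load the full Unicode TR39 confusables table instead.
CONFUSABLES = {
    "\u0251": "a",  # LATIN SMALL LETTER ALPHA, the character in the comment above
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}

# Constructed allowlist: the domains this organisation actually trusts.
KNOWN_GOOD = {"chase.com", "nyc.gov"}


def to_ace(domain):
    """Return the ASCII-compatible (xn--) form that the resolver actually sees."""
    return domain.encode("idna").decode("ascii")


def skeleton(domain):
    """Fold confusable characters to their ASCII look-alikes so that visually
    identical strings compare equal. Case-fold and NFKC-normalise first so that
    compatibility characters (full-width letters etc.) are handled too."""
    folded = unicodedata.normalize("NFKC", domain.lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def scripts_in(label):
    """Set of script names (first word of the Unicode character name) in a label.
    ASCII letters count as LATIN."""
    names = set()
    for ch in label:
        if ch.isascii():
            names.add("LATIN")
        else:
            names.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return names


def analyze(domain):
    """Classify a domain as seen in a URL or From: header.

    Returns a dict with the ACE form, the confusable-folded skeleton, whether any
    label is internationalised, whether any label mixes scripts, and, if the
    skeleton collides with an allowlisted domain the input is not, which one."""
    ace = to_ace(domain)
    skel = skeleton(domain)
    is_idn = any(label.startswith("xn--") for label in ace.split("."))
    mixed = any(len(scripts_in(label)) > 1 for label in domain.split("."))
    lookalike = is_idn and skel in KNOWN_GOOD and skel != domain.lower()
    return {
        "input": domain,
        "ace": ace,
        "skeleton": skel,
        "idn": is_idn,
        "mixed_script": mixed,
        "lookalike_of": skel if lookalike else None,
    }


if __name__ == "__main__":
    # Constructed sample: the legitimate domain, the Latin-alpha variant from the
    # thread, and a Cyrillic-a variant that a mixed-script check alone would catch.
    for candidate in ("chase.com", "ch\u0251se.com", "ch\u0430se.com"):
        print(analyze(candidate))
```

The Latin-alpha case is the instructive one: because U+0251 is itself a Latin-script letter, a mixed-script check passes it, and only the confusable skeleton matches it to the allowlisted brand. Both signals are cheap enough to run on every inbound sender domain.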

        • why_only_15 6 years ago

          Seems unlikely google would let scammers with fake domains purchase ads, though maybe they have in the past.

  • dredmorbius 6 years ago

    EV certs, for the curious, extended validation certificates:

    https://en.wikipedia.org/wiki/Extended_Validation_Certificat...

Thorrez 6 years ago

Interesting that this was done very shortly after the DOTGOV bill was introduced. It's possible that this attack was done by a supporter of the DOTGOV bill in order to provide evidence to help the bill pass.

xyz-x 6 years ago

Does anybody know why the USA hogs the top-level domain? It's not the only government in the world. It would seem more just to make it more like .com than .edu.

  • ptaipale 6 years ago

    Obviously, because of the history of the Internet deriving from Arpanet. The whole domain name structure grew out of the needs of the US government, even if the .com domain was the largest TLD from the start.

  • astura 6 years ago

    Nope, .gov belongs to the US, so they get to hog it.

    It's a historical vestige, the Internet started out as a U.S. government-sponsored research network, so they built it for their own needs. There's absolutely no reason for them to give that up.

  • zokier 6 years ago

    It's a perk from building the internet. Early bird gets the worm etc

  • velosol 6 years ago

    In addition to all the siblings, government isn't always spelled with 'gov' so it would be useful to the subset of countries where those letters make sense. Compared to say Mexico with http://gob.mx .

  • avocado4 6 years ago

    Because they came up with it.

neiman 6 years ago

Together with selling .org to Ethos Capital, we're getting a worrying picture of problems with the current model of managing TLDs.

Managing TLDs is a lot of power in 2019, since the Internet is such a powerful player now.

I'm not sure what's the best way to manage it, but I am sure that if we leave it as is, we'll see more and more deals with dodgy commercial entities or more entities getting domain names they should not own.

aaron695 6 years ago

This is dumb.

If someone is doing this, then link?

Else it's obviously too much bother; your domain will get axed.

Compare to all the domains that won't get axed.

Do they really expect us to believe the population will get fooled on a losangeles.gov but not losangelesgovernment.ws? The difference will be a small percent.

> then on Election Day send out emails signed by .gov

Why the hell won't these be junked like any spam? New domain. Sudden flood. People marking as spam. What, are we in 2010?

kitteh 6 years ago

I remember when it was easy to get edus. Recall someone who had irc.edu until they got caught.

  • Sendotsh 6 years ago

    It was easy to get all sorts of fun domains back in the day. All so you could have lolz in your irc /whois.

  • myself248 6 years ago

    Never managed to get one, but I've still got my eyes on the prize: .int :)

curiousgal 6 years ago

Tangent.

This guy has the best and probably most read blog on cybersecurity incidents. He's smart enough to serve ads from his own domain but can't even bother to make his site mobile friendly? I've seen people pick on the sites of free tools and side projects for the same reason but somehow this gets a pass.

  • astura 6 years ago

    Well, it loads instantly and I can read it just fine on my mobile device, which is more than I can say for half of "mobile friendly" sites out there, so there's that...

    Anyway, he mentioned about a year ago that he knows the design of his blog is outdated, and he was looking at making it more modern.

  • tsukurimashou 6 years ago

    he does whatever he wants

    • Biganon 6 years ago

      ...yeah? And? Everyone does whatever they want, not even criminal law makes it impossible to act a certain way. What's your point? It's still a terrible design choice, and it alienates a great number of potential readers.

    • curiousgal 6 years ago

      So do I, which is why I blocked all images on his site.

  • unreal37 6 years ago

    Does it matter? Why?

  • frozenport 6 years ago

    Looks fine on mobile Firefox

Jaruzel 6 years ago

Co-incidently, I just watched a Family Guy episode where Peter and Tom Tucker shoot a skateboarding video, which ends up with Peter being attacked by a bear. The skit ends with a fake advert for www.shirt.gov

Obviously, they thought that there was no way someone could register shirt.gov... how wrong they were ;)

zurn 6 years ago

Or too hard - why are they US only?

  • anoncake 6 years ago

    What would be the point? How often do you want to make sure you are on a government website without even caring of which country?

    • zurn 6 years ago

      It's just a name, doesn't hold any special assurance for most people.

      • delfinom 6 years ago

        Until some enemy country starts registering punycode domain lookalikes lol.

  • astura 6 years ago

    Because they created it as one of the original TLDs (along with .arpa, .com, .org, .net, .int, .edu, and .mil) for their research network, ARPANET. Later on the Internet was built from ARPANET.

  • delfinom 6 years ago

    It's the legacy of the internet starting off in the US. The US Government laid claim to .gov. Other countries instead operate .gov.countrytld

    • zurn 6 years ago

      Only a handful of countries operate .gov.countrytld, they are mostly named like someofficename.countrytld.

HNLurker2 6 years ago

This is what I used to do back in the day, to get high PageRank (remember that?) in Google

  • frei 6 years ago

    You used to defraud the US Government back in the day? For pagerank? Did you get in trouble?

    • C1sc0cat 6 years ago

      It was more .edu's back then, I came across more than one (presumably hacked) professors' personal sites that were hosting link spam directories

  • Thorrez 6 years ago

    If we go back to the original PageRank algorithm, I don't think it would be affected by this attack. The original algorithm just counts the number of links (or number of sites making links), not the TLDs. So a .com site would be just as good as a .gov site.

    • HNLurker2 6 years ago

      Yes but they used to have, if I remember correctly, higher PR. Back in the day (Twitter had 10, Google had 9 and any gov had 7 at least) I used to buy those and link to my directory webs.

walterkrankheit 6 years ago

I wonder if anyone's done any sort of research on how many possible fraudulent .gov sites there could be. Definitely seems like a tool disseminators of fake news and hate campaigns would use.

nodesocket 6 years ago

> who said he got a .gov domain simply by filling out and emailing an online form, grabbing some letterhead off the homepage of a small U.S. town that only has a “.us” domain name, and impersonating the town’s mayor in the application.

He can also get prosecuted and potentially get jail time for such a gamble.

  • Nextgrid 6 years ago

    > He can also get prosecuted and potentially get jail time for such a gamble.

    I'm sure such a threat is definitely going to stop the bad guys, so let's not worry about actual security. /s

    The people that should be prosecuted are the ones falling for such an obvious fraud. If you're in control of the .gov TLD and explicitly tell people to use the domain as a sign of legitimacy you are expected to know what you're doing and not be an idiot like the people currently running it.

rshnotsecure 6 years ago

I would also like to add signing up for an AWS Gov account was at least 12 months ago...a completely automated process where I was approved in no more than 15 mins. The account had a credit card but otherwise was 100% still in free tier mode, and in fact was being used by an open source team so it included ppl from around the world.

The CIA has stated multiple times in court documents (typically they have emerged in cases where the FBI attaché that all embassies have post-911 or someone similar is testifying) concerns about this and why they demanded and got “AWS secret”, a level higher than gov, that was opened in 2017.

Keep in mind though that many governments at state and local still use the TLD of “.us”. For instance Texas has widely used, until within the last year, “https:<subdomain>state.tx.us”. Many states have this legacy naming convention left over, and of course the restrictions are about as somewhat paper thin and avoided on .us as they are on .gov but more. There are changes in the works for this though.

More concerningly though is that the recent issue with the .org TLD clearly, and this can be proven in a straightforward manner, involves a group with unlimited funding by the People’s Liberation Army making this purchase. Ethos Capital is a joke of a firm. They’ve already sanitized the Google Search Results about them, which lol should be obvious when you realize they have taken out a Google Ad for “keypointsabout.org” when you Google them. The proof though is that if you look at court documents from 2015 you will find mention of a firm...SharkTech. Another front company that the PLA loans out from time to time to the Middle East and even as I recall Israel. Anyway as I’ve stated before in comments if you do the reverse Whois searches and dns subdomain enumeration you can find the trail back to No 31 Jin-rong Street. I’ve been asked before to write a post about this always elaborating and Christ I finally took out a domain https://blog.12security.com ... it has nothing on it but Jesus just look at the DNS records; it took forever to get that DMARC record to the strictest level involving no 3rd parties and also to split that DKIM key across 3 txt records...which you have to do sometimes for the 2048 keys.

EDIT: forgot to mention there is obviously a connection between SharkTech and Ethos Capital. That will be proven in the blog and it is on me and my very tardy credibility to do it :) look at http://dcsmanage.com out of Los Angeles though if you want to get a head start, and if anyone claims that’s a real IT firm...

  • authoritarian 6 years ago

    >I would also like to add signing up for an AWS Gov account was at least 12 months ago...a completely automated process where I was approved in no more than 15 mins. The account had a credit card but otherwise was 100% still in free tier mode, and in fact was being used by an open source team so it included ppl from around the world.

    Are you implying this is somehow an issue? Any US person is able to spin up a Govcloud environment, it isn't meant to be limited to only government agencies/organizations.

    I recently worked on a project where we created a govcloud for a non-government company that wanted a secure enclave for a subset of their data. It's certainly not a problem, and I'm not seeing how it relates to this article

  • justinclift 6 years ago

    If all the above is reasonably easy to verify, you might like to email Krebs about it for wider dissemination. ;)

  • dylz 6 years ago

    Sharktech/Nobistech is basically just Leaseweb, a VPS/dedicated server company. I don't believe it to be particularly linked.

    And "No 31 Jin-rong Street" is like multiple /8's worth of users, China's largest ISP.

iamleppert 6 years ago

Sounds to me like this researcher is going to be brought up on charges. Well deserved charges. We don’t know what he did with this domain before he contacted krebs. He very well could be covering his tracks and creating plausible deniability.

You break the law, you go to jail. Simple as that. They ought to make an example out of him.

  • Biganon 6 years ago

    "You break the law, you go to jail. Simple as that."

    This is laughably ignorant. It's absolutely not as simple as that, by chance.

  • saagarjha 6 years ago

    Surely everyone already knows what happens if you maliciously create a .gov domain? What would making an example of this security researcher do, other than have a chilling effect on the field as a whole?

  • dependenttypes 6 years ago

    > Well deserved charges

    Who was the victim?

  • ryanlol 6 years ago

    Is there a point you’re trying to make with this weird tirade?
