U.S. Homeland Security staff were unable to access DHS computer network because the security certificates expired

Originally published at: http://boingboing.net/2017/02/21/herpderpland-security.html

…

These folks are allowed to run around with scissors.

Gordelpus.

Hey, um, folks? This really isn’t rare, happens all the time. Even for companies that are really, REALLY good at IT, missing a certificate update on critical servers can cause some widespread issues. I speak from experience. I work at a research lab and we have an EXCELLENT IT department (I should know, they employ me), but we had some certificate issues just before Christmas and for three days running various systems were affected preventing people from logging into them. It started with VPN, which is critical around the holidays so folks can work remotely, then the problem was noticed in payroll, business software… even the trouble ticketing system the IT department used for tracking customer issues. Ouch. I was taking calls at 2:00 in the morning for critical outages, it wasn’t fun.

I’m going to have to give them a pass on this one, it happens.

These are the same people demanding social media passwords and phone lock PINs. They also note people’s passport info, maintain a no-fly list, and recently held a five-year-old for hours because he was considered a “terrorist threat”.

They also have some sort of passport history about everyone – I’ve been asked about business trips that didn’t take me through the US by US customs officials. So they’re getting info from other countries and storing it.

When you wield that kind of data and hold that kind of power, no, you don’t get a pass. This is not a corporate situation.

Agreed. If they can’t maintain their own network, they have no right demanding my social media passwords.

All of which are important things to point out and be worried about, but have nothing to do with this story. This is an internal issue with network access, not abusive behavior. It literally has nothing to do with whether they are corporate or a public organization and is a staple issue with server management. I can guarantee every organization, no matter their private or public functions, has dealt with this at one time or another.

This is one of those cases where folks are piling on and claiming all problems are part and parcel of the same issues. They aren’t. One is a crappy, ridiculous, ludicrous policy problem tied to an abuse white house administration. This is server management, and is a problem that afflicts every organization at one time or another because of the complexities of interconnected business systems and internal network and their security.

I feel for you on this one, since the holiday season is a horrible time for a cert to expire.The cert issuing system is still clunky and slow and cert issuers don’t give end-users adequate and timely reminders about expirations.

However, as an organisation focused on security, and national security at that, DHS doesn’t get a pass from me for not having their own house in order at the same time they demand that travellers follow security protocols which are sometimes of more dubious efficacy than SSL certs. I’d expect a security-focused org or company to have one or more staff whose job duties include keeping up a dedicated database of server assets and their certs and making sure that they’re updated in a timely manner.

Fair enough, I guess I can see that point and concede it. And in every organization, there needs to be WAY more spending on IT infrastructure and support so that problems like this don’t happen. But that’s been the case since I started twenty years ago, and I don’t see it ever changing. IT doesn’t “produce” anything, so it’s considered a drain on resources even if the need for security is paramount.

Nope, sorry. Government services which deal with sensitive information get held to a higher standard. And if they can’t manage their back end to a high enough standard, what they’re doing on the front end is impacted.

There’s also this thing called integration, which amounts to “you never get to say ‘not my department’”.

“Meh, it happens to everyone” is not a good response to security issues, and will land you in a lot of hot water just about everywhere I’ve worked in IT. This is one of the times where it’s totally correct to pile on. If the IT at DHS is worth a damn, they’re piling on themselves right now.

DC runs on the backs of non-partisan adminstrative people. I guarantee that the people responsible for renewing the certs under Trump are the same people who were responsible for it under Obama. It could just be an issue with the chaos that surrounds a change of administration.

otoh I feel more secure when DHS staffers are not able to access the vast data troughs the agencies collected over the years…

Good point, well made.

except the stupid typo in “trough”. sigh.

I’m really not going to criticize you on stupid typos.
Glass houses, and all that…

Lol. Look out for the same news around this time next year.

It seems equally likely that those people left the department during the transition (as many many civil servants have done, hoping to avoid a shark sandwich), and were not replaced quickly enough to prevent such an oops.

Don’t count on it. In the days just before the inauguration, there was a lot of grumbling by mid-level outgoing Obama people that they’d had almost zero contact from the transition team on getting up to speed on routine housekeeping and basic functions. There were predictions that you’d soon start seeing a lot of little things just not getting done - I suspect this is one of those cases. The consequences of this one don’t appear too serious, but that may not always be the case.