US Homeland Security Employees Locked Out of Computer Networks

Dustin Volz, reporting for Reuters: Some U.S. Department of Homeland Security employees in the Washington area and Philadelphia were unable to access some agency computer networks on Tuesday, according to three sources familiar with the matter. It was not clear how widespread the issue was or how significantly it affected daily functions at DHS, a large government agency whose responsibilities include immigration services, border security and cyber defense. In a statement, a DHS official confirmed a network outage that temporarily affected four U.S. Citizenship and Immigration Services (USCIS) facilities in the Washington area due to an "expired DHS certificate." Reuters first reported the incident earlier Tuesday, which a source familiar with the matter said also affected a USCIS facility in Philadelphia. Employees began experiencing problems logging into networks Tuesday morning due to a problem related to domain controllers, or servers that process authentication requests, which could not validate personal identity verification (PIV) cards used by federal workers and contractors to access certain information systems, according to the source.

Security focused

[Fire_Wraith]

DHS is the primary government agency responsible for protecting the country's civilian infrastructure, including the internet and computer networks. I feel so much better knowing that they're so good at keeping their own systems secure, that even their own workers can't access them.

Re:Security focused

What's so insecure about denying access due to an expired certificate? Isn't that an example of security measures working as expected?

Re:Security focused

Plot twist, the government doesn't manage their own networks anymore, for a while now they've been getting rid of military trained personnel and replacing them with civilian contractors.

Re:Security focused

>I feel so much better knowing that they're so good at keeping their own systems secure

Boy, you must have really been pleased then about that OPM hack in that started in 2014 and wasn't discovered until 2015 that compromised 22 million background check records.

Re:Security focused

Only one prob. The 'DHS' networks they are talking about are file & historical resource websites such as Timekeeping and SharePoint pages with historical files or forms. Not ICBM launch facility webpages.

And the big surprise, (for many), is these websites are contractor designed & maintained. Because the Gov can't seem to shake it's loyalty to Beltway Bandits- despite various talent in govs agencies who can design & maintain such databases.

So although your /sarcasm is probably excellent on other subjects, it falls flat here. To re-title the article it should be: "Contractors Responsible For Day To Day Resource Websites Drop The Ball Again, Yet Big-Gov Blamed Again".

Re:Security focused

[sycodon]

I work for one of the largest Defense companies in the nation. In the last year we have had two major network outages. One related to provider issues and the other related to firewall changes gone bad.

This shit happens. Creating/Managing/Upgrading huge networks like this a very complicated and delicate task.

Re:Security focused

[Notabadguy]

Plot twist, the government doesn't manage their own networks anymore, for a while now they've been getting rid of military trained personnel and replacing them with civilian contractors.

Keep in mind that Department of Homeland security != Military; the Department of Defense (military) is a separate department. And many DHS personnel are unskilled, uneducated workers. TSA and all the security theater is part of DHS. This news article is as special as "Exxon gas station cashiers locked out of computer network."

Baggage handlers, X-Ray viewers, clerks, and even janitorial staff proudly introduce themselves in public as "I'm with Homeland Security." It sounds a lot better than "I'm a baggage handler at the airport."

Re:Security focused

[freeze128]

Just because the security measures are EXPECTED to work that way, doesn't mean that they're good.

Re: Security focused

No, "I'm a baggage handler and I hate those bastards too." sounds much, much better.

Re:Security focused

Availability is a third of the information security triad (Confidentiality, Integrity, Availability). They should have had a plan in place and an alert being sent to a person or three to ensure the cert gets renewed or replaced.

Re:Security focused

[Streetlight]

Sounds like the ultimate in security - pull the plug.

Re:Security focused

[hambone142]

We're talking about government "workers". Perhaps they were upgrading their LGBTQRSTV skills or brushing up on break taking.

Re:Security focused

[Nunya666]

I work for one of the largest Defense companies in the nation. In the last year we have had two major network outages. One related to provider issues and the other related to firewall changes gone bad.

This shit happens. Creating/Managing/Upgrading huge networks like this a very complicated and delicate task.

Certificate management is not a complicated task. Expired certificates is an example of incompetence, not an example of "complicated shit that just happens". It should be somebody's job to manage those expiration dates, period.

Re:Security focused

"What's so insecure about denying access due to an expired certificate?"

Who the fuck ever said it was?

GP said "they're so good at keeping their own systems SECURE, that even their own workers can't access them."

Fuck you and your strawman.

Re:Security focused

[aaarrrgggh]

Replying to fix a fat-fingered mod.

Much like the most secure computer ever made: no drives, no network, no HMI, and no power supply.

Re:Security focused

[zugmeister]

Isn't that an example of security measures working as expected?

Security measures working properly is only good in the proper context.

Car analogy: Your alarm goes off and locks both your steering and brakes. This is good for anti-theft. This is bad if it happens as you're cruising down the freeway.

Re: Security focused

Nobody has the security clearance to authorize that! It's finger pointing all the way down.

Re:Security focused

>It should be somebody's job to manage those expiration dates, period.

Congratulations! Your comment has been nominated for the Most Fucking Obvious Statement of the Day award.

Re:Security focused

Plot twist, the government doesn't manage their own networks anymore, for a while now they've been getting rid of military trained personnel and replacing them with civilian contractors.

This is minor. I'm far more worried about all of Trump's political appointees, since he is apparently directing a purge of anyone who even smells disloyal, even if hired by one of his picks. That pretty much leaves you with:

1) Intelligent people who are sociopaths.
2) Stupid people that are easily led and believe the lies.
3) People that somehow have said nothing, and are patriotic enough to try to keep the country moving

Sociopaths in charge is never a good idea, yet I suppose many businesses manage to function. Being lead by the equivalent of Joseph Goebbels is definitely not a good thing though, so anything bad they do is likely to be magnified. The real danger is if they get an excuse to run wild like heaven forbid another 9/11. Stupid people are going to screw things up in general at that level, but then there was a lot of those that voted for trump, so we already know what damage they can do. Finally, in the case of #3, I'd tend to believe there will be more than enough in the other two categories to at least reduce their effectiveness.

Re:Security focused

[GeekBird]

On the systems I administer, we have an alert that checks the certificate expiration once a day, and alerts it plenty of time to get it renewed.

But a lot of people don't do that, they just mark it on a calendar somewhere, or expect the certificate issuer to notify them. For the latter, often the contact email is to a person no longer with the organization, or in a different role, so it is ignored. That's why my current $Employer insists that certificate emails go to an email list for a group, rather than just to one person.

It wouldn't be quite as funny if it wasn't so very common.

Re:Security focused

[dbIII]

I feel so much better knowing that they're so good at keeping their own systems secure, that even their own workers can't access them

Given some of the people working for them (eg. the TSA gropers) I actually would feel good about it, but not as good as if they slash that massive mall cop welfare program and have some sort of professional airport security instead. While they are at it they can get rid of the DHS guys who go around to toy shops and check if rubicks cubes are legit instead of knockoffs (now that was a weird story).

Re:Security focused

[dbIII]

It's an example of mismanagement and no proper procedures to keep the certificates up to date and an incredibly common failure. Even Microsoft had a very high profile failure of that kind not long ago.

Incompetence is someone not doing their allotted tasks.
Mismanagement is forgetting to allocate a required task to someone.

Re:Security focused

[ebvwfbw]

How can you? Sure, if you have just one machine or two it's no big deal. Suppose you have a modern government agency, a business of any real size, etc? You have the web site - no big deal, they just get a warning message. Then there are the Unix based systems that run ldap, san, well most everything. Blade centers for VMs and such. Then the lightweight stuff that feed the dumb people like the Windows domain controllers and such. Things that people don't use much. It's getting to be a real PIA to find all of these frickin' certificates! They aren't even on standard ports to find. We had a san certificate that had a 10 year life blow out recently because we hit the expiration date. Things came to a grinding halt. That one was by IBM and IBM doesn't even own it anymore.

It's a bitch. If you set it so it doesn't halt things, nobody cares. They'll use a decades old expired certificate - which BTW is almost certainly fine. Expire it and things come to a grinding halt, people can't get work done, sometimes people can't even get machines working to the point they can even fix it anytime soon.

I'm just waiting for something like this to happen to say an amusement park on opening day, right on the day some government agency spent a whole bunch of money to promote - say IRS tax day or something. Wouldn't it be hilarious if they have a big march and all the electronic equipment comes to a grinding halt because the certificate was generated in the morning 5 years before and that was the die by date. Just before the big deal.

Imagine self driving cars. Poof, you're really nice super Edison Roadster shuts down entirely and won't do a thing now because the Mr. Reactor has an expired certificate and you're in the Holland Tunnel into NYC. So are other Edison Roadsters all over town, all over the country!

Re:Security focused

[arglebargle_xiv]

Exactly. Certificate expiry is a CA billing mechanism to make sure you pay your dues every year. Claiming that a certificate that's fully secure at 11:59:59 is totally insecure at 12:00:01 just because the clock ticked is nonsense.

Told you!

This is why we need a WALL!!! Computers is for sissies.

Doing more with less..

[lionchild]

I think I'd like to take this opportunity to point out that this is what happens as we do more and more with IT on less and less staff. While I understand sometimes we think of IT as a cost-center and not a revenue generator, it probably needs to be thought of as more like a utility; because without the lights, water, phones...and internet, you can't do business very effectively these days.

That being said, this happens more and more. Someone is responsible for renewing certificates, but as we renew them for longer and longer periods, that means we simply start to forget about them. Then with the certificate issuer sends out an notification to that IT staffer who used to do that, but was 'right sized' a year and a half ago...no one gets the email. So, the certificate expires and this happens. Same song, different, louder verse, apparently when it happens to DHS, and likely more embarrassing.

Bottom line: Doing more with less, isn't always in everyone's best interest.

Re:Doing more with less..

Yup. In nearly 30 years of consulting on security with corporations large & small as well as State & Federal agencies I have seen no difference in the quality of the work based on organization but a huge difference in security if there is adequate staff that is properly authorized and trained.

My guess is this is a failed update or CA issue not a security one but that remains to be seen.

Re:Doing more with less..

[TechyImmigrant]

That being said, this happens more and more. Someone is responsible for renewing certificates, but as we renew them for longer and longer periods, that means we simply start to forget about them.

An alternative viewpoint is that this is one of the ludicrously bad failings of PKI. Requiring someone to remember to do an infrequent and short task at a point 1 or 2 years in the future, or the whole system collapses when they forget or leave or get booted. We could fix (I.E. delete and replace) PKI and this specific failure would not happen, so the overworked IT staff can go back to deploying Windows NT patches.

Re:Doing more with less..

While I don't at all disagree with your sentiment, the example is a bad one. If there was an IT guy who was downsized and he happened to use his email address (corporate or not) instead of an email forwarder pointed at his email address then the DHS was better off without him. Part of IT is thinking all the time "what if I were hit by a bus tomorrow" and planning for the long-term stability of the group employing you similarly in every action. Failure to do that is failure to do the job.

Re:Doing more with less..

[swb]

I think you're basically right, PKI implementations are horribly complex in practice and doubly (or more!) so with Windows.

It seems to get worse as certificate-based security gets added into products as defaults installations. As an example, Exchange 2016 installs a self-signed certificate by default which gets assigned to SMTP and IIS. The normal (spanning back several releases) process of adding and assigning a public certificate to services doesn't change the self-signed certificate assignment and use for the IIS Exchange Back-End site or for transport connectors.

I ran into these are problems recently with a customer who deleted the self-signed certificate after installing and assigning his public certificate. Bam, dead Exchange GUI -- had to re-bind the back-end Exchange site in IIS with the public certificate.

Another customer had "verify certificates" enabled on their spam service and when they switched SMTP delivery to the new server, the self-signed cert was still being used by the front-end receive connector. It took some kludgy, un-documented Powershell to force the connector to use the public certificate -- ie, the attribute has to be built as a compound variable using sub-attributes of the public certificate combined with some text, and then that variable assigned as the TlsCertificateName on the connector.

So even if you're trying to use certificates, application behavior and certificate selection is pretty opaque in many cases and can actually ignore specific certificate assignment options.

I won't even get into the management trainwreck that is Windows certificate server, with its 2003-era dialog boxes and management tools. In my mind at least, all of this could be modernized and made much simpler to manage, but the toolchain remains completely user-hostile.

Re:Doing more with less..

[Archangel+Michael]

There are several issues with most systems that require certificates to work correctly.

1) Certificates Expire, on a regular basis, have a plan to update them (Auto renew)
2) Notifications should be sent to a "group" email address, not an individual.
3) We have these things called "Calendars" use them
4) Documentation is key, even if 1-3 fail you should have a searchable document that has they dates listed for key events.

The problem is, nobody ever documents shit like this, because actual documentation process takes more time than actually doing the Cert updates.Except when you measure the failure to renew it in time.

Re:Doing more with less..

[EndlessNameless]

Requiring someone to remember to do an infrequent and short task at a point 1 or 2 years in the future

Bullshit.

I could write a PowerShell script in maybe 10 minutes that will list all of the computers in the domain, connect to them, and check for expiring certificates. I can get a reminder in advance---90 days, 30 days, a week, whatever I want. All I have to do is one thing: understand my job.

Alternatively, some tools (like Nessus, which is FOSS) have audits which automatically check for expiring certificates. They can be configured to email a report, and you can notified every day/week/month if you have expiring certs.

This is a stupid, incompetent failure. You can build or buy a tool to avoid this problem very easily. Compared to using passwords, the only reasonable complaint is that you require decent sys admins.

Re:Doing more with less..

[Joe_Dragon]

what about something like certteam@gov.org get's lost in a resizing / outsourcing and is no longer tied to anyone and then the renew cert emails go no where?

Re:Doing more with less..

[swb]

Why aren't these tools built in, though?

IMHO, PKI on Windows is problematic less because PKI is complex but more because the in-built tools suck or are non-existent.

Most IT admins are oversubscribed enough that writing that Powershell script or putting together the third party tools for certificate expiration won't happen, especially when you consider for most organizations the number of certificates that matter is relatively small.

I will grant an exception for Homeland Security, though, as any organization using PKI to that extent ought to have an entire team responsible for managing it, which means they would have the time/tools/experience to deal with it.

Re:Doing more with less..

I was just going to post exactly this, having written such a PowerShell script myself a few months ago.

If your job includes monitoring the security of any number of systems, that needs to include certificates. If you're not going to "remember" when certificates are due to be replaced, then you're still responsible for making sure there's something in place that sends you the notifications ahead of time.

Re:Doing more with less..

> Why aren't these tools built in, though?

Because if they were, people would be complaining about the bloat and that such monitoring isn't something an operating system should be responsible for.

Re:Doing more with less..

They don't complain now? Really? People complaining about something has stopped them before?

Re:Doing more with less..

Sounds like you need to take an exchange class. There's IMAP, POP, SMTP, transport hub, client access, maiblox, and IIS, just as requirements to make the whole show work. If you switch a cert on some but not all dependent connections, you are going to have a bad time.

Learn how your system works and it makes sense. Go unprepared and the "application behavior and certificate section is pretty opaque", but only for you.

Re:Doing more with less..

[Attila+Dimedici]

OK, so you have written such scripts to notify you. Now the company decides they do not need you any more. Are you going to rewrite those scripts to notify someone else? Or even bother to mention to someone that they should do so?

Or the other scenario where you get another job midway between renewals (when you have not had a notification in several months). Will you remember to change who gets notified? Will you remember to tell someone? When you remember 3-6 months later that you would be getting notifications about now, will you call your old employer to let someone know the notifications were never changed?

In a lot of companies, certificate renewal becomes someone's job because they are in the right place at the right time to handle it and everyone else forgets that it even happens until something goes wrong. If nothing goes wrong for several years, no one, except the guy who handles it, remembers that it even happens. This happens with a lot of tasks, and is my biggest fear whenever someone leaves our IT Department: what minor tasks were they doing that they were doing so well we all forgot about them?

It has been great at my current job, only one of the people in our IT Department who was here long enough to do anything everyone would forget about who subsequently left was good enough at it for people to forget...that one person only left because they became suddenly ill and died. Dealing with their absence has been a mess.

Re:Doing more with less..

[thegarbz]

Requiring someone to remember

Requiring someone to remember to do something is not a bad failing of PKI.

It's a bad failing of organisational systems that are supposed to catch this.
It's a bad failing of automation systems which could remove the task.
It's a bad failing of management systems that ensure the task is complete before it becomes an issue and flag it for appropriate response.

Re:Doing more with less..

[Rastl]

Requiring someone to remember to do an infrequent and short task at a point 1 or 2 years in the future

Bullshit.

I could write a PowerShell script in maybe 10 minutes that will list all of the computers in the domain, connect to them, and check for expiring certificates. I can get a reminder in advance---90 days, 30 days, a week, whatever I want. All I have to do is one thing: understand my job.

Alternatively, some tools (like Nessus, which is FOSS) have audits which automatically check for expiring certificates. They can be configured to email a report, and you can notified every day/week/month if you have expiring certs.

This is a stupid, incompetent failure. You can build or buy a tool to avoid this problem very easily. Compared to using passwords, the only reasonable complaint is that you require decent sys admins.

You forgot the part where you were part of a RIF 18 months ago and now your script points to an email address that no longer works. Good on you for automating it but it still takes coordination and adequate staffing to make it happen.

Instead of bragging about how great you are maybe you could look at the challenges of managing a huge infrastructure and see how some things - important things - can be overlooked because someone 'just made it happen', didn't document it, tied it to their personal account, and then is no longer there.

Re: Doing more with less..

this is why *team* mailboxes exist

Re: Doing more with less..

Hell, there's default ones installed on many email server suites. This whole thread is filled with slashdot veterans that apparently do not know how to run an IT department. PKI is not complex if you know how it works. Automation, emails, and organizational administration is even easier. Disappointment is the theme today,

Re:Doing more with less..

[lgw]

Terrible management if that happens. No doubt that's the case here.

Any big network has a dedicated monitoring system with all sorts of plug-ins. Certificate monitoring is just another plug-in. You (if competent) write the plug-in once, and the notification is just the normal for the whole system. You (if good) write a system to auto-renew all your certs based on these scans and notifications, and alarm if the auto-renew fails for long enough..

We had a team that did that where I work. It was particularly amusing when that team's certs all expired - they had chosen to leave themselves out of their own system, for some reason.

Re:Doing more with less..

[GeekBird]

Terrible management if that happens. No doubt that's the case here.

Any big network has a dedicated monitoring system with all sorts of plug-ins. Certificate monitoring is just another plug-in. You (if competent) write the plug-in once, and the notification is just the normal for the whole system. You (if good) write a system to auto-renew all your certs based on these scans and notifications, and alarm if the auto-renew fails for long enough..

We had a team that did that where I work. It was particularly amusing when that team's certs all expired - they had chosen to leave themselves out of their own system, for some reason.

I've written plugins like that.

What gets bad is the alert goes off, and says you have 90 days to renew. Having no power to spend money, you dutifully route a request for a renewal to be paid for. It goes back and forth to accounting for a couple months asking for justifications for the (trivial) expense because no one will give the operations people a p-card or budget. Finally, if you are lucky, a P.O. is issued (for a trivial amount), and you can buy a new certificate before the old one expires. If not, it expires, everyone bitches and calls you incompetent, and all you can do is point to the three month old purchase request and say "We tried to do the needful". Then you are first in the next round of layoffs because of "incompetence" and having embarrassed the bean counters.

Re:Doing more with less..

[dbIII]

Yes the task is not difficult.
However very frequently nobody has been assigned to do the task.

I'm in a small place and can feel smug due to stuff like certwatch notifiying multiple people, but in large places with poor management tasks fall between the cracks. "I thought X was going to do it" is a frequent cry in large barely functional shambolic orgs where execs spend more time golfing than managing, hence the DHS getting hit with this.

Re:Doing more with less..

[dbIII]

OK, so you have written such scripts to notify you. Now the company decides they do not need you any more. Are you going to rewrite those scripts to notify someone else?

In the *nix world you send it to root, postmaster or whatever - a role not a person, so that the next person in the role gets the notifications. That's assuming a real mail server someone and not an enormous flaky suite that tells you to Exchange it for something more reliable.

Re:Doing more with less..

[lionchild]

Additionally, all of the above isn't overly helpful (except maybe the group email address), if you start outsourcing whole departments. Even if if you document things, the chances are there will be some things, like this, lost in translation.

However, you're right, they're generally effective steps to mitigate this issue. Especially number 1, if your credit card info never expires. :-)

Re:Doing more with less..

[EndlessNameless]

OK, so you have written such scripts to notify you. Now the company decides they do not need you any more. Are you going to rewrite those scripts to notify someone else? Or even bother to mention to someone that they should do so?

Shouldn't be a problem.

1. The script and its purpose should be documented. Another admin should be able to update it as needed.

2. The output can be emailed or dumped to a file share. Virtually every mail servers supports lists, so the list (or the file share ACL) would just need to be updated.

In a lot of companies, certificate renewal becomes someone's job because they are in the right place at the right time to handle it and everyone else forgets that it even happens until something goes wrong.

First, this "problem" does nothing to change the fact that 2FA is far more secure than passwords.

Second, this is the result of poor management. Any process can become failure-prone in the face of poor management. You need some ITIL training (or equivalent).

It takes a lot of effort to become a well-run organization, but it is totally worth it.

Dealing with their absence has been a mess.

Entirely avoidable. But it requires discipline from the organization.

1. Poorly-defined processes.

2. Lack of documentation.

3. Lack of personnel depth (aka, cross-training---if you need redundant servers then you also need redundant skill sets)

4. Poor change control (his solo fixes should have been discussed and understood by management and the team)

Re:Doing more with less..

[EndlessNameless]

Having no power to spend money, you dutifully route a request for a renewal to be paid for. It goes back and forth to accounting for a couple months asking for justifications for the (trivial) expense because no one will give the operations people a p-card or budget.

While it's usually bad to exaggerate, you don't need to.

The justification should mention that the entire corporate network will become unstable or unavailable if this procurement is not completed by the deadline, which should be at least a few days ahead of the actual expiration date.

Ideally, the IT management hierarchy will understand and push it through. If not, they should at least be capable of understanding the necessity when their experts start barking about the importance of such a minor purchase.

And if it takes an organization 100 days to procure things, then the staff should begin a critical procurement at least 120 days in advance. The alerts are useless if they do not allow time to respond.

Re:Doing more with less..

[EndlessNameless]

Why aren't these tools built in, though?

PowerShell is a very powerful tool, and it is built in. But that's not what you meant.

There are two ways to get it from the vendor. You pay in cash or labor.

Microsoft is happy to sell you SCOM, which is their network management dashboard (among other things). Very useful in a Windows-dominated environment, but there are better third-party options for shops with Linux and Mac systems.

Unless you're talking about the lowest tier of admins, scripting is part of the job. I cannot understand how people function without CLI literacy. The number of repetitive tasks would be mind-numbing.

I have no problem going to management saying "you can pay $XX thousand per year for operations management software, or I can spend a couple days writing and testing a script." I am perfectly happy offering a cheaper alternative that adds to my credibility and value. Always expand your expertise and share with your team if you have the chance.

Re:Doing more with less..

[TechyImmigrant]

Nope it's a bad failing of PKI. Writing a spec that takes something computers do well and humans to badly and handing it over to the humans.

Not everybody has an IT department. Do you think they should not benefit from communication security because they don't fit the PKI model well.

Re:Doing more with less..

[swb]

I like the idea, but I find it clashes with reality too often.

Management wants everything for free, SCOM they won't pay for and scripting is seen variously as a kind of technological masturbation and time wasting or the creation of unmanageable spaghetti.

Re:Doing more with less..

[swb]

That's kind of bullshit, really, because the enable-exchangecertificate -services flag specifies specific services in an umbrella manner (eg, IIS, SMTP, etc) and neither it nor its official documentation explains that assigning a certificate to these services *won't* actually use this certificate.

Ie, the -services iis flag will get your assigned cert for OWA/ActiveSync/OA with IIS, but the Backend site will hang onto the self-signed cert at installation, as will hub transport SMTP. And it's poorly documented at best and NOT mentioned in the enable-exchangecertificate documentation in addition to running counter to past version behavior.

But the larger problem is that Exchange on premise is rapidly become a spaghetti mess of code written mostly for O365 hosting and cut-down and neutered for sites not quite ready to pay 3 to 5 times as much for hosted Exchange. The documentation blows, which is magnified as more and more configuration melts into a maze of Powershell commands.

I predict that by Exchange 2019 or whatever the next version is that MS will have reduced the documentation and ease of management so much that only sites large enough to support dedicated exchange teams (and access to high-level support) will even be able to run it on premise.

Re:Doing more with less..

[thegarbz]

Writing a spec that takes something computers do well and humans to badly and handing it over to the humans.

The spec has done no such thing.

Re:Doing more with less..

[TechyImmigrant]

Writing a spec that takes something computers do well and humans to badly and handing it over to the humans.

The spec has done no such thing.

Show me where in any X.509/PKI/Application auth related spec it solves the automated continuity problem.
   

Re:Doing more with less..

[thegarbz]

If you can do it with a person and you don't need someone to manually verify something, then it can be automated. PKI specs do not prevent you from doing that.

Re:Doing more with less..

[TechyImmigrant]

But the CA model certainly does.

Stop the presses! Someone in IT fucked up!

The source characterized the issue as one stemming from relatively benign information technology missteps and a failure to ensure network redundancy. There was no evidence of foul play, the source said, adding that it appeared the domain controller credentials had expired on Monday when offices were closed for the federal Presidents Day holiday.

Why did this story need 3 anonymous sources? Jeezus. Hell, why did this story need to be posted at all?

 

Re:Stop the presses! Someone in IT fucked up!

Why did this story need 3 anonymous sources? Jeezus. Hell, why did this story need to be posted at all?

To give Slashdot liberals an excuse to spew their anti-Trump administration diatribes, of course.

Re:Stop the presses! Someone in IT fucked up!

[__aaclcg7560]

Journalists need a minimum of two anonymous sources to report something as factual to the public. Three anonymous sources is probably CYA from a #FakeNews accusation.

Re:Stop the presses! Someone in IT fucked up!

Journalists need a minimum of two anonymous sources to report something as factual to the public. Three anonymous sources is probably CYA from a #FakeNews accusation.

What color is the sky on THAT planet?

Re:Stop the presses! Someone in IT fucked up!

Obviously the more anonymous sources for a story, the more credible it is.

Re:Stop the presses! Someone in IT fucked up!

[barbariccow]

If I'm one anonymous source... I'm a thousand.

Re:Stop the presses! Someone in IT fucked up!

[fahrbot-bot]

Journalists need a minimum of two anonymous sources to report something as factual to the public. Three anonymous sources is probably CYA from a #FakeNews accusation.

On the other hand, what's the standard for getting #RealNews from our new administration? Seems the more sources they provide, the less "real" their news and facts are. Hmm... Let me do some math... Maybe zero administration sources are needed.

Re:Stop the presses! Someone in IT fucked up!

[__aaclcg7560]

Maybe zero administration sources are needed.

The current administration is leaking like the Titanic while everyone is too busy rearranging the deck chairs in the Oval Office.

Re:Stop the presses! Someone in IT fucked up!

[Archangel+Michael]

All News is fake depending on who is reporting and who is the reader/viewer.

Kind of like "Planned Parenthood doesn't use public funding for abortion services". Technically "accurate", but really not even close to being accurate.

A woman comes in for an abortion, but gets six other "tests" and diagnostics done. Pregancy test, Pap smear .... etc. All those other "tests" are paid for by government money, none of which are part of the actual "abortion" procedure. Since that Planned Parenthood clinic provides mostly abortion related services, they are "government funded" and would fold if they didn't get any other funding. They subsidize the Abortion with federal monies, using loopholes.

Technically it is "true" that PP doesn't use federal dollars for "abortion". Realistically it is fully subsidized procedure using loopholes. Both sides are considered "alternative facts" by the other side. And the reason we can't have civil discourse about anything any more.

And watch this get modded "Troll" since I used the inflammatory "Planned Parenthood / Abortion" example by people who can't actually debate the actual topic.

Re:Stop the presses! Someone in IT fucked up!

[__aaclcg7560]

If I'm one anonymous source... I'm a thousand.

That may work for Fox News. Real journalists care about their reputation. If they ever get into court and have to reveal their sources, it would be awfully embarrassing that a thousand anonymous sources turned out to be one person.

Re:Stop the presses! Someone in IT fucked up!

Like his Sweden comment that the press pissed all over themselves telling me he had no clue what he was talking about and made it up?

There was a riot in Sweden yesterday, setting a city on fire, started by refugees, in an area designated by the local police as a "no-go area".

Yea, Trump is making stuff up so bad he is once again correct when all news outlets told me he was lying.

Re:Stop the presses! Someone in IT fucked up!

[barbariccow]

For me, at least, there's a difference between "anonymous" and "name not released" or "redacted." Like if I make an anonymous tip, it's different than if I make a tip on the condition of anonymity. It's generally reported on differently too when they list the source. Maybe I'm just trusting the summary writer in their use of terms too much though; this is slashdot after all.. you wouldn't actually expect me to verify the summary with TFA would you??

Re:Stop the presses! Someone in IT fucked up!

[fahrbot-bot]

And watch this get modded "Troll" since I used the inflammatory "Planned Parenthood / Abortion" example by people who can't actually debate the actual topic.

I don't know enough to discuss the example you provided, but can offer that the funding/expense for Planned Parenthood is probably more complicated than what you proposed and certainly open to skewed interpretation (especially by those opposed to their services -- specifically and, apparently, as a whole) as described by this article from Fact Check: http://www.factcheck.org/2015/...

Re:Stop the presses! Someone in IT fucked up!

[__aaclcg7560]

Maybe I'm just trusting the summary writer in their use of terms too much though; this is slashdot after all.. you wouldn't actually expect me to verify the summary with TFA would you??

One time I submitted an manuscript to a magazine. When the magazine was published, I've noticed many errors in every piece. When I asked the editor about all the errors, his response killed me: "An editor doesn't edit."

I never did find out what an editor does if he doesn't edit.

Re:Stop the presses! Someone in IT fucked up!

[__aaclcg7560]

There was a riot in Sweden yesterday, setting a city on fire, started by refugees, in an area designated by the local police as a "no-go area".

That took place after Trump's "last night in Sweden" speech. What Trump may have been referring to was something he saw on Fox News. If it was on Fox News, it must obviously be true. Unfortunately, Fox News is not an accurate news source.

Re:Stop the presses! Someone in IT fucked up!

[Fire_Wraith]

First, you shouldn't be surprised if you get modded Troll for deliberately using a flamebait/trolling example that is wholly unrelated to the topic.

Second, you're deliberately confusing the issue. If I operate a business, and I sell pork products, and you buy a steak from me, you're not paying for pork, no matter how much you scream about marginal costs and fungible funds.

Third, you're creating a strawman argument, because Planned Parenthood does not primarily provide abortion services, attempts to play cute with the numbers aside. At most the number of PP patients who received an abortion was 12% of the total, and that's assuming none had more than 1.
Reference: http://www.factcheck.org/2015/...

Re:Stop the presses! Someone in IT fucked up!

And the repeat of the complete idiocy of the left. Only this time you were TOLD about it, but were so fucking stupid you repeated the invalid talking points anyways. Do people on the left ever think for themselves?

Trump refers to problems with refugees in Sweden. Press has a fit that its not true. Refugees in Sweden riot setting a city on fire. I POINT it out. creimer comes along and says Trump lied.
That is the series of events that just happened. Even when it is OBVIOUS liberals are lying they continue to lie, they just can't help themselves.

Re:Stop the presses! Someone in IT fucked up!

[__aaclcg7560]

Do people on the left ever think for themselves?

I'm a moderate conservative. I DON'T SUPPORT TRUMP!

Re:Stop the presses! Someone in IT fucked up!

Sure, thats why you lie to support Planned Parenthood, lie to smear Trump, and then threaten to shoot people.

Moderate indeed. Lie #3 from you just today.

Re:Stop the presses! Someone in IT fucked up!

[__aaclcg7560]

Sure, thats why you lie to support Planned Parenthood, lie to smear Trump, and then threaten to shoot people.

Where in my comment did I threaten to shoot people?

Moderate indeed. Lie #3 from you just today.

Calling me a liar doesn't change the fact that you're wrong.

Re:Stop the presses! Someone in IT fucked up!

[Archangel+Michael]

1) Yeah, which is why I did it. Inflamatory subject using rational thought. Imagine that.

2) If you ran a Hamburger Restaurant and said that you're not a "Hamburger" place because only 33% of your business was "Hamburgers", would you be telling the truth, or telling a lie?

You sell Hamburger, fries, and a soda, and count that as 1/3, 1/3, 1/3 you'd technically be correct. But everyone in the world would understand that you're in the "hamburger" business. Right?

3) So, yeah, Abortion procedure itself is only 12%. Technically correct using the metric as applied by PP, which is VERY similar to how I explained above. How about you ask the question differently. How many people visiting PP are there to get an abortion vs "other" services they offer. BTW, those "other" services are fairly limited to .... being an abortion provider.

They claim to be "women's health" but they do not offer Prenatal anything ... except abortion. They don't offer Mammograms like they continue to claim (as in NONE). They don't do .... a whole lot of things related to "women's health". (Fact Check article is technically correct: Lies, Damn Lies and Statistics)

BUT I have an idea, I've suggested a number of times. Planned Parenthood can keep all the funding it gets now, if they stop providing abortion or referrals for abortion. Lets see how much of their Business is Abortion. I'll bet it is like a Hamburger shop not being able to actually sell burgers. Just fries, cokes .... And yes, this would settle the case, once and for all. Their primary business is abortion. They can't exist without it.

Re:Stop the presses! Someone in IT fucked up!

[lgw]

Real journalists care about their reputation.

Nice one! Of course, actual journalists threw all that overboard in a desperate attempt to get the Right Person elected. Lost both credibility and the election.

Journalism has been "fiction inspired by true events" for decades, maybe forever. Journalists believe their job is telling the peasants what to think. The truth is one of many tools for that job.

Re:Stop the presses! Someone in IT fucked up!

You have a rich fantasy life, you've been drinking so much pro-birth Koolaide.

A large number of people get birth control, std screening and pap smears from PP. This includes people who have never had or sought abortions.

They handle men's and women's health care, and yes, that includes prenatal care: https://www.plannedparenthood....

Not all PP locations provide abortion services, either.

The depth of your ignorance is astounding, actually. The fact remains, abortion is a legal health care service, regardless of what religious fanatics that want to enslave women to being hosts for the sacred fetus think.

If someonecan't force you to give blood, marrow or a kidney to save their life, then you can't force a woman to be a life support system for a fetus.

Re:Stop the presses! Someone in IT fucked up!

[__aaclcg7560]

Of course, actual journalists threw all that overboard in a desperate attempt to get the Right Person elected.

The media got the person that they wanted for POTUS: Donald J. Trump. His administration will make Nixon and Reagan look like amateurs in terms of scandals, indictments and prison sentences.

Journalism has been "fiction inspired by true events" for decades, maybe forever.

Creative non-fiction. People don't want facts, they want a story (or, in today's political discourse, a narrative).

Re:Stop the presses! Someone in IT fucked up!

[GeekBird]

Link or it is just more right wing fake news

Re:Stop the presses! Someone in IT fucked up!

[dbIII]

What Trump may have been referring to was something he saw on Fox News

There's no point trying to find out a reason for one of Trumps lies. By the time you've done it there's a new one, so it's best to judge the "biggest electoral college winner" on what he does instead of what he says. That's kind of hard to do since he's been all talk and no action for most of his life, but it's all we can do.

Re:Stop the presses! Someone in IT fucked up!

This Comment that you posted just a little while ago, so I'm not sure how you forgot that you threatened to shoot me.

You have deep psychological problems.

Re:Stop the presses! Someone in IT fucked up!

[__aaclcg7560]

This Comment that you posted just a little while ago, so I'm not sure how you forgot that you threatened to shoot me.

Let's look at that comment: "I'm going to exercise my 1st and 2nd Amendment rights. Don't like it? Fuck off."

Where exactly in THIS COMMENT did I threaten to shoot you? Note that the word "shoot" doesn't appear in the comment.

You have deep psychological problems.

I'm not the one that needs help.

Re:Stop the presses! Someone in IT fucked up!

[__aaclcg7560]

There's no point trying to find out a reason for one of Trumps lies.

I find it more fun to push the buttons of trump supporters, watch them go from aggressor ("You lie!") to victim ("You threaten to shoot me!").

Re:Stop the presses! Someone in IT fucked up!

[Archangel+Michael]

I'll give you one example of how "marketing" doesn't equal "services". Your linked page, regarding Prenatal care, can you show me where they announce they actually provide prenatal services? The page is nothing more than a wikipedia type page on Prenatal care. I could put the same page up on a personal blog, in its entirety, and would that mean I am actually providing prenatal care? NOPE.

Thanks for trying, but you're believing the hype and not the reality.

Re:Stop the presses! Someone in IT fucked up!

Only if you consider "Birth Control" or "Planning" or related services to the not-yet-pregnant as preemptive Abortions. Then you'd kinda sorta be technically correct.

Re:Stop the presses! Someone in IT fucked up!

[dbIII]

Considering how incredibly politically naive most of them are (they are certainly in for a few shocks and a feeling of betrayal) that's going to get as old as picking on Nixon apologists was.

Re:Stop the presses! Someone in IT fucked up!

[Archangel+Michael]

Yes, they do provide birth control. I never said they didn't. You can even get condoms there, does that mean they can claim they are a male health care provider like they claim they are a "women's healthcare provider" because they perform abortions and give out birth control?

To me, a woman's health center would be more concerned about actual health of women. Abortion is very hard on a woman's body, and there is plenty of documented studies that show this. Not that PP would ever tell you the long term risks of abortion on women.

Re:Stop the presses! Someone in IT fucked up!

[michael_wojcik]

And watch this get modded "Troll" since blah blah blah I'm so fucking daring.

Sigh. The "call me a troll" prolepsis was a tired, trite cliche on Usenet in 1990.

Eternal September remains eternal.

A problem that is easily fixated

[DickBreath]

No big worry if it is merely an expired certificate. Merely incompetence. An ordinary thing that is to be expected.

It would have been a bigger concern if, for security reasons, the president had ordered all passwords changed to the same code used on the president's luggage.

Re:A problem that is easily fixated

Not a big deal until you realize that anyone that knew anything about certificates and the request/renewal process was downsized last year. OOPS.

Re:A problem that is easily fixated

[XxtraLarGe]

12345?

Too Hard

"expired DHS certificate."

Cryptography is too hard technology for human organizations meant to enhance the social status of the members.

Re:Too Hard

[__aaclcg7560]

The new version of PHP should fix that problem.

https://developers.slashdot.org/story/17/02/21/2039256/php-becomes-first-programming-language-to-add-modern-cryptography-library-in-its-core

Re:NOT NEWS!

[NatasRevol]

It's Wednesday. The issue happened on Tuesday.

So, how did it come out 'TWO DAYS AGO'?

Mmmmh

[nospam007]

Another Trump IT nominee on his first day in the job?

Same Problem different Cause

The contract to support the network is sent out for rebid and the winning contractor sees the position responsible for managing certificates as a cost-savings "opportunity" and eliminates the position or combines it with another task and now no one is responsible for the task or the guy that knew how/when the certificates needed to be renewed got too expensive so the position was filled with a newbie with not experience.

Re:Same Problem different Cause

[GeekBird]

The contract to support the network is sent out for rebid and the winning contractor sees the position responsible for managing certificates as a cost-savings "opportunity" and eliminates the position or combines it with another task and now no one is responsible for the task or the guy that knew how/when the certificates needed to be renewed got too expensive so the position was filled with a newbie with no experience.

Yep. That happens all too often in accountant managed companies.

Half of the real reason that tech outfit like to hire young RCGs and recent immigrants is that they cost much less than anyone with even 5 years of experience, much less 25 years. This is why most software sucks.

Re:NOT NEWS!

Tuesday at 00:00, to Wednesday at 23:59 for all intents and purposes is 2 days.

GOOD!

[Gravis+Zero]

That's how expired certificates are supposed to work!

Re: GOOD!

Sure, but it's not how IT is supposed to work.

A strength, not a failing.

If you are concerned with ACTUAL security, then certifications SHOULD be changing not more than every 2 years, ideally with changes in ciphers as often as replacement ciphers are proven as/more secure.

RSA is getting long in the tooth, the current popular ECC ciphers are likely backdoored or soon to be cost effectively crackable.

PKI was designed with certificate lifetimes taking these sorts of situations into account. Nobody wants a certificate that is still around in 20 years and completely useless for securing authentication and interaction over hostile communication links, which all links should be assumed today.

Cert expiration == not a surprising cause

[ErichTheRed]

The interesting part of the article isn't about who is affected, but the "certificate expiration" aspect. I've recently started doing the legwork necessary to learn about public key infrastructure (for our company's internal consumption) and have found that there are 3 prevalent camps out there:
- Developers who just say "here's my credit card, VeriSign, make my customers' browser address bars turn green."
- Admins who get just enough of a PKI background to make the certificate errors go away, then run away screaming -- or worse yet, had it implemented a decade ago by a consultant and have NO CLUE how it works or how to fix it
- Auditors who just say "lock icon, green browser windows, check. Congrats, you're PCI compliant."

For something so critical like certificates, there really is a dearth of resources out there that isn't aimed at hardcore security programmers or one of these three groups. Cert expirations have figured prominently in many outages -- Azure had a partial outage a few years ago because of that very reason. I'm seriously considering writing a "PKI for non-dummies" series of blog posts or something because the amount of misinformation out there is scary!

Re:Cert expiration == not a surprising cause

[Scarred+Intellect]

I'm seriously considering writing a "PKI for non-dummies" series of blog posts or something because the amount of misinformation out there is scary!

Please do. I'm going to have to start learning about this pretty soon for a project I'm working on. I've avoided it up to this point by Googling and clicking boxes and trying and knowing JUST ENOUGH to scrape by and expand existing infrastructure...

Re:Cert expiration == not a surprising cause

[aaarrrgggh]

There really is plenty of good documentation out there, and it isn't that hard to manage. The real problem is category 2 and its permutations-- oh, they expire!, what is a CRL!, or where is the offline root certificate stored!?

The main issue I have is effectively planning, compartmentalization, and execution to ensure a multi-level PKI system is effective and maintainable. It stops me each time I go to set up PKI for our VPN or phone system or ...anything else. A poorly planned system can make things worse.

No problem

[PPH]

Just call Sandeep in the IT department and have him fix .......

Uh, oh.

Re:NOT NEWS!

[K.+S.+Kyosuke]

No way! The Shuttle DISINTEGRATED?

Re:NOT NEWS!

[TWX]

Space Shuttle Challenger DISINTEGRATES in the upper atmosphere. Several ASTRONAUTS without parachutes are DEAD.

Did you write UNIX fortune entries back in the day? This is formatted just like a lot of them...

Some apps need to have the certs installed into th

[Joe_Dragon]

Some apps need to have the certs installed into them even with LDAP stuff each app may need the LDAP keys installed to it's own key store for it to be able to ldap login's.

Check the boss's pc.

[samspock]

I would be very funny to check Trumps laptop to see something like "Your files have been encryped. Send 2 million bitcoins if you ever want to see them again" It's always the boss that does this.

Nothing to worry about

[93+Escort+Wagon]

Giuliani was just converting all the servers to a five-year-old version of Joomla.

Re:Nothing to worry about

[Bob+the+Super+Hamste]

Giuliani was just converting all the servers to a five-year-old version of Joomla.

So a massive modernization then.

First Rule of IT

[IWantMoreSpamPlease]

Always install a backdoor.

For times like this.... ...and for "other" times, as needed.

Re:First Rule of IT

Definitely this, assuming it is approved by management, documented, and secure.

That is what you meant, right?

Mammograms

When asked, under oath, by Congress how many mammogram machines PP operated, they gave an answer. Remember, PP is always touting how they give breast cancer screenings to women, and it is usually the FIRST thing they bring up for why they should continue to be funded, because it is so important.

The answer they gave Congress under oath... ZERO.

That's right, PP has not performed a SINGLE breast cancer screening, despite it being the first thing they list every time funding is threatened from them.

Re:Mammograms

[__aaclcg7560]

That's right, PP has not performed a SINGLE breast cancer screening, despite it being the first thing they list every time funding is threatened from them.

Planned Parenthood does clinical breast exams and make referrals for mammograms if warranted. Interestingly enough, its the group's supporters who talk about mammograms all the time.

https://www.washingtonpost.com/news/fact-checker/wp/2015/10/02/the-repeated-misleading-claim-that-planned-parenthood-provides-mammograms/

Re:Mammograms

You do realize that there are other methods of screening for cancer, yes?

Re:Mammograms

And the SECOND lie by creimer in the SAME story AFTER it was pointed out to him.

PP claims they do cancer screening for breast cancer using mammograms. I point out they LIED about it and had to tell the truth when under oath to Congress, due to possible jail sentences for lying. creimer comes along and tells me they refer people for mammograms elsewhere and implies I lied.

PP has ZERO mammogram machines. As for the other idiot who says there are clinical tests, I'll let you guess what the next step is if they find anything questionable... its not jump to surgery.

What is your problem creimer? Is it just not possible for you to tell the truth? You would be better served just shutting up at this point.

Re:Mammograms

[__aaclcg7560]

You would be better served just shutting up at this point.

I'm going to exercise my 1st and 2nd Amendment rights. Don't like it? Fuck off.

Re:NOT NEWS!

[NatasRevol]

Given that a) the 00:00 wasn't part of the story, and b) 23:59 hasn't happened yet in the affected area, c) what the fuck are you on about?

Re:NOT NEWS!

[TheGratefulNet]

timecube guy.

4 simultaneous days.

something along those line. details are unimportant.

Another Windows Fuckup

Why are we surprised?

PKI can be very touchy.

I'm actually surprised they require it on some systems that are completely within a locked enclosure, on a military base -- the risk of someone goofing up a couple of certs and bringing the thing down for a day is pretty high compared to the risk of somene sneaking i and connecting a network monitorig plug to the fiber links. Seems like a mistake to me.

Makes Sense actually

Usually, when one is caught doing illegal acts on the network, one gets locked out before they even call you up to the office!

Told you to pay that bill

[WillAffleckUW]

Next time listen

Re:

concordo plenamente.

http://www.comocomprarcarrocomdesconto.com

Re:NOT NEWS!

[Hylandr]

I think it's that new quantum time all those research dollars went into finally being put to work.