Bonum Certa Men Certa
Links 10/12/2022: KDE Development Report and More Gemini Browsers Coming | [Meme] Superheros Don't Need No Stinkin' Updates

Sirius Open SORES: There's a Lot More to Security and Privacy Than Namedropping (e.g. 'ISO' and 'GDPR')

Sirius certificate

Summary: In Sirius ‘Open Source’, neither Open Source nor security got taken seriously enough. Siriusly! And one cannot point this out to managers as this infuriates them (it harms a false perception they've long cultivated).

TODAY we turn our attention to bad security practices, including poor privacy and unbridled outsourcing of Sirius. There will be numerous parts about these aspects and we'll provide some examples in the future when dealing with proprietary software, introduced by the company itself while tearing down its very own Free software-based infrastructure (which had been put there when the company still had geeks in the office; heck, the company used to have an actual office!).



Suffice to say, patching is part of the work, including patching one's own machine. Anything else would be irrational (like blasting people over "commuting" time) because security starts in one's own domain. And yet, I was being told off by the company's founder for patching my PCs while I was on shift despite the fact that there are several such machines (if one encounters an error, then one can rely on another machine) and this is about actual security.

It took me a while to find E-mail regarding this, as it dates back nearly 4 years. My redacted response below:

I have just caught up with E-mail (resting and other things since 9am). Sorry for the delay in responding.

Roy,

I have read your shift’s handover notes where I find this from you:

"Quiet shift, so I took the time to update my whole system. Something broke nagstamon for me, briefly, but I managed to fix it. In the meantime I used the Nagios/Icinga Web interface.”


I use 3 laptops in parallel to do my job, so this was one in three and Nagios remains accessible regardless. nagstamon is an alternative to it (sound alerts) and I wanted to bring it up to date for security reasons. As I do often, to avoid breaches.

This is *absolutely unacceptable*.


If I cannot observe systems that are monitored and supported, it's not "unacceptable". It's still very much necessary. But still, looking back, there are many serious (Sirius) issues that were shared in the report below (more to come in the next parts).



Acronyms Lingo



Speaking of "GDPR" or "ISO" without even grasping the meaning behind laws and regulations is "cheap talk". Without comprehension of the issues, this boils down to 'name-dropping' (like "GDPR" or "ISO"). Currently, the company would gladly take technical advice from people who openly admit they don't care about privacy. So instead Sirius falls back onto formalities and processes rather than any real grasp of the underlying issues. Sirius track record will be demonstrable based on recommendations from past clients; with or from at least two clients we might only get an alarming reminder that their systems suffered a security breach while we supported them. The clients' names are, as usual, omitted here, but this is very well documented. There may have been more security incidents that were hidden or concealed both from clients and from Sirius staff. Considering the atmosphere of secrecy and hostility towards inquisitive staff, it seems likely more incidents occurred but weren't reported at all (or reported very selectively).

Speaking of formalities and processes rather than actual substance, the company Sirius was pursing ISO certification only amid some issues with NHS and its highly sensitive medical data -- including several incidents staff witnessed where people's (patients') privacy was accidentally compromised, either by Sirius or by the client (personally identifiable data divulged). To make matters worse, many times data was not being shredded like it was supposed to and the client complained. If better leadership was in place, this would not have happened, jeopardising the credibility of staff.

Account Management Practices and Data Sovereignty



With quite a lot of clients, and several can be vividly recalled, Sirius failed to remove access credentials (or accounts) for staff that had already left Sirius. 'Low level' staff cannot access systems at a level of user management, so this was demonstrably a 'high level' failure. Sometimes clients complained about such gross incompetence (if clients could even figure out who still works for Sirius; remember that Sirius misled them, as shall be noted again later) and potential security breach by former and possibly disgruntled Sirius staff, but nobody (as far as we know) was being held accountable. The aforementioned sections noted that accountability only ever works in this hypocritical and vertically-inconsistent fashion. Double standards became the new company standard, enshrined covertly but not formally. Managers never offered the courtesy of taking full responsibility. Too much pride to acknowledge mistake and lapses.

As the above shows, there are endemic problems caused by mismanagement or a lack of charismatic-yet-humble leadership (maladministration), maybe even a lack of staff that possesses ample experience managing a team of more than one person. These are very essential skills which mandate suitable recruitment. It may not be cheap, but it is vital.

Sirius has user credentials scattered all over the place, not all in OpenLDAP as done in the past (when more competent people managed the company's infrastructure). This will, inevitably, result in epic blunders. That keeps happening. Again and again. In fact, user credentials management at Sirius has been partly outsourced to third parties -- a taboo subject. No more GOsa, go USA (most data and authentication sent across the Atlantic).

The motivations seem petty, e.g. sharing accounts to save money despite clear security requirements that exist to explicitly not do this. Is ISO being treated as merely a box-ticking exercise, not followed up by any potent audits? If so, are we entitled to brag about some ISO compliance? Any time Roy attempted to bring up the subject the management became paranoid and threatening. This sort of resistance to ethical and moral objection would be strongly discouraged in companies capable of self-appraisal.

A colleague once mentioned in an E-mail that some colleagues may have needed to share an account with another person, all in the name of saving money. This kept happening for years despite such ISO requirements supposedly being fully in force. Account sharing was sometimes imperative, as individual accounts did not exist. In other words, all colleagues use the same username for some tasks; sometimes this was only belatedly addressed, partially and virtually post hoc.

Password management in the company has long been a painful affair. From non-secure connections to a lack of VPN for access to passwords the company moved to outsourcing. This was a case of "bad optics", pragmatic issues aside. Sirius could self-host similar software that was Free and Open Source software, but the company had a mindset of outsourcing almost everything to proprietary offerings from another country. As noted separately, Roy raised alarm over this several times, noting or pointing out actual data breaches of a very large scale, but no action was subsequently taken. The assurances were empty and arguably arrogant -- a refusal to listen to vigilant security experts who extensively covered those issues for decades. Asking a company itself whether it suffered a security breach and what the severity truly is like asking an American president what happened in the Oval Room.
Links 10/12/2022: KDE Development Report and More Gemini Browsers Coming | [Meme] Superheros Don't Need No Stinkin' Updates

Recent Techrights' Posts

IBM 'Dinobabies' Speak Out
"They want newbies out of school at a much cheaper rate"
Mass Layoffs at Microsoft, March 2026
When will the media properly investigate this?
An American War on GNU/Linux, Software Freedom, and British Investigative, Science-Based Reporting - Part IV - Escalating to Ministers, Explaining the Severity of These Matters
British Sovereignty at Stake
 
Kafkaesque: Unlawful Activities in the UK to Cover Up Unlawful Activities in the United States of America
Why is bribery and even extortion seen is OK? Because rich people do those things?
Former IBM Executive, Ron Hovsepian, Doomed S.u.S.E. (SUSE)
SUSE is like a child nobody wants to raise
Quiet Layoffs or Silent Layoffs Alleged at Microsoft
Will some investigative journalists do their job now and ask Microsoft tough questions?
After a Long Lull LinuxTeck (linuxteck.com) Came Back Only as a Slopfarm
Unlike Linuxiac, LinuxTeck wasn't very active in recent years
Links 11/03/2026: EPO and USPTO Software Patents Thrown Out Again, Copyright Concerns Over Slop (Plagiarism Using Buzzwords)
Links for the day
Microsofters' SLAPP Censorship - Part 9 Out of 200: 5RB Barrister Does Not Even Know the Name of His Own Client (That He Was Paid Well Over $200,000 to 'Speak' or 'Cover' for)
If you assault women in the United States, there's a barrister available for you in the UK
IBM's Fedora is Now Led by GAFAM Slop
The official word of Fedora is partly slop
Links 11/03/2026: "Drill, Baby, Drill" and Social Control Media Recognised as Threat to Democracy
Links for the day
5 Years Since Freenode Conflict
IRC isn't going away
A Week Ahead of Next EPO Strike the Staff Representatives Show the Administrative Council That the Office Lost the Best Staff, It's No Longer Attractive
the message circulated regarding the open letter to the Administrative Council
Jeff Bezos as an Individual Said to Have Enough Capital to Buy IBM
Assuming a market capitalisation of 234.70 billion
Starting Soon: Another New Series About Richard Stallman
There are some inside stories we can tell
Gemini Links 11/03/2026: School, Code Slop, and "Fancy Weapons"
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, March 10, 2026
IRC logs for Tuesday, March 10, 2026
Geminispace Continues to Grow
Geminispace Will Soon Have 5,000 Capsules
Very Little Slop About "Linux"
We hope to see slop eradicated by year's end
BBC Lied for Its Longtime Sponsor (Bribes for 15+ Years) Bill Epsteingate, in Effect Covering Up Sex Trafficking of Underage Girls
The state of the media is truly awful
Microsoft GitHub is Not Free Hosting and It Won't Last
Not for much longer [...] Microsoft is afraid to say that it is pulling the plug, but it seems inevitable
"The Lost Generation" Came Back, This Time Literally
Based on my limited experience with young people ("alphas"), they're lost
IBM is Not Likely to Survive Another Decade
Despite having already survived over a century [...] Last week we saw claims that some company would likely acquire IBM for its remaining assets
IBM Has Just Been Sued Again by Its Own Staff (This Time a Manager, Stephen P. Gutierrez)
IBM's behaviour towards its staff can prove costly
When a Company Says Its Layoffs are "Due to AI" Check the Debt (Typically the Real Reason for Mass Layoffs)
The mass layoffs at Microsoft continue, but Microsoft hides those in some of the same ways IBM does
Doing More With Less
primacy of concepts rather than bells and whistles
Andy and Helen in Cybershow on Divesting From the United States' Technology and Politics
It is no longer considered a taboo to say this and it's not "anti-American" because many Americans can relate to and agree with such criticism
Links 10/03/2026: "GEMA v. Suno Copyright Case" and "Valve Faces PRS Lawsuit Over Allegedly Unlicensed Steam Music"
Links for the day
Gemini Links 10/03/2026: Woods in UK, Slop Laziness, and "Small Technology and Small Economic"
Links for the day
Garrett Announces LibreLocal Instance in Northampton, Massachusetts (USA)
his message was the only one last month
Microsofters' SLAPP Censorship - Part 8 Out of 200: Gross Misuse of UKGDPR to Protect the Agenda of American Back Doors (Mass Surveillance)
Responding to bunk claims regarding UKGDPR and claims of 'analytics' in our sites
Links 10/03/2026: Oil Prices Rising, South Korean/US Military Assets Redirected
Links for the day
Links 10/03/2026: Rust Rewrites by Slop "20,171 Times Slower", "You MUST Review LLM-generated Code"
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Monday, March 09, 2026
IRC logs for Monday, March 09, 2026
Attacks on Techrights Make Techrights Stronger and Attract More Whistleblowers to Techrights
The harder they attack us, the more productive we become
The Register MS Has Just Taken Money From Google (Where the Former Chief Editor Now Works) for Femmewashing and Ponzi Scheme Promotion
now The Register MS not only promotes a Ponzi scheme but also bags money to pretend Google respects women
People at IBM Are Still Smart Enough to Understand What's Really Going on
"I would never refer someone to work at IBM that I liked! I hope all of you have reviewed IBM on Glassdoor."
European Patent Office (EPO) to "Eventually Eliminate the Tasks Performed by Formalities Officers"; EPO Run by People Without Experience in Patents
full paper
RMS is 73 Next Week
Richard Matthew Stallman (RMS) turns 73 exactly 7 days from now
Iran & FSFE: blackmailing women, from football to the French Government (CNIL)
Reprinted with permission from Daniel Pocock
An American War on GNU/Linux, Software Freedom, and British Investigative, Science-Based Reporting - Part III - Very Strong Legal Basis for an Appeal
The case is now being escalated to a Foreign Secretary and former Deputy Prime Minister
Police investigations, lawsuits & Debian leader election candidate shortage
Reprinted with permission from Daniel Pocock
Richard Stallman (RMS) Has Defeated Cancel Culture, a Mostly American Phenomenon
RMS is talking now
No Slop Found in RSS Feeds, Only in Google News
No slopfarm will survive for very long, certainly it'll go bust as soon as readers (if it had any) know what it is
Links 09/03/2026: Many Security Breaches and a Pandemic of Censorship
Links for the day
People Who Work or Worked at IBM Hate It
bluewashing is only the first step
Richard Stallman (RMS) Talks in 30 Minutes, Next Stop Bern (Last Stop)
We assume he'll travel back to Boston after that
IBM's Fedora as a Booster of Slop Disguised as Code or Computer Programs
Maybe we should also stop seeing a doctor and instead ask chatbots about symptoms?
Richard Stallman (RMS) Talk Five Hours From Now
there is growing recognition for what he really did for everybody
What the Solicitors Regulation Authority (SRA) and Action Fraud UK Have in Common
Don't let London become the world's "crime capital"
EPO Strike 10 Days From Now, Planning Assembly Tomorrow, Last Couple of Strikes Had High Participation Rates (1,500-1,600 Staff Went on Strike)
The next strike is in 10 days' time and then there will be another strike
Dr. Andy Farnell on How GAFAM, NVIDIA and Others Lie to People Via the Sponsored Media to Prop Up Lies Under the Guise of "AI"
Lots of key aspects are covered
Links 09/03/2026: GAFAM Outsourcing, "MAGA Political Meddling" in EU, Indonesia Bans Social Control Media for Children Under 16
Links for the day
Using Slop (and Slop in Articles) to Attack Copyleft 'on Budget'
This article is pure BS from an anti-GPL and anti-RMS 'activist'
Why The Register MS Sold Out to Microsoft: They're Losing Lots of Money, The Register MS is Bleeding to Death, Based on Its Own Financial Records
With over 6 million pounds in debt (nearly 10 million US dollars) we guess it's likely some other company will take over the site (if it deems it worthwhile)
Microsofters' SLAPP Censorship - Part 7 Out of 200: Like With the Serial Strangler From Microsoft, Misuse of UK-GDPR to Try to Hide Embarrassing Facts
They do and say really bad things, then allege it's a "privacy violation" to mention those things
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Sunday, March 08, 2026
IRC logs for Sunday, March 08, 2026
Gemini Links 09/03/2026: Exponentials and Tailscale
Links for the day
Sloppyleft
Article by Alexandre Oliva