Bonum Certa Men Certa

Sirius Open SORES: There's a Lot More to Security and Privacy Than Namedropping (e.g. 'ISO' and 'GDPR')

Sirius certificate

Summary: In Sirius ‘Open Source’, neither Open Source nor security got taken seriously enough. Siriusly! And one cannot point this out to managers as this infuriates them (it harms a false perception they've long cultivated).

TODAY we turn our attention to bad security practices, including poor privacy and unbridled outsourcing of Sirius. There will be numerous parts about these aspects and we'll provide some examples in the future when dealing with proprietary software, introduced by the company itself while tearing down its very own Free software-based infrastructure (which had been put there when the company still had geeks in the office; heck, the company used to have an actual office!).



Suffice to say, patching is part of the work, including patching one's own machine. Anything else would be irrational (like blasting people over "commuting" time) because security starts in one's own domain. And yet, I was being told off by the company's founder for patching my PCs while I was on shift despite the fact that there are several such machines (if one encounters an error, then one can rely on another machine) and this is about actual security.

It took me a while to find E-mail regarding this, as it dates back nearly 4 years. My redacted response below:

I have just caught up with E-mail (resting and other things since 9am). Sorry for the delay in responding.

Roy,

I have read your shift’s handover notes where I find this from you:

"Quiet shift, so I took the time to update my whole system. Something broke nagstamon for me, briefly, but I managed to fix it. In the meantime I used the Nagios/Icinga Web interface.”


I use 3 laptops in parallel to do my job, so this was one in three and Nagios remains accessible regardless. nagstamon is an alternative to it (sound alerts) and I wanted to bring it up to date for security reasons. As I do often, to avoid breaches.

This is *absolutely unacceptable*.


If I cannot observe systems that are monitored and supported, it's not "unacceptable". It's still very much necessary. But still, looking back, there are many serious (Sirius) issues that were shared in the report below (more to come in the next parts).




Acronyms Lingo



Speaking of "GDPR" or "ISO" without even grasping the meaning behind laws and regulations is "cheap talk". Without comprehension of the issues, this boils down to 'name-dropping' (like "GDPR" or "ISO"). Currently, the company would gladly take technical advice from people who openly admit they don't care about privacy. So instead Sirius falls back onto formalities and processes rather than any real grasp of the underlying issues. Sirius track record will be demonstrable based on recommendations from past clients; with or from at least two clients we might only get an alarming reminder that their systems suffered a security breach while we supported them. The clients' names are, as usual, omitted here, but this is very well documented. There may have been more security incidents that were hidden or concealed both from clients and from Sirius staff. Considering the atmosphere of secrecy and hostility towards inquisitive staff, it seems likely more incidents occurred but weren't reported at all (or reported very selectively).

Speaking of formalities and processes rather than actual substance, the company Sirius was pursing ISO certification only amid some issues with NHS and its highly sensitive medical data -- including several incidents staff witnessed where people's (patients') privacy was accidentally compromised, either by Sirius or by the client (personally identifiable data divulged). To make matters worse, many times data was not being shredded like it was supposed to and the client complained. If better leadership was in place, this would not have happened, jeopardising the credibility of staff.

Account Management Practices and Data Sovereignty



With quite a lot of clients, and several can be vividly recalled, Sirius failed to remove access credentials (or accounts) for staff that had already left Sirius. 'Low level' staff cannot access systems at a level of user management, so this was demonstrably a 'high level' failure. Sometimes clients complained about such gross incompetence (if clients could even figure out who still works for Sirius; remember that Sirius misled them, as shall be noted again later) and potential security breach by former and possibly disgruntled Sirius staff, but nobody (as far as we know) was being held accountable. The aforementioned sections noted that accountability only ever works in this hypocritical and vertically-inconsistent fashion. Double standards became the new company standard, enshrined covertly but not formally. Managers never offered the courtesy of taking full responsibility. Too much pride to acknowledge mistake and lapses.

As the above shows, there are endemic problems caused by mismanagement or a lack of charismatic-yet-humble leadership (maladministration), maybe even a lack of staff that possesses ample experience managing a team of more than one person. These are very essential skills which mandate suitable recruitment. It may not be cheap, but it is vital.

Sirius has user credentials scattered all over the place, not all in OpenLDAP as done in the past (when more competent people managed the company's infrastructure). This will, inevitably, result in epic blunders. That keeps happening. Again and again. In fact, user credentials management at Sirius has been partly outsourced to third parties -- a taboo subject. No more GOsa, go USA (most data and authentication sent across the Atlantic).

The motivations seem petty, e.g. sharing accounts to save money despite clear security requirements that exist to explicitly not do this. Is ISO being treated as merely a box-ticking exercise, not followed up by any potent audits? If so, are we entitled to brag about some ISO compliance? Any time Roy attempted to bring up the subject the management became paranoid and threatening. This sort of resistance to ethical and moral objection would be strongly discouraged in companies capable of self-appraisal.

A colleague once mentioned in an E-mail that some colleagues may have needed to share an account with another person, all in the name of saving money. This kept happening for years despite such ISO requirements supposedly being fully in force. Account sharing was sometimes imperative, as individual accounts did not exist. In other words, all colleagues use the same username for some tasks; sometimes this was only belatedly addressed, partially and virtually post hoc.

Password management in the company has long been a painful affair. From non-secure connections to a lack of VPN for access to passwords the company moved to outsourcing. This was a case of "bad optics", pragmatic issues aside. Sirius could self-host similar software that was Free and Open Source software, but the company had a mindset of outsourcing almost everything to proprietary offerings from another country. As noted separately, Roy raised alarm over this several times, noting or pointing out actual data breaches of a very large scale, but no action was subsequently taken. The assurances were empty and arguably arrogant -- a refusal to listen to vigilant security experts who extensively covered those issues for decades. Asking a company itself whether it suffered a security breach and what the severity truly is like asking an American president what happened in the Oval Room.

Recent Techrights' Posts

Microsoft said “GitHub and its leadership team will continue its mission as part of Microsoft’s CoreAI organisation.” But it's just an empty shell created earlier this year.
In short, it's not too clear what Microsoft has just done except dumping GitHub - i.e. mostly a Web site that loses a ton of money (it always lost money) - into some mysterious new bucket
IBM Layoffs in MCC, or Marketing, Communications and Corporate Social Responsibility (CSR)
IBM and Microsoft inflate their share price by circular financing
The Register MS gets Lazy, Uses Slop
Unlike 3-D renderings or "Classic" CG, slop images aren't quite original and definitely not fair use
 
The Register's Slopfest
Remember when The Register UK (yes, UK) had better standards?
Latest Version of Windows (Vista 11) is a Failure 4 Years After Its Fake 'Leak'
Vista 11 became more scarce this month
Improving Our Archives
Our old archives are still accessed a lot. Making them better is well worth the investment.
Things One Learns as a Litigant in Person at the UK High Court
Don't fear the official manuals
Slopwatch: Lots of Fake Articles From Fake "Linux" Sites and About "Linux"
Google says it's committed to "AI" (it means slop, not AI); that seems like an excuse to dodge accountability
Links 19/08/2025: "Eavesdropping on Phone Conversations Through Vibrations" and Air Canada in Chaos
Links for the day
Gemini Links 19/08/2025: Niche Spaces and "AI Pasta Sauce"
Links for the day
Links 19/08/2025: "NASA Is Giving Up on Climate Change Science" and "Earth's Continents Are Drying Out at an Unprecedented Rate"
Links for the day
Phil Wyett evidence & Debian Zizian plagiarism, modern slavery tendencies
Reprinted with permission from Daniel Pocock
In Many Countries People Move Away From Vista 11
Vista 11 has been available for download for 4 years already, but adoption has been poor
Desktops/Laptops Fall to All-Time Lows in the UK, So Why Does British Media Quote a Famous Criminal on "End of the Smartphone Era"?
mobile usage (for Web access) has never been higher, based on an Irish surveyor, statCounter
The Groklaw Web Site Has Been Hijacked by Scammers
Groklaw.net isn't a safe site to access at this time
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Monday, August 18, 2025
IRC logs for Monday, August 18, 2025
Online Safety Act Does Not Tackle the Worst (and Biggest) Culprits
if our governments are serious about tackling online harms, then they need to look closely at GAFAM and social control media giants
Chat Control (1 and 2) in the European Union Sends the Wrong Message
This is an EU law
Slopwatch: Google News and Serial Sloppers (Fake Articles About "Linux")
Calling out the culprits
Gemini Links 19/08/2025: Digital Legacy and Chat Control
Links for the day
English Law Misused by Americans and Irishmen Against Brits is Unfair
There's always a way to improve existing laws
Overly Maximalist, Expensive, Localised Patent Law is Dooming Western Companies, Argue 3-D Printing Champions
We've long warned (over 7 years already!) that China's approach to patents will impress WIPO by gaming the totals but will doom the West
Links 18/08/2025: "Microsoft Store" Gets Increasingly Hostile, "Cracking Abandonware DRM"
Links for the day
Gemini Links 18/08/2025: Summer "Gone" and Web Reposts in Gemini
Links for the day
Microsoft's Windows in Gabon: Still Moving Down
What is this Unknown? Who knows...
Links 18/08/2025: LLM Reputation Damaged, Australia Catches Google Foul Play
Links for the day
Geeks Like GNU/Linux
The technical community seems to be consolidating and rallying around GNU/Linux
GNU/Linux is 486 in Ireland
4.86% that is
End of Reliable Media
it makes the world a worse place, it renders the Web a misinformation machine
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Sunday, August 17, 2025
IRC logs for Sunday, August 17, 2025
GitHub Won't Last Much Longer
Many things at Microsoft are going to go the way of the Skype (or "dodo"). GitHub will be among those.
We've Never Used Large Language Model (LLM)
we just never used an LLM
"Secure Boot" is a Security Problem, Not a Solution
These people don't try to improve security but to undermine security
Gemini Links 18/08/2025: Retro and Endless Escape from the WWW
Links for the day
Working Whilst Away From Home
Decades ago being away meant all sorts of problems associated with workflows and connectivity
The Next Version of Windows Will Always be the Best (for Microsoft)
It's worse and slower over time
"End of the Smartphone Era" According to Jeffrey Epstein's Key Enabler
They call it "sour grapes"
Links 17/08/2025: Strike Downs Air Canada, Postmortems of Putin's Red Carpet Summit
Links for the day
Links 17/08/2025: Slow Tools and Enshittification of YouTube
Links for the day
Don't Talk to Bullies
This serious matter is still being examined by British authorities
Links 17/08/2025: "The Performance of Power" and "My Undesirable Friends"
Links for the day
Growing Our Reach
Our goal was never "hits"
The Russian Vision of Technology
Russia's surveillance is very extensive
Sooner or Later Almost Everyone Will Know "AI" is Just a Go-To, Misused, Misapplied, and Grossly Overused Term of Liars and Con Jobs Who Ride a Ponzi Scheme
At the expense of people gullible enough to "invest" in this or take salaries/bonuses in the form of "stock" (tied to a Ponzi scheme)
The Register MS Has Begun Using Slop Images
It's not clear when it started; but it's definitely getting worse [...] Worst of all are 'articles' about slop that are themselves slop
Reddit Funded by Microsoft
Reddit is merely a filter and we knows who controls that filter (using money)
When It Comes to Technology, Mozilla and Firefox Are Illiberal
Last month in Planet Debian we saw one more person explaining to everyone how to "turn off" DRM in Firefox and hide the pop-up/s
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Saturday, August 16, 2025
IRC logs for Saturday, August 16, 2025
The Open Source Initiative Has Many Scandals, We'll Try to Summarise Them All
Open Source Initiative (OSI) hates facts
Open Source Initiative (OSI), Wikipedia, Molly De Blanc, and Censorship/Reputation Laundering
OSI is like SPLC. The old name remains, the mission changed
Gemini Links 17/08/2025: Misunderstanding "Geminiverse" and Let's Encrypt
Links for the day
Links 17/08/2025: Breaches, Layoffs, and Scams
Links for the day