Summary: Sirius ‘Open Source’ has adopted shoddy practices that impede audits, undermine security, and subvert proper inspection of the network; outsourcing is not security, and "clown computing" is more like an "acceptable" security breach (giving some shady companies control over your systems and data), but that's not something today's Sirius ‘Open Source’ can still grasp (Intel experienced something similar when geeks left)
THE previous part spoke about a lack of real security and today we turn our attention to GAFAM-friendly policies which wrongly assume that VPN or GAFAM mean security. They don't. VPN, like a firewall, makes false assumptions. And outsourcing assumes that some other companies are in fact security-oriented and respecting of privacy. They're neither. Sending passwords from one's local network (already access-restricted on several levels, namely access credentials and IP address) to something like LastPass is beyond insane. But good luck explaining that to people who worship brands instead of technology and find appeal in anything "new" (for no actual reasons other than perceived novelty).
Here is the relevant part of the report sent at the start of this month.
Band-Aid Instead of Robust Policies
Speaking of security breaches, some of the company's Ubuntu servers are using very old -- even way outdated -- versions, as noted by the company itself (it's also controlled by a host in another country, which poses another attack surface issue).
Security isn't taken seriously enough and VPN is presented as ad hoc Band-Aid. VPN is not the solution, it's a hallmark or a symptom of neglect at the intranet (internal) level. Firewalling and restrictions, for instance, have unusual exceptions. Since "Google is your friend", for instance, Google IP addresses are allowed. As if Google never spies or collaborates with spy agencies (or even suffers security breaches). So Sirius VPN does not trust BBC network, but does trust (or whitelists) Google/Alphabet.
The neglect extends outwards, i.e. outside internal infrastructure of Sirius. For instance, in the past some staff transmitted in plain text messages (via E-mails) with passwords to accounts and servers of a very large client that is the target of foreign operations and aggressive spies (political espionage operations of this type are very common with clients such as these).
There are even very recent examples, so there's no need to go far back; a colleague who is close to management dared suggest -- only months ago -- that an entire political Web site (including user details, passwords etc.) be migrated by dumping a lot of data into Google Drive, without any encryption either, clearly not comprehending that "Google is your friend" is a laughable fallacy (an understatement; Google is legally obligated, through US Clarifying Lawful Overseas Use of Data Act or CLOUD Act 2018, to give full access to the US government and more).
It wouldn't be controversial to state that such practices can be off-putting to clients, e.g. when decision makers in Sirius have rather poor grasp or appreciation for privacy and security, let alone critical care by introspection (staff cautioning about this is subjected to gaslighting at best or even outright threats).
If Sirius views itself as a champion of "Alexa" and "OK Google", then the company should seriously consider a rebrand.
⬆
