Bonum Certa Men Certa

Sirius Open Source: Secure Only 'on Paper'

Sirius Open Source pamphlet



Summary: Sirius ‘Open Source’ has adopted shoddy practices that impede audits, undermine security, and subvert proper inspection of the network; outsourcing is not security, and "clown computing" is more like an "acceptable" security breach (giving some shady companies control over your systems and data), but that's not something today's Sirius ‘Open Source’ can still grasp (Intel experienced something similar when geeks left)

THE previous part spoke about a lack of real security and today we turn our attention to GAFAM-friendly policies which wrongly assume that VPN or GAFAM mean security. They don't. VPN, like a firewall, makes false assumptions. And outsourcing assumes that some other companies are in fact security-oriented and respecting of privacy. They're neither. Sending passwords from one's local network (already access-restricted on several levels, namely access credentials and IP address) to something like LastPass is beyond insane. But good luck explaining that to people who worship brands instead of technology and find appeal in anything "new" (for no actual reasons other than perceived novelty).



Here is the relevant part of the report sent at the start of this month.




Band-Aid Instead of Robust Policies



Speaking of security breaches, some of the company's Ubuntu servers are using very old -- even way outdated -- versions, as noted by the company itself (it's also controlled by a host in another country, which poses another attack surface issue).

Security isn't taken seriously enough and VPN is presented as ad hoc Band-Aid. VPN is not the solution, it's a hallmark or a symptom of neglect at the intranet (internal) level. Firewalling and restrictions, for instance, have unusual exceptions. Since "Google is your friend", for instance, Google IP addresses are allowed. As if Google never spies or collaborates with spy agencies (or even suffers security breaches). So Sirius VPN does not trust BBC network, but does trust (or whitelists) Google/Alphabet.

The neglect extends outwards, i.e. outside internal infrastructure of Sirius. For instance, in the past some staff transmitted in plain text messages (via E-mails) with passwords to accounts and servers of a very large client that is the target of foreign operations and aggressive spies (political espionage operations of this type are very common with clients such as these).

There are even very recent examples, so there's no need to go far back; a colleague who is close to management dared suggest -- only months ago -- that an entire political Web site (including user details, passwords etc.) be migrated by dumping a lot of data into Google Drive, without any encryption either, clearly not comprehending that "Google is your friend" is a laughable fallacy (an understatement; Google is legally obligated, through US Clarifying Lawful Overseas Use of Data Act or CLOUD Act 2018, to give full access to the US government and more).

It wouldn't be controversial to state that such practices can be off-putting to clients, e.g. when decision makers in Sirius have rather poor grasp or appreciation for privacy and security, let alone critical care by introspection (staff cautioning about this is subjected to gaslighting at best or even outright threats).

If Sirius views itself as a champion of "Alexa" and "OK Google", then the company should seriously consider a rebrand.

Recent Techrights' Posts

Morale at Microsoft Sinking, More Layoffs Expected, Stock Buybacks Blasted
controversial because they should really be illegal
The Kubecost Acquisition Does Not Show IBM is Rich, It Shows It Wants to Distract From Mass Layoffs Happening This Week (Thousands Laid Off in the Dark)
So-called "news deserts" have become a national and international phenomenon (not local/regional)
 
IBM Likely Breaking Several Laws With Latest 'Secret' Mass Layoffs
Never sign an NDA
Gemini Links 19/09/2024: Emacs Wiki and China, IRC Chatting
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, September 18, 2024
IRC logs for Wednesday, September 18, 2024
Links 18/09/2024: Web Server Survey Shows Microsoft Down Again, Omkhar Arasaratnam Leaves Microsoft-connected OpenSSF
Links for the day
Links 18/09/2024: Gaming Layoffs and New Openwashing by Linux Foundation
Links for the day
Gemini Links 18/09/2024: Home, Ashram, and Markdoc
Links for the day
[Meme] Think. Positive. Saturate the Media.
IBM: Layoffs? What layoffs?
IBM Has Been Lobbying for Software Patents, It's Not the Free Software Community's Ally
The ancient company has been lobbying for these patents for decades already
Over Half a Day Later the Media Still Doesn't Cover Thousands of Layoffs at IBM
Not even a single news site bothered to investigate and report this? Not even one?
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, September 17, 2024
IRC logs for Tuesday, September 17, 2024
IBM Befriends and Exploits the Biggest Enemy of Software Freedom (Software Patents)
Software Patents and IBM in Today's News
Many Workers Quietly Leave Microsoft, the Company is Running Out of Money (Too Much Debt and Now Massive Buybacks to Keep the Shares From Collapsing While Hiding Humongous Losses)
I've heard of people who just decided to quit Microsoft. They could not handle the anxiety.
Links 17/09/2024: Volkswagen Layoffs May Exceed 15,000, Sean ‘Diddy’ Combs Arrested
Links for the day
Gemini Links 17/09/2024: Re-framing of Priorities and Journalists
Links for the day
The Linux Foundation is Associating Linux With Scams and With Scam Sites Right Now (Like the Wife of Jim Zemlin Did)
they profit from the sellouts
Mass Layoffs at IBM Today, Just Like Prominent Rumours Said Upfront
past couple of hours
Google's YouTube Already Blocking People Who Block Ads
YouTube feels like it's dying
Links 17/09/2024: More on Microsoft Cuts and XBox Backward Compatibility Issues
Links for the day
IBM is Acting No Better Than Patent Trolls, Preying on Smaller Companies by Suing Them With Software Patents
No Red Hat employee should tolerate this aggression by the employer
Something Has Gone Very Wrong at iTWire
"iTWire has descended into marketing spam"
The Hallmark of a Dying Company Running Low on Money (But Still Trying to Hide That)
Microsoft should look into selling red markers
UEFI 'Secure' Boot Has Put Security at Risk, Suggests New Report
We're vindicated once again
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Monday, September 16, 2024
IRC logs for Monday, September 16, 2024
Links 17/09/2024: China Sanctions and Breadth of Latest Microsoft Layoffs Elaborated Upon
Links for the day
Gemini Links 17/09/2024: Small Improvements in Carbon Capture and Pseudo-Productivity In Java
Links for the day