Bonum Certa Men Certa

The ISO Delusion: How Sirius Picked Collaboration/Communication Tools That Harm Staff, Harm the Company, and Harm Its Clients

International Organization for Standardization (ISO) brag



Summary: Sirius 'Open Source' has long misused "ISO" to do all sorts of dubious things, including cover-up and frustration of staff; the time has come to explain what happened and maybe eventually report the matter to ISO itself

THOSE who have followed this series carefully enough know that pretty much all the communication tools of Sirius 'Open Source' had been outsourced to proprietary vendors (voice, text etc.) without bothering to ask staff, which complained only after the fact. Too late. It's a decree, not a proposal. Instead of self-hosting Asterisk and relying on Jabber (among other things) the company was sending its workflow to Google, Zoom, Slack (Salesforce) and even Skype (Microsoft) while publicly floating ISO logos.



Over the coming week or so we'll show this ugly façade of a company that still uses the term "Open Source" -- a thing that it is rejecting internally. It's not about doing what clients require; this is about what the company chooses for itself, as it's headed by managers who neither use nor support Open Source. It's a façade.

"It's not about doing what clients require; this is about what the company chooses for itself, as it's headed by managers who neither use nor support Open Source."The Office Manager will be a recurring theme here, as she was part of this façade. What is an Office Manager anyway when the company does not have an actual office? David Graeber's thesis would classify it as a 'bullshit job' [1, 2], probably the "box tickers" kind. To quote Wikipedia, we deal here with "box tickers, who create the appearance that something useful is being done when it is not, e.g., survey administrators, in-house magazine journalists, corporate compliance officers, quality service managers..."

As noted here right from the start (a day after resignation), the company was hardly compliant with anything sensible, including security and ethics. Last year I was asked to study logs for some anti-abortion group (without telling me where those logs had come from). What next? Would I be getting assigned jobs like checking logs for Oath Keepers or Proud Boys, seeing that anti-abortion groups were starting paying for "services" last year? (Off the record)

Anyway, yesterday this good article mentioned LastPass, another company that the stubborn new management decided to hand over to not only our own passwords but clients' too (even private keys!!!), insisting that according to LastPass the LastPass breach wasn't a big deal. Sirius did not even bother resetting passwords after I had repeatedly urged for this to be done (and, as a possible bonus, to dump LastPass altogether). In yesterday's article the author says: "I’d like to talk about some of my experiences with this topic, as well as recent events in the security community."

"Before I describe my experience," he says, "I need to set the stage. My LastPass fun took place around the same time as the infamous Bugcrowd incident with JSBN."

Watch how LastPass handled things: "My first step in esclating was security.txt. No dice. There was no clear security officer or contact information that I could discern from my social network either, so I chose the path of last resort: I contacted their support team."

"Hiring friends and relatives instead of qualified people leads to disaster."So it's more or less like Sirius. No wonder a client said the company was "incompetent". The client said this to a highly incompetent 'manager' who was never supposed to be there in the first place: No clue about technology or about management, just some associate from a former organisation in which a Sirius 'founder' had spent a few years. Hiring friends and relatives instead of qualified people leads to disaster.

Very basic security practices were often disregarded and staff was ignored in spite of technical background. It was like talking to the wall.

At first we had Asterisk internally; then someone decided it would be better to use some outside firm as a supplier and pay the fees. That was still a lot better than a move to a defective "service" and then purchase "phones" that are a security threat, in the hope (likely false hope) that it would 'fix' the issue. We'll come to that another day.

The management kept covering up for repeated failure/s, blaming the staff (victims) instead, never the decision-makers who introduced a faulty/defective alternative but are too vain to admit it, take the blame, and finally undo.

"The management kept covering up for repeated failure/s, blaming the staff (victims) instead, never the decision-makers who introduced a faulty/defective alternative but are too vain to admit it, take the blame, and finally undo."The company's obscene disregard for security would not end there. We've already covered cognition reports being stored on personal machines, then uploaded to AWS (not the client's servers). There was no longer any security protocol in place; no file server for them or for us (GDPR would be screaming!), set aside the fact that the company is no longer "open source" and is basically lying about it. It's more like bragging about ISO while gaslighting people who actually value security.

Not only did the company ignore the warnings from me, it didn't even change passwords, alter providers, or self-host an actual "Open Source" alternative. It kept saying it would (or merely consider this), but those were lies. As we mentioned here before, this wasn't a matter of practicality of cost-savings either; Sirius was getting huge bills for "clown computing" (idle almost all the time but the bills kept growing and growing). Any suggestion of self-hosting, i.e. like before, was dismissed as "hobbyist" by the CEO. So what is to be sold as a service by Sirius? Outsourcing? Well, the company's latest incarnation in LinkedIn does say that.

Tomorrow we'll show some examples of misuse of the company's pretences (ISO, GDPR etc.) for cover-up, censorship etc.

In the meantime, however, consider this E-mail from July 2019 (when the company was setting up a shell in the US, covertly, when signing an NDA with the Gates Foundation):

xxxx wrote on 17/07/2019 17:20: > Hello Roy, > > As you are aware we’re currently going through the process of > implementing ISO 27001 (information security management system). It's > been brought to our attention that you using xxxxx Slack is > unacceptable due to the security of password sharing amongst yourselves. > > During your meeting at the training workshop - I had asked for you to > reconsider as this is a company requirement. > > Moving forward and with the advice from the ISO company this is now > something which needs to be completed by the end of your shift this > evening. Slack is an essential communication tool used by everyone > within the company. > > Would you please confirm the receipt of this email and a reply to this > request.

Hi,

Currently, all our sensitive communications end up on the server of a large corporation in another country, where this data can get sold. It included NHS stuff. This too is a problem as we need to be Open Source not only in name and I've been waiting for xxxxx to set up Matrix or similar for me to join. It has been months and I think it's essential for our company to demonstrate it takes security seriously. I can set up an Open Source alternative myself if that helps.

Regards,


Of course I only received more threats for this, rather than be listened to. Of course "information security" and Slack are incompatible concepts. As we shall revisit shortly, let's just say Slack suffered yet another data breach shortly thereafter, vindicating me. Did the management listen? Did it react? Of course not.

After some more threats I was compelled to give up, at least temporarily:

xxxx wrote: > Hello Roy, > > As I have expressed in my previous email and in all communication that > Slack is an essential communication tool used by everyone within the > company at the moment. We all should be there. > > This is a direct management requirement and instruction and it needs to > be implemented immediately.

I have just created the Slack account.

It would still be useful to know the timeline for moving to an Open Source alternatives. Slack has no business model other than spying at the moment, as media repeatedly points out.

Regards,


Regarding "I've been waiting for xxxxx to set up Matrix or similar for me to join," I was receiving false promises from the CEO, naming two people who would set up a Free software alternative like Riot/Mattermost. One of them left the company (as I had previously warned the manager) and another never implemented the change. Sirius management was just lying all along.

"Now, after so many years, Sirius is another disgrace or a black eye to ISO."We'll revisit Slack another day and we shall deal with each of these blunders in turn. ISO is a joke if it grants certification to companies which behave in this way, set aside how superficial the requirements are. 15 years ago Microsoft bribed a lot of firms and organisations to rig ISO; and ISO, in turn, was OK with it. Now, after so many years, Sirius is another disgrace or a black eye to ISO. No wonder clients suffered security breaches. They weren't even informed of how poorly Sirius had handled/managed security.

Recent Techrights' Posts

Weaponisation of For-Profit Dockets - Part I: Hiding Behind Lawyers (or Guns for Hire) After Abusing Many People and Even Strangling Women While Microsoft Paid Salaries
This whole thing is very typical of the Microsoft and Bill Gates mindset
From EPO to "MAGA Regime": A Shift Away From Reality to Fake News and False Metrics
Disbelief in itself isn't a bad thing; but the problem is that people are taught to believe rich people in suits more than they believe others
Skype is Officially Dead Today and This is Why People Should Use Free Software Instead (Goodbye, Microsoft)
It's also a good reminder of why people should move to GNU/Linux
'Simple Articles' in MyGemini Just One of Many New 'Sites' in Geminispace
Geminispace has grown fast lately; it's turning 6 next month
 
Links 06/05/2025: LLMs/Chatbots Attract More Scrutiny (Getting Worse Over Time), PwC Has Many Layoffs
Links for the day
Thanks for listening. How can this Morse feed be further improved?
Right now any and all feedback on the audio would be helpful
statCounter: Bing's Market Share Lower Right Now Than It Was When LLM Hype Began (With "Bing Chat")
If anybody gains at Google's expense in search, it is BRICS' alternatives such as Yandex
Gemini Links 06/05/2025: Failure and Proxmox Cluster
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Monday, May 05, 2025
IRC logs for Monday, May 05, 2025
Links 05/05/2025: TikTok Still a Romanian Woe/Foe, Signal Perils Showing
Links for the day
Gemini Links 05/05/2025: Debian and GNOME and a "Welcome to Simple Articles"
Links for the day
Links 05/05/2025: US Economy Shrinks, US Presidency Spreading Deepfakes
Links for the day
Links 05/05/2025: Breaches, Environment, and Conflicts
Links for the day
SUSE the Company Now Uses LLM Slop to 'Write' Its Blog, What Does That Tell Us About SUSE?
There are many giveaways
Richard Stallman is in Alicante Today to Give a Talk, Czech Republic in Two Days (Wednesday)
Of course he can deliver the talk in Spanish
Gemini Links 05/05/2025: XL Bullies and Luddites
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Sunday, May 04, 2025
IRC logs for Sunday, May 04, 2025
Links 04/05/2025: Science, Conflicts, and Monopolies
Links for the day
GNU/Linux Above 7% in Bulgaria, Rising Just Like in Most of Europe
Up to 7%, not counting Chromebooks
Data Shows Largest EU Economies Shifting to GNU/Linux
all-time highs
statCounter Says Only One in 6 Web-Connected Clients in Hungary Are Using Windows, iOS Almost Bigger Than Windows Now
Hungary is a cautionary tale in the world of European (or Russian) politics
Many Reports About Microsoft's Financial Report/Performance Are False, Fake News, Churnalism/Parroting, and LLM Slop (Machine-Generated Lies)
Even if you see a thousand sites saying that Microsoft is performing well ask yourself why the company is rushing to fire tens of thousands of workers and cancelling datacentres
Links 04/05/2025: FCC Turning Into MAGA’s Censoring Machine, SEC Pressured to Delist Chinese Companies
Links for the day
Gemini Links 04/05/2025: Historical Artifacts and Date Calculations in POSIX Shell
Links for the day
In the First 3 Months of 2025 GAFAM Debt Rose by More Than $14.4 Billion
That's based on their official statements
10-Step Strategy to Get BRETT WILSON LLP ("Gun for Hire"), Microsoft's Serial Strangler, and the Serial Defamer to Compensate Techrights and Tux Machines for Years of SLAPPs and Abusive Litigation
There's no room or capacity for forgiveness here; enablers and protectors of crime need to be scuttled and pay up in full
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Saturday, May 03, 2025
IRC logs for Saturday, May 03, 2025