Bonum Certa Men Certa

The ISO Delusion: Sirius Corporation Demonstrates a Lack of Understanding of Security and Privacy

2FA with 'mobile phone' is not proper security
Especially not when you send passwords and private keys to dodgy third parties that suffer security breaches and lie about it



Summary: Sirius 'Open Source', emboldened by ISO 'paperwork' (certification), lost sight of what it truly takes to run a business securely, mistaking worthless gadgets for "advancement" while compelling staff to sign a new contract in a hurry (prior contract-signing scandals notwithstanding)

A part devoted purely to ISO was last week's focus/work and this week we show some of the company's awful practices when it comes to security. This is the most recent example. It's from this past October and it's likely what got me "flagged" for bollocking. In short, after the contract-signing scandals of 2019 I was apprehensive about signing another unknown contract and moreover consenting to a company-provided spying device (with camera and microphone) being inside my home. My wife was also hesitant; she expressed very strong opposition to this even before I did. "What next?" she said...



"This "mobile phones" strategy it is not about saving money..."My E-mails about company "mobile phones" were discussed with a friend in IRC (personal channel), albeit only after careful redaction. Polite language was used. Facts were adhered to all along. At the bottom of this post the communications are reproduced in full, with clients' names and colleagues' names redacted.

This "mobile phones" strategy it is not about saving money; outsourcing never saves money, it adds a trap for short-term savings. The bills, in turn, gradually increase by a lot and services stop working or get shut down. They cannot even be debugged because they are proprietary (AWS and Google in mind).

"The messages were sent less than 10 minutes apart, obviously coordinated for effect, and there was no room for debate."As the communication below shows, first they sent some 'enticing' message and later they sent an "ASAP" for a contract to sign (for "smart" "phone"). It was likely some sort of waiver. The messages were sent less than 10 minutes apart, obviously coordinated for effect, and there was no room for debate. If the company wants to buy brand new phones while deprecating existing Cisco phones of all staff -- and it won't settle for low-cost phones while at the same time admitting to employees that the company is tight on budget -- then what gives?

But there are deeper, more profound issues at stake here. To give some background, consider what the EFF published last month in relation to NLRB (unions):

How does this work? The NLRB protects the right of workers under Section 7 of the National Labor Relations Act to organize and discuss joining unions with their coworkers without retaliation and the board’s General Counsel rightly suggests that surveillance of workers by their bosses can lead to unlawful retaliation, as well as a chilling effect on workplace speech protected by the NLRA.

“It concerns me that employers could use these technologies to interfere with the exercise of Section 7 rights … by significantly impairing or negating employees’ ability to engage in protected activity—and to keep that activity confidential from their employer,” General Counsel Jennifer Abruzzo said in her letter. She added she will urge the board to act to "protect employees from intrusive or abusive electronic monitoring and automated management practices" that interfere with organizing rights.€  The general counsel's memo serves as a marker for future cases considered by the NLRB. Traditionally, the opinion of the NLRB's general counsel has a significant effect on how the board rules on cases it considers. This means that, should workers wish to file a claim with the NLRB along these lines, the board would take this opinion into account.

While worker privacy has been considered within general consumer privacy bills, workplace privacy rights function differently than those in many other contexts. A worker often cannot walk away from a camera pointed at their workstation. And while a consumer may feel they aren’t really “consenting” to data collection when they use a product or service, they generally have the option to go to a competing product. Workers don’t; saying “no” could cost them their livelihood. Therefore workers are set up to potentially lose certain rights during the workday.€ € € 



At the end of the month the EFF revisited this issue:

Since then, EFF has joined with those in the labor community to learn more about surveillance in the workplace and on work devices, and the effect it has on employees. Particularly as regulators start to pay more attention, and legislators include workers’ privacy in general consumer privacy bills, it’s important to understand the ways that the workplace presents unique challenges in this arena.

Bossware has Real Effects on Workers

As white collar remote workers felt bossware breathing down their necks, there was€ more coverage than ever of how employers are monitoring the workforce, and the lasting effects it has on workers' health, safety, livelihood, and collective bargaining rights. Even for remote staff, these stresses affected their mental health and family responsibilities. But it is workers across all fields that have increasingly felt the heat of surveillance, and some of the coverage was propelled by blue collar workers who fought back, from meatpacking facilities to service workers to delivery drivers who experienced increased surveillance as a form of retaliation for wage demands. Neither the ineffectiveness nor the impact on real people calmed employers' desires for increasing means to monitor and control worker behavior, with some even floating a database on worker productivity. Courts and agencies in other countries, like the Netherlands, have been quicker to take on U.S. firms who they allege have violated the human rights of foreign remote workers with demands on their acquiescence to invasive monitoring.



One lingering concern was, those "phones" can be used for spying and we already know the company was spying on workers, as we've demonstrated for nearly 2 months already.

The manager did not bother explaining the decision or how it had been reached; he went completely silent. He was trying to force us to sign something in a rush. Yet again... like in 2019. He also sent us nothing and instead went on a fishing expedition in IRC logs (it seems like nobody gave him a heads-up, as we showed before), only to find nothing but gossip that mentions no names, not even "Sirius". Such stalking by a "thug" isn't acceptable and it's easy to get the impression that it was an act of retaliation in a company where managers are immune or exempted from enforcement (like EPO management). A "phone" would likely become just a tool to "manage" people and there's already years-old track record of bullying by management. A "phone" would be a blunt instrument of coercion by intimidation and humiliation. All the stalking further justifies workers being apprehensive about "mobile" phones at home. In retrospect, we made the right decision when we antagonised/rejected the proposal.

Here is the full correspondence:

Introduction of Company Mobile Phones for the Support Team

Dear All,

This is just to update you that as part of our on-going development and improvement, we will imminently be introducing company mobile telephones for Support Team staff.

Whilst we are also constantly seeking cost savings and efficiency improvements and consequently as you know are looking at significant structural changes in the organisation, we also have significant security obligations for our own compliance and business requirement obligations to our clients.

However, as well as helping with our security compliance we believe this will be a very positive improvement in the ease of use for support telephony. xxxxx will distribute full details and instructions shortly.

Thank you in advance for helping with the smooth introduction of these devices!

Kind regards,

xxxx


9 minutes later another colleague wrote:

Introduction of Company Mobile Phones for Support

Hello Support Team,

With more customers demanding tighter security, the upcoming ISO audit requirements being more strict this coming November, and a general need to ensure you have the right tools for the job, Sirius will now be issuing work mobile phones to Support staff.

This has been under consideration for several years pending the right combination of business, customer, and financial requirements being met for deployment. Whilst the company continues to need to make overall financial savings and to achieve better efficiency, a number of pressing factors have become primary drivers to make this change happen now. (For example, you will be aware of xxxx becoming an increasingly important client of late and the imminent expansion of the support contract with them is key.)

We expect this to be a very positive step for Support Staff and should make a number of key processes more straight forward whilst also enabling key business benefits and security improvements.

Key purposes/benefits of introducing support mobile phones: 1. To enable 2FA and secure authentication for both Sirius and customer environments 2. Separating work and personal devices as a benefit for both work (security) and life-balance (you can turn it off when not on shift) 3. A step towards replacing the legacy Cisco handsets 4. The devices will integrate with the native platform for Google Voice and be a backup/forwarding target for that 5. A backup data connection to work from in case of local internet outage

The company policy on mobile devices and security is currently being updated to reflect this new tool, but please pay particular attention to the following key notes: * The devices will remain the property of the company * The devices must be used solely for work purposes and only by yourself * The devices will be controlled centrally by Sirius, usage will be visible to management * The devices must not leave the UK without prior specific permission from management

You have already agreed to abide by the Sirius IT policy and all usage of the device should be in accordance with this.

Devices will be distributed shortly and will include a Mobile Device Guide to allow a quick set-up. Please read through the Mobile Device Guide asap once available (which will be assigned to you in xxxx) and then agree to the contents and terms, after which your device will be sent out.

Warm regards,


To the first message I responded: "If this is about facilitating MFA, please provide phones with batteries that can be detached/removed in order to ensure the risk introduced isn't greater than the risk lowered."

The response was:

Hi Roy,

What risk are you suggesting we address by opting for mobile phones with a removable battery?

These devices are almost extinct, with only a few options. They also tend to be lower spec'd and poorer performing as you can see here: https://www.androidauthority.com/best-android-phones-removable-battery-697520/

Further to our discussion this morning, I cannot see a reason for us to make this a priority at this point.

Regards, xxxx


I responded to the longer message as follows:

> Hello Support Team,

Hi,

> With more customers demanding tighter security, the upcoming ISO audit > requirements being more strict this coming November, and a general need > to ensure you have the right tools for the job, Sirius will now be > issuing work mobile phones to Support staff. > > This has been under consideration for several years pending the right > combination of business, customer, and financial requirements being met > for deployment. Whilst the company continues to need to make overall > financial savings and to achieve better efficiency, a number of pressing > factors have become primary drivers to make this change happen now. (For > example, you will be aware of xxxx becoming an increasingly > important client of late and the imminent expansion of the support > contract with them is key.)

We still need a wiki page for them. ;-)

> We expect this to be a very positive step for Support Staff and should > make a number of key processes more straight forward whilst also > enabling key business benefits and security improvements. > > Key purposes/benefits of introducing support mobile phones: > 1. To enable 2FA and secure authentication for both Sirius and customer > environments

When I saw the previous message I responded with "If this is about facilitating MFA, please provide phones with batteries that can be detached/removed in order to ensure the risk introduced isn't greater than the risk lowered."

It's understandable that some of these schemes do not support a landline.

> 2. Separating work and personal devices as a benefit for both work > (security) and life-balance (you can turn it off when not on shift)

Not applicable to me as I don't use such a device.

> 3. A step towards replacing the legacy Cisco handsets

The Cisco handsets have worked well for almost a decade. They were always more reliable than Google Voice.

> 4. The devices will integrate with the native platform for Google Voice > and be a backup/forwarding target for that

We already have a dedicated computer for Google Voice. Plus, it has several fallbacks in place.

> 5. A backup data connection to work from in case of local internet outage

I think we still have a USB dongle for this somewhere. A SIM card should be enough to facilitate it. Our connection has generally been reliable for years.

> The company policy on mobile devices and security is currently being > updated to reflect this new tool, but please pay particular attention to > the following key notes: > * The devices will remain the property of the company > * The devices must be used solely for work purposes and only by yourself > * The devices will be controlled centrally by Sirius, usage will be > visible to management

It seems like sole purpose of it will be 2FA. Any simple phone that can do SMS can handle robust 2FA. Anything "apps" can introduce more risks.

> * The devices must not leave the UK without prior specific permission > from management > > You have already agreed to abide by the Sirius IT policy and all usage > of the device should be in accordance with this. > > Devices will be distributed shortly and will include a Mobile Device > Guide to allow a quick set-up. Please read through the Mobile Device > Guide asap once available (which will be assigned to you in xxxx) > and then agree to the contents and terms, after which your device will > be sent out.

If, as stated above, I "already agreed to abide by the Sirius IT policy and all usage of the device should be in accordance with this," then why do I need to sign an additional document? Anyway, I think this needs to be discussed with staff. I wasn't told anything about this until today and it seems like a lot of resources are spent on just an MFA appliance.

Regards.


I tried to speak to them over the telephone, knowing from experience that they would likely not bother replying.

First colleague: Managed to get to him over the phone to discuss the matter.

Second colleague: Tried to avoid talking to me about it over the phone, using obviously fake excuses.

But the point isn't about a "phone" per se. As we'll show over the next few days, the company was failing at the very basics and putting not only its own systems at risks but also clients'.

Recent Techrights' Posts

Bing Has Run Out of Time and Microsoft Might Dismantle It (Save a Financial Miracle)
How much more of investors' money is Microsoft willing to throw in the trash?
Microsoft is Dying in Africa
Based on the Central African Republic, which "is around the same size as France"
Microsoft Needs to be Banned From Contracts, Including Government Contracts, Not Just for Security Failings But for Criminal Negligence, Corruption, and Fatal Cover-ups
How many deaths will it take for Microsoft to face real, effective scrutiny rather than kid gloves treatment?
 
[Meme] Not Your Typical IRC Troll and Harasser
I say, let's punch nazis...
GNU/Linux's Journey in Qatar: From 0.1% to Over 3%
Windows is no longer an important contender there
Secret Contracts and Corpses
The media pretends it's just some generic "IT" issue, but it is not
Statement on Antisemitism in Our IRC Network and in Social Control Media
In an ideal world nobody would have to be banned from IRC
Gemini Links 14/06/2024: Ads vs. Content, Why Aliases Are Har
Links for the day
Vista 11 Has Fallen in Switzerland, a Country That is More Microsoft Friendly Than Most of Europe
GNU/Linux rose to its highest level there in almost half a decade
[Meme] Microsoft in Africa
Are you telling me Windows is now down to 1% 'market share' in some countries?
Management of the European Patent Office Misleads Staff on Views of the Office's Staff Committee
The EPO as a workplace very rapidly deteriorates
[Meme] Newer is Worse
"They say those are New Ways of Working (NWoW); New does not mean better, it is worse"
Links 14/06/2024: Violence, Famines, and Montana Has More Cows Than People
Links for the day
Microsoft Telecom Layoffs, Facebook Layoffs in Africa: A Month After Microsoft's Mass Layoffs in Lagos (Nigeria) Facebook/Meta Does the Same and Microsoft is Now Retreating and Quitting an Entire Sector! (Affirmed Networks and Metaswitch)
Disasters in the making for GAFAM. Money down the drain.
Papua New Guinea: GNU/Linux Growing, Windows Down Below 15%
it seems indisputable there's headway and momentum
"Planets" Cannot Replace Social Control Media, They're Very Much Akin to It (Censorship Hubs, Gatekeepers)
Don't be subjected to gaslighting; make your own OPML file
Topics That Truly Irritate and Consistently Infuriate the Microsofters (Whenever We Cover These)
Censoring uncomfortable information is a difficult activity that has its limits, even in Reddit
Honduras: Vista 11 Down, GNU/Linux Up
Valve sees GNU/Linux as bigger than Apple's MacOS
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, June 13, 2024
IRC logs for Thursday, June 13, 2024
LibrePlanet 2024 and the Lost Video/Audio of Talks
After the event was over someone informed us that due to technical issues they had lost (or failed to acquire) recordings of the talks
Choosing Between Options to Outsource to Evades the Best Solution (Self-Hosting)
Most users don't need this sort of complexity
IBM Layoffs at Kyndryl
This can soon spill over to Red Hat
Turkmenistan: GNU/Linux Leaps Past 5% This Month?
This is how statCounter sees it
Watch This Space
what matters most is not the volume or quantity of publications but their underlying depth and quality
Short Downtimes, Planned Maintenance
Hypervisor maintenance is planned
Links 13/06/2024: Ongoing Sharp Increases in Deaths, Mediterranean Diet Linked to 23% Lower Risk of Death in Women
Links for the day
Gemini Links 13/06/2024: Linuxing of the Dell Laptop and Deep Dive into the World of the OpenEarth Foundation
Links for the day
New Highs for Android in Haiti (Nearly 80%), Microsoft Windows at Only 4%
that's Android at another new high and very close to 80% (it now seems inevitable)
[Meme] How Stefano Maffulli (and Microsoft's Own OSI Insiders) Make Money
Milking what's left of the OSI by attacking its very mission - something that more people now recognise
Mobs Don't Get the Job Done (Mob Leaders Have Lost Credibility/Visibility, Job, or Both)
their demands weren't met
Montenegro: GNU/Linux "Proper" at Over 6%
Windows is down to record lows
Links 13/06/2024: Overpopulation Woes, Best Buy Lays Off More Employees
Links for the day
Nationwide Eventually Did Listen
Miles better than their original nonresponse
The Corruption of Open Source Initiative (OSI), a Front Group of Microsoft and GAFAM, Openwashing Proprietary Things and Even Plagiarism, GPL Violations
Stefano Maffulli (and Microsoft's staff that works with him) basically profits from anti-FOSS
In Malawi, Windows Down to 10%, GNU/Linux Growing
it's not a small country
[Meme] Featuritis
Newer is not always better
"AI" Tech Bubble
How much "hype quotient" does this whole "hey hi" (AI) thing have left in it?
Links 13/06/2024: Science, Politics, and Gemini
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, June 12, 2024
IRC logs for Wednesday, June 12, 2024
Gemini Links 12/06/2024: The Rodent Revolution and Adding Twisty Puzzles
Links for the day
Links 12/06/2024: Ukraine War Updates and Many Patents Being Subjected to Squashing Bounties
Links for the day
Ireland Last to Report Election Results
Daniel Pocock's involvement in Australian politics goes back to his university days
Never Sleeps, Never Slumbers
We're going to try to improve not just in quantity but also in quality
[Meme] The Purpose of Life is to Find a Desk
dogs have desks
EPO Has Gotten So Bad That Workers Need to Ask to be Allocated a Desk (at Work)
Wow!!!! An “allocated workplace”!!
Tux Machines Parties Going Well Do Far
Cross-posted from Tux Machines
In Many Countries, Both Large and Small, Vista 11 is Losing Market Share (Despite New PCs Coming Preloaded With It)
One need not even consider large nations in isolation
By "Going Public" the Raspberry Pi Ensures It'll No Longer Serve the Public
It'll be owned and controlled by whatever people wish to control it
Dave Wreski Also Plays the Bot Game (Chatbot) at LinuxSecurity to Fake 'Articles' About "Linux"
How much longer can they fool search engines (SEO) and readers?
[Meme] Indisputable Success
MICROSOFT buys shares of MICROSOFT
Links 12/06/2024: 'Hey Hi' (AI) Bubble Imploding Already, Danish Media Threatens to Sue OpenAI
Links for the day
Links 11/06/2024: Floods in Germany and Brazil, Political Violence
Links for the day
Gemini Links 12/06/2024: Sketching Plants, OpenBSD Pubnix
Links for the day
"2025 the year of Linux on the Desktop"
Charlie Stross quote
In Bahrain, Historically Low on GNU/Linux Adoption, Things Change for the Better
They have some people who understand Free software
Daniel Pocock Received Twice as Many Votes as Andreas Tille (Debian Project Leader After 2024 Election)
From the media yesterday...
Debian is Built by Hundreds of Volunteers and 524 Irish People Voted for Daniel Pocock
524 in that area went to the polling station to vote Daniel Pocock (Ind)
[Meme] RMS is 'Too Old', Says Company Run by a Person 5 Years His Junior (Ginni Rometty) and 10 Years His Junior (Arvind Krishna)
Never again?
[Meme] Women in Computer Science
Grace Hopper, Ada Lovelace etc.
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, June 11, 2024
IRC logs for Tuesday, June 11, 2024
Togo: GNU/Linux Growing Fast This Year, Now Measured at 6%
Sending Bill Gates with a suitcase to bribe African officials isn't enough anymore
Free Software Projects Need to Chase Away Men Who Attack Women Rather Than The Women Who Complain
A just society holds people accountable rather than covers up such blunders
Improving the Image of Women in Free Software by Hiring and Promoting the Proficient Ones
Million's shaman background isn't the problem, or even the superstitious ghost-chasing. The problem is that she has absolutely no background in Free software.
They Say Cash is King
People who value their freedom will pay with cash any time they can
'Team Microsoft' Wants to Leverage Our Popularity as a Weapon Against Us
In the past 2 days we published 64 articles and served over a million HTTP/S requests