01.30.23

The ISO Delusion: When the Employer Doesn’t Realise That Outsourcing Clients’ Passwords to LastPass After Security Breaches Is a Terrible Idea

Posted in Deception, Free/Libre Software, ISO, Security at 8:20 pm by Dr. Roy Schestowitz

“The ultimate measure of a man is not where he stands in moments of comfort and convenience, but where he stands at times of challenge and controversy.”

Martin Luther King, Jr.

Summary: The mentality or the general mindset at Sirius ‘Open Source’ was not compatible with that of security conscientiousness and it seemed abundantly clear that paper mills (e.g. ISO certification) cannot compensate for that

THIS will be the last daily part before we transition to more irregular or infrequent postings, ending with a grand summary some time late in February. This series will never end entirely as we continue to learn more and more things from its readers (yes, many people have been reading it, including past staff).

Today’s important addition is some hard evidence that Sirius was outsourcing passwords; even the partner of the manager admits issues to that effect, e.g. in “Handover to shift 3 – 18/02/2022” it was noted they had “Sent out Sirius passwords for Monit via LassPass”. In “Handover to shift 1 – 03/08/2021” it was said that “Apparently the problems with my account are down to a corrupted share key. Will need help from an admin to fix this at a time when I don’t need access to Sirius shared folders.”

Why are we sending our own credentials and clients’ credentials to a third party? This party is controversial for many reasons, including its chain of ownership and jurisdiction, setting aside its security breaches.

In “Handover to shift 1 – 27/08/2021” it said: “Got xxxx to remove me from all shared folders so that LastPass support can reset my share key.”

Notice we were also having technical problems; the outsourcing solved nothing and merely created more problems.

In “Handover to shift 3 – 16/08/2022” (just months ago): “Fiddling with my browser settings because Google Voice didn’t ring when xxxxx did a test call.”

Again, outsourcing the telephone system meant more problems. All of us were having these problems, but managers ended up doubling down on their mistake, moving what’s left of Asterisk (that actually worked!) to what kept failing and failing and failing. Such insane policy-making, detached from any fact- or evidence-based analysis, dooms companies. I raised concerns about this internally more times than I can recall. I received support from colleagues when I complained. They felt the same way, but with criticism not welcomed by managers who make mistakes it proved to be an exercise in futility. An arrogant management is management that’s unable to listen and correct mistakes, with recklessness and stinginess that will inevitably cost the company existing and potential clients (they cannot get through to us on the phone!).

If you notice those patterns in your workplace, consider leaving. I didn’t want to leave an employer where I had worked for so long, but it seemed clear time was running out and the company was sinking/drowning while deflecting the blame*.

As a bit of quick background, Sirius wasn’t always this bad. In the last few weeks or months that I spent in the company (especially the last 2 weeks) I witnessed all sorts of very worrying things; lately, for instance, due to budget or understaffing issues, some qualified and well-equipped staff was passed over (not asked to cover slots) and instead the CEO covered shifts which he could not really do. He lacks access credentials, skills, and tools. In effect, clients were given the wrong impression someone qualified monitored their systems. They’d be wrong to assume this. We basically lied to them. Again.

It is important to stress that qualified staff was available instead (my wife was available), but one can speculate that the CEO, who had moved from Bristol to London, couldn’t keep up with living expenses/costs (his own company’s account has only loose change) and needed extra cash and thus let himself reach out to the Sirius cookie jar. That’s just a hunch. We’re guessing. There’s very little in the public record (hiding past employment, previous education etc.), but as we showed in December he registered his own company at some accountancy’s address and there’s almost no money in the bank account. Should he cover jobs/slots he is unable to cover? The so-called ‘founder’ did the same at least once. Handovers started coming from high-level management. Those people didn’t even have login credentials for clients’ machines!

It was time to leave Sirius. I had planned this for a long time; it wasn’t about money but about morals. Money is a separate issue; if I had worked there since 1998, would I receive the salary of 25 years ago? Would I want to be associated with such a company 25 years down the line? It’s not the same company at all!

In 2022 the company was going under due to the loss of its largest client; the company was not lying about its financial situation but rather made it seem less gloomy than it really was (same to the clients, to assure and reassure them, just so that they’re confident we wouldn’t go under midway or halfway through the contract).

As we noted here before, there was a severe “dogfooding” deficit; the company spoke about “Open Source” while refusing to use it internally. It actively replaced Free/Open Source software that had been working just fine for over a decade. Instead of being a good example for the workers and the clients, the company went out of its way to cheat and mislead. And instead of familiarising workers with the products the company claims to support, the company moved staff away from such products. If you are in control of your own stack, then you have to learn how to maintain it. In turn, you can help others do the same. We’re sending mixed messages to clients if we’re outsourcing everything.

The sad thing is that looking back we don’t miss anything except a few colleagues. The management destroyed its own credibility in one day. A humiliating letter with photos of my wife and I (yes, he’s stalking), random clippings from public IRC logs, and even a photo of a koala bear have nothing to do with the company’s operations.

As noted at the start, this series isn’t ending or hibernating; it’ll carry on, albeit at a slower pace.
____
* To give one memorable example of blame-shifting, less than a year ago I received a ‘rebuttal’ to my informal report which said: “So someone from xxxx LLC called, but not authorised for out of hours support. We need to receive clearer instructions if calls we receive on that account are not from xxxx clients.” I put ‘rebuttal’ in scare quotes because it did nothing to refute what I had said. A manager wrote: “I just wanted to correct a couple of points from Roy’s previous handover below. 1. Unfortunately, the highlighted call in the xxxxx section was incorrectly triaged. We can see from the audit log that this call came through on the US Reception telephone line and not on the xxxx support line. This was highly likely to have been a sales enquiry rather than a support call but insufficient information was gathered for us to be certain.” So whose fault was it? Then there was this lie: “As far as I’m aware, there has been nothing but positive feedback about these notes so far but do please let me know if anybody else has any concerns at all or if there is anything we could do to improve them. The overwhelming majority of you have handled xxxxx calls excellently and I’m very grateful for your work on this. I am also always happy to offer any additional support that may be needed with our processes and policy.” Actually, it was abundantly clear from what colleagues said (sometimes publicly) that they too had issues and many uncertainties. The problem was coordination at the top, as well as terrible tooling provided to staff by clueless managers.

01.25.23

The ISO Delusion: When the Employer Doesn’t Understand the Company’s Value Proposition (Building Systems) and Rejects Security

Posted in Deception, Free/Libre Software, ISO, Servers at 9:39 pm by Dr. Roy Schestowitz

Probably the final week of this series

Summary: Sirius ‘Open Source’ has failed to sell what it was actually good at; instead it hired unqualified people and outsourced almost everything

THIS is the part of this series where we focus on examples of Sirius failing on technical merits and compliance/conformance. Eventually we decided to show redacted E-mails on ISO along with my copied messages to management regarding bollocking and how it all started, me asking for an apology etc. Being accredited or recognised isn’t the same as being capable and potent. As I mentioned in the very first post in this series, when I joined the company it was different beyond recognition. The company had its own hosting (in its own premises). In 2022 we were suffering habitual outages as we didn’t control our systems anymore (Slack and AWS downtimes were common; in prior years clients that relied on Clownflare also suffered outages due to Clownflare rather than their own hosting). To make matters worse, there were security breaches and the company ignored them. I kept bringing that to management’s attention, only to be ignored or rebuffed. Remember that this hoax of Citation/Atlas was covered in Techrights years ago. Sirius does not teach its staff real security and does not hire people who understand or value security.

The company had a bizarre trajectory of moving from self-hosted (e.g. Asterisk), then outsourced (but still Free software, ‘managed’ Asterisk), then outsourced proprietary spyware like Google Voice. If “Open Source has won” and if Free software is becoming more widely used, then why is Sirius going in the exact opposite direction of what it was advocating? This is a management decision. It’s not the fault of technical staff — the staff which all along opposed this.

Notice the practice of password outsourcing. Here’s a direct quote sent in a request to me personally: “Put the WordPress credentials (admin user, etc) in a lastpass note and share it with xxxxx (securely, within lastpass) and we’ll be setting up a very temporary and basic portal to share info across the team, to help keep everyone better updated given how Absolutely Mentally Busy it is right now. It’s entirely for internal use when on the VPN.”

It’s another example of mishandling access credentials inside third parties (Slack, LastPass etc.), oftentimes not just rejecting “Open Source” but actively ripping apart Open Source things that work, replacing them with technically inferior and likely illegal (in some cases, due to data protection) proprietary stuff.

The management did even worse than this; it failed to do very basic things, such as sending payslips and sometimes paying the pension provider. Instead they made colourful excuses, so I decided to take photographs of letters from the pension provider, recalling those blunders and deciding that it’s worth discussing belatedly (and maybe adding E-mails also; there were loads of E-mails about payslips, not just pensions, spanning different years from 2018 until the present day; there were phone calls too, but those aren’t recorded).

The management was also bad at communication and correspondence. See the example below (2019):

Subject: Re: I need these tickets dealt with by support
Date: Thu, 3 Oct 2019 11:15:56 +0100
From: Rianne Schestowitz xxxxxxx
To: xxxxxxx
CC: xxxxxxx

Hi xxxxxxx,

I responded to this email last weekend. Please check your inbox. If you
haven’t received it, I can send it again.

Many thanks,

Rianne


Rianne Schestowitz, NOC Extension 2834423
Sirius – stress free technology

http://www.siriusopensource.com

t: xxxxxxx

> Hi,
>
> I need these tickets dealt with by support.
>
> 1. Ticket#108642: Roy or xxxxxxx need to answer about security.
> 2. Ticket#108813: Replied with more questions. Can’t reproduce the
> error so far. Back with Support, awaiting feedback.
> 3. (Multiple) Tickets relating to masking – Code fix done, Release done
> and in live. Check with each client once data reimported. Support
> team can do this. xxxxxxx have already confirmed it works.
>
> 1. Ticket#108833: Already fixed, just needs a fresh xxxxxxx import.
> 2. Ticket#108769: The masking fix is done, we just need to schedule a
> reload.
>
>
>
> xxxxxxx xxxxxxx
> Sirius – stress free technology
> http://www.siriusopensource.com
> Tel: xxxxxxx

This was the year bullying against staff started, not too long after Gates Foundation money had landed under an NDA and something called Sirius Open Source Inc. was quietly formed in the state of Washington (where Microsoft and Gates are).

We spent nearly a month explaining what I had already written internally before resigning; we remembered to publish the entire PDF at the end (crossposted in my personal site too) as it is important to emphasise that I raised most of these concerns for years inside the company. Inaction and retaliation led to what became of it, spilling the beans out in public. I never did anything even remotely like this with any of my past employers.

ISO Certification Hardly Tackles Any of the Real Issues

Posted in Deception, ISO at 1:28 am by Dr. Roy Schestowitz

Video download link | md5sum 826d1eaa331010c952d7b97f3736f836
ISO Certification Did Nothing
Creative Commons Attribution-No Derivative Works 4.0

Summary: The real-world threats faced by private companies or non-profit organisations aren’t covered by the ISO certification mill; today we publish the last post on this topic before proceeding to some practical examples

WORKING for a company that publicly and openly boasts 2 ISO certifications means that expectations (or perception) can be compared to reality. At Sirius ‘Open Source’, where I had worked since 2011, I saw all sorts of poor security practices, even in more recent years when ISO certifications were bragged about to existing/potential clients.

There is no point trying to deflect the attention to the accuser. At the moment the company is too broke for workers to sue (and eventually truly win in a monetary sense); it’s also too broke for its clients to sue. Winning in court against an insolvent company would be a Pyrrhic victory. What matters here is the truth. It can hopefully caution others.

We still have quite a bit left to cover. We’re going to cite practical examples of stuff being done to the detriment of privacy and security of staff, not to mention clients. Free software is a pragmatic choice, but when managers use proprietary software they do not ‘get’ that.

01.24.23

[Meme] Medical Data Sovereignty

Posted in Bill Gates, ISO, Microsoft at 9:42 pm by Dr. Roy Schestowitz

Your NHS Data: managed by a company in exile in the United States

Summary: What happens when your medical records/data are accessible to a company based abroad after a mysterious NDA with the Gates Foundation? The International Organization for Standardization (ISO) does not mind.

The ISO Delusion: Sirius Open Wash Ltd. and Medical Data/Projects at Risk/Peril

Posted in Deception, Free/Libre Software, ISO, Security at 9:27 pm by Dr. Roy Schestowitz

The International Organization for Standardization (ISO) certification process means almost nothing. It’s just a glorified brand. Deep inside many people and organisations know it.

Dilbert on ISO 9000 Certification in 1996 (there are also 21 for ISO 9001)

Summary: Sirius ‘Open Source’ was good at gloating about “ISO” as in ISO certification (see our ISO wiki to understand what ISO truly is; ISO certification needs to be more widely condemned and exposed) while signing all sorts of dodgy deals and lying to clients (some, like the Gates Foundation, were never mentioned because of a mysterious NDA); security and privacy were systematically neglected and some qualified as criminal negligence (with fines/penalties likely an applicable liability if caught/reported)

THE past few days were spent explaining ISO certification in relation to Sirius. The next few days will be spent giving an example or a sub-set of examples of how Sirius handled sensitive data. It probably hasn’t improved at all since I left last month.

For some essential background, Sirius Open Source Inc. (not SIRIUS CORPORATION LIMITED) was grabbing Gates Foundation money back in 2019 — all this while registering in the US for this “first US client”, letting Windows users who adore surveillance get involved in decision-making while outsourcing more and more of what’s left of the company to dubious companies with NSA connections.

The problem here is that Sirius had British clients with their clients’ data on the systems. Some was medical data. What does the law say about access from another country and why was Google (American company) getting/drowning in legal hot waters for involvement in the NHS?

What’s more, it’s not clear if ISO 9001 certification allows personal computers at home, purchased and maintained by staff along with many other uses and applications, to be used as work machines (deemed “Secure”? Really???). Remember that, as we noted repeatedly in the past, the managers never bothered supplying the staff with anything; the company does not even provide a chair and a desk, as already explained at length here (mostly back in December). Did that pass muster at ISO’s cash register (ISO just wants the money)?

Well, maybe in the ISO forms the company can pretend that those computers were supplied by the company to staff when in fact the staff receives almost nothing from the company except a very old phone (Cisco-branded, Ethernet only; maybe 2 decades old).

While I’m not going to report this as a former insider, I do wish to explain what’s at stake here, at least as a cautionary tale. ISO doesn’t care; it has no quality control of its own; its workers are like corporate staff and they might not even care anyway; they got the money, and that’s what’s important to ISO. Many questions remain, e.g. which actual shell was the certification for? Do they realise they deal with a hydra or a polymorphous entity here (some of its shells are based in another continent, without actual boundaries within the company)? Even the pension schemes seem to be struggling to keep track and they need to be lectured on how the company splits and then illegally compels staff to sign papers without legal advice (nor proper understanding), as we noted here before. It was covered a lot roughly one week ago.

And sure, many lessons are to be learned outside the company, too. If regulators could find E-mails, they would not struggle to see incriminating stuff (we plan to add examples to the wiki), including NHS medical data “oopsies” (admission on the record, too), even for people who do not consent to data sharing. ISO probably doesn’t care. As we said several times already, ISO only cares about money. With ‘anonymisation’ not working, accidents aside, there’s a big scandal brewing under the surface, but then again the privatisation of the NHS would likely misplace the blame. The media has several examples of known incidents and it’s a very big deal because the NHS has been pushing towards it, moreover offering to send some of this data abroad.

To be clear, NHS was not a client, except indirectly (contractors). But if someone wishes to find some major scandal/blunder, we welcome further investigation, i.e. people can do what ISO ‘cannot’ do because it would discredit ISO.

“There are 2 problems to track,” an associate noted, “one is the scam of the ISO 9000 certification. The other is the destruction of ISO as an organisation by Microsoft.”

The Inside(r) Story of ISO ‘Certification’ Mills

Posted in Deception, Free/Libre Software, ISO at 12:22 am by Dr. Roy Schestowitz

Video download link | md5sum cc29a588d814b375a666bda5d567b58f
What Sirius Teaches Us About ISO
Creative Commons Attribution-No Derivative Works 4.0

Summary: Based on my experiences inside Sirius ‘Open Source’ — as I was there for nearly 12 years — I finally tell what I’ve witnessed about ISO certification processes (see ISO wiki for prior experiences)

Sirius ‘Open Source’ taught me a whole bunch of things; some were valuable technical skills, but many were negative experiences that I can finally explain out in the open, expressing in words various ideas that I formed (or formulated) years ago.

The above video concerns ISO and it is relatively long because it covers two parts instead of just one, starting with background and proceeding to real-life examples in the form of redacted E-mails.

The conclusion I reached years ago is that ISO is somewhat of a scam. It creates a barrier that mostly protects monopoly and it makes a lot of money by giving worthless papers, essentially turning managerial ‘religion’ into a fat cash cow. If more people understood the business model of ISO, maybe there would be no ISO anymore.

01.23.23

[Meme] ISO Selling ‘Reputation’ to Small Businesses (for a Large Fee)

Posted in Deception, ISO, Standard at 9:24 pm by Dr. Roy Schestowitz

Receives ISO's blessings, serves clients' passwords and private keys on a silver platter to crackers

Summary: As we’re hoping to demonstrate throughout the week, ISO certification is, in practice, worse than worthless (just a waste of small businesses’ resources, much like patents); call it the ‘ISO tax’, an artificial barrier to entry that boils down to money

[Meme] ISO Certification for Paying for Certificates on Time

Posted in Deception, ISO at 9:19 pm by Dr. Roy Schestowitz

Achievement unlocked

CERTIFICATE OF ACHIEVEMENT: Sirius paying us on time

Summary: ISO is a phony authority; it makes business by issuing mostly worthless paperwork that wastes people’s time and accomplishes nothing (except making ISO in rich Switzerland even richer)
