Bonum Certa Men Certa

Sirius Open SORES: There's a Lot More to Security and Privacy Than Namedropping (e.g. 'ISO' and 'GDPR')

Sirius certificate

Summary: In Sirius ‘Open Source’, neither Open Source nor security got taken seriously enough. Siriusly! And one cannot point this out to managers as this infuriates them (it harms a false perception they've long cultivated).

TODAY we turn our attention to bad security practices, including poor privacy and unbridled outsourcing of Sirius. There will be numerous parts about these aspects and we'll provide some examples in the future when dealing with proprietary software, introduced by the company itself while tearing down its very own Free software-based infrastructure (which had been put there when the company still had geeks in the office; heck, the company used to have an actual office!).



Suffice to say, patching is part of the work, including patching one's own machine. Anything else would be irrational (like blasting people over "commuting" time) because security starts in one's own domain. And yet, I was being told off by the company's founder for patching my PCs while I was on shift despite the fact that there are several such machines (if one encounters an error, then one can rely on another machine) and this is about actual security.

It took me a while to find E-mail regarding this, as it dates back nearly 4 years. My redacted response below:

I have just caught up with E-mail (resting and other things since 9am). Sorry for the delay in responding.

Roy,

I have read your shift’s handover notes where I find this from you:

"Quiet shift, so I took the time to update my whole system. Something broke nagstamon for me, briefly, but I managed to fix it. In the meantime I used the Nagios/Icinga Web interface.”


I use 3 laptops in parallel to do my job, so this was one in three and Nagios remains accessible regardless. nagstamon is an alternative to it (sound alerts) and I wanted to bring it up to date for security reasons. As I do often, to avoid breaches.

This is *absolutely unacceptable*.


If I cannot observe systems that are monitored and supported, it's not "unacceptable". It's still very much necessary. But still, looking back, there are many serious (Sirius) issues that were shared in the report below (more to come in the next parts).




Acronyms Lingo



Speaking of "GDPR" or "ISO" without even grasping the meaning behind laws and regulations is "cheap talk". Without comprehension of the issues, this boils down to 'name-dropping' (like "GDPR" or "ISO"). Currently, the company would gladly take technical advice from people who openly admit they don't care about privacy. So instead Sirius falls back onto formalities and processes rather than any real grasp of the underlying issues. Sirius track record will be demonstrable based on recommendations from past clients; with or from at least two clients we might only get an alarming reminder that their systems suffered a security breach while we supported them. The clients' names are, as usual, omitted here, but this is very well documented. There may have been more security incidents that were hidden or concealed both from clients and from Sirius staff. Considering the atmosphere of secrecy and hostility towards inquisitive staff, it seems likely more incidents occurred but weren't reported at all (or reported very selectively).

Speaking of formalities and processes rather than actual substance, the company Sirius was pursing ISO certification only amid some issues with NHS and its highly sensitive medical data -- including several incidents staff witnessed where people's (patients') privacy was accidentally compromised, either by Sirius or by the client (personally identifiable data divulged). To make matters worse, many times data was not being shredded like it was supposed to and the client complained. If better leadership was in place, this would not have happened, jeopardising the credibility of staff.

Account Management Practices and Data Sovereignty



With quite a lot of clients, and several can be vividly recalled, Sirius failed to remove access credentials (or accounts) for staff that had already left Sirius. 'Low level' staff cannot access systems at a level of user management, so this was demonstrably a 'high level' failure. Sometimes clients complained about such gross incompetence (if clients could even figure out who still works for Sirius; remember that Sirius misled them, as shall be noted again later) and potential security breach by former and possibly disgruntled Sirius staff, but nobody (as far as we know) was being held accountable. The aforementioned sections noted that accountability only ever works in this hypocritical and vertically-inconsistent fashion. Double standards became the new company standard, enshrined covertly but not formally. Managers never offered the courtesy of taking full responsibility. Too much pride to acknowledge mistake and lapses.

As the above shows, there are endemic problems caused by mismanagement or a lack of charismatic-yet-humble leadership (maladministration), maybe even a lack of staff that possesses ample experience managing a team of more than one person. These are very essential skills which mandate suitable recruitment. It may not be cheap, but it is vital.

Sirius has user credentials scattered all over the place, not all in OpenLDAP as done in the past (when more competent people managed the company's infrastructure). This will, inevitably, result in epic blunders. That keeps happening. Again and again. In fact, user credentials management at Sirius has been partly outsourced to third parties -- a taboo subject. No more GOsa, go USA (most data and authentication sent across the Atlantic).

The motivations seem petty, e.g. sharing accounts to save money despite clear security requirements that exist to explicitly not do this. Is ISO being treated as merely a box-ticking exercise, not followed up by any potent audits? If so, are we entitled to brag about some ISO compliance? Any time Roy attempted to bring up the subject the management became paranoid and threatening. This sort of resistance to ethical and moral objection would be strongly discouraged in companies capable of self-appraisal.

A colleague once mentioned in an E-mail that some colleagues may have needed to share an account with another person, all in the name of saving money. This kept happening for years despite such ISO requirements supposedly being fully in force. Account sharing was sometimes imperative, as individual accounts did not exist. In other words, all colleagues use the same username for some tasks; sometimes this was only belatedly addressed, partially and virtually post hoc.

Password management in the company has long been a painful affair. From non-secure connections to a lack of VPN for access to passwords the company moved to outsourcing. This was a case of "bad optics", pragmatic issues aside. Sirius could self-host similar software that was Free and Open Source software, but the company had a mindset of outsourcing almost everything to proprietary offerings from another country. As noted separately, Roy raised alarm over this several times, noting or pointing out actual data breaches of a very large scale, but no action was subsequently taken. The assurances were empty and arguably arrogant -- a refusal to listen to vigilant security experts who extensively covered those issues for decades. Asking a company itself whether it suffered a security breach and what the severity truly is like asking an American president what happened in the Oval Room.

Recent Techrights' Posts

Jamie Zawinski Complained About Wayland, Then Decided to Give It a Go, Now Complains Again About Wayland
Ask IBM (Red Hat) why it's worth throwing so much away just for Wayland fanaticism
Russia Set to Ban Facebook?
If WhatsApp is made to "leave", that means Facebook or "Meta".
Taking Stock of a Good and Productive Week
We shall now be taking a break, unpacking the new hard drive (8 TB), and making backups of everything
Ageism in Tech
Your protocol is "old"...
 
Links 20/07/2025: Fending Off BRICS and US Government Attacks Its Own Media (Like China and Russia)
Links for the day
Framed by social control media: Alex Belfield, Voice of Reason
Reprinted with permission from Daniel Pocock
Gemini Links 20/07/2025: Summertime and OCC25 Wrap-up
Links for the day
Slopwatch: Planet Ubuntu, LinuxSecurity, and More
former "Linux" blogs which basically became slopfarms
Links 20/07/2025: More GAFAM Lawsuits, Layoffs, and SLAPPs
Links for the day
Nice Recovery (From Actual Fire) by PCLinuxOS, New Version of PCLinuxOS Released, Now Top of DistoWatch
PCLinuxOS is a community-driven distro
More Microsoft Shutdowns That Mostly Slipped Under the Radar
Remember what happened to books 'sold' by Microsoft?
Microsoft Lunduke Still Fighting Cancel Culture With... Cancel Culture
There will be no "winners" in such 'debates'
The History of Daily Links and Politics
"I support Wayland, but I also support abortion..."
Microsoft is at 0% "Market Share" in Most Areas
Depending on the taxonomy chosen, there may be dozens of categories other than desktops and laptops
"The moment MSFT stock fails to start tumbling, that’s the beginning of another corporate giant going under."
There are far more layoffs at Microsoft than at Intel, but you would not get this impression based on Wall Street media
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Saturday, July 19, 2025
IRC logs for Saturday, July 19, 2025
Gemini Links 19/07/2025: Git For Authors and Filtered Antenna
Links for the day
UEFI 'Secure' Boot Abuses by Microsoft to be Brought Up in the UK High Court in 3 Months
we'll seek compensation
Next Year It'll Be Half a Decade Since the Fall of Freenode (and IRC is Still Doing OK)
Our IRC network is still accessible using the exact same software that ran in Windows 3.x
Lupa Will Soon Know of 3,100+ Active Gemini Capsules
And some people in the "Small Web" try to tell us that Gemini is dying?
The Slopfarms Are Taking Real News Articles and Replacing Them With Lies Generated by Machines
Bluntly speaking, Fagioli is nothing short of an online scammer
Links 19/07/2025: Techtarget to Cull 10% of Staff, New Threats to Free Press in the US (Home of Dangerous and Violent Stranglers From Microsoft)
Links for the day
Gemini Links 19/07/2025: "Climate Justice” and Forking Programs
Links for the day
What Wayland and Microsoft/IBM systemd Have in Common
focus on what IBM (Red Hat) is pushing while running over critics.
Linux Already Has About 60% of the "Market"
"When mentioning the client side," opines an associate, "it is essential to recite the list of other markets where Microsoft is negligible or a no-show. It is repetitive to do so, but it needs saying -- often."
In Norway, Android/Linux Has Just Hit All-Time High (First Time Since 2020), GNU/Linux Already Very Prevalent
Despite its small population size, Norway gave us Qt and many other things
Finland (and NATO) Must Move to GNU/Linux and Dump Microsoft Even Faster
"Microsoft is not a technology problem, it is a staffing problem."
Microsoft's Mass Layoffs Very Wide-Ranging, Media Focused on Gaming Though Microsoft Mass-Firing Lawyers and "AI" Staff (Contradicting Its Supposed "Investment" in "AI")
Microsoft plans to fire almost half a thousand people in legal roles
2012 Article About the Free Software Foundation Blasting Canonical/Ubuntu Over Adoption of "Secure" Boot (Microsoft's Remote Control Over GNU/Linux Since PCs' Power-on)
By Katherine Noyes (article has since then became 404, not found)
The Microsofters We Sued Helped Microsoft Make GNU/Linux 'Expire' This Year
"Linux and Secure Boot certificate expiration"
linuxconfig.org Joins linuxtechlab.com and Others, Becomes a Slopfarm With Fake Linux 'Articles' (LLM Slop)
They contain "linux" in their domain names, but they are just slopfarms
Links 19/07/2025: Microsoft Cuts in China and Wall Street Journal Sued for Reporting on Jeffrey Epstein
Links for the day
Debian Can Dump Blind Users Because I am Not Blind
the sort of mentality we're up against
Fascistic Policies Got 'Normalised' in 'Public Office'. Let's Not Let the Same Happen in 'Tech'.
Political discourse typically guides what's "normal" and what "good citizens" should believe/feel
The European Patent Office Cannot Attract Proficient Patent Examiners Who Master Their Domain
They are enablers and facilitators of corruption
Yes, Your Mastodon Instance Will Also Shut Down
Few people run a one-person instance in the Fediverse
The Demise of GAFAM Necessitates Greater and Broader Awareness
Morale at Microsoft is really bad
Free Software Foundation Reaches 75% of Funding Goal
Not bad for this "Fosschild"
Slopwatch: 7 New Examples of Fake 'Linux' Slop Pieces (Plagiarism With Misinformation)
Serial Sloppers need to be shunned
Links 19/07/2025: Kapo-berg Settles, Software Patents Challenged
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, July 18, 2025
IRC logs for Friday, July 18, 2025
Links 18/07/2025: Peace With PKK and Connie Francis Dies
Links for the day
Gemini Links 18/07/2025: Alhena 5.1.8 and Bornhack 2025
Links for the day
How to Top Up a "Limited Liability" With Even More Limitations (Dodging Accountability in the UK)
Some people call it a "shell game". Sometimes it's done for tax evasion purposes.
Free Software Foundation, Inc. (FSF) Inches Towards 75% of Fund-Raising Target
Will the cutoff date be extended again?
Gemini Space (or Geminispace) Grows, But Usage of Certificate Authority Let's Encrypt Drops Further
Ideally, all Gemini capsules should use self-signed certificates
Links 18/07/2025: More Microsoft Layoffs in Activision, The New Stack (Sponsored by Microsoft) Complains About Openwashing
Links for the day
Gemini Links 18/07/2025: OCC25 Gnus for Reading Usenet and RSS Feeds, Small Web Updates
Links for the day
[Meme] 9AM Meeting at Brett Wilson LLP
Brett Wilson LLP in space
Listing as Staff People Who Left the Company More Than Six Years Earlier
There are apparently no laws against that
Brian Fagioli Shovels Up LLM Slop (Plagiarism) Onto Slashdot, Then Uses Slashdot for Affirmation or as Badge of Honour
Notice how some of his latest slop is presented ("as featured on Slashdot")
Social Control Media Productivity
Snapping photos of the bone
The Law Firm SLAPPing Us For the Microsofters Lost 72% of Its Tangible Assets in the Past Year, According to Its Own Reports
That might help explain why they're willing to tolerate serial stranglers from Microsoft as clients
Slopwatch: LinuxSecurity.com Slopfarm and Slopfarms Propped Up by Google News
"As LLM slop is foisted onto the WWW in place of knowledge and real content, it now gets ingested and processed by other LLMs, creating a sort of ouroboros of crap."
Links 18/07/2025: Weather Events and Health Hazards
Links for the day
Microsoft's All-Time Low in Finland
Microsoft is in a freefall
Security: Shane Wegner & Debian statement of incompetence
Reprinted with permission from Daniel Pocock
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, July 17, 2025
IRC logs for Thursday, July 17, 2025