Bonum Certa Men Certa
Links 10/12/2022: KDE Development Report and More Gemini Browsers Coming | [Meme] Superheros Don't Need No Stinkin' Updates

Sirius Open SORES: There's a Lot More to Security and Privacy Than Namedropping (e.g. 'ISO' and 'GDPR')

Sirius certificate

Summary: In Sirius ‘Open Source’, neither Open Source nor security got taken seriously enough. Siriusly! And one cannot point this out to managers as this infuriates them (it harms a false perception they've long cultivated).

TODAY we turn our attention to bad security practices, including poor privacy and unbridled outsourcing of Sirius. There will be numerous parts about these aspects and we'll provide some examples in the future when dealing with proprietary software, introduced by the company itself while tearing down its very own Free software-based infrastructure (which had been put there when the company still had geeks in the office; heck, the company used to have an actual office!).



Suffice to say, patching is part of the work, including patching one's own machine. Anything else would be irrational (like blasting people over "commuting" time) because security starts in one's own domain. And yet, I was being told off by the company's founder for patching my PCs while I was on shift despite the fact that there are several such machines (if one encounters an error, then one can rely on another machine) and this is about actual security.

It took me a while to find E-mail regarding this, as it dates back nearly 4 years. My redacted response below:

I have just caught up with E-mail (resting and other things since 9am). Sorry for the delay in responding.

Roy,

I have read your shift’s handover notes where I find this from you:

"Quiet shift, so I took the time to update my whole system. Something broke nagstamon for me, briefly, but I managed to fix it. In the meantime I used the Nagios/Icinga Web interface.”


I use 3 laptops in parallel to do my job, so this was one in three and Nagios remains accessible regardless. nagstamon is an alternative to it (sound alerts) and I wanted to bring it up to date for security reasons. As I do often, to avoid breaches.

This is *absolutely unacceptable*.


If I cannot observe systems that are monitored and supported, it's not "unacceptable". It's still very much necessary. But still, looking back, there are many serious (Sirius) issues that were shared in the report below (more to come in the next parts).



Acronyms Lingo



Speaking of "GDPR" or "ISO" without even grasping the meaning behind laws and regulations is "cheap talk". Without comprehension of the issues, this boils down to 'name-dropping' (like "GDPR" or "ISO"). Currently, the company would gladly take technical advice from people who openly admit they don't care about privacy. So instead Sirius falls back onto formalities and processes rather than any real grasp of the underlying issues. Sirius track record will be demonstrable based on recommendations from past clients; with or from at least two clients we might only get an alarming reminder that their systems suffered a security breach while we supported them. The clients' names are, as usual, omitted here, but this is very well documented. There may have been more security incidents that were hidden or concealed both from clients and from Sirius staff. Considering the atmosphere of secrecy and hostility towards inquisitive staff, it seems likely more incidents occurred but weren't reported at all (or reported very selectively).

Speaking of formalities and processes rather than actual substance, the company Sirius was pursing ISO certification only amid some issues with NHS and its highly sensitive medical data -- including several incidents staff witnessed where people's (patients') privacy was accidentally compromised, either by Sirius or by the client (personally identifiable data divulged). To make matters worse, many times data was not being shredded like it was supposed to and the client complained. If better leadership was in place, this would not have happened, jeopardising the credibility of staff.

Account Management Practices and Data Sovereignty



With quite a lot of clients, and several can be vividly recalled, Sirius failed to remove access credentials (or accounts) for staff that had already left Sirius. 'Low level' staff cannot access systems at a level of user management, so this was demonstrably a 'high level' failure. Sometimes clients complained about such gross incompetence (if clients could even figure out who still works for Sirius; remember that Sirius misled them, as shall be noted again later) and potential security breach by former and possibly disgruntled Sirius staff, but nobody (as far as we know) was being held accountable. The aforementioned sections noted that accountability only ever works in this hypocritical and vertically-inconsistent fashion. Double standards became the new company standard, enshrined covertly but not formally. Managers never offered the courtesy of taking full responsibility. Too much pride to acknowledge mistake and lapses.

As the above shows, there are endemic problems caused by mismanagement or a lack of charismatic-yet-humble leadership (maladministration), maybe even a lack of staff that possesses ample experience managing a team of more than one person. These are very essential skills which mandate suitable recruitment. It may not be cheap, but it is vital.

Sirius has user credentials scattered all over the place, not all in OpenLDAP as done in the past (when more competent people managed the company's infrastructure). This will, inevitably, result in epic blunders. That keeps happening. Again and again. In fact, user credentials management at Sirius has been partly outsourced to third parties -- a taboo subject. No more GOsa, go USA (most data and authentication sent across the Atlantic).

The motivations seem petty, e.g. sharing accounts to save money despite clear security requirements that exist to explicitly not do this. Is ISO being treated as merely a box-ticking exercise, not followed up by any potent audits? If so, are we entitled to brag about some ISO compliance? Any time Roy attempted to bring up the subject the management became paranoid and threatening. This sort of resistance to ethical and moral objection would be strongly discouraged in companies capable of self-appraisal.

A colleague once mentioned in an E-mail that some colleagues may have needed to share an account with another person, all in the name of saving money. This kept happening for years despite such ISO requirements supposedly being fully in force. Account sharing was sometimes imperative, as individual accounts did not exist. In other words, all colleagues use the same username for some tasks; sometimes this was only belatedly addressed, partially and virtually post hoc.

Password management in the company has long been a painful affair. From non-secure connections to a lack of VPN for access to passwords the company moved to outsourcing. This was a case of "bad optics", pragmatic issues aside. Sirius could self-host similar software that was Free and Open Source software, but the company had a mindset of outsourcing almost everything to proprietary offerings from another country. As noted separately, Roy raised alarm over this several times, noting or pointing out actual data breaches of a very large scale, but no action was subsequently taken. The assurances were empty and arguably arrogant -- a refusal to listen to vigilant security experts who extensively covered those issues for decades. Asking a company itself whether it suffered a security breach and what the severity truly is like asking an American president what happened in the Oval Room.
Links 10/12/2022: KDE Development Report and More Gemini Browsers Coming | [Meme] Superheros Don't Need No Stinkin' Updates

Recent Techrights' Posts

IBM: We Can't Make 'AI' (Voice Recognition) Do the Work of a McDonald's Teenager, So Let's Try the Same on Saudi Planes
IBM is lost. It's truly lost.
The General Public License (GPL) Inspired the Web's Original Openness/Freedom, According to Tim Berners-Lee
"During the preceding year I had been trying to get CERN to release the intellectual property rights to the Web code under the General Public License (GPL) so that others could use it."
The Real Problem With Rust is Not "Wokeness" (It Never Was)
Don't feed the trolls who attack "Rust People" on political grounds
 
Why?
Why write articles?
Microsoft-Connected Publisher Spinning XBox's Death Spiral (It's Dying Fast) as a Strength and Something Deliberate
"Microsoft’s big gaming pivot"
Slop is Rare by Now
A year ago slop was so abundant that we did a whole series about it, and it was daily
Links 21/12/2025: U.S. Strikes in Syria, "Epstein Files Photos Disappear From Government Website"
Links for the day
Gemini Links 21/12/2025: Labrador Retriever of Lagrange's Developer Dies From Cancer, Political Philosophy, and "Getting to Inbox Zero"
Links for the day
Microsoft is Becoming Irrelevant: The Case of Georgia
Not Georgia Tech
Sirius Open Source is Now Imminently Dead (Struck Off)
compulsory strike-off
Dr. Richard Stallman, Invited by LibreTech Collective, is Giving a Public Talk in Georgia Tech Next Month (Scheller College of Business)
They can probably squeeze about 400 people into this room
25 Years of Activism for GNU/Linux
My passion for GNU/Linux brought a lot of contentment
Africa, Where Microsoft Used De Facto Slaves to Pretend to be "AI", Chatbots Usage is 0.2% of Measured Online Traffic
Judging by recent trends in Africa, many "Windows PCs" are being converted into GNU/Linux computers
New Drone Footage Shows IBM is Dead (Parts of It)
The people who participated in IBM when IBM actually mattered probably have boasting rights, unlike people who work for IBM today
Michael Larabel Adds Slop Category to Phoronix, Quickly Realises That It's Worthless
Phoronix nowadays gets carried away; it made a new category to talk about slop and it decided to call it "intelligence" with some caricature of a brain (that's misleading)Phoronix nowadays gets carried away; it made a new category to talk about slop and it decided to call it "intelligence" with some caricature of a brain (that's misleading)
After 35 Years the World Wide Web, HTML, and HTTP Are Proprietary
HTTP/2 added a lot of complexity (it's just a Google protocol, based on SPDY originally), many image formats are proprietary and patented, HTML got 'replaced' by Java-Scripts [sic], and many URLs (the URL system was created in the early 90s) are just long strings for proprietary 'webapps'
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Saturday, December 20, 2025
IRC logs for Saturday, December 20, 2025
The Register MS Has Lowered Its Standards Considerably
Incidentally, we've only just noticed that "US editor for The Register since July 2025" has not been active for 4 weeks already
Scamfarms, Spamfarms, and Slopfarms in "Linux" Clothing
Today, Linux searches in Google News produced no slop at all. That's an improvement.
Did Bill Gates Lobby to Blur the Face of the Young Woman He Openly Braces (and Who Isn't His Wife)?
"This photo of of Microsoft co-founder Bill Gates with a woman whose face is blurred out is just one of 68 more photos and documents released today."
Links 20/12/2025: Microsoft Ruins Televisions, 'Epstein Files' Deeply Sanitised (to Protect Particular Culprits)
Links for the day
Gemini Links 20/12/2025: Merry Christmas 2025 and Running a Factorio Headless Server on FreeBSD with the Linuxulato
Links for the day
With 10 Days Left, the Free Software Foundation (FSF) Has Already Raised Close to $300,000 This Winter
they're besieged by despicable corporations and very despicable people
2025 in Numbers
What was very good about this year is that we truly got "into the rhythm" of publishing
More Microsoft Layoffs Coming Soon
When I spoke about Microsoft layoffs (routinely) I got very viciously attacked by Microsoft boosters
My Humble Assessment of the Future of Red Hat, A Company That IBM is Flushing Down the Loo
GNU/Linux will be OK without Red Hat, but shaping the future of it matters because we don't want companies like Valve (DRM) to set the agenda
Probably the Least Useful Gadgets, Ever
as if a "smart" thing worn on the wrist is the "new Rolex"
Former Manager at IBM Research (Yorktown) Says Why IBM is Doomed and the Anonymous Tipline (Speak Up) is a Trap
IBM isn't willing to change or to address internal issues
Links 20/12/2025: Fentanylware Becomes CheeTok and "Why Roomba Died"
Links for the day
Linux Foundation: Richard Stallman Developed Only a Software Licence
We already criticised this report several times last night
Impulsive Writing, Quotas, and Keeping Things as Concise as Feasible
A 10-word sentence being read by a million people can have the same impact or magnitude (exposure-wise) as a million-word book being read by just 10 people
Gemini Links 20/12/2025: Christmas Songs, Storms, and Old Web
Links for the day
Coming to Grips With a Lack of Future at IBM
Red Hat's future doesn't look bright under the auspices as they seem right now
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, December 19, 2025
IRC logs for Friday, December 19, 2025
Links 20/12/2025: Media Layoffs, a Third of Online Traffic is Bots
Links for the day
Barbados: Significant Gains for GNU/Linux
over 5% if one counts ChromeOS as well
Very Shallow LLM Slop for IBM Disguised as Journalism About a "Plan to Train 5 Million Learners in India by 2030" (Unverified Figures With Very Distant Future Date/Year)
The Web has become somewhat of a laughing stock
'Linux' Foundation: The Foundation Has Almost Nothing to Do With Linux, It Just Misuses the Name "Linux"
Only a tiny portion of the Foundation's budget actually goes to Linux
Austria vs GAFAM
another win against GAFAM
Microsoft Has Purchased Another Linux Foundation Seat
From the latest (new) report
No Electronics, No Clocks, No Phones
We're meant to think that more gadgets will make life easier
Gemini Links 19/12/2025: Great Website Rebuild of 2025 and Running OpenBSD in a Hostile Environment
Links for the day
Google News Helps Slopfarms (What's Left of Them)
Lately we've noticed that nothing in the RSS feeds we follow is burping out slop
Links 19/12/2025: Privacy International's Reports and Russian Assets in EU
Links for the day
Today, The Register MS is Parroting Marketing Spam for Ponzi Scheme ("AI") in Exchange for Money
The Register MS should be held accountable when the bubble pops
Red Hat Senior Engineering Manager Leaves (or Gets Pushed Out by IBM) After Nearly 20 Years at the Company
The recent massive wave of IBM layoffs impacted Red Hat and so will the next (impending, Q1) wave
Why We Got Told by Insiders That Almost Everyone at EPO Reads Techrights and Many at IBM Track IBM RAs Via Techrights
In a nutshell, we cover topics almost no other site dares touch
IBM Research Shutting Down Labs, Lots of Workers Laid Off (Even Days Before Christmas in Devout Catholic Country)
Heartless, soulless company
Links 19/12/2025: Windows TCO in NHS, "Locked Out of Apple Account Due to Gift Card"
Links for the day
Nearly Three Months Have Passed Since EPO Cocainegate and the EPO's Management Still Refuses to Talk About It
But it's clearly aware of it
Richard Stallman Explains Why Software Patents Are Really Bad and Very Much Unnecessary
"The relationship between patents and products varies between the fields"
The Copycats of the FSF Have Serious Problems
If you care about Software Freedom, then support the real thing
Once Again, Just in Time for Christmas, UEFI and Its Boot System Turn Out to be a Giant Bug Door (Also a Microsoft Remote Kill Switch)
This industry - even academia - has been deeply compromised
In Activism and Journalism, If You're Ineffective They Ignore You, When You Become Effective They Stalk and Harass You, Failing That They Threaten You
"the Wikileaks effect"
Google Has Begun Linking to commandlinux.com in Google News, But It Seems to be a Slopfarm
This is not innovation, it's sloppiness, laziness, and a modern form of plagiarism
Microsoft Reportedly Tries to Cause Top-Level Managers to Resign If they Don't Participate in the Ponzi Scheme
Apparently even executives who don't play along are given marching orders
Microsoft, Over 120 Billion Dollars in Debt, Prepares Next Round of Mass Layoffs (After Christmas)
Microsoft is not managing to pay back its debt
Links 19/12/2025: Scam Altman Humiliates Self in Public, Climate Alarm Sounded, Egyptian Economist Convicted Over "Social Control Media Posts Critical of the Government"
Links for the day
You Can Get Work Done With Lean Software
obviously!
"The War on Privacy" is Real
"He Built a Privacy Tool. Now He’s Going to Prison."
The Cost of Being Influential
The "tech world" and its monopoly enforcer (patent system) are sleepwalking into autocracy
More Shutdowns and Layoffs at IBM
if someone covers correct but suppressed information, then people will make an effort to find it
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, December 18, 2025
IRC logs for Thursday, December 18, 2025
EPO Violates Laws to Profit More From Invalid Patents, Then Cuts the Budget Allocated to Staff
taking away what was already promised to staff
Only a Few Examples of LLM Slop Found, Mostly via Google News
Is it fair to say that sites learned LLM slop does not offer any real value?