Bonum Certa Men Certa

Sirius Open SORES: There's a Lot More to Security and Privacy Than Namedropping (e.g. 'ISO' and 'GDPR')

Sirius certificate

Summary: In Sirius ‘Open Source’, neither Open Source nor security got taken seriously enough. Siriusly! And one cannot point this out to managers as this infuriates them (it harms a false perception they've long cultivated).

TODAY we turn our attention to bad security practices, including poor privacy and unbridled outsourcing of Sirius. There will be numerous parts about these aspects and we'll provide some examples in the future when dealing with proprietary software, introduced by the company itself while tearing down its very own Free software-based infrastructure (which had been put there when the company still had geeks in the office; heck, the company used to have an actual office!).



Suffice to say, patching is part of the work, including patching one's own machine. Anything else would be irrational (like blasting people over "commuting" time) because security starts in one's own domain. And yet, I was being told off by the company's founder for patching my PCs while I was on shift despite the fact that there are several such machines (if one encounters an error, then one can rely on another machine) and this is about actual security.

It took me a while to find E-mail regarding this, as it dates back nearly 4 years. My redacted response below:

I have just caught up with E-mail (resting and other things since 9am). Sorry for the delay in responding.

Roy,

I have read your shift’s handover notes where I find this from you:

"Quiet shift, so I took the time to update my whole system. Something broke nagstamon for me, briefly, but I managed to fix it. In the meantime I used the Nagios/Icinga Web interface.”


I use 3 laptops in parallel to do my job, so this was one in three and Nagios remains accessible regardless. nagstamon is an alternative to it (sound alerts) and I wanted to bring it up to date for security reasons. As I do often, to avoid breaches.

This is *absolutely unacceptable*.


If I cannot observe systems that are monitored and supported, it's not "unacceptable". It's still very much necessary. But still, looking back, there are many serious (Sirius) issues that were shared in the report below (more to come in the next parts).




Acronyms Lingo



Speaking of "GDPR" or "ISO" without even grasping the meaning behind laws and regulations is "cheap talk". Without comprehension of the issues, this boils down to 'name-dropping' (like "GDPR" or "ISO"). Currently, the company would gladly take technical advice from people who openly admit they don't care about privacy. So instead Sirius falls back onto formalities and processes rather than any real grasp of the underlying issues. Sirius track record will be demonstrable based on recommendations from past clients; with or from at least two clients we might only get an alarming reminder that their systems suffered a security breach while we supported them. The clients' names are, as usual, omitted here, but this is very well documented. There may have been more security incidents that were hidden or concealed both from clients and from Sirius staff. Considering the atmosphere of secrecy and hostility towards inquisitive staff, it seems likely more incidents occurred but weren't reported at all (or reported very selectively).

Speaking of formalities and processes rather than actual substance, the company Sirius was pursing ISO certification only amid some issues with NHS and its highly sensitive medical data -- including several incidents staff witnessed where people's (patients') privacy was accidentally compromised, either by Sirius or by the client (personally identifiable data divulged). To make matters worse, many times data was not being shredded like it was supposed to and the client complained. If better leadership was in place, this would not have happened, jeopardising the credibility of staff.

Account Management Practices and Data Sovereignty



With quite a lot of clients, and several can be vividly recalled, Sirius failed to remove access credentials (or accounts) for staff that had already left Sirius. 'Low level' staff cannot access systems at a level of user management, so this was demonstrably a 'high level' failure. Sometimes clients complained about such gross incompetence (if clients could even figure out who still works for Sirius; remember that Sirius misled them, as shall be noted again later) and potential security breach by former and possibly disgruntled Sirius staff, but nobody (as far as we know) was being held accountable. The aforementioned sections noted that accountability only ever works in this hypocritical and vertically-inconsistent fashion. Double standards became the new company standard, enshrined covertly but not formally. Managers never offered the courtesy of taking full responsibility. Too much pride to acknowledge mistake and lapses.

As the above shows, there are endemic problems caused by mismanagement or a lack of charismatic-yet-humble leadership (maladministration), maybe even a lack of staff that possesses ample experience managing a team of more than one person. These are very essential skills which mandate suitable recruitment. It may not be cheap, but it is vital.

Sirius has user credentials scattered all over the place, not all in OpenLDAP as done in the past (when more competent people managed the company's infrastructure). This will, inevitably, result in epic blunders. That keeps happening. Again and again. In fact, user credentials management at Sirius has been partly outsourced to third parties -- a taboo subject. No more GOsa, go USA (most data and authentication sent across the Atlantic).

The motivations seem petty, e.g. sharing accounts to save money despite clear security requirements that exist to explicitly not do this. Is ISO being treated as merely a box-ticking exercise, not followed up by any potent audits? If so, are we entitled to brag about some ISO compliance? Any time Roy attempted to bring up the subject the management became paranoid and threatening. This sort of resistance to ethical and moral objection would be strongly discouraged in companies capable of self-appraisal.

A colleague once mentioned in an E-mail that some colleagues may have needed to share an account with another person, all in the name of saving money. This kept happening for years despite such ISO requirements supposedly being fully in force. Account sharing was sometimes imperative, as individual accounts did not exist. In other words, all colleagues use the same username for some tasks; sometimes this was only belatedly addressed, partially and virtually post hoc.

Password management in the company has long been a painful affair. From non-secure connections to a lack of VPN for access to passwords the company moved to outsourcing. This was a case of "bad optics", pragmatic issues aside. Sirius could self-host similar software that was Free and Open Source software, but the company had a mindset of outsourcing almost everything to proprietary offerings from another country. As noted separately, Roy raised alarm over this several times, noting or pointing out actual data breaches of a very large scale, but no action was subsequently taken. The assurances were empty and arguably arrogant -- a refusal to listen to vigilant security experts who extensively covered those issues for decades. Asking a company itself whether it suffered a security breach and what the severity truly is like asking an American president what happened in the Oval Room.

Recent Techrights' Posts

Red Hat QA Team "Had Shrunk by Half Over the Past Year." (After IBM Divestment)
If Red Hat's workforce is being moved to the East, then RHEL can become a national security problem
 
Gemini Links 04/09/2025: Digital Minimalism and Social Control Media
Links for the day
IBM's GNU/Linux Divestment, Based on Hard But Anecdotal Evidence (IBM Fails to Recognise How Much Money It Made and Can Still Make From "Linux")
Love us or hate us, a lot of what we've been saying about Red Hat under IBM turns out to be rather accurate
Links 04/09/2025: Massive Microsoft Staff Cuts (Barely Reported), "Strange Conspiracy Theory Is Reportedly Spreading Inside OpenAI"
Links for the day
Activists Can Win, But Keep an Eye on the Ball and on the Trophy
GitHub is dying, it was a loss-making trap, not free hosting
Gemini Links 04/09/2025: Katrina Remembered, Distracted Driving, and Virtual Economics
Links for the day
At This Point It's No Longer Matthew Garrett But People Who Fund Matthew Garrett (or Companies That Fund His SLAPPs Against My Wife and I)
The only thing worse than misogynists are misogynists who fail to respect other people's right to go on holiday
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, September 03, 2025
IRC logs for Wednesday, September 03, 2025
The UEFI 9/11 - Part VI - This Serious Harm Was Planned for Over a Decade, Not an Accident or Merely Some Misfortune
The term "Serious Harm" is legally meaningful here
GNOME Unfit for Diversity and Inclusion
GNOME's leadership is using "bad words"
Brodie Robertson Addressing the Recently-Discovered Comments
Most people probably knew nothing about this until he wrote a response
Slopwatch: "Open Source" and "Linux" News Faked, Made by Bots and Entered Into Google News
Spam combined with slop about "Linux" has entered Google News
Links 03/09/2025: Microsoft Causes Mass Layoffs Outside Microsoft Also, "Google Can Keep Paying for Firefox Search Deal"
Links for the day
Gemini Links 03/09/2025: calendar.txt, Alhena 5.3.1, and ROOPHLOCH
Links for the day
The Theory That the Man From McKinsey, Whom Red Hat Took From Microsoft a Month Ago as Executive, Wants 'Efficiency' (Lower Salaries)
So far... no "official" word
When Your Site's Articles Are Being 'Cheapened' by Slop as Feature Images
Dr. Farnell should become an advisor to The Register MS
Certificate Authority Let's Encrypt Drops to Only Half a Dozen Capsules and 0.2% of the Whole in Geminispace, Self-Signed is the Way to Go
It used to have hundreds, according to Lupa
Doing to Red Hat What They Already Did (and Still Do) to IBM
there seems to be a drive to hire cheaper staff, and it may be led by somebody Red Hat hired from Microsoft
Links 03/09/2025: Salesforce's Latest Mass Layoffs, 93% in Large Poll at The Register MS Say UK Government Should Dump Microsoft
Links for the day
Preparations for Our 19th Anniversary Have Already Begun
When we get back we'll probably sort out some balloons and venue for the next party
Pleased After 2 Years With team.blue
Moving from a Content Management System (CMS, dynamic) to a Static Site Generator (SSG) was a wise decision that made life so much easier
The Free Software Foundation (FSF) is Being Attacked by Organisations Jealous of Its Principled Stance and Longevity
Nobody is perfect, but imperfection does not instantaneously imply sinister intent
If You Reject the Google Verdict in the US, Then You Should Also Reject the "Modern" Web (Do Something About It)
Gemini Protocol is still open; it cannot be hijacked or subverted because it's frozen by design and by intention
Open Source Initiative IRS Filing: Almost All the Money is Corporate, Stefano Maffuli (Executive Director) Takes About a Quarter of That Money for Openwashing of "AI" Ponzi Scheme
OSI is currently little but a PR/marketing agency of Microsoft
Many People Are "Leaving" Red Hat, Even High-Level Managers
Something is definitely going on at Red Hat
Techrights Has Been Subjected to Calls of Violence (and Death Threats), It Never Condoned Violence
I have no sympathy for people who call violence "free speech" and then get in trouble
Condoning Violent Behaviour and "Free Speech"
perhaps Microsoft Lunduke lost touch with what constitutes violence
Takeaway From the Google Verdict: GAFAM Has Too Much Control (Even Over the US Government and Courts With Government Appointees)
Many people feel disappointed but hardly surprised by the verdict
The Free Software Foundation (FSF) Turns 40 in One Month
As noted a few days ago, several times in fact, many people now recognise the importance of the FSF's mission, even if most people don't know what the FSF is
Many Microsoft "Assets" Are Fabricated Baloney (to Game the Numbers)
At times it seems like what we deal with are many weak patents (on algorithms), valuations or speculations based on hype ("hey hi"), and stocks held by Microsoft and its own staff
"Voluntary" Layoffs at Microsoft (to Game the Numbers, Sugar-Coating a Crisis)
"Employees interested have until the end of October to volunteer."
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, September 02, 2025
IRC logs for Tuesday, September 02, 2025
Links 02/09/2025: Oligarch Tech and Text Encoding Concerns in Ada
Links for the day
"Internal Changes at Red Hat / IBM"
It seems like quite a few people are leaving
Confirmed in French Media: Mass Layoffs (10% Culled) in Microsoft France
Now some reports in French
"People on LinkedIn Saying That They've Left Red Hat."
We already saw signs of it a month ago and named some of the people
Gone With the BRICs (or BRICS): "Linux 8" in Cuba
GAFAM must be worried
Telecompaper Reports Microsoft to Reduce the Workforce by Another 10% (in France)
Imagine what this will do to staff's morale
Microsoft in Freefall in Finland
Can Finland eradicate Windows from all its infrastructure, including core operations that are sensitive to sabotage by cracking?
Google's Chrome Passes 70% and Web Standards Are Dying
The Web is quickly becoming devoid of any standards
India is Back to Windows 8 (Market Share Down to 8%) as Android Soars to a New Record High
For Microsoft, India is a runaway market
Slopwatch: Plagiarism and Ponzi Scheme, Bubble About to Burst Entirely, Admits Goldman Sachs
the hype that Google News and The Register MS actively participate and profit from
Links 02/09/2025: SCO Summit and Russia Suspected Of Jamming GPS
Links for the day
Gemini Links 02/09/2025: Mediterranean Marriage and Staying Connected at 35,000 Feet
Links for the day
The Register MS Says "AI Web Crawlers Are Destroying Websites", So Why Does The Register MS Help 'AI' Companies? (Spoiler: Money)
People need to call out The Register MS on its hypocrisy
Slopfarms Already Peaked, They Will Die When Slop Companies Run Out of Money to Borrow
slopfarms will lack an actual "engine"
Links 02/09/2025: Attacks on Unions, Microsoft TCO, and DDoSing a Growing Problem
Links for the day
Why We Publish Information About the SLAPPs (But Not About the Legal Process), an Abuse of Process by Americans Trying to Silence Critics of Their Employer, Microsoft
It doesn't take thousands of pages to explain something simple
Internet Relay Chat Didn't Fall Off a Cliff
IRC will turn 40 in less than 3 years from now
The UEFI 9/11 - Part V - This is Not a Drill (Disable "SecureBoot" Now)
A "9/11" Coming
There's No Obligation to Speak to Anybody
The very fact that "bkuhn" is till spending time in social control media says a lot about his poor judgment
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Monday, September 01, 2025
IRC logs for Monday, September 01, 2025
Microsoft Trying to Force People to Resign (Amid Mass Layoffs) a Strategy That Takes Its Toll
Microsoft seems to be circling down the drain and the "final flush" will be the moment the "hey hi" (AI) bubble implodes completely
Google Simply Cannot Be Trusted
Only fools would trust GAFAM
Admission That a Third Party (or Parties) Funds the SLAPPs Against Techrights
This can end up costing them over a million dollars
Modifying and Writing One's Own Computer Programs is Not a Crime (or: Google Proves That Stallman Was Right)
We're generally gratified to see so many positive mentions of him
Why We Stopped Publishing Videos (for Now)
We'll probably get back to videos one day, but it's hard to say when or to what extent
What Animal Rights Activism Teaches Us About Sympathy and Focus
It's possible to believe that the planet is warming, that we must do something about it, and still eat eggs and butter