Bonum Certa Men Certa

The ISO Delusion: How Sirius Picked Collaboration/Communication Tools That Harm Staff, Harm the Company, and Harm Its Clients

International Organization for Standardization (ISO) brag



Summary: Sirius 'Open Source' has long misused "ISO" to do all sorts of dubious things, including cover-up and frustration of staff; the time has come to explain what happened and maybe eventually report the matter to ISO itself

THOSE who have followed this series carefully enough know that pretty much all the communication tools of Sirius 'Open Source' had been outsourced to proprietary vendors (voice, text etc.) without bothering to ask staff, which complained only after the fact. Too late. It's a decree, not a proposal. Instead of self-hosting Asterisk and relying on Jabber (among other things) the company was sending its workflow to Google, Zoom, Slack (Salesforce) and even Skype (Microsoft) while publicly floating ISO logos.



Over the coming week or so we'll show this ugly façade of a company that still uses the term "Open Source" -- a thing that it is rejecting internally. It's not about doing what clients require; this is about what the company chooses for itself, as it's headed by managers who neither use nor support Open Source. It's a façade.

"It's not about doing what clients require; this is about what the company chooses for itself, as it's headed by managers who neither use nor support Open Source."The Office Manager will be a recurring theme here, as she was part of this façade. What is an Office Manager anyway when the company does not have an actual office? David Graeber's thesis would classify it as a 'bullshit job' [1, 2], probably the "box tickers" kind. To quote Wikipedia, we deal here with "box tickers, who create the appearance that something useful is being done when it is not, e.g., survey administrators, in-house magazine journalists, corporate compliance officers, quality service managers..."

As noted here right from the start (a day after resignation), the company was hardly compliant with anything sensible, including security and ethics. Last year I was asked to study logs for some anti-abortion group (without telling me where those logs had come from). What next? Would I be getting assigned jobs like checking logs for Oath Keepers or Proud Boys, seeing that anti-abortion groups were starting paying for "services" last year? (Off the record)

Anyway, yesterday this good article mentioned LastPass, another company that the stubborn new management decided to hand over to not only our own passwords but clients' too (even private keys!!!), insisting that according to LastPass the LastPass breach wasn't a big deal. Sirius did not even bother resetting passwords after I had repeatedly urged for this to be done (and, as a possible bonus, to dump LastPass altogether). In yesterday's article the author says: "I’d like to talk about some of my experiences with this topic, as well as recent events in the security community."

"Before I describe my experience," he says, "I need to set the stage. My LastPass fun took place around the same time as the infamous Bugcrowd incident with JSBN."

Watch how LastPass handled things: "My first step in esclating was security.txt. No dice. There was no clear security officer or contact information that I could discern from my social network either, so I chose the path of last resort: I contacted their support team."

"Hiring friends and relatives instead of qualified people leads to disaster."So it's more or less like Sirius. No wonder a client said the company was "incompetent". The client said this to a highly incompetent 'manager' who was never supposed to be there in the first place: No clue about technology or about management, just some associate from a former organisation in which a Sirius 'founder' had spent a few years. Hiring friends and relatives instead of qualified people leads to disaster.

Very basic security practices were often disregarded and staff was ignored in spite of technical background. It was like talking to the wall.

At first we had Asterisk internally; then someone decided it would be better to use some outside firm as a supplier and pay the fees. That was still a lot better than a move to a defective "service" and then purchase "phones" that are a security threat, in the hope (likely false hope) that it would 'fix' the issue. We'll come to that another day.

The management kept covering up for repeated failure/s, blaming the staff (victims) instead, never the decision-makers who introduced a faulty/defective alternative but are too vain to admit it, take the blame, and finally undo.

"The management kept covering up for repeated failure/s, blaming the staff (victims) instead, never the decision-makers who introduced a faulty/defective alternative but are too vain to admit it, take the blame, and finally undo."The company's obscene disregard for security would not end there. We've already covered cognition reports being stored on personal machines, then uploaded to AWS (not the client's servers). There was no longer any security protocol in place; no file server for them or for us (GDPR would be screaming!), set aside the fact that the company is no longer "open source" and is basically lying about it. It's more like bragging about ISO while gaslighting people who actually value security.

Not only did the company ignore the warnings from me, it didn't even change passwords, alter providers, or self-host an actual "Open Source" alternative. It kept saying it would (or merely consider this), but those were lies. As we mentioned here before, this wasn't a matter of practicality of cost-savings either; Sirius was getting huge bills for "clown computing" (idle almost all the time but the bills kept growing and growing). Any suggestion of self-hosting, i.e. like before, was dismissed as "hobbyist" by the CEO. So what is to be sold as a service by Sirius? Outsourcing? Well, the company's latest incarnation in LinkedIn does say that.

Tomorrow we'll show some examples of misuse of the company's pretences (ISO, GDPR etc.) for cover-up, censorship etc.

In the meantime, however, consider this E-mail from July 2019 (when the company was setting up a shell in the US, covertly, when signing an NDA with the Gates Foundation):

xxxx wrote on 17/07/2019 17:20: > Hello Roy, > > As you are aware we’re currently going through the process of > implementing ISO 27001 (information security management system). It's > been brought to our attention that you using xxxxx Slack is > unacceptable due to the security of password sharing amongst yourselves. > > During your meeting at the training workshop - I had asked for you to > reconsider as this is a company requirement. > > Moving forward and with the advice from the ISO company this is now > something which needs to be completed by the end of your shift this > evening. Slack is an essential communication tool used by everyone > within the company. > > Would you please confirm the receipt of this email and a reply to this > request.

Hi,

Currently, all our sensitive communications end up on the server of a large corporation in another country, where this data can get sold. It included NHS stuff. This too is a problem as we need to be Open Source not only in name and I've been waiting for xxxxx to set up Matrix or similar for me to join. It has been months and I think it's essential for our company to demonstrate it takes security seriously. I can set up an Open Source alternative myself if that helps.

Regards,


Of course I only received more threats for this, rather than be listened to. Of course "information security" and Slack are incompatible concepts. As we shall revisit shortly, let's just say Slack suffered yet another data breach shortly thereafter, vindicating me. Did the management listen? Did it react? Of course not.

After some more threats I was compelled to give up, at least temporarily:

xxxx wrote: > Hello Roy, > > As I have expressed in my previous email and in all communication that > Slack is an essential communication tool used by everyone within the > company at the moment. We all should be there. > > This is a direct management requirement and instruction and it needs to > be implemented immediately.

I have just created the Slack account.

It would still be useful to know the timeline for moving to an Open Source alternatives. Slack has no business model other than spying at the moment, as media repeatedly points out.

Regards,


Regarding "I've been waiting for xxxxx to set up Matrix or similar for me to join," I was receiving false promises from the CEO, naming two people who would set up a Free software alternative like Riot/Mattermost. One of them left the company (as I had previously warned the manager) and another never implemented the change. Sirius management was just lying all along.

"Now, after so many years, Sirius is another disgrace or a black eye to ISO."We'll revisit Slack another day and we shall deal with each of these blunders in turn. ISO is a joke if it grants certification to companies which behave in this way, set aside how superficial the requirements are. 15 years ago Microsoft bribed a lot of firms and organisations to rig ISO; and ISO, in turn, was OK with it. Now, after so many years, Sirius is another disgrace or a black eye to ISO. No wonder clients suffered security breaches. They weren't even informed of how poorly Sirius had handled/managed security.

Recent Techrights' Posts

The Future of the World Wide Web is Just 'Webapps' in Chrome, Not Web Pages in One's Browser of Choice
The monoculture gets worse, not better
EPO Corruption is a Real Threat to the European Union (EU). The EPO Helps Russia. If It Does Not Reform or Reboot, It Can Contribute to the Collapse of the EU and UPC (Which Was Never Legal or Even Constitutional, It's a Captured Kangaroo Court Controlled by the Patent Litigation Industry).
second-largest institution in Europe
Linux is Becoming Non-free Software and the So-called 'Linux' Foundation Likes It That Way (It's Fronting for Companies That Violate the GPL, the Licence of Linux)
What's happening here is, they rip off people using their "stolen" (GPL-violating) product
Red Hat: Thank You, Microsoft. Here's Your Paid-for Puff Pieces From Our Media Partner!
Sort of like "money laundering" (or funnelling of bribes) for bribed "journalists"
 
"Journalism in Twitter" is a Paradox
"I am writing an article" is not the same as "I am writing a set of tweets" (usually random thoughts and unverified assertions, citing other unverified assertions)
Playing Social Control Media 'Games' Instead of Writing Articles
someone will need to run two sites. One is "In Support of Richard Stallman", which is run by oneself, and other is "Stallman Support".
The Patent Litigation 'Industry' Controls the European Patent Office (Vendor Capture) and Everyone Suffers, Even the European Union
Today we relay an EPO publications dated just 4 days ago (this past Tuesday)
No, Mr. "Journalist", You Might be Corrupt (But Denying It to Yourself and to Others to Pacify Your Consciousness)
"Journalists" like the label because it makes the job sound like an honourable profession and they're presumed objective
Stop Glorifying Murderers, They Aren't Helping Anybody
Murder isn't the solution. Murder is a problem.
Europe's "Manhattan Project" Should be Abandoning Microsoft, Moving Everything to Free (Libre) Software
At the moment, Microsoft draws much of its budget from taxpayers
Gemini Links 14/12/2024: Minor Thing About git and jujutsu
Links for the day
Links 14/12/2024: Adobe's Shares Collapse, Apple Publishes Fake News With LLMs
Links for the day
Links 14/12/2024: ChatGPT Down, Microsofter Bracing for Layoffs
Links for the day
Gemini Links 13/12/2024: Firing at Work, jujutsu, and Gemini Mode
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, December 13, 2024
IRC logs for Friday, December 13, 2024
Links 13/12/2024: British Journalism Awards and Censorship by Copyright Misuse
Links for the day
Gemini Links 13/12/2024: "Virtue Signaling", Gopher, HTML and the 90s Web Aesthetic
Links for the day
Links 13/12/2024: Military Buildup Around Taiwan, More Health Problems Associated With Social Control Media Illuminated
Links for the day
Maybe - and Hopefully - More News Sites Will Go "Static" (More New Material Published But Established Pages Served Directly From the File System)
Keeping things simple and light is important for the sake of scaling
[Meme] Vendor Capture for 'Civility's Sake'
"I CoCed him already"
[Teaser] The EPO is Still Calling Monopolies "Products"
Coming soon
Anonymity for Sources
At the moment we can learn about stories in person or in encrypted voice chat
What Topics We Prioritise
On fishing for topics to cover
Why We Cover the Topics That We've Long Focused on (by Choice)
We'll continue to cover suppressed issues because such issues are usually obstructed
[Meme] The Reasonable Man
"The reasonable man adapts himself to the world"
Oligarch-Owned Media Twists the Narrative and Demands More Surveillance
Corruption is the real issue here
Windows Falls to Single-Digit "Market Share" in Benin
Windows has fallen even further
[Meme] Doing Online Activism in Social Control Media
Dictators have always loved lists
Gemini Links 13/12/2024: Creative Moods, Berkeley DB, and More
Links for the day
Microsoft Windows Falls to New All-Time Low in Guatemala (Less Than a Quarter)
When it comes to operating systems, we don't think we've mentioned it before
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, December 12, 2024
IRC logs for Thursday, December 12, 2024
[Meme] Leave My /home Alone
A new version of Systemd
There's a New Version of Lagrange (Gemini Reader) and Its Developer is Making an IDE/Editor
I share or reciprocate almost anything I can through Gemini Protocol
International Troll Alert by Helen Plews
Helen Plews from Cybershow has this new article
Nick's Job at OSI: Promote Microsoft, Promote Proprietary Software
This is what Microsoft pays him to do
[Meme] Award-Winning Back-stabbing Opportunists
part of the rebel alliance
The FSF (Free Software Foundation, Inc.) Can Reach Its Funding Goal of $400,000. This Bothers the Imposters and Foes of the FSF.
Software Freedom is something we must perpetually fight for
Azerbaijan Rejects Microsoft
Azerbaijan seems to have very little interest in Microsoft
Linux Foundation Pays for LLM Slop (Puff Pieces Made by Bots) About the Linux Foundation
The so-called Linux Foundation is responsible for the production of spam and slop
[Meme] You Just Grab Him by the CoC
Sponsors of Python Software Foundation... "You don't like Python's corporate sponsor?"
Explaining What Deb Nicholson Does to the Python Software Foundation
Of course the OSI, which Nicholson also occupied, still helps Microsoft attack copyleft
IBM Said to Be Firing People Days Before Christmas
IBM is entering taboo territories
Microsoft Falls to Just 11% in Ivory Coast
Microsoft tried hard to catch up in mobile
General Consultative Committee (GCC) Meeting at the European Patent Office (EPO) Shows Existing Problems
the "real problems" and why "digitalisation" doesn't solve them
Links 12/12/2024: Shell Settles With Greenpeace, DOJ Whistleblower Pilot Program
Links for the day
Gemini Links 12/12/2024: AuraGem TV and Advent of Code 2024
Links for the day
Fake "Linux" News, Produced by Microsoft Chatbots in 'Brittany Day' or "LinuxSecurity" Clothing
She's back at it
Microsoft OSI Promoting GitHub, Which is Proprietary and a Massive GPL Violator
OSI works for Microsoft, speaks for Microsoft, promotes proprietary software
Links 12/12/2024: Another 'Self-driving' Cars Dead End, Infowars Sale Blocked by Court
Links for the day
Links 12/12/2024: "Hey Hi" Hype Debunked, ActivityPub and Gemini Software on Same Server
Links for the day
Google Has Only Solidified Its Search Monopoly in Africa Since Microsoft's Chatbot/LLM Hype Started
Africa is basically a "Failed Market" to Microsoft
[Teaser] EPO is Running Out of Brains
EPO has been in the business of offering fake patents
South Korea Has Its Own Alternative to IBM's Proprietary RHEL
Owing to the Open Enterprise Linux Association (OpenELA)
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, December 11, 2024
IRC logs for Wednesday, December 11, 2024