Summary: The company that I left this month is breaching several regulations and failing to follow the law; to make matters worse, pointing this out from within the company is impermissible and may very well instigate witch-hunts

THE HOLIDAYS are not over, but we’re still in a relatively quiet period of the year. People are resting. Nevertheless, we’re receiving additional information, which we plan to cover next month. As we shall show, under the guise of “manners” and the veneer of “professional” self-appointed enforcers are lying to people and lying about people. It is highly manipulative and it pits Sirius ‘Open Source’ in conflict with human rights, not just labour regulations and ethical codes.

Shown below is a portion of a month-old report (predating my resignation). It highlights the fact that the company where I worked for since early 2011 had gradually become more and more hostile towards its workers — to the point of false accusations and pathological lying.

Adherence to the Rule of Law and Human Rights

From what can be gathered thus far, the company is shooting from the hip, walking in the dark without any legal guidance. From what’s witnessed and what lawyers have made an assessment of, legal protocols are disregarded or simple breached; the managers don’t go through HR as they did before (impartial), probably due to cost-related overheads and a lack of budget/money in the company’s bank account, as can be seen by failure to comply with very basic legal protocols. Very, very basic stuff.

In a society based on the Rule of Law it is important to ensure, at all times, that laws are being followed, including the freedom of expression. A proper investigative process should be based on law-compliant guidelines rather than made up or twisted as one goes along, based on some personal preferences of a self-appointed investigator. Improvised ‘laws’ aren’t laws but kangaroo courts of theatrical nature with arbitrary routines.

Freedom of speech was in general respected, but only selectively (i.e. rules not equally and consistently applied). Inside work, for instance, some people were allowed to express political opinions, whereas others got reprimanded for making a harmless joke pertaining to Donald Trump (whom the company’s founder supports). Is it the case that some workers have the privilege to express political opinions, whereas some are denied that? Is kinship a recipe for immunity, not just a recruitment fast lane?

In the same vein, management can use very crude language at times, but even reasonably polite words used by ordinary staff are spun as “rude” and staff is forbidden from expressing opinions, based on false pretexts of “manners”.

Does Sirius (still) give anything back to those whose work it is exploiting? Or does it give a shell about Free software communities?

Summary: Sirius ‘Open Source’ is in so much technical, legal, and financial trouble that now it is chasing those who criticise the company, even without naming the company or anyone inside the company; this means that on top of being a ‘parasite’ (preying on Free software with false labeling) the company has become a true enemy of freedom of speech, guarding misbehaving people from their critics

THE company I left is in a state of disarray. The management in question was largely exploiting and seeking to start profiting from (aka ‘monetising’) Free-as-in-freedom software without contributing anything back. In recent years it wasn’t even adopting Free software and instead abandoning it in favour of proprietary spyware. There was no debate about it. It’s a one-way relationship.

Similarly, there was a one-way relationship with staff. People were expected to stay up all night, actually working, while some management in daytime failed to do very basic work, very fundamental tasks. High-tech labour with low-end wages may seem sustainable, but as inflation soars it becomes a stretch. Then, the company as a whole becomes untenable.

This past year I started talking privately about the situation with a friend; names of people and names of companies weren’t included (not even Sirius!), but the company was eager to crush staff, silence staff, and dodge liabilities to staff.

Below we include the second part of an extensive section, which will later be supported by hard evidence.

Sirius urgently needs to rename. It is not doing “Open Source”; instead it rips apart the infrastructure that was Open Source, replacing it with proprietary spyware (for a number of years already; this year the trend accelerated further). “Sirius Open Wash” would be a suitable new name for the company, but maybe it’s too late because the company has no future anyway.

The bullying intensified months ago. Managers basically start with the supposition that all workers are guilty of something and then try to dig for “evidence” to justify the foregone conclusion, making up or exaggerating things while resorting to distortion various rules and regulations (gymnastics in logic), reaching out to things said as far back as 4 years ago (when staff had been subjected to bullying from management).

We certainly would have sued Sirius if it wasn’t so broke and operating through shells, at least one of which registered outside the country.

Text from the report included below:

Roy does not talk about the company where he works, at least not by name. He does not mention people and clients of the company. If Roy discusses that with a friend in some chat outside of work, that’s perfectly within his rights. If the company does something wrong and Roy then discusses it with somebody, that might even be a positive contribution. Nobody should be above criticism. If Roy discusses romantic relationship between colleagues without even naming them, that’s perfectly lawful (there’s no need to twist a romantic relationship as “living arrangement”, covering up for how inadequate that is). As the main issue discussed isn’t the nature of the relationship but the nepotism and abject lack of relevant qualification/s, this is a matter of broader or professional interest. It’s not mere gossip and either way, nobody is named. To be very clear, informal IRC chat with one person is not “social media”; pretending that it is would be considered fact-twisting. IRC has been around since the 1980s, Roy has its own IRC network, and there are no companies or “data broker” chewing up this data. The data is maintained in a privacy-conscious manner on a server managed independently. To some people, very fundamental facts about communication tools leads to evasion of proper understanding, either deliberately or accidentally.

The accusations against Roy mostly latch onto cherry-picking of words, all that while ignoring the underlying substance, which is expressed relatively politely (no expletives, but lots of typos because it’s very informal chat). There seems to be a lot of tit-for-tat over the ‘teat’ (to be clear, the company’s high-paid managers were milking Roy for years; Roy’s salary would have increased with inflation by about 40% in 12 years, but that didn’t happen).

So who’s milking who?

Summary: In Sirius ‘Open Source’, neither Open Source nor security got taken seriously enough. Siriusly! And one cannot point this out to managers as this infuriates them (it harms a false perception they’ve long cultivated).

TODAY we turn our attention to bad security practices, including poor privacy and unbridled outsourcing of Sirius. There will be numerous parts about these aspects and we’ll provide some examples in the future when dealing with proprietary software, introduced by the company itself while tearing down its very own Free software-based infrastructure (which had been put there when the company still had geeks in the office; heck, the company used to have an actual office!).

Suffice to say, patching is part of the work, including patching one’s own machine. Anything else would be irrational (like blasting people over “commuting” time) because security starts in one’s own domain. And yet, I was being told off by the company’s founder for patching my PCs while I was on shift despite the fact that there are several such machines (if one encounters an error, then one can rely on another machine) and this is about actual security.

It took me a while to find E-mail regarding this, as it dates back nearly 4 years. My redacted response below:

I have just caught up with E-mail (resting and other things since 9am).
Sorry for the delay in responding.

Roy,

I have read your shift’s handover notes where I find this from you:

“Quiet shift, so I took the time to update my whole system. Something broke nagstamon for me, briefly, but I managed to fix it. In the meantime I used the Nagios/Icinga Web interface.”

I use 3 laptops in parallel to do my job, so this was one in three and Nagios remains accessible regardless. nagstamon is an alternative to it (sound alerts) and I wanted to bring it up to date for security reasons. As I do often, to avoid breaches.

This is *absolutely unacceptable*.

If I cannot observe systems that are monitored and supported, it’s not “unacceptable”. It’s still very much necessary. But still, looking back, there are many serious (Sirius) issues that were shared in the report below (more to come in the next parts).

Acronyms Lingo

Speaking of “GDPR” or “ISO” without even grasping the meaning behind laws and regulations is “cheap talk”. Without comprehension of the issues, this boils down to ‘name-dropping’ (like “GDPR” or “ISO”). Currently, the company would gladly take technical advice from people who openly admit they don’t care about privacy. So instead Sirius falls back onto formalities and processes rather than any real grasp of the underlying issues. Sirius track record will be demonstrable based on recommendations from past clients; with or from at least two clients we might only get an alarming reminder that their systems suffered a security breach while we supported them. The clients’ names are, as usual, omitted here, but this is very well documented. There may have been more security incidents that were hidden or concealed both from clients and from Sirius staff. Considering the atmosphere of secrecy and hostility towards inquisitive staff, it seems likely more incidents occurred but weren’t reported at all (or reported very selectively).

Speaking of formalities and processes rather than actual substance, the company Sirius was pursing ISO certification only amid some issues with NHS and its highly sensitive medical data — including several incidents staff witnessed where people’s (patients’) privacy was accidentally compromised, either by Sirius or by the client (personally identifiable data divulged). To make matters worse, many times data was not being shredded like it was supposed to and the client complained. If better leadership was in place, this would not have happened, jeopardising the credibility of staff.

Account Management Practices and Data Sovereignty

With quite a lot of clients, and several can be vividly recalled, Sirius failed to remove access credentials (or accounts) for staff that had already left Sirius. ‘Low level’ staff cannot access systems at a level of user management, so this was demonstrably a ‘high level’ failure. Sometimes clients complained about such gross incompetence (if clients could even figure out who still works for Sirius; remember that Sirius misled them, as shall be noted again later) and potential security breach by former and possibly disgruntled Sirius staff, but nobody (as far as we know) was being held accountable. The aforementioned sections noted that accountability only ever works in this hypocritical and vertically-inconsistent fashion. Double standards became the new company standard, enshrined covertly but not formally. Managers never offered the courtesy of taking full responsibility. Too much pride to acknowledge mistake and lapses.

As the above shows, there are endemic problems caused by mismanagement or a lack of charismatic-yet-humble leadership (maladministration), maybe even a lack of staff that possesses ample experience managing a team of more than one person. These are very essential skills which mandate suitable recruitment. It may not be cheap, but it is vital.

Sirius has user credentials scattered all over the place, not all in OpenLDAP as done in the past (when more competent people managed the company’s infrastructure). This will, inevitably, result in epic blunders. That keeps happening. Again and again. In fact, user credentials management at Sirius has been partly outsourced to third parties — a taboo subject. No more GOsa, go USA (most data and authentication sent across the Atlantic).

The motivations seem petty, e.g. sharing accounts to save money despite clear security requirements that exist to explicitly not do this. Is ISO being treated as merely a box-ticking exercise, not followed up by any potent audits? If so, are we entitled to brag about some ISO compliance? Any time Roy attempted to bring up the subject the management became paranoid and threatening. This sort of resistance to ethical and moral objection would be strongly discouraged in companies capable of self-appraisal.

A colleague once mentioned in an E-mail that some colleagues may have needed to share an account with another person, all in the name of saving money. This kept happening for years despite such ISO requirements supposedly being fully in force. Account sharing was sometimes imperative, as individual accounts did not exist. In other words, all colleagues use the same username for some tasks; sometimes this was only belatedly addressed, partially and virtually post hoc.

Password management in the company has long been a painful affair. From non-secure connections to a lack of VPN for access to passwords the company moved to outsourcing. This was a case of “bad optics”, pragmatic issues aside. Sirius could self-host similar software that was Free and Open Source software, but the company had a mindset of outsourcing almost everything to proprietary offerings from another country. As noted separately, Roy raised alarm over this several times, noting or pointing out actual data breaches of a very large scale, but no action was subsequently taken. The assurances were empty and arguably arrogant — a refusal to listen to vigilant security experts who extensively covered those issues for decades. Asking a company itself whether it suffered a security breach and what the severity truly is like asking an American president what happened in the Oval Room.

Via Techrights

And why every law school should teach everyone about encryption before any other “IT skills”

HERE IS a disturbing trend which is shared among pretty much all lawyers and other ‘legal’ professionals. I know because I checked. I also know because I saw how my friend, Pamela Jones (the paralegal behind Groklaw), got spooked by the spooks and stopped writing online after she had rejected my offer to use encryption about 8 years ago (saying it would only attract more attention). These are smart people who seem to be ignoring the threat of surveillance even when the threat is out there in the open, thanks to people like Edward Snowden. A lot of what Snowden showed had been known to me for years, but now there is undeniable truth which even the NSA’s chronic lies cannot cover up and shed uncertainty on. Ignorance is no longer a valid excuse.

I currently have a very strong case against a decision from the British government. I am sure I’ll win, the only question is when and at what cost (I have already spent thousands of pounds on it). I am not going to elaborate on it until the case is over, whereupon I will also release sensibly redacted papers (removing personal information) and explain the abuses which I have become aware of and personally suffered from. These abuses have impacted at least 4 people that my solicitor alone (an activist against torture) is working with. Nationwide, therefore, there may be thousands of such victims. It’s hard to say for sure how widespread this type of abuse has become, but one can estimate by extrapolation. In the future I will also file a formal complaint about it, then pressure my Member of Parliament to take action (not just yet).

Now, let’s deal with the key issue — or ‘beef’ — of this post. As in any legal case, papers are being sent back and forth, often electronically. It’s a practical thing to do because of speed (instantaneous for images and text). The stuff which the solicitor and I have already exchanged over E-mail is known about to the respondent, which has copies (this includes a request for appeal). Some stuff does not necessarily need to stay under the table, especially when it is accessible to both sides. Just as one requires no anonymity when purchasing a flight ticket (because the ticket itself already eliminates any chances of anonymity), for some documents it is fine to be visible to the opponent. There is not much to lose there.

But then there’s more sensitive stuff, like strategy.

Lawyers and barristers should always send sensitive stuff encrypted and sent over securely (to secure client-solicitor privacy/privileges). E-mail is one of the least secure methods of transferring data. It’s almost as thought it was designed for surveillance and profiling/linking people, but in reality it just got exploited by spooks and the protocols never adapted to counter these inherent deficiencies (encrypted mail still exposes the identity of the sender and recipient/s). Face-to-face or snail mail are better because bugging is hard and in the latter case it’s hard to achieve un-obtrusively, e.g. opening envelopes and re-sealing them. Since GCHQ and some government departments (e.g. Home Office) work together on increasing surveillance, right now under the guise of ‘emergency’ as if we’re in wartime, we can assume — pessimistically — that they may be studying the cases against them based on interception and preparing themselves based on this prior knowledge, or increased awareness. This is of course not acceptable, but then again, we already know that obeying the law is not our government’s best strength. That’s a debate for another day. In another circumstance one could probably chat or write about these issues (I know that my solicitor too advocates human rights at some capacity), but this is not the subject of this post.

As one who write prolifically on issues of national security, I have good reasons to suspect I have no privacy, unless technical measures are taken to protect it. I encrypt mail where possible. But I depend on others doing the same. Encryption is not a one-end preference, it needs to be agreed on and embraced by both ends.

People don’t want to jeopardise a case by unnecessarily giving away strategic arguments to the opposing side; I have seen people (usually in the US, some of whom I know online) on whom subversive means were used (illegal actions by those in power) to intimidate, harass, libel, etc. Completely bogus charges can be made up and hyped up in the media, framing of a person is very common (digitally too), and drainage of one’s resources through legal fees is also a common tactic of vendetta.

Any solicitor who wants to take on the government of his/her country absolutely must learn to encrypt. But this should not be limited to cases like these. Several months ago it turned out that the US government had spied on a US law firm which was working to advise a foreign nation on trade negotiations (this is a corporate matter). We know these types of abuses do happen in the West, so lawyers must learn to protect themselves. Unless they can sue to stop these practices (illegal actions by their government), they will need to adopt technical means of overcoming these dangers.

Perhaps I have become too cynical or too pessimistic when it comes to my government obeying the rule of law, but based on some recent revelations, the record supports me. We are living at times of lawlessness for the rich and powerful and oppression (through tyrannical laws and overreach) for the rest.

ookies and cross-site connections help track Internet users in ways far worse than most people realise. People assume that when they visit a particular site then it is this site alone which knows about them. Moreover, they assume that they are logged off and thus offer no identifying details. In reality, things are vastly different and it is much worse when public service sites act as “traps” that jeopardise privacy. A site that I recently looked at (as part of my job) does seem to comply with some of the basic rules, but new advisories are quite strict. To quote: “The UK government has revised the Privacy and Electronic Communications Regulations, which came into force in the UK on 26 May, to address new EU requirements. The Regulations make clear that UK businesses and organisations running websites in the UK need to get consent from visitors to their websites in order to store cookies on users’ computers.”

The BBC coverage of this indicates that “[t]he law says that sites must provide “clear and comprehensive” information about the use of cookies…”

Regulating cookies is not enough. ISPs too can store data about the Web surfer and, as Phorm taught us, they sometimes do. They sell information about people.

In more and more public sites, HTTPS/SSL is supported and cookies remain within the domain that is “root” in the sense that the visitors intended to visit only this one domain (despite some external bits like Twitter timelines in the sidebars/front page. Loading up Twitter.com, even via an API, might help a third party track identities). Shown in the following image is the large number of cookies used when one accesses pages from Google/GMail (even without having a GMail account).

Although SSL is now an integral part of this service (since the security breaches that Windows caused), privacy is not assured here. Although they don’t swap cookies across domain visitors, Google’s folks do track the user a great deal and they have many cookies in place (with distant expiry date) to work with.

Information on how Google will use cookies is hard to obtain, and the problem is of course not unique to Google cookies. Most web browsers automatically accept cookies, so it is safe to assume that about 99% of people (or more) will just accept this situation by default. If a site had provided visitors information about cookies, permitted secure connections (secure to a man in the middle) and not shared information about its visitors, contrary to the EU Commission which foolishly wanted to put spyware (Google Analytics) in pages, then there is at least indication of desire to adhere to best practices.

Cookies are not malicious by design as they are necessary for particular features, but to keep people in the dark about the impact of cookies on privacy is to merely assume that visitors don’t care and won’t care about the matter. And that would be arrogant.

To make some further recommendations, privacy should be preserved by limiting the number of direct connection to other sites. Recently, I have been checking the source of some pages to see if there’s any HotLinking that’s unnecessary in public sites, which would be a privacy offense in the sense that it leave visitors’ footprints on another site. Outbound links can help tracking, but only upon clicking. The bigger issues are things like embedded objects that invoke other sites like YouTube. HotLinking, unlike Adobe Trash, cannot result in quite the same degree of spying (Google knows about IP address and individual people). If all files can be copied locally, then the problem is resolved. Who operates linked sites anyway? If it’s a partner of a sister site, then storing files remotely might be fine, but with AWS growing in popularity, Amazon now tracks a lot of sites, e.g. through image hosting.

Sites like Google, Facebook (FB) and Twitter, if linked or embedded onto a Web page, can end up taking a look at who’s online at the site. All it takes from the visitor is the loading of a page, any page for that matter. FB is often criticised for the “like” button too (spyware). JavaScript (JS) has made the spying harder to keep track of; it would be best practice to perhaps offer JS-free pages by default, which limits viewing by a third party assuming those scripts invoke something external. Magpie RSS can help cache copies of remote data locally and then deliver that to the visitor without the visitor having to contact another server when loading up the primary target site. Some sites these days have you contact over 10 different domains per pageload. It’s the downside of mashup, and it extends to particular browser components too (those which “phone home”, but the user usually had more control over them than over known and unpredictable page source). Google and Microsoft uses their cookie to track people at both levels – browser and in-page (sometimes under the guise of “security”, babysitting and warning about “bad” sites you visit). Facebook and Twitter only do the latter and a lot of people don’t welcome that. Facebook, notoriously, profiles people (e.g. are they closeted gay? Is there fertility/erectile dysfunction? Any illnesses the person obsesses over?) and then sells this data to marketing firms and partners, reportedly Microsoft too.

Public sites have different regulations applied to them because many people are required to visit them (e.g. paying taxes), it is not a choice, not to mention the sovereignty principles (e.g. should Google know who and when and how European citizens access their government sites which they themselves paid for?).

In society there is a lot of ransom going on — a lot of ransom people do not regonise or will never be known or reported. This relies primarily in information, unless there is a physical hostage situation (where the prison is at danger of mortal harm). But the bottom line is, those who have the potential to embarrass others possess a lot of power, so there is a fundamental issue of civil liberties at stake. This is why, among several reasons, the TSA agents stripping off (literally or figuratively, or in scanner) is a way of dehumanising and thus weakening the population, normalising indecency and maybe returning us to memories of some human tragedies. The privacy people have is tied to their indignity, worth, and sense of self/mutual respect. Privacy is not a luxury; it is an important tenet of society. Society will suffer if privacy is altogether lost.

^AT_EX helps render for a variety of output types including posters and Web pages, not just A4 sheets. As a typesetting language it is very powerful, but for advanced functionality it requires additional packages, included in the preamble. It appears as though GIF animations are not supported in L^AT_EX despite the fact that, if exported as Web pages for instance, the notion of animation makes sense. This is a shame really and if someone knows of a workaround, please leave a comment. I am currently writing a 400-page report which is a comprehensive summary of what I am doing and without animations it might be hard to express what is going on. For example compare the following triplet of static and dynamic (which HTML is happy with):