Introduction About Site Map

RSS 2 Feed RSS 2 Feed

Main Page | Blog Index

Sunday, December 11th, 2022, 5:27 am

Pay Sirius Coporation, Get GAFAM Instead

Sirius Open Source pamphlet

Summary: Sirius ‘Open Source’ has adopted shoddy practices that impede audits, undermine security, and subvert proper inspection of the network; outsourcing is not security, and “clown computing” is more like an “acceptable” security breach (giving some shady companies control over your systems and data), but that’s not something today’s Sirius ‘Open Source’ can still grasp (Intel experienced something similar when geeks left)

THE previous part spoke about a lack of real security and today we turn our attention to GAFAM-friendly policies which wrongly assume that VPN or GAFAM mean security. They don’t. VPN, like a firewall, makes false assumptions. And outsourcing assumes that some other companies are in fact security-oriented and respecting of privacy. They’re neither. Sending passwords from one’s local network (already access-restricted on several levels, namely access credentials and IP address) to something like LastPass is beyond insane. But good luck explaining that to people who worship brands instead of technology and find appeal in anything “new” (for no actual reasons other than perceived novelty).

Here is the relevant part of the report sent at the start of this month.

Band-Aid Instead of Robust Policies

Speaking of security breaches, some of the company’s Ubuntu servers are using very old — even way outdated — versions, as noted by the company itself (it’s also controlled by a host in another country, which poses another attack surface issue).

Security isn’t taken seriously enough and VPN is presented as ad hoc Band-Aid. VPN is not the solution, it’s a hallmark or a symptom of neglect at the intranet (internal) level. Firewalling and restrictions, for instance, have unusual exceptions. Since “Google is your friend”, for instance, Google IP addresses are allowed. As if Google never spies or collaborates with spy agencies (or even suffers security breaches). So Sirius VPN does not trust BBC network, but does trust (or whitelists) Google/Alphabet.

The neglect extends outwards, i.e. outside internal infrastructure of Sirius. For instance, in the past some staff transmitted in plain text messages (via E-mails) with passwords to accounts and servers of a very large client that is the target of foreign operations and aggressive spies (political espionage operations of this type are very common with clients such as these).

There are even very recent examples, so there’s no need to go far back; a colleague who is close to management dared suggest — only months ago — that an entire political Web site (including user details, passwords etc.) be migrated by dumping a lot of data into Google Drive, without any encryption either, clearly not comprehending that “Google is your friend” is a laughable fallacy (an understatement; Google is legally obligated, through US Clarifying Lawful Overseas Use of Data Act or CLOUD Act 2018, to give full access to the US government and more).

It wouldn’t be controversial to state that such practices can be off-putting to clients, e.g. when decision makers in Sirius have rather poor grasp or appreciation for privacy and security, let alone critical care by introspection (staff cautioning about this is subjected to gaslighting at best or even outright threats).

If Sirius views itself as a champion of “Alexa” and “OK Google”, then the company should seriously consider a rebrand.

Technical Notes About Comments

Comments may include corrections, additions, citations, expressions of consent or even disagreements. They should preferably remain on topic.

Moderation: All genuine comments will be added. If your comment does not appear immediately (a rarity), it awaits moderation as it contained a sensitive word or a URI.

Trackbacks: The URI to TrackBack this entry is:

Syndication: RSS feed for comments on this post RSS 2

    See also: What are feeds?, Local Feeds

Comments format: Line and paragraph breaks are automatic, E-mail address never displayed, HTML allowed: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Back to top

Retrieval statistics: 21 queries taking a total of 0.128 seconds • Please report low bandwidth using the feedback form
Original styles created by Ian Main (all acknowledgements) • PHP scripts and styles later modified by Roy Schestowitz • Help yourself to a GPL'd copy
|— Proudly powered by W o r d P r e s s — based on a heavily-hacked version 1.2.1 (Mingus) installation —|