
Archive for December, 2022

When Your Company is Outsourcing Almost Everything

Does/did this happen in your company too? If so, read on…

Sirius Open Source stand

Summary: Sirius ‘Open Source’ has not been keeping up with skills required to self-host, instead demonising/denouncing them as “hobbyist” (actual quote from the CEO) and eventually relaying almost everything to proprietary vendors that put gates and walls on Free software

TODAY we continue a couple of parts that deal with security and privacy issues at Sirius Open Source [sic] — a company that still says “Open Source” although it often recommends to clients that they adopt proprietary things.

Enough has been said already about the nature of the hypocrisy, the double standards, the dishonest marketing, lack of principles, and even some truly unethical clients. Below is part of the report deposited before my wife and I left the company1.


Outsourcing Concerns

Colleagues at Sirius have long worked weekends (unlike the client’s staff, who are typically off work on holidays and weekends; there’s no 24/7/365 cover). Some of them finished or started a shift but could not access an essential gateway machine. When the client does something like an update or makes a release, the IP addresses change, so whenever there is an incident Sirius staff can’t restart, forcibly reboot or investigate the machines unless Sirius staff are informed (or the wiki/documentation is brought up to date again). From what is known, this is more of this particular client’s choice, but Sirius lacks a workaround, and that is why Sirius may seem sloppy or slow to update/notify its workers/employees.

This is a typical example of a lack of top-down coordination. How are staff expected to carry out duties if managers don’t do their part or fail to understand how these systems work? In fact, when outsourcing to any third party, this may be inevitable; the people who ‘manage’ the machines have almost no control over them. They merely rent some server space and the hypervisor may change over time, introducing unforeseen but unavoidable complications. This means servers can become unavailable, with no recourse at all (like accessing the datacentre/s). Back in 2011 and for several years after that Sirius had its own server racks and managed its own instances.

Sirius keeps recommending outsourcing to proprietary services like AWS and Cloudflare, resulting (sometimes) in a lot of problems. Sirius itself pays in AWS bills almost as much as a small salary. Becoming an AWS ‘reseller’ makes Sirius far less competitive and vastly less unique; companies like these, including Rackspace, have their own support. They have their own ambitions of controlling everything themselves. Companies like Sirius should not become transient migrators. Sirius used to offer its own hosting.

This is one of many issues with “cloud computing”, including AWS, which also caused significant downtimes for that client (hours-long outages) — a client that used to have far more control over the hosting. When it comes to certification, the company actively encourages learning “cloud computing” stuff instead of “Open Source” stuff.
______
1 Many more details will be given, along with further analysis, when the whole report is published. Probably in January.

Pfizer Lied About Efficacy of the Vaccines It Was Selling, China Takes Different Approach

Just published: Chinese vaccine comparisons

Description:

Chinese and Western vaccines compared

https://www.bbc.co.uk/news/world-asia-china-63855508

Big changes, all of a sudden

Live with the virus

Vice-premier, Sun Chunlan

China entering a new situation

Virus ability to cause disease weakening

Lifting most severe Covid policies

End of quarantine camps

People can isolate at home

No more family separations

Close contacts not taken to camps

Strict ban on blocking fire exits

No need to show tests for venues

Less rules on internal travel

Lateral flow tests to replace PCR tests in most areas

Lockdowns continue in smaller more targeted areas

Foreign travel soon

Cases, 30,000 +

Now

Everyone will be exposed

Will the medical system be overwhelmed?

National Health Commission

All localities, focus on improving the vaccination rate of people aged 60-79,

accelerating the vaccination rate of people aged 80 and above,

and making special arrangements

Prof Ivan Hung, Hong Kong University

The main way for China to exit Covid with the least damage is via vaccination and three doses of vaccination is a must

Hopefully before Chinese New Year (January 22) Rabbit

Sinopharm

Strategic Advisory Group of Experts on Immunization (SAGE)

https://www.who.int/news-room/feature-stories/detail/the-sinopharm-covid-19-vaccine-what-you-need-to-know

The vaccine is safe and effective for all individuals aged 18 and above.

Individuals may choose to delay vaccination for 3 months following the infection.

An inactivated vaccine with adjuvant

(that is routinely used in many other vaccines)

with a documented good safety profile, including in pregnant women.

Symptomatic SARS-CoV-2 infection and efficacy against hospitalization 79%

Does it prevent infection and transmission?

No substantive data

Does it work against new variants of SARS-CoV-2 virus?

SAGE currently recommends using this vaccine

Not yet been evaluated in the context of circulation of widespread variants of concern.

How does this vaccine compare to other vaccines already in use?

We cannot compare the vaccines head-to-head,

(different approaches taken in designing the respective studies)

but overall, all of the vaccines that have achieved WHO Emergency Use Listing,

are highly effective in preventing severe disease and hospitalization due to COVID-19.

Comparison with Western vaccines

Pfizer original paper

https://www.nejm.org/doi/full/10.1056/NEJMoa2034577

https://www.nejm.org/doi/suppl/10.1056/NEJMoa2034577/suppl_file/nejmoa2034577_appendix.pdf

BNT162b2 was 95% effective in preventing Covid-19

Later analysis from

Efficacy and effectiveness of covid-19 vaccine – absolute vs. relative risk reduction

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9115787/

AAR, Pfizer, during the trial period,

0.84%

AAR

https://patient.info/news-and-features/calculating-absolute-risk-and-relative-risk

Absolute risk of a disease is your risk of developing the disease over a time period.

Five to six-months update, AAR

BNT162b2 3.7%

mRNA1273 (Moderna-NIH) 4.9%

Pay Sirius Corporation, Get GAFAM Instead

Sirius Open Source pamphlet

Summary: Sirius ‘Open Source’ has adopted shoddy practices that impede audits, undermine security, and subvert proper inspection of the network; outsourcing is not security, and “clown computing” is more like an “acceptable” security breach (giving some shady companies control over your systems and data), but that’s not something today’s Sirius ‘Open Source’ can still grasp (Intel experienced something similar when geeks left)

THE previous part spoke about a lack of real security and today we turn our attention to GAFAM-friendly policies which wrongly assume that VPN or GAFAM mean security. They don’t. VPN, like a firewall, makes false assumptions. And outsourcing assumes that some other companies are in fact security-oriented and respecting of privacy. They’re neither. Sending passwords from one’s local network (already access-restricted on several levels, namely access credentials and IP address) to something like LastPass is beyond insane. But good luck explaining that to people who worship brands instead of technology and find appeal in anything “new” (for no actual reasons other than perceived novelty).

Here is the relevant part of the report sent at the start of this month.


Band-Aid Instead of Robust Policies

Speaking of security breaches, some of the company’s Ubuntu servers are using very old — even way outdated — versions, as noted by the company itself (it’s also controlled by a host in another country, which poses another attack surface issue).

Security isn’t taken seriously enough and VPN is presented as an ad hoc Band-Aid. VPN is not the solution; it’s a hallmark or a symptom of neglect at the intranet (internal) level. Firewalling and restrictions, for instance, have unusual exceptions. Since “Google is your friend”, for instance, Google IP addresses are allowed. As if Google never spies or collaborates with spy agencies (or even suffers security breaches). So the Sirius VPN does not trust the BBC network, but does trust (or whitelists) Google/Alphabet.

The neglect extends outwards, i.e. outside internal infrastructure of Sirius. For instance, in the past some staff transmitted in plain text messages (via E-mails) with passwords to accounts and servers of a very large client that is the target of foreign operations and aggressive spies (political espionage operations of this type are very common with clients such as these).

There are even very recent examples, so there’s no need to go far back; a colleague who is close to management dared suggest — only months ago — that an entire political Web site (including user details, passwords etc.) be migrated by dumping a lot of data into Google Drive, without any encryption either, clearly not comprehending that “Google is your friend” is a laughable fallacy (an understatement; Google is legally obligated, through US Clarifying Lawful Overseas Use of Data Act or CLOUD Act 2018, to give full access to the US government and more).

It wouldn’t be controversial to state that such practices can be off-putting to clients, e.g. when decision makers in Sirius have rather poor grasp or appreciation for privacy and security, let alone critical care by introspection (staff cautioning about this is subjected to gaslighting at best or even outright threats).

If Sirius views itself as a champion of “Alexa” and “OK Google”, then the company should seriously consider a rebrand.

Security Problems at Sirius ‘Open Source’

Video download link | md5sum ac3236ee212e511a0874c1eecac90893
Insecure About Security Status
Creative Commons Attribution-No Derivative Works 4.0

Summary: At Sirius ‘Open Source’, which we left 8 days ago, security had been neglected for years; at the moment the company brags about “ISO” and other three- (or four-) letter acronyms, but many of the basic practices are conveniently ignored

THE sad reality is that when it comes to security many people and corporations prey on perception rather than reality. They indulge in what they can tell the public (or clients). For instance, Microsoft uses media “plugs” to pretend Microsoft is some sort of security expert with many security gurus whilst actively pursuing back doors for the NSA and others. In my latest job (almost 12 years) I witnessed customers suffering security breaches; we’re not meant to tell people about clientele covering up such incidents because it might result in fines or erosion of confidence.

Worse yet, highlighting that some company is failing when it comes to security (as happened at Twitter earlier this year; their security chief had become a whistleblower) is seen as the real problem; in healthy workplaces the problem would be security lapses, not the people who talk about them.

Aside from the above video I still have plenty to say and to show (without infringing the privacy of people or naming any companies).

Patching My Work PC (at Sirius Open Source) ‘Absolutely Unacceptable’?

Sirius certificate

Summary: In Sirius ‘Open Source’, neither Open Source nor security got taken seriously enough. Siriusly! And one cannot point this out to managers as this infuriates them (it harms a false perception they’ve long cultivated).

TODAY we turn our attention to bad security practices, including poor privacy and unbridled outsourcing of Sirius. There will be numerous parts about these aspects and we’ll provide some examples in the future when dealing with proprietary software, introduced by the company itself while tearing down its very own Free software-based infrastructure (which had been put there when the company still had geeks in the office; heck, the company used to have an actual office!).

Suffice to say, patching is part of the work, including patching one’s own machine. Anything else would be irrational (like blasting people over “commuting” time) because security starts in one’s own domain. And yet, I was being told off by the company’s founder for patching my PCs while I was on shift despite the fact that there are several such machines (if one encounters an error, then one can rely on another machine) and this is about actual security.

It took me a while to find the E-mail regarding this, as it dates back nearly 4 years. My redacted response below:

I have just caught up with E-mail (resting and other things since 9am).
Sorry for the delay in responding.

Roy,

I have read your shift’s handover notes where I find this from you:

“Quiet shift, so I took the time to update my whole system. Something broke nagstamon for me, briefly, but I managed to fix it. In the meantime I used the Nagios/Icinga Web interface.”

I use 3 laptops in parallel to do my job, so this was one in three and Nagios remains accessible regardless. nagstamon is an alternative to it (sound alerts) and I wanted to bring it up to date for security reasons. As I do often, to avoid breaches.

This is *absolutely unacceptable*.

If I cannot observe systems that are monitored and supported, it’s not “unacceptable”. It’s still very much necessary. But still, looking back, there are many serious (Sirius) issues that were shared in the report below (more to come in the next parts).


Acronyms Lingo

Speaking of “GDPR” or “ISO” without even grasping the meaning behind laws and regulations is “cheap talk”. Without comprehension of the issues, this boils down to ‘name-dropping’ (like “GDPR” or “ISO”). Currently, the company would gladly take technical advice from people who openly admit they don’t care about privacy. So instead Sirius falls back onto formalities and processes rather than any real grasp of the underlying issues. Sirius’ track record will be demonstrable based on recommendations from past clients; with or from at least two clients we might only get an alarming reminder that their systems suffered a security breach while we supported them. The clients’ names are, as usual, omitted here, but this is very well documented. There may have been more security incidents that were hidden or concealed both from clients and from Sirius staff. Considering the atmosphere of secrecy and hostility towards inquisitive staff, it seems likely more incidents occurred but weren’t reported at all (or reported very selectively).

Speaking of formalities and processes rather than actual substance, the company Sirius was pursuing ISO certification only amid some issues with the NHS and its highly sensitive medical data — including several incidents staff witnessed where people’s (patients’) privacy was accidentally compromised, either by Sirius or by the client (personally identifiable data divulged). To make matters worse, many times data was not being shredded as it was supposed to be and the client complained. If better leadership had been in place, this would not have happened, jeopardising the credibility of staff.

Account Management Practices and Data Sovereignty

With quite a lot of clients, and several can be vividly recalled, Sirius failed to remove access credentials (or accounts) for staff that had already left Sirius. ‘Low level’ staff cannot access systems at the level of user management, so this was demonstrably a ‘high level’ failure. Sometimes clients complained about such gross incompetence (if clients could even figure out who still works for Sirius; remember that Sirius misled them, as shall be noted again later) and the potential security breach by former and possibly disgruntled Sirius staff, but nobody (as far as we know) was being held accountable. The aforementioned sections noted that accountability only ever works in this hypocritical and vertically-inconsistent fashion. Double standards became the new company standard, enshrined covertly but not formally. Managers never offered the courtesy of taking full responsibility. Too much pride to acknowledge mistakes and lapses.

As the above shows, there are endemic problems caused by mismanagement or a lack of charismatic-yet-humble leadership (maladministration), maybe even a lack of staff that possesses ample experience managing a team of more than one person. These are very essential skills which mandate suitable recruitment. It may not be cheap, but it is vital.

Sirius has user credentials scattered all over the place, not all in OpenLDAP as done in the past (when more competent people managed the company’s infrastructure). This will, inevitably, result in epic blunders. That keeps happening. Again and again. In fact, user credentials management at Sirius has been partly outsourced to third parties — a taboo subject. No more GOsa, go USA (most data and authentication sent across the Atlantic).

The motivations seem petty, e.g. sharing accounts to save money despite clear security requirements that exist to explicitly not do this. Is ISO being treated as merely a box-ticking exercise, not followed up by any potent audits? If so, are we entitled to brag about some ISO compliance? Any time Roy attempted to bring up the subject the management became paranoid and threatening. This sort of resistance to ethical and moral objection would be strongly discouraged in companies capable of self-appraisal.

A colleague once mentioned in an E-mail that some colleagues may have needed to share an account with another person, all in the name of saving money. This kept happening for years despite such ISO requirements supposedly being fully in force. Account sharing was sometimes imperative, as individual accounts did not exist. In other words, all colleagues use the same username for some tasks; sometimes this was only belatedly addressed, partially and virtually post hoc.

Password management in the company has long been a painful affair. From non-secure connections to a lack of VPN for access to passwords the company moved to outsourcing. This was a case of “bad optics”, pragmatic issues aside. Sirius could self-host similar software that was Free and Open Source software, but the company had a mindset of outsourcing almost everything to proprietary offerings from another country. As noted separately, Roy raised alarm over this several times, noting or pointing out actual data breaches of a very large scale, but no action was subsequently taken. The assurances were empty and arguably arrogant — a refusal to listen to vigilant security experts who extensively covered those issues for decades. Asking a company itself whether it suffered a security breach and what the severity truly is like asking an American president what happened in the Oval Room.

When Colleagues Lie to Clients (Sirius Corporation)

Video download link | md5sum 1c4d7edce11724db5d55abfa26d673b2
Sirius Compromise of Integrity
Creative Commons Attribution-No Derivative Works 4.0

Summary: Sirius ‘Open Source’ has resorted to finger-pointing that distracts from the real culprits and covers up the real issues; a week ago I left my job after it had become too much to bear

Integrity of staff and reputation of people in the company where I worked apparently does not matter. For instance, lying to clients is an ethical breach, no matter how profitable it may seem at the time. Some of these clients are themselves unethical, but we don’t wish to name clients in this series. We only focus on Sirius ‘Open Source’ or Sirius Corporation.

The video above goes through the latest two parts of the series, which cover two aspects from the report we had left a day before resigning. There’s much to be said about the Code of Conduct-like nature of some of the policies; never dare accuse management of lying, even if it is objectively lying. The issue or the pesky person will be perceived to be anyone who opposes lies.

Sirius Corporation’s Openwashing

Published yesterday: The Rule of Law or the Rule of Lie

Many countries throughout the world strive to uphold the rule of law–where no one is above the law; where everyone is treated equally under the law; where everyone is held accountable to the same laws; where there are clear and fair processes for enforcing laws; where there is an independent judiciary; and where human rights are guaranteed for all.

Summary: Sirius ‘Open Source’ is still the official name of the company, but the company isn’t really ‘Open Source’ anymore; it’s not a viable company either, it’s run by only a handful of people

THE previous part of the report was entitled “Rules for Thee and Not for Me”, hence the above article. Deception and misapplied rules (or selectively enforced rules) became all too common at Sirius ‘Open Source’, a company we left exactly one week ago. It was too much to bear and criticism had become impermissible. Colleagues were compelled to lie to clients, which had become less and less ethical. Sirius itself was rapidly moving away from “Open Source” (the words in its own name!) or abandoning Free software; there was no room for debate or discussion about that.

Below is the relevant part of the report we left last week (internally, just before leaving).


Openwashing Ltd.

It may seem absurd that a CEO of “Sirius Open Source” uses only Non-Open Source software, also known as proprietary software, i.e. in practice he rejects Open Source (championing macOS, Chrome and not Chromium, lots of “cloud” things that are proprietary and exceedingly privacy-infringing), but this is what we have come to expect in a company building a facade based on past branding/reputation rather than the present. This point was covered earlier.

As an aside, lately the company posted links to anti-FSF defamation tabloids via the company’s Twitter account (Roy and Rianne did not comment but only took note), even though 1.5 decades earlier the company had financially supported the FSF. What happens when a company does not understand what it sells? It may end up advocating Windows/WSL (helping Microsoft’s attack on GNU/Linux) or even using Windows with some ‘Linux’ thing in VirtualBox instead of the real thing. Welcome to Openwashing Ltd., formerly known as Sirius Open Source. There might even be some Open Source people inside the company. Might. Maybe…

“Sirius Open Source” should be about more than the branding. People who actually use Free/Open Source software know that it is doable and know how to implement as well as recommend it (like the founder did; he gave many talks on the matter). Contrariwise, people who don’t use Free/Open Source software simply insist it’s not doable and sometimes say things like “this is just how the world works”. This kind of defeatism paralyses a company that built its whole image around “Open Source” (even paying to advertise itself accordingly), which needs to be championed for ‘Team Sirius’ to distinguish themselves (there’s plenty of competition; niches or sub-segments are simpler to compete for). Sirius as a company must not resort to false marketing, using the brand “Open Source” while in fact openwashing, neither caring about freedom nor using an OS (operating system) that adheres to freedom or autonomy, and sometimes sending a lot of sensitive data to firms in foreign states. That includes some of the core clients’ data.
