Archive for January, 2023

International Organization for Standardization is an Elaborate Scam

Video download link | md5sum cc29a588d814b375a666bda5d567b58f
What Sirius Teaches Us About ISO
Creative Commons Attribution-No Derivative Works 4.0

Summary: Based on my experiences inside Sirius ‘Open Source’ — as I was there for nearly 12 years — I finally tell what I’ve witnessed about ISO certification processes (see ISO wiki for prior experiences)

Sirius ‘Open Source’ taught me a whole bunch of things; some were valuable technical skills, but many were negative experiences that I can finally explain out in the open, putting into words various ideas that I formed years ago.

The above video concerns ISO and it is relatively long because it covers two parts instead of just one, starting with background and proceeding to real-life examples in the form of redacted E-mails.

The conclusion I reached years ago is that ISO is somewhat of a scam. It creates a barrier that mostly protects monopoly and it makes a lot of money by giving worthless papers, essentially turning managerial ‘religion’ into a fat cash cow. If more people understood the business model of ISO, maybe there would be no ISO anymore.

How to Buy ISO Certification (It’s Easy!)

International Organization for Standardization (ISO) brag

Summary: Before we proceed to showing how Sirius ‘Open Source’ blatantly ignored security and privacy we wish to show how ISO (see ISO wiki) basically ‘sold’ a certificate to Sirius — this is like a “diploma mill” but something that’s for businesses, not individuals

This is today’s second article on this topic. We’ve found some spare time for faster progression and in-depth coverage. As I noted yesterday, my wife had more direct and indirect experience (decades ago) with ISO being a bunch of meaningless hooey. So did I (having stumbled upon classical ‘box tickers’ or worse). Sirius is just another reminder of that. Hence this series and its relevance. It seems like a lot of people in technical fields separately and independently reached the conclusion that ISO is overhyped, overvalued, and mostly a waste of time and money (unless you have a ‘bullshit job’ to justify).

“My dad complained about the ISO in the 90s,” Ryan said in IRC an hour or so ago. “He constantly made fun of all of their “standards” for management of a company that didn’t mean anything but go on and on. It’s a sort of code so that managers sound smarter than they are. “We’re ISO-Whatever compliant with our handling of the TPS reports.” And the ISO standards can be wrong and never revised. Microsoft implemented the standard for MP3 and so did LAME, and then the result was they were both correct and Windows XP crashed. Part of the standard about what constituted the maximum size for a frame could be calculated one of two ways. Microsoft chose the more constrained way and it resulted in a buffer overflow with some files that crashed Windows Media Player. LAME had chosen the method that resulted in a slightly larger permissible frame size. The outcome was LAME had to be changed to use the Microsoft calculation to avoid crashing Windows, and that meant a reduction in audio quality under some circumstances, with padded bytes instead of data. Later, they changed to use the VBR bit allocator, even in a CBR file, and it mostly avoids the situation by its method of action. It can cleverly use the bit reservoir in ways that the former bit allocator that was only for CBR files couldn’t. Naturally, they never delete anything, so you can still demand the old model. It’s just an absolute nightmare of options switches. It’s the worst thing I’ve ever seen in a utility its size. ISO is kind of the stuff of Pointy Haired Bosses when it comes to Management Theory being standardized.”

Well, this whole “Management Theory” is what we’re dealing with here.

This isn’t science. It’s like calling “economics” a science. It is not. It’s more like religion.

Here’s what happened in Sirius (in mostly logical/chronological order):

Subject: ISO
Date: Mon, 29 Jul 2019 15:47:43 +0100
From: xxxx
To: xxxx

Hey All,

As you know we are going through the ISO processes – I have been asked to gather some information from everyone at Sirius to create a list of all assets used by employees of Sirius, whether they belong to the company or the employee, so if I can have the item name and serial number that would be great. They have also asked which anti-virus you all use.

Are you all able to send me the required information ASAP please?

Thanks,

xxxx

Yes, because a bunch of serial numbers would mean so much! Of people’s devices at home… for the most part.

A month later came “You have been registered for a Training course – Information Security” (no, not really security but this hoax instead). We’ll deal with that another day…

They would nag us to do the same ‘course’ every year, even though it is dumb and we ‘passed’ it already. This is compliance???

“This is something that will be done annually for our ISO process,” I was told, “so please complete this on your next shift.”

Way to waste people’s time, doing and passing a total hoax over and over again (details on why it’s a hoax were covered here before).

Notice the threats being sent to ALL staff:

Hi All,

As you will all be aware we have been implementing new policies and procedures in order to become ISO 9001 and ISO 27001 compliant. Part of this entailed changing our HR company to xxxx who use the online portal Atlas to provide an easier method to roll out training. I have checked and there is still a substantial amount that has not been completed.

ALL training sent out by myself needs to be passed and completed by the _*25th November 2019*_. This is to ensure we meet our deadline for the final stage of ISO audits.

Failure to comply with this request may result in disciplinary action. For those of you that have completed the training, please ignore this message and thank you.

Kind Regards,

xxxx

“Failure to comply with this request may result in disciplinary action,” it says. They kept making veiled and explicit threats. Sometimes this culminated in actual bullying, false accusations, and blame-shifting witch-hunts.

Of course the portals failed to even work properly. For instance:

> ALL training sent out by myself needs to be passed and completed by the
> _*25th November 2019*_. This is to ensure we meet our deadline for the
> final stage of ISO audits.

I was able to open all the documents and read them. The animated things,
or training sessions, get stuck. I tried each one of them about 5 times
(>each<) and they get stuck somewhere along the way. I tried this on
multiple machines. Rianne told me she too had some difficulties.

I will try again on my next shift, but these technical issues do merit a
mention. They also rely on plugins Adobe no longer supports, posing
security risk (an issue aside from the bugs).

Kind regards,

[Roy]

Her answer was: “Have you tried using a different web browser?”

Of course she wasn’t using GNU/Linux or anything “Open Source”. This does not constitute an actual solution.

In 2020 the following was sent:

——– Forwarded Message ——–
Subject: xxxx – Things to do
Date: Thu, 26 Nov 2020 11:38:01 +0000
From: xxxx
To: xxxx
CC: xxxx

Hi All,

In October I issued Linux Training via xxxx. Can you all please ‘acknowledge’ this on your portal to show that you have opened and read it.

I also need you to ensure ALL training modules issued on xxxx i.e. information security and documents issued i.e. IMS Awareness presentation have been completed by the end of your next shift.

It is essential these tasks are carried out prior to our ISO Audit next week.

Kind Regards,

Well, those training modules and ISO guidelines weren’t even followed by Sirius. We gave examples of this before. In some cases, there were efforts to meet standards only after a certificate had been granted.

Sheesh. I’m not supposed to say this in public, am I?

What did those audits mean anyway? What did the above “ISO Audit” actually check? That the cookie drawer is properly locked when Office staff goes to retrieve some hot chocolate milk from the machine?

Some other messages were banal. They indicated a certificate had been granted (in other words, Sirius basically bought one) after minimal so-called ‘audits’ and staff sending a bunch of numbers from the back of computers (as if that means anything at all).

ISO is a joke. When it comes to this administrivia, ISO created just another ‘cash cow’ for itself.

In the next few parts we’ll show what Sirius did in practice, not in theory, and what it told staff, not ISO auditors. It’s one heck of a clusterf**k with the company’s data scattered all over the place. That includes clients’ data, even private keys and passwords.

Misusing ‘ISO’ to Abuse Your Staff

ISO perception; ISO reality

Summary: Sirius ‘Open Source’ has long used “ISO” — and sometimes “GDPR” — as catch-all excuses for all sorts of nonsensical policies; does ISO realise the degree to which it is being misused by incompetent ‘box tickers’?

“The ISO will basically standardize anything they’re paid to even if it’s impossible for anyone else to implement the standard, for any reason,” Ryan said in IRC yesterday. “They’re a corrupt group that will do anything for money.”

To make matters worse, ISO facilitated epic Microsoft corruption. ISO still enables crime. It didn’t seem to mind it or worry about it. It only worried about the impact on its image/reputation. The EPO’s management also habitually uses “ISO” to distract from the EPO’s crimes. We covered several examples years ago. “The ISO hoards “standards” and won’t let you read them for free,” Ryan said moments ago. “So on top of patents, things only Microsoft can implement, etc. There’s this. Unless you tore apart LAME’s source code and tried to write new documentation for MP3, you can’t share high level documents with anyone. I doubt that the paywall is a huge cash cow for them. You still can’t share the official MP3 specification. The source code to LAME or Helix are the specification you can see without ponying up almost $300 iirc for a specification that describes it at a high level. By looking at source code, you can’t clearly understand every part of it unambiguously unless you’re a Mentat or something. The developers of LAME buy the PDFs but how much revenue is five people buying PDFs? Or maybe a dozen people even?”

Here’s one example from Sirius: nothing to do with ISO, yet “ISO” gets mentioned all the time, the go-to excuse for everything, including terrible policies such as classic “bullshit jobs” (making lists of tickets outside the ticketing system, for no purpose other than to keep us extra busy).

Skip to the bold bits for the ‘short’ story or the gist:

Ticket Review – This is priority and compulsory

——– Forwarded Message ——–
Subject: Re: Ticket Review – This is priority and compulsory
Date: Fri, 31 May 2019 12:45:09 +0100
From: xxxxx

xxxx,

Support is contracted to work 8 hours. This time should be used productively for the company’s requirements and business needs. And right now business needs this report from every shift to update the clients. We are also going through quality control for ISO purposes [Ed: emphasis ours]. This makes it even more important.

This is how your shift should really go:

1. Start shift
2. Read Handover
3. Respond to any emails
4. Ticket review
5. As and when new tickets are added to xxxx – enter these onto the relevant ticket review reports on the fileserver for each customer – whilst doing the ticket review, update if status has changed to either open – ongoing OR closed.
6. Work on tickets/check monitoring etc for rest of your shift
7. Write detailed handover and send
8. Finish shift

It is not an unreasonable requirement from management.

If you have any more issues email me directly or xxxx and do not cc anyone else as I don’t want a long email thread which is going to take focus away from the objective.

Kind Regards,

xxxx

> xxxx wrote:
>
> I’m sorry you don’t want my input, but I think this is a very important point that needs making. The trouble is that I can’t see how this is going to improve the amount of tickets that we have open at the moment. What is needed is for each of us to actually work on the tickets.
>
> On 31-05-2019 11:35, xxxxx wrote:
>
>> Hi xxxx,
>> The status box requires open/ ongoing or closed. It doesn’t require details.
>> Please read my email again and follow instructions.
>> This is compulsory and required from each of you.
>> This really is not open for discussion.
>
> [...]
>
>> wrote:
>>
>> I understand. But it would be helpful for me if you would
>> clarify what exactly is required by a Ticket Review. For me,
>> there’s no point writing largely irrelevant or obvious comments
>> at the bottom of each ticket. What is needed is to actually work
>> on each ticket and resolve it so it can be closed.

Well, that stopped getting done when they decommissioned our last server. So that clearly had nothing to do with “ISO”. The management lied to us and misused the “ISO” straw man.

Does ISO deserve to know this?

Another unqualified “manager” did the same with “GDPR”. To provide some context (2020 E-mails):

> Hi Roy,
>
> Why was this handover sent at 1:03 am – your shift is meant to be
> finished at 1:30 am.
>
> What is the reason for this?

Again, I think this is a misunderstanding. Check the past 8 years’ worth
of handovers at 1-1:30am. Look at the time pattern.

Did you send a similar message to all my NOC colleagues as well?

Regards,

She didn’t ‘get’ the message. I did nothing wrong at all. We all did the same thing even close to a decade earlier. She wrote:

Hi Roy,

Why did you leave your shift at 1:14 am (Tuesday 3rd March 2020)?
Your shift is meant to be until 1:30 am.
There was no prearranged time change request with management or request to leave 15 mins early in writing from you in our records.

I am concerned with this issue. Would you kindly clarify?

I responded again:

> Hi Roy,
>
> Thanks for your email.
>
> I raised these questions yesterday as I noticed that you said bye on
> your slack convo at 1:14 am (I have sent you a screen shot in previous
> email) that made me investigate further and I came across your handover
> times. Hence all these questions.
>
> We would request you to complete your full shift as prescribed and not
> leave early in future.

My handover times are not different from my colleagues’.

Can you explain further please?

Regards,

I responded yet again:

> Hi Roy,
>
> Why did you leave your shift at 1:14 am (Tuesday 3rd March 2020)?
> Your shift is meant to be until 1:30 am.
> There was no prearranged time change request with management or request
> to leave 15 mins early in writing from you in our records.
>
> I am concerned with this issue. Would you kindly clarify?

This is a very surprising message.

For the 9+ years I’ve been in the company we all (always) handed over at
1 to 1:30am, often leaving before 1:30. The above is not at all out of
the ordinary. For any of us…

Regards,

At this point, bearing in mind the previous year’s bullying by her, I kept a copy of the message as a reference (HR, hired by Sirius, advised me to keep copies of key correspondence due to perceived witch-hunts).

To quote the Office Manager on “GDPR” (message redacted a little):

Hi Roy,

When on the 3rd shift (17:30 – 01:30) your shift finishes at 01:30 not beforehand.

xxxx simply requested that you comply with your correct working hours as we could see on slack and your time tracker that you have not been working up until the end of your shift. This isn’t an unreasonable request and doesn’t need to be questioned, it’s quite simple, finish your shift on time.

I understand the handover being sent over between 01:00 – 01:30 as that allows the colleague next on shift the opportunity to read the handover and discuss anything with you.

On another note, if you can please keep these emails within the company – I can see you have responded/cc’d from your personal email. With GDPR being very important, I do not want any of our client/Sirius data being available on your personal email so it’s essential to keep work-related correspondence to work emails.

I hope this clears everything up for you.

Kind Regards,

xxxx

I also said:

>> Hi Roy,
>>
>> Thanks for your email.
>>
>> I raised these questions yesterday as I noticed that you said bye on
>> your slack convo at 1:14 am (I have sent you a screen shot in previous
>> email) that made me investigate further and I came across your handover
>> times. Hence all these questions.
>>
>> We would request you to complete your full shift as prescribed and not
>> leave early in future.
>
> My handover times are not different from my colleagues’.
>
> Can you explain further please?

I have received no reply for a day.

I am used to that.

This is not the first time I get unwarranted bollocking and it’s the
kind of thing that can drive away experienced and crucial colleagues
over time.

What I did wasn’t wrong; it doesn’t hurt to get an apology for trying to
shame me in front of the CEO for something I did which was not wrong.

Kind regards,

Of course she never bothered to apologise. She just vanished. Her sidekick had the audacity to say that slang like “bollocking” was rude, ignoring how rude the bullying was and instead focusing on style and choice of words (that British slang isn’t even rude, unlike “bollocks”). It should be noted that the bullying did not start and stop in 2019; it carried on well into 2020. The above example is one of several.

In summary, what we deal with here is two people bullying staff. They’re not qualified for any management role, but they seem to enjoy the ‘thrill’ of pretending that they are. It became a more persistent problem as new imposters attempted to cover up the company’s gross understaffing, e.g. a person without knowledge, ill-equipped or unequipped, ‘on the beat’ pretending to cover a NOC shift or offer a service (that’s the CEO).

The company was lying to clients.

Remember that this is a company where there’s no chance at progression except through nepotism (like family/kinship and sex). At the moment it’s very hard to know what happens in the company, but that’s hardly different from how it was before, as a cabal was working behind the scenes and behind our backs, scheming to do all sorts of illegal things while lying to us (about who left, who was becoming a client and so on).

Sirius has a culture of extreme secrecy, even for insiders. Someone needs to show the ‘dirty laundry’.

In closing, to quote Ryan again (as other than Microsoft’s OOXML crimes there’s the MPEG cartel ISO controversy): “The ISO is still impeding LAME because someday they’ll lose all of the people who understand the code and then someone will have to fix it up to continue working. I’d argue that you almost can’t have standards with ISO. You have to publish them without ISO into the public domain to truly call them standards. People should get these Public Domain documents and decide whether it’s a standard themselves or not, like ZIP or Opus. You’ll notice they didn’t go to the ISO with Opus. They went to the IETF. The IETF standard, you can read. You can read every draft copy too so you know how it changed along the way if you care to. The ISO won’t give you drafts of a standard even if you pay so there’s no seeing how the process evolved. The ISO is probably even nasty in ways that I can’t fathom. But the ones that I know of are bad enough. FhG was not happy about LAME, I can tell you that much. Not happy at all. Even though it made MP3 hugely popular. They don’t acknowledge it even once on their Web site, even their little “MP3 History” museum, which I don’t even think mentions music piracy either. So that’s kind of like “Wikipedia-izing the History of MP3”. We’ll just gloss over Napster and LAME. Wasn’t important. Not gonna go into how the format would have failed completely. We marketed it brilliantly and it was a hit out of the ballpark based on secret documents and patents, and ISO. Secret documents, patents, and ISO are in the way of progress, constantly, and the secret documents and ISO can be cut out of the process a lot easier than reforming the patent system.”

How about “ISO” being leveraged to lie to staff?

UK: 30% More Deaths Than Expected

New video:

Description:

There are excess deaths throughout Europe and in all age groups.

EuroMOMO Bulletin, Week 2, 2023

https://www.euromomo.eu

This week: pooled EuroMOMO, all-cause mortality. Elevated level of excess mortality, overall and in all age groups. Data from 25 European countries or subnational regions; average levels from pre-2020.

https://actuaries.org.uk/news-and-media-releases/news-articles/2023/jan/17-january-23-cmi-says-2022-had-the-worst-second-half-for-mortality-since-2010/

Mortality rates in 2022 compared to 2019 at different ages

2022, mortality, 7.8% higher for ages 20-44

In the UK, the second half of 2022

26,300 excess deaths,

compared to 4,700 in the first half of 2022

The number of deaths registered in England & Wales in week 1 of 2023

30% more deaths (3,437) than expected (2023 versus 2019)

Dataset, Deaths by vaccination status, England

https://www.ons.gov.uk/peoplepopulationandcommunity/birthsdeathsandmarriages/deaths/datasets/deathsbyvaccinationstatusengland

ONS is Apparently Still Undercounting UK Deaths, Reality Likely a Lot Worse Than Stated

Old: Data Contradiction Means Office for National Statistics (ONS) Began Shamelessly Lying About Number of Dead People

On Tuesday at around 10AM (i.e. 24 hours from now) we’ll get some more mortality numbers from ONS (in proprietary Microsoft formats only), but in the meantime it’s increasingly hard to trust their output. As just noted, I’ve not received any clarification or response from them (they ask people to give them up to 10 days) and some have already filed formal complaints because ONS is deceiving the public, feeding the media intentionally incomplete or misleading data. The public will need to keep chasing them to avoid being left in the dark.

After More Than an Hour on the Phone, “Standard Life” Says Pension Was ‘Transferred’, Refuses to Give Any More Information (Money Gone ‘Missing’)

Speaking to pension schemes can be a massive waste of time. They are good at amassing people’s money and little other than that. Last week I spent over half an hour on the phone with Standard Life. They could not locate my pension! Nothing helped. They sent me to “Web sites” and I spent a weekend trying to find papers from 12 years ago. Now, with all the references and codes, they still say there is no record of those. Not my name, not the scheme number… nothing!

And they tried to send me astray to some “Web site”… as if that would work better than a person from the company on the phone, with full access to all the people and relevant systems. This is corporate greed in action.

Having spoken to 3 pension providers so far this month, I’m beyond appalled by the state of that industry, which the government blindly protects (to maintain ‘calm’). In its financial filings in Companies House, one such provider cautioned about its state in light of “COVID-19″ and “War in Ukraine”.

If I, a tech-literate person, struggle to locate such things, then what about old people who don’t use technology and barely use the telephone? What about relatives of dead people, whose pension funds they don’t even know by name (or number)? The government’s pension tracker does not even work. I tried it about 4 times. It doesn’t even bring up a complete list of companies. This is incredible!

So my advice to all people, in the UK if not elsewhere too: call your pension provider to confirm the accounts are actually there as stated. Do not take anything for granted. Study the financial state of those schemes; in some countries it is publicly accessible for free, e.g. via Companies House in the UK.

The government can try to blame this on Russia or “an act of nature” (Wuhan virus), but the bottom line is, people’s economic lifelines aren’t safe and nobody in the media seems to be talking about it. Maybe they worry it would cause a panic and a run on the bank (or on pension schemes; people emptying their pension funds would open a whole new jar of worms, such as old people who suddenly lack a pension and rely on the government for food and heating… some already get called the “working poor” and rely on food banks).

The global system of finance is failing more and more people over time. The capital has been captured by the few.

I eventually found a “lead” (after more than half an hour speaking to a lady called Leah Brown at Standard Life). She suddenly could (unlike her colleagues) see the pension was moved to another provider in 2016. She did not, however, say which company did this and was very evasive about the whole thing, hoping to deflect to the Pension Regulator while acknowledging they almost never sent me any communications about anything. This seems to have become “normal”; they don’t inform people of anything.

In summary, they more or less lied to me about having nothing on their system about my account; upon escalation they suddenly knew the year of some change, less than 7 years ago (when you phone them up they say they retain the full audio of calls for up to 7 years, so why can’t they retain that much in actual records of pension schemes?).

To be continued…

ISO Certificates Are Junk (and Sirius Proves This)

Video download link | md5sum 07a2f3b98615ee2d67a59e46c7ac4f8e
ISO as Meaningless Certificates Mill
Creative Commons Attribution-No Derivative Works 4.0

Summary: Sirius ‘Open Source’ has used “ISO” as a catch-all talking point since 2019 in spite of doing illegal, unethical and truly dubious things while failing really badly at security

In our last post we started the first of several parts about ISO, commencing a separate (sub)series of posts that may take about a week to finish.

Sirius ‘Open Source’ disregards security advice, deems commentary that it lacks security staff to be “defamatory” (actually it’s perfectly factual), and moreover it is ignoring advice from technical people who do have a clue — all this while failing to do basic things like change passwords after a major breach.

If ISO considers that to be “OK”, then that says a lot about ISO.

ISO perception; ISO reality

Original styles created by Ian Main (all acknowledgements) • PHP scripts and styles later modified by Roy Schestowitz • Help yourself to a GPL'd copy