Archive for the ‘General’ Category

Security Problems at Sirius ‘Open Source’

Video download link | md5sum ac3236ee212e511a0874c1eecac90893
Insecure About Security Status
Creative Commons Attribution-No Derivative Works 4.0

Summary: At Sirius ‘Open Source’, which we left 8 days ago, security had been neglected for years; at the moment the company brags about “ISO” and other three- (or four-) letter acronyms, but many of the basic practices are conveniently ignored

THE sad reality is that when it comes to security, many people and corporations trade on perception rather than reality. They indulge in what they can tell the public (or clients). For instance, Microsoft uses media “plugs” to pretend Microsoft is some sort of security expert with many security gurus whilst actively pursuing back doors for the NSA and others. In my latest job (almost 12 years) I witnessed customers suffering security breaches; we were not meant to tell anyone, as clientele cover up such incidents because disclosure might result in fines or erosion of confidence.

Worse yet, highlighting that some company is failing when it comes to security (as happened at Twitter earlier this year, when its security chief became a whistleblower) is seen as the real problem; in healthy workplaces the problem would be the security lapses, not the people who talk about them.

Aside from the above video, I still have plenty to say and to show (without infringing the privacy of people or naming any companies).

Patching My Work PC (at Sirius Open Source) ‘Absolutely Unacceptable’?


Summary: In Sirius ‘Open Source’, neither Open Source nor security got taken seriously enough. Siriusly! And one cannot point this out to managers as this infuriates them (it harms a false perception they’ve long cultivated).

TODAY we turn our attention to bad security practices at Sirius, including poor privacy and unbridled outsourcing. There will be numerous parts about these aspects, and we’ll provide some examples in the future when dealing with proprietary software, introduced by the company itself while tearing down its very own Free software-based infrastructure (which had been put there when the company still had geeks in the office; heck, the company used to have an actual office!).

Suffice to say, patching is part of the work, including patching one’s own machine. Anything else would be irrational (like blasting people over “commuting” time), because security starts in one’s own domain. And yet I was told off by the company’s founder for patching my PCs while on shift, despite the fact that there are several such machines (if one encounters an error, one can rely on another) and this is about actual security.

It took me a while to find the E-mail regarding this, as it dates back nearly 4 years. My redacted response is below:

I have just caught up with E-mail (resting and other things since 9am).
Sorry for the delay in responding.

Roy,

I have read your shift’s handover notes where I find this from you:

“Quiet shift, so I took the time to update my whole system. Something broke nagstamon for me, briefly, but I managed to fix it. In the meantime I used the Nagios/Icinga Web interface.”

I use 3 laptops in parallel to do my job, so this was one in three and Nagios remains accessible regardless. nagstamon is an alternative to it (sound alerts) and I wanted to bring it up to date for security reasons. As I do often, to avoid breaches.

This is *absolutely unacceptable*.

If I cannot observe systems that are monitored and supported, it’s not “unacceptable”. It’s still very much necessary. But still, looking back, there are many serious (Sirius) issues that were shared in the report below (more to come in the next parts).


Acronyms Lingo

Speaking of “GDPR” or “ISO” without even grasping the meaning behind the laws and regulations is “cheap talk”. Without comprehension of the issues, this boils down to ‘name-dropping’ (like “GDPR” or “ISO”). Currently the company would gladly take technical advice from people who openly admit they don’t care about privacy. So instead Sirius falls back on formalities and processes rather than any real grasp of the underlying issues. Sirius’ track record would be demonstrable based on recommendations from past clients; from at least two clients we would only get an alarming reminder that their systems suffered a security breach while we supported them. The clients’ names are, as usual, omitted here, but this is very well documented. There may have been more security incidents that were hidden or concealed both from clients and from Sirius staff. Considering the atmosphere of secrecy and hostility towards inquisitive staff, it seems likely that more incidents occurred but weren’t reported at all (or were reported very selectively).

Speaking of formalities and processes rather than actual substance, the company Sirius was pursuing ISO certification only amid some issues with the NHS and its highly sensitive medical data, including several incidents staff witnessed where people’s (patients’) privacy was accidentally compromised, either by Sirius or by the client (personally identifiable data divulged). To make matters worse, many times data was not being shredded as it was supposed to be, and the client complained. Had better leadership been in place, this would not have happened; it jeopardised the credibility of staff.

Account Management Practices and Data Sovereignty

With quite a lot of clients (several can be vividly recalled), Sirius failed to remove access credentials (or accounts) for staff that had already left Sirius. ‘Low level’ staff cannot access systems at the level of user management, so this was demonstrably a ‘high level’ failure. Sometimes clients complained about such gross incompetence (if clients could even figure out who still worked for Sirius; remember that Sirius misled them, as shall be noted again later) and about the potential for a security breach by former and possibly disgruntled Sirius staff, but nobody (as far as we know) was held accountable. The aforementioned sections noted that accountability only ever works in this hypocritical and vertically-inconsistent fashion. Double standards became the new company standard, enshrined covertly but not formally. Managers never offered the courtesy of taking full responsibility; too much pride to acknowledge mistakes and lapses.

As the above shows, there are endemic problems caused by mismanagement or a lack of charismatic-yet-humble leadership (maladministration), maybe even a lack of staff with ample experience managing a team of more than one person. These are essential skills, which mandate suitable recruitment. It may not be cheap, but it is vital.

Sirius has user credentials scattered all over the place, not all in OpenLDAP as was done in the past (when more competent people managed the company’s infrastructure). This will inevitably result in epic blunders. That keeps happening, again and again. In fact, user credentials management at Sirius has been partly outsourced to third parties, a taboo subject. No more GOsa, go USA (most data and authentication sent across the Atlantic).

The motivations seem petty, e.g. sharing accounts to save money despite clear security requirements that exist explicitly to forbid this. Is ISO being treated as merely a box-ticking exercise, not followed up by any potent audits? If so, are we entitled to brag about ISO compliance? Any time Roy attempted to bring up the subject, management became paranoid and threatening. This sort of resistance to ethical and moral objection would be strongly discouraged in companies capable of self-appraisal.

A colleague once mentioned in an E-mail that some colleagues may have needed to share an account with another person, all in the name of saving money. This kept happening for years despite such ISO requirements supposedly being fully in force. Account sharing was sometimes imperative, as individual accounts did not exist. In other words, all colleagues used the same username for some tasks; sometimes this was only belatedly addressed, partially and virtually post hoc.
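The two lapses described above (accounts of departed staff left active on client systems, and one account shared by several people) are exactly what a routine offboarding audit and a glance at the authentication logs would catch. The Python below is an added example written for this page; it is not code from Sirius or from any internal report. The roster, the account dump and the sshd log lines are constructed, the account names are hypothetical, and the 15-minute window used to call two logins “concurrent” is an assumption to be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed HR roster (hypothetical people): username -> (full name, leave date or None)
ROSTER = {
    "alice": ("Alice Example", None),
    "bob": ("Bob Example", date(2022, 3, 31)),
    "carol": ("Carol Example", date(2022, 9, 15)),
}

# Constructed account dump, as `getent passwd` or an LDAP export would give:
# (username, uid, login shell, date of last login or None)
ACCOUNTS = [
    ("alice", 1001, "/bin/bash", date(2022, 10, 4)),
    ("bob", 1002, "/bin/bash", date(2022, 10, 2)),      # left in March, still logging in
    ("carol", 1003, "/usr/sbin/nologin", None),         # leaver, correctly disabled
    ("support", 1004, "/bin/bash", date(2022, 10, 5)),  # no named owner: a shared account
    ("root", 0, "/bin/bash", None),
]

TODAY = date(2022, 10, 6)  # audit date for the constructed data
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def orphaned_accounts(accounts, roster, today):
    """Return (username, reason) for every login-capable account that should
    have been removed or disabled: a leaver whose account still permits login,
    or an account with no named owner in the roster. uid 0 is left alone here."""
    findings = []
    for user, uid, shell, last_login in accounts:
        if uid == 0 or shell in NOLOGIN_SHELLS:
            continue
        if user not in roster:
            findings.append((user, "no named owner in roster"))
            continue
        _name, left = roster[user]
        if left is not None and left < today:
            reason = f"left {(today - left).days} days ago"
            if last_login is not None and last_login > left:
                reason += f", yet logged in on {last_login.isoformat()}"
            findings.append((user, reason))
    return findings


# Constructed sshd log lines (syslog carries no year, so the caller supplies it).
AUTH_LOG = """\
Oct  5 09:01:02 srv1 sshd[2001]: Accepted publickey for support from 192.0.2.10 port 50022 ssh2
Oct  5 09:03:44 srv1 sshd[2002]: Accepted publickey for support from 198.51.100.7 port 50023 ssh2
Oct  5 09:05:00 srv1 sshd[2003]: Accepted publickey for alice from 192.0.2.10 port 50024 ssh2
Oct  5 12:40:10 srv1 sshd[2004]: Accepted password for support from 203.0.113.9 port 50025 ssh2
Oct  5 17:00:00 srv1 sshd[2005]: Accepted publickey for alice from 192.0.2.11 port 50026 ssh2
"""

LOGIN_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def shared_account_logins(log_text, year, window=timedelta(minutes=15)):
    """Return {username: sorted source addresses} for every account logged
    into from two or more different addresses within `window` of each other.
    One person roaming between addresses over a day is not flagged; two people
    using the same account at the same time is."""
    logins = defaultdict(list)
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m is None:
            continue
        when = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                 "%Y %b %d %H:%M:%S")
        logins[m["user"]].append((when, m["ip"]))

    flagged = {}
    for user, events in logins.items():
        events.sort()
        for i, (t1, ip1) in enumerate(events):
            for t2, ip2 in events[i + 1:]:
                if t2 - t1 > window:
                    break  # events are sorted, so nothing later is in the window either
                if ip1 != ip2:
                    flagged.setdefault(user, set()).update((ip1, ip2))
    return {user: sorted(ips) for user, ips in flagged.items()}


if __name__ == "__main__":
    for user, reason in orphaned_accounts(ACCOUNTS, ROSTER, TODAY):
        print(f"ORPHANED  {user}: {reason}")
    for user, ips in shared_account_logins(AUTH_LOG, TODAY.year).items():
        print(f"SHARED    {user}: concurrent logins from {', '.join(ips)}")
```

On the constructed data the audit flags “bob” (left 189 days ago and still logging in) and “support” (a login-capable account with no named owner), and the log check flags “support” as used from two addresses three minutes apart, while “alice”, seen from two addresses eight hours apart, is not flagged. Against a real estate the roster would come from HR and the account list from each client system or the LDAP directory; the point is that the reconciliation is mechanical and cheap, so its absence is a management choice rather than a technical limitation.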

Password management in the company has long been a painful affair. From non-secure connections to a lack of VPN for access to passwords, the company moved on to outsourcing. This was a case of “bad optics”, pragmatic issues aside. Sirius could self-host similar software that is Free and Open Source, but the company had a mindset of outsourcing almost everything to proprietary offerings from another country. As noted separately, Roy raised the alarm over this several times, pointing out actual data breaches of a very large scale, but no action was subsequently taken. The assurances were empty and arguably arrogant: a refusal to listen to vigilant security experts who have extensively covered those issues for decades. Asking a company itself whether it suffered a security breach, and how severe it truly was, is like asking an American president what happened in the Oval Office.

Sirius Corporation’s Openwashing

Published yesterday: The Rule of Law or the Rule of Lie

Many countries throughout the world strive to uphold the rule of law–where no one is above the law; where everyone is treated equally under the law; where everyone is held accountable to the same laws; where there are clear and fair processes for enforcing laws; where there is an independent judiciary; and where human rights are guaranteed for all.

Summary: Sirius ‘Open Source’ is still the official name of the company, but the company isn’t really ‘Open Source’ anymore; it’s not a viable company either, it’s run by only a handful of people

THE previous part of the report was entitled “Rules for Thee and Not for Me”, hence the above article. Deception and misapplied rules (or selectively enforced rules) became all too common at Sirius ‘Open Source’, a company we left exactly one week ago. It was too much to bear, and criticism had become impermissible. Colleagues were compelled to lie to clients, which had become less and less ethical. Sirius itself was rapidly moving away from “Open Source” (the words in its own name!) or abandoning Free software; there was no room for debate or discussion about that.

Below is the relevant part of the report we left last week (internally, just before leaving).


Openwashing Ltd.

It may seem absurd that the CEO of “Sirius Open Source” uses only non-Open Source software, also known as proprietary software, i.e. in practice he rejects Open Source (championing macOS, Chrome rather than Chromium, and lots of “cloud” things that are proprietary and exceedingly privacy-infringing), but this is what we have come to expect in a company building a facade on past branding/reputation rather than the present. This point was covered earlier.

As an aside, lately the company posted links to anti-FSF defamation tabloids via the company’s Twitter account (Roy and Rianne did not comment but only took note), even though 1.5 decades earlier the company had financially supported the FSF. When a company does not understand what it sells, it may end up advocating Windows/WSL (helping Microsoft’s attack on GNU/Linux) or even using Windows with some ‘Linux’ thing in VirtualBox instead of the real thing. Welcome to Openwashing Ltd., formerly known as Sirius Open Source. There might even be some Open Source people inside the company. Might. Maybe…

“Sirius Open Source” should be about more than the branding. People who actually use Free/Open Source software know that it is doable and know how to implement as well as recommend it (as the founder did; he gave many talks on the matter). Contrariwise, people who don’t use Free/Open Source software simply insist it’s not doable and sometimes say things like “this is just how the world works”. This kind of defeatism paralyses a company that built its whole image around “Open Source” (even paying to advertise itself accordingly), which needs to be championed for ‘Team Sirius’ to distinguish themselves (there’s plenty of competition; niches or sub-segments are simpler to compete for). Sirius as a company must not resort to false marketing, using the brand “Open Source” while in fact openwashing, neither caring about freedom nor using an OS (operating system) that adheres to freedom or autonomy, and sometimes sending a lot of sensitive data to firms in foreign states. That includes some of the core clients’ data.

A Fake Company of Fake Size

Video download link | md5sum ac5cf18cb5c1fad3ccb5b3325e730dd2
Disguised as Open
Creative Commons Attribution-No Derivative Works 4.0

Summary: A deeper look at the way Sirius Open Source presents itself to the public (including prospective and existing clients); This is clearly not the company that I joined nearly 12 years ago

THE company in question may not matter as much as the general pattern, as based on recent discussions it seems that several of the abuses are common and can be seen in other companies. But Sirius is the only example that I know well enough as an insider. Moreover, it is notable that it markets itself as “Open Source” and “stress-free”; nothing could be further from the truth.

As noted in the above video (taking stock of yesterday’s posts), the company intentionally fails to remove past workers from Sirius’ sites, all in the interest of “looking big!” while the company is minuscule and basically on the brink. Many companies do this (“skeleton crews”), but this one I can attest to personally.

We’ve thus far left out any speculation. We are sticking to facts. It doesn’t look good at all and the way we were treated compels us to speak out.

We don’t know if middle management is rogue or just doing exactly what the founder (no longer CEO) wants, but either way, the outcome is really bad, both for staff and for clients. We can safely assume the founder needs to pay a lot of money to the former wives and the kids (two wives, 4 daughters), but he seems to be dodging payments to them by ‘hiding’ in the US. He does not seem to be settled too well in the US, judging by his lodging on video (not even properly dressed up sometimes). Will support for Donald Trump offer any moral redemption? How many people would trust such leadership anyway?

Authorities in Florida Caution About Correlation Between Some COVID-19 Vaccines and Heart Attacks in Young Males

This is why proper clinical trials and studies need to precede mass administration

“This analysis found there is an 84% increase in the relative incidence of cardiac-related death among males 18-39 years old within 28 days following mRNA vaccination.”


New NHS Data: COVID-19 Hospitalisations at Start of October 2022 Are 3+ Times Worse Than in 2020 and Twice as Bad as Last Year

Late release of data notwithstanding (and missing data from Scotland), here we see how bad things have gotten. Compare new confirmed cases in the first 5 days (we don’t have a week yet) of October, split over the 3 years:

2020

05-10-2020 14,218
04-10-2020 9,966
03-10-2020 9,820
02-10-2020 11,719
01-10-2020 11,444

2021

05-10-2021 32,268
04-10-2021 36,476
03-10-2021 27,137
02-10-2021 21,873
01-10-2021 24,134

2022

05-10-2022 5,990
04-10-2022 9,098
03-10-2022 10,249
02-10-2022 8,400
01-10-2022 6,441

Now compare to hospitalisations:

2020

03-10-2020 386
02-10-2020 371
01-10-2020 368
30-09-2020 328
29-09-2020 310
28-09-2020 308

2021

03-10-2021 577
02-10-2021 549
01-10-2021 520
30-09-2021 552
29-09-2021 625
28-09-2021 596

2022

03-10-2022 1,344
02-10-2022 1,262
01-10-2022 1,091
30-09-2022 870
29-09-2022 1,158
28-09-2022 1,134


Hospitalisation rate up 33% in the past week alone.

Meanwhile Google is purging many voices in YouTube. Here’s an hours-old video about symptoms:

The numbers of cases go up sharply, based on the ZOE health study:


Based on 2021 infections (data), we still — or currently — have about 4,000 more people scarred with “Long COVID” every day. Recovery isn’t enough to avoid long-term health problems.


Latest Evidence That COVID-19 is Spreading Faster in England This Autumn

And it wasn’t this bad 1 and 2 years ago.

