Summary: Following this morning’s example of lying to clients at Sirius ‘Open Source’ let’s examine how the daytime team, i.e. self-appointed “management”, fails to deliver work which was promised (Sirius promised a project months ago, but nothing got done) and ‘low-level’ staff took the brunt; are managers doing anything at all? What are they doing all day long? Pretending to be busy? Collecting their salaries? Pushing around people who work all night long and actually possess technical skills?

As shown yesterday (or around midnight), managers at Sirius are directing staff to lie to clients and sometimes also lie to the staff. This is a highly toxic workplace climate. It compels good people to abandon good principles. Meanwhile, the ‘bosses’ are not — or barely — responding to E-mails (clients’, staff E-mails…), not doing basic accounting properly (not paying pensions sometimes!), so what on Earth do they even do all day long? Are they testing the position of their chairs?

Based on company meetings (2022) and public disclosures from the same year one can imagine the situation is rather dire; these show that there’s barely any money in the bank (we’ll show evidence at a later point in the series).

It’s hard to know what exactly happens behind the scenes (no transparency), but there’s maybe a ‘race condition’ against clients’ payments (revenue and salaries for staff). While almost understandable, this means that the company starts doing potentially illegal things when it comes to finance (we’ve mentioned stuff like a lack of payslips).

There are many other dodgy aspects we’ll explain at a later point, e.g. nepotism and contract-signing at ‘gunpoint’ (the concept will be properly explained some other day).

Nighttime staff at Sirius is working hard for a very small salary. It’s only reasonable to expect management to do the same. Moreover, meeting clients’ deadlines or expectations is rather fundamental (the previous parts mentioned SLAs).

In reality, however, everything is reversed; those who are failing at their jobs try to finger-point elsewhere and outwards. They aren’t subjected to any inside or outside scrutiny (e.g. for failing to attract good clients). To hide their incompetence they resort to spying, dirt-digging, and misdirection of blame, in essence improvising with the “law” and basically flinging lots of crap, hoping something might stick to an anti-adhesive frying pan. Last month we decided that “enough is enough” and below is one example among many more that exist. It shows how a project (not the nighttime staff’s) wasn’t being delivered for a very long time.

More Examples of Poor Service Delivery

More recently, there were more incidents of vastly delayed responses. Management received escalations but took no action. Rianne was covering the daytime shift when this (heavily-redacted) ticket was reported (note dates):

June 30, 2022

- Ticket#1013535 — RE: ?????????????????

Ticket acknowledged, escalated to ????????????????? because we may need ?????????????????. for this. The certificate, on the other hand, is valid and has not yet expired. Perhaps we can start looking for errors in that idp process log files?

---

July 17, 2022

Ticket#1013535 — RE: ?????????????????

Emailed ????????????????? regarding the priority of this ticket.

Dear ?????????????????,

This ticket has been open for over two weeks. Support/????????????????? conducted an initial investigation into the reported issue, but we have yet to contact the customer to provide our analysis or recommendations on the matter. When was ????????????????? available to investigate the problem?

---

July 30, 2022

Ticket#1013535 — RE: ?????????????????

The URL is now working: ?????????????????.
Support has not had the opportunity to update the client (no word other than acknowledging the ticket and conducting some research). I have asked ????????????????? if we can close this ticket quietly.

Hello, ?????????????????.

The URL that they reported as broken is now fully operational: ?????????????????.
I’m not sure when this problem was fixed. Support has not had the opportunity to update the client (no word other than acknowledging the ticket and conducting some research). I guess we’ll just close this ticket quietly.

---

October 16, 2022

Ticket#1013535 — RE: ?????????????????

????????????????? – is working for me without connecting to the VPN. Same result as what ????????????????? was getting.

As far as Rianne can remember, she brought this ticket to ?????????????????’s attention on Slack on that day (June 30th), but as usual ????????????????? is a very busy man and ????????????????? is not a big client, so it’s not of high priority. One can easily notice how long this ticket remained open/unattended/unnoticed for. This went on for so long (until October). As far as one can tell (based on what’s last known), this is still an outstanding ticket. It was open until the very last day Rianne was working in Sirius.

Finally, below is one more incident that shows one client that got truly pissed off. There are many redactions, but if scrutiny arises or one of those implicated are interested, we’ve got the full conversation. It’s meticulously documented for support.

The short story is, Sirius promised a project and didn’t deliver it, so the client began to chase Sirius. This is an example where a client has no idea who really works in Sirius e.g. in-house or associates (the Web site misleads about who actually works in Sirius):

Re: [Ticket#1013727] ?????????????????

10/08/2022

Hi ?????????????????,

I hope you are well.

Since our last meeting a month ago, we are already planning and working to update our infrastructure to Ubuntu 22.04LTS and so MySQL servers 8.

In the last few days we recorded performance issues on our master server.

I would like to ask if you can speedup your proposal for your execution and evaluation of MySQLtuner on our master/slave servers as suggested by ?????????????????. We must maintain our systems stable and reliable until the migration to MySQL8. (estimated by end of this months). Moreover, will give us the opportunity to setup the new servers with the right parameters.

Best regards

?????????????????

---

06/09/2022

Hi ?????????????????, ????????????????? and ?????????????????,

I think we have a very bad [this word was highligted and bold in the actual message] case of an important piece of work becoming urgent. We have had 5 database issues that have caused issues and outages in the last 4 weeks, including one yesterday.

My understanding was that in the meeting on 7th July, two months ago, you had agreed to prepare an estimate for running mysqltuner on our system. We are now in a situation where things have become critical and our ability to make system changes based on the results of this work is closing. Any changes need to be specified, developed, and tested and that usually take weeks to perform.

Please can you make arrangements for someone to assist ????????????????? on the the execution and/or analysis of mysqltuner urgently (today or tomorrow)? [highlighted and bold in the actual message...emphasizing the urgency.]

Thanks,

?????????????????

---

Hi ?????????????????,

????????????????? and ????????????????? have both escalated the urgency of this issue and many apologies that we haven’t addressed this faster.

We will of course support the urgent work on this mini-project and will just let any paperwork catch-up. ????????????????? is available.

?????????????????, could you please confirm your availability the rest of this afternoon and tomorrow from 2pm and we will find something that fits?

Many thanks,
?????????????????

09/09/2022

?????????????????, we would like to run that process in stage first – but we do not seem to have access

---

Can anyone on Sirius call me on the phone, please?

I cannot be helpful in this way.

?????????????????

---

Hi ?????????????????,

As below, ????????????????? is going to run this now and attach the output as soon as finished. Would you still like someone to call you?

We can do that now if you’d still like a call.

Thanks,
?????????????????

---

Hi ?????????????????,

it was no longer necessary when ????????????????? confirmed that you were able to access to the system and run the command requested. I have been very confused when ????????????????? said ” – but we do not seem to have access -”

Many thanks to ?????????????????.

Best regards

?????????????????

---

Hi all,

what exactly the problem is? You should have access to ?????????????????.

?????????????????

This is a very recent example. The client said: “My understanding was that in the meeting on 7th July, two months ago, you had agreed to prepare an estimate for running mysqltuner on our system.”

More than two months later there’s no progress.

Summary: Service Level Agreements (SLAs) or service-level agreements weren’t met by Sirius ‘Open Source’; it was often the fault of the management, but it will never admit this

THE series has thus far not given many concrete examples; nor did it name any clients. It’s never the intention to name any clients at all. This series is not about clients of Sirius. However, to demonstrate some of the failures this past year, consider the following examples from the internal report.

Examples

In recent years, in addition to the above, colleagues were compelled to become less honest with clients, all for the sake of saving face. In fact, there are countless examples of ‘cover-up’, but the following portion gives just one example (with redaction for privacy reasons).

Client chasing Sirius twice:

May I have an update on this please? I am on holiday next week and would have liked this resolved.

Thank you.

Kind regards,
?????????????????.

Later:

Just realised that this is still outstanding, any news please?

Thank you.

Kind regards,
?????????????????.

Sirius staff:

EXTERNAL EMAIL: Do not trust links or attachments without checking.

Sorry ?????????????????, the person looking into this has gone on maternity leave so this ticket must have been missed. As far as I’m aware the disk will be replaced by ????????????????? as its under warranty but we need to know the serial number of the failed disk. Is this something you could give us?

Thanks,

Sirius staff to Sirius CEO:

Hi ?????????????????,

Can I be honest with him and say I did flag it up but people were too busy? Or something else?

Thanks,

For brevity’s sake, this one example may suffice for now.

To be clear, there’s lots of wrong stuff here, more so than ‘wrong’ staff, as this makes pertinent staff look bad, even staff that does good work, causing staff to feel dishonest, in effect lying to oneself and lowing personal credibility among clients. This point will be revisited in the last section.

Nobody wishes to believe he or she works in a company that deceives the press, the clients, and even its own workers. False promises, false explanations and fictional excuses contribute to a climate of suspicion and distrust. A year ago there were unfulfilled expectations of weekly updates about what the company was doing; it only took about a week for such promises to fade away.

Tomorrow we’ll give examples of failing to meet Service Level Agreements (SLAs) or failing in other aspects.

Video download link | md5sum 1fe1eded7d9f86eb35d52fa67e17003e
Sirius Does Not Understand Overnight Work
Creative Commons Attribution-No Derivative Works 4.0

Summary: The company that goes by the name Sirius ‘Open Source’ perhaps feels like even employees are almost like volunteers or people to be (re)sold cheaply to rich clients for hard labour done overnight

THE above video is a lot longer than expected, but it hopefully does capture some of the nature of my job (since February 2011). This year it got yet worse because a person with connections to management suggested lowering the salary of people who work night shifts — people who saw no increase in salary for well over a decade! The conflict of interest here goes further than this, but that’s a subject to be covered another day.

To make matters worse, one colleague who came from a foreign and relatively poor country was paid only 21,000 pounds per year (less than peers who do exactly the same role) for a technical overnight job despite having a Masters Degree and having a lot of experience (seniority). He lives near London, so this kind of salary is barely a living wage. Seems exploitative. Is the company milking technical people?

Desk for Sirius? Who owns what?

Summary: The previous part in the Sirius ‘Open Source’ series showed the financial issues at Sirius; to make matters worse, the company does not provide any means for work to its NOC staff (except an ancient Cisco phone, about 20 years old and bought second hand through eBay)

THE articles that we published about the EPO showed that as horrible and autocratic António Campinos has been, at least the Office chipped in and covered expenses for home working, such as ergonomic chairs. At Sirius, however, the company pays for nothing of that sort. Not for desk, chair, computer, and so on. Workers are on their own; technical problems with a work device? That’s your problem. That’s your device. The company won’t cover it. Then they impose bloatware on staff — software that ordinary machines cannot run (yes, staff did complain; it was a common problem) or can barely run. Does the company help procure suitable hardware? No. Was it asked about it? Yes.

Here is an internal report circulated in the company earlier this month (a day prior to departure):

Remote Workers’ Procurement and Other Costs

Equipping staff with suitable assets is a basic, very basic, requirement. Roy has covered the legal aspects of that for many years in his Web sites. In Sirius, the company failed to equip home workers (“work-from-home” staff) with any computers or chairs or anything required to do the work. The managers expect staff to pay for purchasing and maintenance of all work equipment at their own expense in their own time. There’s no IT department to help with computer issues or even issue a replacement.

To make matters worse, bloated software which requires very powerful and expensive computers was introduced some years ago. Roy and colleagues also complained about this bloat, but that fell on deaf ears (Roy internally suggested the company can purchase suitable equipment or cover the costs of that). That’s aside from the very low (by market standards) salary, adding further burden. More on financial aspects shall be discussed later.

In recent months workers began observing that Sirius had customers with no way to access their systems. So how are workers supposed to deal with tickets they receive? There was expectation of dealing with queries by using “Google” to throw some answer at a client (as if the client cannot access Google), otherwise find an associate or escalate. It was starting to get hard to even tell apart clients and non-clients, as documentation was scarce and outdated to the point where clients were vaguely described and their status was unclear. Sentences like “Google is your friend” were said inside the company (Google is surveillance, it’s not a friend) and our skillset ought not rely on using search engines, following a textual script (like clerical staff in a call centre), or mere escalation to some other company. As noted before, many associates are at best loosely connected to the company and are in effect third parties.

About a year ago Roy faced disciplinary action over something unjust (to him). Instead of an independent, impartial tribunal acting as arbitrator it was likely the culprits judging the incident, then resorting to cover-up/distortion over the sequence of events to pass to the blame to ‘low-level’ staff. This started to become a typical modus operandi, which dated back several years, as a later section will explain in detail.

These issues turned out to be more widespread as staff managed to communicate with one another. For instance, lots of people were having phone issues. The company did not admit this; individual people reported it, then there was blaming of the people unable to use a defective “service” that keeps changing and breaking things that previously worked. Instead of admitting this migration was a mistake and acknowledging prior warning were given, there was only further entrenchment. More details will be given in the last section.

Video download link | md5sum 998661b08883fcceda48a018ad44c466
Sirius Treats Some Tech Staff Like Peasants
Creative Commons Attribution-No Derivative Works 4.0

Summary: Shortchanging technical staff seems like common practice, but some companies push that very far; As noted last night in this meme, Sirius ‘Open Source’ really does not like this series; but it was forewarned for years already about several issues (before trying to witch-hunt the messenger), including the rights of staff and the standards of pay

THE early parts of this series explained how things were in 2011 and prior to that year. Sirius had generously (or for self-promotional purposes) given money to KDE and to the FSF. It also recruited high-calibre staff which certainly received a decent salary.

When it comes to the NOC, things were different. As we shall see and show later, NOC staff was treated as disposable; no wonder staff turnover was very high there (for a position occupied by 4 or 5 people we’ve had about 20 members of staff already). When recruitment went on the official (but internal) wiki of the company compared NOC staff to “monkeys”. For the same number of hours covered I could easily earn 5 times as much in another company, so surely I’m no “monkey”… my solace was, once upon a time we did in fact support Free/libre software. It felt like an ethical job.

The salary I received in 2011 was higher (per hour) than at the time I left, in spite of being more than 11.5 years apart. How did this happen? How many employers fail or refuse to keep up with inflation (at the very least)? Set aside promotion ladders that typically come with increments in base pay.

Either way, the company really does not want me to talk about this. Last night it sent me a letter after more than 10 days of complete silence. What did the letter say? It is described in the video above, but the impression one gets is that it’s a low-grade censorship attempt. It almost looks like the company “Sirius Open Source” is trying to ‘bribe’ us, basically saying something like (not actual quote), remove all those articles and we’ll pay you for some holidays (that we never took). Well, we’re not sellouts, we won’t stop, and the Sirius ‘UK’ CEO (pretending to be based in two continents) does not seem to grasp what he’s dealing with. Paying (shall we say ‘bribing’?) while making veiled threats is legally bad and makes the company look even worse. Better to just say nothing than send frivolous letters. For sure we’ll return to this at the end of the series, probably some time next month.

Network Operations Center by Alan Levine the from United States. This file is licensed under the Creative Commons Attribution 2.0 Generic license.

Summary: The company Sirius ‘Open Source’ paid way below the market standards even back in 2011; incredibly enough, payment increments were discarded in spite of inflation and even travel expenses weren’t always reimbursed

THE signs that a company isn’t functioning are probably universal; one can find many stories about startups that never pay staff or always make verbal promises with delays… until they become insolent (then, recovering the stolen salary is impossible). “Wage theft” as it’s sometimes called it very common in small companies, but Sirius was never that bad. Having said that, as we shall show next month, the financial situation was dire and staff was expected to adapt accordingly. It was hard to compel people to work extra hours; some of them had already worked very strange hours under unusual conditions.

Funds of the company were increasingly redirected to wasteful things, clients were occasionally undercharged, and sometimes even the staff took the brunt of the waste. Today, as well as in tomorrow’s part, we shall revisit some examples of that, citing a report we left this month, just before leaving the company.

Financial Aspects Revisited

As noted above, the current AWS fees are extraordinary and as shall be shown later, an ordinary staff salary is almost laughable. For technical people working at hours like these, including weekends and holidays, the salary would typically be double or treble the “market standard” (which for technical people is rather high). To observe that ordinary employees of Walmart (the world’s largest employer) get paid more than someone who works around the clock, even on holidays, doing technical work, is just unbelievable. In many US states a starter salary for Walmart staff is around $30,000 and some Support Team staff at Sirius receives 21,000 British pound, i.e. only a little above minimum wage. It’s important to stress that in Sirius the management never experiences those erratic sorts of rotas, including mid-week rotations (moving between 5:30PM-1:30AM to 1:00AM-9:00AM and then back again). People at Walmart don’t work overtime or in weekends (if they do, they get paid double or more) and don’t have the same skillset. Some don’t have college/university degrees (or student debt to pay). How can Sirius justify this, especially the lack of increase in salaries, not just adjusted for level of seniority (or length of service) but also inflation? This impedes recruitment prospects. As noted earlier, it is essential to attract “new blood” for the company to remain operational, and later on it will be noted that basic equipment is not being provided either. Employees need to pay for their work equipment and more. This makes Sirius like a low-cost supplier of cheap labour. At Walmart, there is at least a chance of career progression, e.g. supervisor roles and above. Walmart employees don’t receive urgent calls when they’re out for family time away from town, asking for immediate help with some technical matters due to an incident. In Sirius, even low-paid staff was subjected to that. Even getting a holiday approved has become quite hard and sometimes approval is received only a day prior (with a substitute unsuitable to actually fulfil the job). That’s not enough time to make meaningful travel plans.

From clear recollection, the company has a track record of not paying full travel expenses to some colleagues and one may have sued the company over it, based on another colleague. In Roy’s case too, several trips to Leicester (to meet a potential client) around 2014 were never covered (train expenses totaling about 140 pounds). Despite repeated reminders from Roy and repeated assurances from the management (or no reply), Roy never received his expenses reimbursed for either of those trips. At some point Roy simply gave up pursuing that as Roy felt like it required a lot of nagging. Again, where is the accountability for it? That was 8 years ago and still overdue. If not a matter of stinginess, this is a case of gross incompetence and injustice. After about a year it became embarrassing to even bring up the subject again. It’s akin to what’s known as “wage theft” but applicable to travel (long-distance journey) expenses rather than remuneration. This was still several years before vindictive managers started manufacturing fake ‘cases’ against particular members of staff in a rather psychopathic fashion (never bothering to even apologise later, as any truly mature person would do). Habitually the company would distort what employees actually said, either on the record or off the record, to manipulate or trick people into saying things, hinged upon loaded statements or distortion thereof. This will be discussed in this document’s final section.

Summary: In Sirius ‘Open Source’, neither Open Source nor security got taken seriously enough. Siriusly! And one cannot point this out to managers as this infuriates them (it harms a false perception they’ve long cultivated).

TODAY we turn our attention to bad security practices, including poor privacy and unbridled outsourcing of Sirius. There will be numerous parts about these aspects and we’ll provide some examples in the future when dealing with proprietary software, introduced by the company itself while tearing down its very own Free software-based infrastructure (which had been put there when the company still had geeks in the office; heck, the company used to have an actual office!).

Suffice to say, patching is part of the work, including patching one’s own machine. Anything else would be irrational (like blasting people over “commuting” time) because security starts in one’s own domain. And yet, I was being told off by the company’s founder for patching my PCs while I was on shift despite the fact that there are several such machines (if one encounters an error, then one can rely on another machine) and this is about actual security.

It took me a while to find E-mail regarding this, as it dates back nearly 4 years. My redacted response below:

I have just caught up with E-mail (resting and other things since 9am).
Sorry for the delay in responding.

Roy,

I have read your shift’s handover notes where I find this from you:

“Quiet shift, so I took the time to update my whole system. Something broke nagstamon for me, briefly, but I managed to fix it. In the meantime I used the Nagios/Icinga Web interface.”

I use 3 laptops in parallel to do my job, so this was one in three and Nagios remains accessible regardless. nagstamon is an alternative to it (sound alerts) and I wanted to bring it up to date for security reasons. As I do often, to avoid breaches.

This is *absolutely unacceptable*.

If I cannot observe systems that are monitored and supported, it’s not “unacceptable”. It’s still very much necessary. But still, looking back, there are many serious (Sirius) issues that were shared in the report below (more to come in the next parts).

Acronyms Lingo

Speaking of “GDPR” or “ISO” without even grasping the meaning behind laws and regulations is “cheap talk”. Without comprehension of the issues, this boils down to ‘name-dropping’ (like “GDPR” or “ISO”). Currently, the company would gladly take technical advice from people who openly admit they don’t care about privacy. So instead Sirius falls back onto formalities and processes rather than any real grasp of the underlying issues. Sirius track record will be demonstrable based on recommendations from past clients; with or from at least two clients we might only get an alarming reminder that their systems suffered a security breach while we supported them. The clients’ names are, as usual, omitted here, but this is very well documented. There may have been more security incidents that were hidden or concealed both from clients and from Sirius staff. Considering the atmosphere of secrecy and hostility towards inquisitive staff, it seems likely more incidents occurred but weren’t reported at all (or reported very selectively).

Speaking of formalities and processes rather than actual substance, the company Sirius was pursing ISO certification only amid some issues with NHS and its highly sensitive medical data — including several incidents staff witnessed where people’s (patients’) privacy was accidentally compromised, either by Sirius or by the client (personally identifiable data divulged). To make matters worse, many times data was not being shredded like it was supposed to and the client complained. If better leadership was in place, this would not have happened, jeopardising the credibility of staff.

Account Management Practices and Data Sovereignty

With quite a lot of clients, and several can be vividly recalled, Sirius failed to remove access credentials (or accounts) for staff that had already left Sirius. ‘Low level’ staff cannot access systems at a level of user management, so this was demonstrably a ‘high level’ failure. Sometimes clients complained about such gross incompetence (if clients could even figure out who still works for Sirius; remember that Sirius misled them, as shall be noted again later) and potential security breach by former and possibly disgruntled Sirius staff, but nobody (as far as we know) was being held accountable. The aforementioned sections noted that accountability only ever works in this hypocritical and vertically-inconsistent fashion. Double standards became the new company standard, enshrined covertly but not formally. Managers never offered the courtesy of taking full responsibility. Too much pride to acknowledge mistake and lapses.

As the above shows, there are endemic problems caused by mismanagement or a lack of charismatic-yet-humble leadership (maladministration), maybe even a lack of staff that possesses ample experience managing a team of more than one person. These are very essential skills which mandate suitable recruitment. It may not be cheap, but it is vital.

Sirius has user credentials scattered all over the place, not all in OpenLDAP as done in the past (when more competent people managed the company’s infrastructure). This will, inevitably, result in epic blunders. That keeps happening. Again and again. In fact, user credentials management at Sirius has been partly outsourced to third parties — a taboo subject. No more GOsa, go USA (most data and authentication sent across the Atlantic).

The motivations seem petty, e.g. sharing accounts to save money despite clear security requirements that exist to explicitly not do this. Is ISO being treated as merely a box-ticking exercise, not followed up by any potent audits? If so, are we entitled to brag about some ISO compliance? Any time Roy attempted to bring up the subject the management became paranoid and threatening. This sort of resistance to ethical and moral objection would be strongly discouraged in companies capable of self-appraisal.

A colleague once mentioned in an E-mail that some colleagues may have needed to share an account with another person, all in the name of saving money. This kept happening for years despite such ISO requirements supposedly being fully in force. Account sharing was sometimes imperative, as individual accounts did not exist. In other words, all colleagues use the same username for some tasks; sometimes this was only belatedly addressed, partially and virtually post hoc.

Password management in the company has long been a painful affair. From non-secure connections to a lack of VPN for access to passwords the company moved to outsourcing. This was a case of “bad optics”, pragmatic issues aside. Sirius could self-host similar software that was Free and Open Source software, but the company had a mindset of outsourcing almost everything to proprietary offerings from another country. As noted separately, Roy raised alarm over this several times, noting or pointing out actual data breaches of a very large scale, but no action was subsequently taken. The assurances were empty and arguably arrogant — a refusal to listen to vigilant security experts who extensively covered those issues for decades. Asking a company itself whether it suffered a security breach and what the severity truly is like asking an American president what happened in the Oval Room.