Especially not when you send passwords and private keys to dodgy third parties that suffer security breaches and lie about it

Summary: Sirius ‘Open Source’, emboldened by ISO ‘paperwork’ (certification), lost sight of what it truly takes to run a business securely, mistaking worthless gadgets for “advancement” while compelling staff to sign a new contract in a hurry (prior contract-signing scandals notwithstanding)

A part devoted purely to ISO was last week’s focus/work and this week we show some of the company’s awful practices when it comes to security. This is the most recent example. It’s from this past October and it’s likely what got me “flagged” for bollocking. In short, after the contract-signing scandals of 2019 I was apprehensive about signing another unknown contract and moreover consenting to a company-provided spying device (with camera and microphone) being inside my home. My wife was also hesitant; she expressed very strong opposition to this even before I did. “What next?” she said…

My E-mails about company “mobile phones” were discussed with a friend in IRC (personal channel), albeit only after careful redaction. Polite language was used. Facts were adhered to all along. At the bottom of this post the communications are reproduced in full, with clients’ names and colleagues’ names redacted.

This “mobile phones” strategy it is not about saving money; outsourcing never saves money, it adds a trap for short-term savings. The bills, in turn, gradually increase by a lot and services stop working or get shut down. They cannot even be debugged because they are proprietary (AWS and Google in mind).

As the communication below shows, first they sent some ‘enticing’ message and later they sent an “ASAP” for a contract to sign (for “smart” “phone”). It was likely some sort of waiver. The messages were sent less than 10 minutes apart, obviously coordinated for effect, and there was no room for debate. If the company wants to buy brand new phones while deprecating existing Cisco phones of all staff — and it won’t settle for low-cost phones while at the same time admitting to employees that the company is tight on budget — then what gives?

But there are deeper, more profound issues at stake here. To give some background, consider what the EFF published last month in relation to NLRB (unions):

How does this work? The NLRB protects the right of workers under Section 7 of the National Labor Relations Act to organize and discuss joining unions with their coworkers without retaliation and the board’s General Counsel rightly suggests that surveillance of workers by their bosses can lead to unlawful retaliation, as well as a chilling effect on workplace speech protected by the NLRA.

“It concerns me that employers could use these technologies to interfere with the exercise of Section 7 rights … by significantly impairing or negating employees’ ability to engage in protected activity—and to keep that activity confidential from their employer,” General Counsel Jennifer Abruzzo said in her letter. She added she will urge the board to act to “protect employees from intrusive or abusive electronic monitoring and automated management practices” that interfere with organizing rights.  The general counsel’s memo serves as a marker for future cases considered by the NLRB. Traditionally, the opinion of the NLRB’s general counsel has a significant effect on how the board rules on cases it considers. This means that, should workers wish to file a claim with the NLRB along these lines, the board would take this opinion into account.

While worker privacy has been considered within general consumer privacy bills, workplace privacy rights function differently than those in many other contexts. A worker often cannot walk away from a camera pointed at their workstation. And while a consumer may feel they aren’t really “consenting” to data collection when they use a product or service, they generally have the option to go to a competing product. Workers don’t; saying “no” could cost them their livelihood. Therefore workers are set up to potentially lose certain rights during the workday.   

At the end of the month the EFF revisited this issue:

Since then, EFF has joined with those in the labor community to learn more about surveillance in the workplace and on work devices, and the effect it has on employees. Particularly as regulators start to pay more attention, and legislators include workers’ privacy in general consumer privacy bills, it’s important to understand the ways that the workplace presents unique challenges in this arena.

Bossware has Real Effects on Workers

As white collar remote workers felt bossware breathing down their necks, there was more coverage than ever of how employers are monitoring the workforce, and the lasting effects it has on workers’ health, safety, livelihood, and collective bargaining rights. Even for remote staff, these stresses affected their mental health and family responsibilities. But it is workers across all fields that have increasingly felt the heat of surveillance, and some of the coverage was propelled by blue collar workers who fought back, from meatpacking facilities to service workers to delivery drivers who experienced increased surveillance as a form of retaliation for wage demands. Neither the ineffectiveness nor the impact on real people calmed employers’ desires for increasing means to monitor and control worker behavior, with some even floating a database on worker productivity. Courts and agencies in other countries, like the Netherlands, have been quicker to take on U.S. firms who they allege have violated the human rights of foreign remote workers with demands on their acquiescence to invasive monitoring.

One lingering concern was, those “phones” can be used for spying and we already know the company was spying on workers, as we’ve demonstrated for nearly 2 months already.

The manager did not bother explaining the decision or how it had been reached; he went completely silent. He was trying to force us to sign something in a rush. Yet again… like in 2019. He also sent us nothing and instead went on a fishing expedition in IRC logs (it seems like nobody gave him a heads-up, as we showed before), only to find nothing but gossip that mentions no names, not even “Sirius”. Such stalking by a “thug” isn’t acceptable and it’s easy to get the impression that it was an act of retaliation in a company where managers are immune or exempted from enforcement (like EPO management). A “phone” would likely become just a tool to “manage” people and there’s already years-old track record of bullying by management. A “phone” would be a blunt instrument of coercion by intimidation and humiliation. All the stalking further justifies workers being apprehensive about “mobile” phones at home. In retrospect, we made the right decision when we antagonised/rejected the proposal.

Here is the full correspondence:

Introduction of Company Mobile Phones for the Support Team

Dear All,

This is just to update you that as part of our on-going development and improvement, we will imminently be introducing company mobile telephones for Support Team staff.

Whilst we are also constantly seeking cost savings and efficiency improvements and consequently as you know are looking at significant structural changes in the organisation, we also have significant security obligations for our own compliance and business requirement obligations to our clients.

However, as well as helping with our security compliance we believe this will be a very positive improvement in the ease of use for support telephony. xxxxx will distribute full details and instructions shortly.

Thank you in advance for helping with the smooth introduction of these devices!

Kind regards,

xxxx

9 minutes later another colleague wrote:

Introduction of Company Mobile Phones for Support

Hello Support Team,

With more customers demanding tighter security, the upcoming ISO audit requirements being more strict this coming November, and a general need to ensure you have the right tools for the job, Sirius will now be issuing work mobile phones to Support staff.

This has been under consideration for several years pending the right combination of business, customer, and financial requirements being met for deployment. Whilst the company continues to need to make overall financial savings and to achieve better efficiency, a number of pressing factors have become primary drivers to make this change happen now. (For example, you will be aware of xxxx becoming an increasingly important client of late and the imminent expansion of the support contract with them is key.)

We expect this to be a very positive step for Support Staff and should make a number of key processes more straight forward whilst also enabling key business benefits and security improvements.

Key purposes/benefits of introducing support mobile phones:
1. To enable 2FA and secure authentication for both Sirius and customer environments
2. Separating work and personal devices as a benefit for both work (security) and life-balance (you can turn it off when not on shift)
3. A step towards replacing the legacy Cisco handsets
4. The devices will integrate with the native platform for Google Voice and be a backup/forwarding target for that
5. A backup data connection to work from in case of local internet outage

The company policy on mobile devices and security is currently being updated to reflect this new tool, but please pay particular attention to the following key notes:
* The devices will remain the property of the company
* The devices must be used solely for work purposes and only by yourself
* The devices will be controlled centrally by Sirius, usage will be visible to management
* The devices must not leave the UK without prior specific permission from management

You have already agreed to abide by the Sirius IT policy and all usage of the device should be in accordance with this.

Devices will be distributed shortly and will include a Mobile Device Guide to allow a quick set-up. Please read through the Mobile Device Guide asap once available (which will be assigned to you in xxxx) and then agree to the contents and terms, after which your device will be sent out.

Warm regards,

To the first message I responded: “If this is about facilitating MFA, please provide phones with batteries that can be detached/removed in order to ensure the risk introduced isn’t greater than the risk lowered.”

The response was:

Hi Roy,

What risk are you suggesting we address by opting for mobile phones with a removable battery?

These devices are almost extinct, with only a few options. They also tend to be lower spec’d and poorer performing as you can see here: https://www.androidauthority.com/best-android-phones-removable-battery-697520/

Further to our discussion this morning, I cannot see a reason for us to make this a priority at this point.

Regards,
xxxx

I responded to the longer message as follows:

> Hello Support Team,

Hi,

> With more customers demanding tighter security, the upcoming ISO audit
> requirements being more strict this coming November, and a general need
> to ensure you have the right tools for the job, Sirius will now be
> issuing work mobile phones to Support staff.
>
> This has been under consideration for several years pending the right
> combination of business, customer, and financial requirements being met
> for deployment. Whilst the company continues to need to make overall
> financial savings and to achieve better efficiency, a number of pressing
> factors have become primary drivers to make this change happen now. (For
> example, you will be aware of xxxx becoming an increasingly
> important client of late and the imminent expansion of the support
> contract with them is key.)

We still need a wiki page for them.

> We expect this to be a very positive step for Support Staff and should
> make a number of key processes more straight forward whilst also
> enabling key business benefits and security improvements.
>
> Key purposes/benefits of introducing support mobile phones:
> 1. To enable 2FA and secure authentication for both Sirius and customer
> environments

When I saw the previous message I responded with “If this is about
facilitating MFA, please provide phones with batteries that can be
detached/removed in order to ensure the risk introduced isn’t greater
than the risk lowered.”

It’s understandable that some of these schemes do not support a landline.

> 2. Separating work and personal devices as a benefit for both work
> (security) and life-balance (you can turn it off when not on shift)

Not applicable to me as I don’t use such a device.

> 3. A step towards replacing the legacy Cisco handsets

The Cisco handsets have worked well for almost a decade. They were
always more reliable than Google Voice.

> 4. The devices will integrate with the native platform for Google Voice
> and be a backup/forwarding target for that

We already have a dedicated computer for Google Voice. Plus, it has
several fallbacks in place.

> 5. A backup data connection to work from in case of local internet outage

I think we still have a USB dongle for this somewhere. A SIM card should
be enough to facilitate it. Our connection has generally been reliable
for years.

> The company policy on mobile devices and security is currently being
> updated to reflect this new tool, but please pay particular attention to
> the following key notes:
> * The devices will remain the property of the company
> * The devices must be used solely for work purposes and only by yourself
> * The devices will be controlled centrally by Sirius, usage will be
> visible to management

It seems like sole purpose of it will be 2FA. Any simple phone that can
do SMS can handle robust 2FA. Anything “apps” can introduce more risks.

> * The devices must not leave the UK without prior specific permission
> from management
>
> You have already agreed to abide by the Sirius IT policy and all usage
> of the device should be in accordance with this.
>
> Devices will be distributed shortly and will include a Mobile Device
> Guide to allow a quick set-up. Please read through the Mobile Device
> Guide asap once available (which will be assigned to you in xxxx)
> and then agree to the contents and terms, after which your device will
> be sent out.

If, as stated above, I “already agreed to abide by the Sirius IT policy
and all usage of the device should be in accordance with this,” then why
do I need to sign an additional document? Anyway, I think this needs to
be discussed with staff. I wasn’t told anything about this until today
and it seems like a lot of resources are spent on just an MFA appliance.

Regards.

I tried to speak to them over the telephone, knowing from experience that they would likely not bother replying.

First colleague: Managed to get to him over the phone to discuss the matter.

Second colleague: Tried to avoid talking to me about it over the phone, using obviously fake excuses.

But the point isn’t about a “phone” per se. As we’ll show over the next few days, the company was failing at the very basics and putting not only its own systems at risks but also clients’.

Summary: Before we proceed to showing how Sirius ‘Open Source’ blatantly ignored security and privacy we wish to show how ISO (see ISO wiki) basically ‘sold’ a certificate to Sirius — this is like a “diploma mill” but something that’s for businesses, not individuals

THIS is today’s second article on this topic. We’ve found some spare time for faster progression and in-depth coverage. As I noted yesterday, my wife had more direct and indirect experience (decades ago) with ISO being a bunch of meaningless hooey. So did I (having stumbled upon classical ‘box tickers’ or worse). Sirius is just another reminder of that. Hence this series and its relevance. It seems like a lot of people in technical fields separately and independently reached the conclusion that ISO is overhyped, overvalued, and mostly a waste of time and money (unless you have a ‘bullshit job’ to justify).

“This isn’t science. It’s like calling “economics” a science. It is not. It’s more like religion.”“My dad complained about the ISO in the 90s,” Ryan said in IRC an hour or so ago. “He constantly made fun of all of their “standards” for management of a company that didn’t mean anything but go on and on. It’s a sort of code so that managers sound smarter than they are. “We’re ISO-Whatever compliant with our handling of the TPS reports.” And the ISO standards can be wrong and never revised. Microsoft implemented the standard for MP3 and so did LAME, and then the result was they were both correct and Windows XP crashed. Part of the standard about what constituted the maximum size for a frame could be calculated one of two ways.Microsoft chose the more constrained way and it resulted in a buffer overflow with some files that crashed Windows Media Player. LAME had chosen the method that resulted in a slightly larger permissible frame size. The outcome was LAME had to be changed to use the Microsoft calculation to avoid crashing Windows, and that meant a reduction in audio quality under some circumstances, with padded bytes instead of data. Later, they changed to use the VBR bit allocator, even in a CBR file, and it mostly avoids the situation by its method of action. It can cleverly use the bit reservoir in ways that the former bit allocator that was only for CBR files couldn’t. Naturally, they never delete anything, so you can still demand the old model. It’s just an absolute nightmare of options switches. It’s the worst thing I’ve ever seen in a utility its size. ISO is kind of the stuff of Pointy Haired Bosses when it comes to Management Theory being standardized.”

Well, this whole “Management Theory” is what we’re dealing with here.

This isn’t science. It’s like calling “economics” a science. It is not. It’s more like religion.

Here’s what happened in Sirius (in mostly logical/chronological order):

Subject: ISO
Date: Mon, 29 Jul 2019 15:47:43 +0100
From: xxxx
To: xxxx

Hey All,

As you know we are going through the ISO processes – I have been asked to gather some information from everyone at Sirius to create a list of all assets used by employees of Sirius whether it belong to the company or the employee so if I can have the item name and serial number that would be great. They have also asked which anti virus you all use.

Are you all able to send me the required information ASAP please?

Thanks,

xxxx

Yes, because a bunch of serial numbers would mean so much! Of people devices at home… for the most part.

“They would nag us to do the same ‘course’ every year, even though it is dumb and we ‘passed’ it already.”A month later came “You have been registered for a Training course – Information Security” (no, not really security but this hoax instead). We’ll deal with that another day…

They would nag us to do the same ‘course’ every year, even though it is dumb and we ‘passed’ it already. This is compliance???

??”This is something that will be done annually for our ISO process,” I was told, “so please complete this on your next shift.”

??Way to waste people’s time, doing and passing a total hoax over and over again (details on why it’s a hoax were covered here before).

??Notice the threats being sent to ALL staff:

Hi All,

As you will all be aware we have been implementing new policies and procedures in order to become ISO 9001 and ISO 27001 compliant. Part of this entailed changing our HR company to xxxx who use the online portal Atlas to provide an easier method to roll out training. I have checked and there is still a substantial amount that has still not been completed.

ALL training sent out by myself needs to be passed and completed by the _*25th November 2019*_. This is to ensure we meet our deadline for the final stage of ISO audits.

Failure to comply with this request may result in disciplinary action. For those of you that have completed the training, please ignore this message and thank you.

Kind Regards,

xxxx

“Failure to comply with this request may result in disciplinary action,” it says. They kept making veiled and explicit threats. Sometimes this culminated in actual bullying, false accusations, and blame-shifting witch-hunts.

Of course the portals failed to even work properly. For instance:

> ALL training sent out by myself needs to be passed and completed by the
> _*25th November 2019*_. This is to ensure we meet our deadline for the
> final stage of ISO audits.

I was able to open all the documents and read them. The animated things,
or training sessions, get stuck. I tried each one of them about 5 times
(>each<) and they get stuck somewhere along the way. I tried this on
multiple machines. Rianne told she too had some difficulties.

I will try again on my next shift, but these technical issues do merit a
mention. They also rely on plugins Adobe no longer supports, posing
security risk (an issue aside from the bugs).

Kind regards,

[Roy]

Her answer was: “Have you tried using a different web browser?”

Of course she wasn’t using GNU/Linux or anything “Open Source”. This does not constitute an actual solution.

In 2020 the following was sent:

——– Forwarded Message ——–
Subject: xxxx – Things to do
Date: Thu, 26 Nov 2020 11:38:01 +0000
From: xxxx
To: xxxx
CC: xxxx

Hi All,

In October I issued Linux Training via xxxx. Can you all please ‘acknowledge’ this on your portal to show that you have opened and read it.

I also need you to ensure ALL training modules issued on xxxx i.e information security and documents issued i.e IMS Awareness presentation have been completed by the end of your next shift.

It is essential these tasks are carried out prior to our ISO Audit next week.

Kind Regards,

Well, those training modules and ISO guidelines weren’t even followed by Sirius. We gave examples of this before. In some cases, there were efforts to meet standards only after a certificate had been granted.

Sheesh. I’m not supposed to say this in public, am I?

What did those audits mean anyway? What did the above “ISO Audit” actually check? That the cookie drawer is properly locked when Office staff goes to retrieve some hot chocolate milk from the machine?

“In the next few parts we’ll show what Sirius did in practice, not in theory, and what it told staff, not ISO auditors.”Some other messages were banal. They indicated a certificate had been granted (in other words, Sirius basically bought one) after minimal so-called ‘audits’ and staff sending a bunch of numbers from the back of computers (as if that means anything at all).

ISO is a joke. When it comes to this administrivia, ISO created just another ‘cash cow’ for itself.

In the next few parts we’ll show what Sirius did in practice, not in theory, and what it told staff, not ISO auditors. It’s one heck of a clusterf**k with the company’s data scattered all over the place. That includes clients’ data, even private keys and passwords.

Video download link | md5sum 07a2f3b98615ee2d67a59e46c7ac4f8e
ISO as Meaningless Certificates Mill
Creative Commons Attribution-No Derivative Works 4.0

Summary: Sirius ‘Open Source’ has used “ISO” as a catch-all talking point since 2019 in spite of doing illegal, unethical and truly dubious things while failing really badly at security

IN OUR last post we started the first part of several parts about ISO, commencing a separate (sub)series of posts that may take about a week to finish.

Sirius ‘Open Source’ disregards security advice, deems commentary that it lacks security staff to be “defamatory” (actually it’s perfectly factual), and moreover it is ignoring advice from technical people who do have a clue — all this while failing to do basic things like change passwords after a major breach.

If ISO considers that to be “OK”, then that says a lot about ISO.

What if ISO knew the truth?

Summary: There are no proper and truly compliance-driven procedures that are being followed, actively used, or even vaguely specified by poor leadership at Sirius ‘Open Source’; it’s all improvised, hugely deficient, not even remotely compliant, and changes are sometimes made retroactively due to lapses and mistakes (compliance or merely appearance thereof, albeit only “after the act”); eventually there are attempts to shoot the messengers — those who have actually cautioned about those concerning things for several years already

THE “Conclusion” part of the report (a document we’ll publish tomorrow as PDF) is included at the bottom of this post. Worry not, it’s not the end of the series, only the end of this report; we have plenty left to show and to explain after that. We’re eager to show to the world what Sirius ‘Open Source’ Inc./Limited/Corporation truly is.

As a teaser of sorts, consider how poorly the company was handling data and information. It was getting worse over time because skilled people were leaving the company, making way for the “Google is your friend” mantra. This aforementioned mantra was something along the lines of, “trust big companies”, you can give them any data we have. Trust them, they’re big! Sure, they also spy for a government.

Data of high-profile clients, both past and present, was naturally left scattered all over the place, sometimes even outside the country. And to give just one example (there are so many; some will be covered later this month and next month), colleagues have cognition reports and incremental/full load reports on local — as in personal and offsite — machines (this is indirectly related to patients’ data) with no protocol or guidelines for removing these. There’s potentially sensitive data on people’s machines at home and we’ve already witnessed mistakes made by the clients themselves (like patients’ names or similar data showing up by mistake/accident).

THIS SHOULD NEVER HAPPEN!

In a saner world, everything would be uploaded to a firewalled file server located on the client’s own network, accessible in some secure fashion, without the data ever leaving the network, not even metadata. But when a company like Sirius handles its E-mail via AWS and AWS is also the host of OTRS (ticketing), one is expected to just upload files to AWS and transmit the stuff over E-mail (i.e. open relays). No encryption. I was repeatedly told off for using PGP in my E-mails.

There are serious ramifications for data protection and adherence to law, as there are unpatched old machines and perhaps backups that contain such files — a ticking time bomb. And even way after they’re no longer a client (years later), the example above serves to show that the problem does not go away. Not even when the contract ends (or gets terminated).

The sad reality is that the company, Sirius (so-called ‘open source’), is terrified about clients finding out how reckless and incompetent the company gradually became. Clients simply come to assume the reputation earned in past decades persists to date. They’re trusting a company run by a person divorced twice, whose kids refuse to even speak to him. How can deep trust be established with people who (if they get caught) simply pretend nothing bad happened and instead of apologising would rather get aggressive, even combative, to cover up the abuse?

The text below mentions ISO, security incidents, and then the company’s attempts to shoot the messenger (who cautioned about those issues along with many other issues). The in-depth analysis of the witch-hunt will follow after this report is published in full (some time tomorrow).

Conclusion

To summarise, Sirius should simply admit out in the open: “we’ve deviated away from our mission,” and moreover Sirius ignores warnings about security (ISO deserves to know about phonies and posers at security).

Roy internally cautioned about this several times over the years. Later, when some providers suffers security breaches (as Roy predicted) Sirius neither reset the passwords nor left the compromised providers.

To reiterate what was stated at the start, what’s alleged here is factually correct and evidence-backed. No URLs are provided, but URLs can be provided shall they be requested. Brevity still matters and much remains to be told.

In regards to the weak accusations leveraged to avoid paying compensation to Roy and Rianne, here again is the gist of the underlying issue/s:

1. no due process
2. no evidence presented (or claims merely alluded to without context/link)
3. gross accusation inflation
4. guilt by association (identical letter, too)
5. the company has a history doing this to couples, e.g. one blind colleague based in Germany; it was very serious and it went to court (cost the company or its Directors — the founder and his wife — a lot of money, went on for a long time, settled at the end)

The document is far from complete. Roy and Rianne have documents, have screenshots, links to official documents from Companies House etc.

Summary: The Sirius ‘Open Source’ management made the decision (without any consultation with the staff affected) to outsource key operations to foreign, third-party entities that are subjected to the US government’s prying eyes and several of the National Security Agency’s programs; this affected clients as well (usually without their awareness, let alone consent)

THIS is the last part of the third section of a report I left with the company before leaving at the start of this month. There will be a lot more information about this scandal next month. Recent E-mails are appended below (with certain stuff redacted for privacy’s sake).

I cautioned about this repeatedly (for about 4 years) and suffered retribution, threats, and more. Nothing has improved since then.

As just a little sample, please see the E-mails at the bottom (recent); shared in the future will be some longer E-mails about this issue.

But first… the report.

The morale around that time was low, set aside COVID-19 becoming a growing problem, along with lock-downs. Roy noted that in order to comply with the law he cannot post clients’ details on the Slack network. So he chose to obey the regulations and the law, in line with security standards. Stuff like “hi” is probably considered OK and safe enough for Slack, but not addresses, passwords etc. Things have not improved since, as the final section notes again (with examples).

This long section, along with written messages as evidence, is very important. Bad leadership worsened the corporate climate and changed how people viewed the company from within, if not from the outside as well.

This document now proceeds to a discussion about the latest and maybe the final blow. The company already had capacity issues (not enough staff to cover shifts) and now it’s even worse.

Roy and Rianne hoped to prevent a ‘death spiral’ and ironically enough it seems like the company wants to accelerate its own ‘death spiral’, due to tactless, insensitive remarks.

One of many messages to that effect — messages which I was sending for years to highlight the problem. Of course nothing was done about this; usually there was not even as much as a reply. Hush hush as a company-wide policy…

This one is from August of this year:

Date: Tue, 30 Aug 2022 09:00:50 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050317
 Thunderbird/1.0.2 Mnenhy/0.7.4.0
From: Roy Schestowitz
Subject: Handover to Shift 2 (30/08/22)
To: [whole team]

[...]

https://www.darkreading.com/cloud/lastpass-data-breach-source-code-stolen

users need to change all the passwords they have there and not keep them
there if they value real security not paper mills.

Another one from August of this year:

Date: Thu, 11 Aug 2022 03:10:53 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050317
 Thunderbird/1.0.2 Mnenhy/0.7.4.0
Content-Language: en-US
From: Roy Schestowitz
Subject: Slack admits to leaking hashed passwords for five years
To: [whole team]
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

https://nakedsecurity.sophos.com/2022/08/08/slack-admits-to-leaking-hashed-passwords-for-three-months/

Does not surprise me at all. They only admit this because they got
caught, hence they need to spin this somehow, belittling the severity,
just as LastPass did after several blunders (it had suffered a breach).
The way forward is self-hosting and encrypting things (on server one
controls, not leasing).

Video download link | md5sum 9615f8b17fcd94145474e78b9654c947
Sirius as Just an Account
Creative Commons Attribution-No Derivative Works 4.0

Summary: Sirius ‘Open Source’ has turned into a virtual company; it’s just some AWS account with a bunch of people working on their personal computers (not company computers) from home; even accounting is missing in action (MIA), failing to correctly pay a salary for about a quarter and sometimes missing pension contributions — an indication of extreme negligence or gross mismanagement

THE potentially frustrating vision of “clown computing” is that all computing is centralised, even more so than in the mainframe era. Back in the golden age of mainframes the companies at least got their own mainframes, which could be maintained by locally-sourced and privately-employed staff.

Sadly, the company I left this month is almost entirely centralised — albeit not within itself but rather the opposite. There are virtually no assets left in the company, not even a server or a chair.

Does/did this happen in your company too? If so, read on…

Summary: Sirius ‘Open Source’ has not been keeping up with skills required to self-host, instead demonising/denouncing them as “hobbyist” (actual quote from the CEO) and eventually relaying almost everything to proprietary vendors that put gates and walls on Free software

TODAY we continue a couple of parts that deal with security and privacy issues at Sirius Open Source [sic] — a company that still says “Open Source” although it often recommends to clients that they adopt proprietary things.

Enough has been said already about the nature of the hypocrisy, the double standards, the dishonest marketing, lack of principles, and even some truly unethical clients. Below is part of the report deposited before my wife and I left the company¹.

Outsourcing Concerns

Colleagues at Sirius have long worked weekends (unlike client’s staff, which is typically off work on holidays and weekends; there’s no 24/7/365 cover). Some of them finished or started working but could not access an essential gateway machine. When the client does something like an update or makes a release the IP addresses will change, so whenever there is an incident Sirius staff can’t restart, forcibly reboot or investigate the machines, that is unless — or otherwise — Sirius staff are informed (or wiki/documentation becomes up to date again). From what is known, this is more of this particular client’s choice, but Sirius lacks a loophole and that is why Sirius may seem sloppy or slow to update/notify their workers/employees.

This is a typical example of a lack of top-down coordination. How are staff expected to carry out duties if managers don’t do their part or fail to understand how these systems work? In fact, when outsourcing to any third party, this may be inevitable; the people who ‘manage’ the machines have almost no control over them. They merely rent some server space and the hypervisor may change over time, introducing unforeseen but unavoidable complication. This means server can become unavailable, with no resort at all (like accessing the datacentre/s). Back in 2011 and for several years after that Sirius had its own server racks and managed its own instances.

Sirius keeps recommending the outsourcing to proprietary software like AWS and Cloudflare, resulting (sometimes) in a lot of problems. Sirius itself pays in AWS bills almost as much as a small salary. Becoming an AWS ‘reseller’ makes Sirius far less competitive and vastly less unique; companies like these, including Rackspace, have their own support. They have their own ambitions of controlling everything themselves. Companies like Sirius should not become transient migrators. Sirius used to offer its own hosting.

This is one of many issues with “cloud computing”, including AWS, which also caused significant downtimes for that client (hours-long outages) — a client that used to have far more control over the hosting. When it comes to certification, the company actively encourages learning “cloud computing” stuff instead of “Open Source” stuff.
______
¹ Many more details will be given, along with further analysis, when the whole report is published. Probably in January.