Archive for the ‘Security’ Category

ISO Certificates Are Junk (and Sirius Proves This)

Video download link | md5sum 07a2f3b98615ee2d67a59e46c7ac4f8e
ISO as Meaningless Certificates Mill
Creative Commons Attribution-No Derivative Works 4.0

Summary: Sirius ‘Open Source’ has used “ISO” as a catch-all talking point since 2019 in spite of doing illegal, unethical and truly dubious things while failing really badly at security

IN OUR last post we began the first of several parts about ISO, commencing a separate (sub)series of posts that may take about a week to finish.

Sirius ‘Open Source’ disregards security advice, deems commentary that it lacks security staff to be “defamatory” (actually it’s perfectly factual), and moreover it is ignoring advice from technical people who do have a clue — all this while failing to do basic things like change passwords after a major breach.

If ISO considers that to be “OK”, then that says a lot about ISO.

ISO perception; ISO reality

When ISO Becomes Meaningless Paperwork

What if ISO knew the truth?

International Organization for Standardization (ISO) brag

Summary: There are no proper and truly compliance-driven procedures that are being followed, actively used, or even vaguely specified by poor leadership at Sirius ‘Open Source’; it’s all improvised, hugely deficient, not even remotely compliant, and changes are sometimes made retroactively due to lapses and mistakes (compliance or merely appearance thereof, albeit only “after the act”); eventually there are attempts to shoot the messengers — those who have actually cautioned about those concerning things for several years already

THE “Conclusion” part of the report (a document we’ll publish tomorrow as PDF) is included at the bottom of this post. Worry not, it’s not the end of the series, only the end of this report; we have plenty left to show and to explain after that. We’re eager to show to the world what Sirius ‘Open Source’ Inc./Limited/Corporation truly is.

As a teaser of sorts, consider how poorly the company was handling data and information. It was getting worse over time because skilled people were leaving the company, making way for the “Google is your friend” mantra. This aforementioned mantra was something along the lines of, “trust big companies”, you can give them any data we have. Trust them, they’re big! Sure, they also spy for a government.

Data of high-profile clients, both past and present, was naturally left scattered all over the place, sometimes even outside the country. And to give just one example (there are so many; some will be covered later this month and next month), colleagues have cognition reports and incremental/full load reports on local — as in personal and offsite — machines (this is indirectly related to patients’ data) with no protocol or guidelines for removing these. There’s potentially sensitive data on people’s machines at home and we’ve already witnessed mistakes made by the clients themselves (like patients’ names or similar data showing up by mistake/accident).

THIS SHOULD NEVER HAPPEN!

In a saner world, everything would be uploaded to a firewalled file server located on the client’s own network, accessible in some secure fashion, without the data ever leaving the network, not even metadata. But when a company like Sirius handles its E-mail via AWS and AWS is also the host of OTRS (ticketing), one is expected to just upload files to AWS and transmit the stuff over E-mail (i.e. open relays). No encryption. I was repeatedly told off for using PGP in my E-mails.

There are serious ramifications for data protection and adherence to law, as there are unpatched old machines and perhaps backups that contain such files — a ticking time bomb. And even way after they’re no longer a client (years later), the example above serves to show that the problem does not go away. Not even when the contract ends (or gets terminated).

The sad reality is that the company, Sirius (so-called ‘open source’), is terrified about clients finding out how reckless and incompetent the company gradually became. Clients simply come to assume the reputation earned in past decades persists to date. They’re trusting a company run by a person divorced twice, whose kids refuse to even speak to him. How can deep trust be established with people who (if they get caught) simply pretend nothing bad happened and instead of apologising would rather get aggressive, even combative, to cover up the abuse?

The text below mentions ISO, security incidents, and then the company’s attempts to shoot the messenger (who cautioned about those issues along with many other issues). The in-depth analysis of the witch-hunt will follow after this report is published in full (some time tomorrow).


Conclusion

To summarise, Sirius should simply admit out in the open: “we’ve deviated away from our mission,” and moreover Sirius ignores warnings about security (ISO deserves to know about phonies and posers at security).

Roy internally cautioned about this several times over the years. Later, when some providers suffered security breaches (as Roy had predicted), Sirius neither reset the passwords nor left the compromised providers.

To reiterate what was stated at the start, what’s alleged here is factually correct and evidence-backed. No URLs are provided, but URLs can be provided should they be requested. Brevity still matters and much remains to be told.

Regarding the weak accusations levelled to avoid paying compensation to Roy and Rianne, here again is the gist of the underlying issue/s:

1. no due process
2. no evidence presented (or claims merely alluded to without context/link)
3. gross accusation inflation
4. guilt by association (identical letter, too)
5. the company has a history of doing this to couples, e.g. one blind colleague based in Germany; it was very serious and it went to court (cost the company or its Directors — the founder and his wife — a lot of money, went on for a long time, settled at the end)

The document is far from complete. Roy and Rianne have documents, have screenshots, links to official documents from Companies House etc.

In Sirius Open Source You Get Told Off — and Even Threatened! — for Minding Security and Privacy

Putin koala: I got all of his passwords! Not my fault!

Summary: The Sirius ‘Open Source’ management made the decision (without any consultation with the staff affected) to outsource key operations to foreign, third-party entities that are subjected to the US government’s prying eyes and several of the National Security Agency’s programs; this affected clients as well (usually without their awareness, let alone consent)

THIS is the last part of the third section of a report I left with the company before leaving at the start of this month. There will be a lot more information about this scandal next month. Recent E-mails are appended below (with certain stuff redacted for privacy’s sake).

I cautioned about this repeatedly (for about 4 years) and suffered retribution, threats, and more. Nothing has improved since then.

As just a little sample, please see the E-mails at the bottom (recent); shared in the future will be some longer E-mails about this issue.

But first… the report.


The morale around that time was low, setting aside COVID-19 becoming a growing problem, along with lock-downs. Roy noted that in order to comply with the law he could not post clients’ details on the Slack network. So he chose to obey the regulations and the law, in line with security standards. Stuff like “hi” is probably considered OK and safe enough for Slack, but not addresses, passwords etc. Things have not improved since, as the final section notes again (with examples).

This long section, along with written messages as evidence, is very important. Bad leadership worsened the corporate climate and changed how people viewed the company from within, if not from the outside as well.

This document now proceeds to a discussion about the latest and maybe the final blow. The company already had capacity issues (not enough staff to cover shifts) and now it’s even worse.

Roy and Rianne hoped to prevent a ‘death spiral’ and ironically enough it seems like the company wants to accelerate its own ‘death spiral’, due to tactless, insensitive remarks.


One of many messages to that effect — messages which I was sending for years to highlight the problem. Of course nothing was done about this; usually there was not even as much as a reply. Hush hush as a company-wide policy…

This one is from August of this year:

Date: Tue, 30 Aug 2022 09:00:50 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050317
 Thunderbird/1.0.2 Mnenhy/0.7.4.0
From: Roy Schestowitz
Subject: Handover to Shift 2 (30/08/22)
To: [whole team]

[...]

https://www.darkreading.com/cloud/lastpass-data-breach-source-code-stolen

users need to change all the passwords they have there and not keep them
there if they value real security not paper mills.

Another one from August of this year:

Date: Thu, 11 Aug 2022 03:10:53 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050317
 Thunderbird/1.0.2 Mnenhy/0.7.4.0
Content-Language: en-US
From: Roy Schestowitz
Subject: Slack admits to leaking hashed passwords for five years
To: [whole team]
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

https://nakedsecurity.sophos.com/2022/08/08/slack-admits-to-leaking-hashed-passwords-for-three-months/

Does not surprise me at all. They only admit this because they got
caught, hence they need to spin this somehow, belittling the severity,
just as LastPass did after several blunders (it had suffered a breach).
The way forward is self-hosting and encrypting things (on server one
controls, not leasing).

Almost Nothing Left of Sirius ‘Open Source’

Video download link | md5sum 9615f8b17fcd94145474e78b9654c947
Sirius as Just an Account
Creative Commons Attribution-No Derivative Works 4.0

Summary: Sirius ‘Open Source’ has turned into a virtual company; it’s just some AWS account with a bunch of people working on their personal computers (not company computers) from home; even accounting is missing in action (MIA), failing to correctly pay a salary for about a quarter and sometimes missing pension contributions — an indication of extreme negligence or gross mismanagement

THE potentially frustrating vision of “clown computing” is that all computing is centralised, even more so than in the mainframe era. Back in the golden age of mainframes the companies at least got their own mainframes, which could be maintained by locally-sourced and privately-employed staff.

Sadly, the company I left this month is almost entirely centralised — albeit not within itself but rather the opposite. There are virtually no assets left in the company, not even a server or a chair.

When Your Company is Outsourcing Almost Everything

Does/did this happen in your company too? If so, read on…

Sirius Open Source stand

Summary: Sirius ‘Open Source’ has not been keeping up with skills required to self-host, instead demonising/denouncing them as “hobbyist” (actual quote from the CEO) and eventually relaying almost everything to proprietary vendors that put gates and walls on Free software

TODAY we continue a couple of parts that deal with security and privacy issues at Sirius Open Source [sic] — a company that still says “Open Source” although it often recommends to clients that they adopt proprietary things.

Enough has been said already about the nature of the hypocrisy, the double standards, the dishonest marketing, lack of principles, and even some truly unethical clients. Below is part of the report deposited before my wife and I left the company¹.


Outsourcing Concerns

Colleagues at Sirius have long worked weekends (unlike the client’s staff, who are typically off work on holidays and weekends; there’s no 24/7/365 cover). Some of them finished or started working but could not access an essential gateway machine. When the client does something like an update or makes a release, the IP addresses change, so whenever there is an incident Sirius staff can’t restart, forcibly reboot or investigate the machines, that is unless — or until — Sirius staff are informed (or the wiki/documentation becomes up to date again). From what is known, this is more of this particular client’s choice, but Sirius lacks a loophole and that is why Sirius may seem sloppy or slow to update/notify their workers/employees.

This is a typical example of a lack of top-down coordination. How are staff expected to carry out duties if managers don’t do their part or fail to understand how these systems work? In fact, when outsourcing to any third party, this may be inevitable; the people who ‘manage’ the machines have almost no control over them. They merely rent some server space and the hypervisor may change over time, introducing unforeseen but unavoidable complications. This means servers can become unavailable, with no recourse at all (such as accessing the datacentre/s). Back in 2011 and for several years after that Sirius had its own server racks and managed its own instances.

Sirius keeps recommending the outsourcing to proprietary software like AWS and Cloudflare, resulting (sometimes) in a lot of problems. Sirius itself pays in AWS bills almost as much as a small salary. Becoming an AWS ‘reseller’ makes Sirius far less competitive and vastly less unique; companies like these, including Rackspace, have their own support. They have their own ambitions of controlling everything themselves. Companies like Sirius should not become transient migrators. Sirius used to offer its own hosting.

This is one of many issues with “cloud computing”, including AWS, which also caused significant downtimes for that client (hours-long outages) — a client that used to have far more control over the hosting. When it comes to certification, the company actively encourages learning “cloud computing” stuff instead of “Open Source” stuff.
______
¹ Many more details will be given, along with further analysis, when the whole report is published. Probably in January.

Patching My Work PC (at Sirius Open Source) ‘Absolutely Unacceptable’?

Sirius certificate

Summary: In Sirius ‘Open Source’, neither Open Source nor security got taken seriously enough. Siriusly! And one cannot point this out to managers as this infuriates them (it harms a false perception they’ve long cultivated).

TODAY we turn our attention to bad security practices, including poor privacy and unbridled outsourcing of Sirius. There will be numerous parts about these aspects and we’ll provide some examples in the future when dealing with proprietary software, introduced by the company itself while tearing down its very own Free software-based infrastructure (which had been put there when the company still had geeks in the office; heck, the company used to have an actual office!).

Suffice to say, patching is part of the work, including patching one’s own machine. Anything else would be irrational (like blasting people over “commuting” time) because security starts in one’s own domain. And yet, I was being told off by the company’s founder for patching my PCs while I was on shift despite the fact that there are several such machines (if one encounters an error, then one can rely on another machine) and this is about actual security.

It took me a while to find the E-mail regarding this, as it dates back nearly 4 years. My redacted response is below:

I have just caught up with E-mail (resting and other things since 9am).
Sorry for the delay in responding.

Roy,

I have read your shift’s handover notes where I find this from you:

“Quiet shift, so I took the time to update my whole system. Something broke nagstamon for me, briefly, but I managed to fix it. In the meantime I used the Nagios/Icinga Web interface.”

I use 3 laptops in parallel to do my job, so this was one in three and Nagios remains accessible regardless. nagstamon is an alternative to it (sound alerts) and I wanted to bring it up to date for security reasons. As I do often, to avoid breaches.

This is *absolutely unacceptable*.

If I cannot observe systems that are monitored and supported, it’s not “unacceptable”. It’s still very much necessary. But still, looking back, there are many serious (Sirius) issues that were shared in the report below (more to come in the next parts).


Acronyms Lingo

Speaking of “GDPR” or “ISO” without even grasping the meaning behind laws and regulations is “cheap talk”. Without comprehension of the issues, this boils down to ‘name-dropping’ (like “GDPR” or “ISO”). Currently, the company would gladly take technical advice from people who openly admit they don’t care about privacy. So instead Sirius falls back onto formalities and processes rather than any real grasp of the underlying issues. Sirius’ track record will be demonstrable based on recommendations from past clients; with or from at least two clients we might only get an alarming reminder that their systems suffered a security breach while we supported them. The clients’ names are, as usual, omitted here, but this is very well documented. There may have been more security incidents that were hidden or concealed both from clients and from Sirius staff. Considering the atmosphere of secrecy and hostility towards inquisitive staff, it seems likely that more incidents occurred but weren’t reported at all (or were reported very selectively).

Speaking of formalities and processes rather than actual substance, the company Sirius was pursuing ISO certification only amid some issues with the NHS and its highly sensitive medical data — including several incidents staff witnessed where people’s (patients’) privacy was accidentally compromised, either by Sirius or by the client (personally identifiable data divulged). To make matters worse, many times data was not being shredded as it was supposed to be, and the client complained. If better leadership had been in place, this would not have happened, jeopardising the credibility of staff.

Account Management Practices and Data Sovereignty

With quite a lot of clients, and several can be vividly recalled, Sirius failed to remove access credentials (or accounts) for staff that had already left Sirius. ‘Low level’ staff cannot access systems at the level of user management, so this was demonstrably a ‘high level’ failure. Sometimes clients complained about such gross incompetence (if clients could even figure out who still works for Sirius; remember that Sirius misled them, as shall be noted again later) and the potential security breach by former and possibly disgruntled Sirius staff, but nobody (as far as we know) was being held accountable. The aforementioned sections noted that accountability only ever works in this hypocritical and vertically-inconsistent fashion. Double standards became the new company standard, enshrined covertly but not formally. Managers never offered the courtesy of taking full responsibility. Too much pride to acknowledge mistakes and lapses.

As the above shows, there are endemic problems caused by mismanagement or a lack of charismatic-yet-humble leadership (maladministration), maybe even a lack of staff who possess ample experience managing a team of more than one person. These are very essential skills which mandate suitable recruitment. It may not be cheap, but it is vital.

Sirius has user credentials scattered all over the place, not all in OpenLDAP as done in the past (when more competent people managed the company’s infrastructure). This will, inevitably, result in epic blunders. That keeps happening. Again and again. In fact, user credentials management at Sirius has been partly outsourced to third parties — a taboo subject. No more GOsa, go USA (most data and authentication sent across the Atlantic).

The motivations seem petty, e.g. sharing accounts to save money despite clear security requirements that exist to explicitly not do this. Is ISO being treated as merely a box-ticking exercise, not followed up by any potent audits? If so, are we entitled to brag about some ISO compliance? Any time Roy attempted to bring up the subject the management became paranoid and threatening. This sort of resistance to ethical and moral objection would be strongly discouraged in companies capable of self-appraisal.

A colleague once mentioned in an E-mail that some colleagues may have needed to share an account with another person, all in the name of saving money. This kept happening for years despite such ISO requirements supposedly being fully in force. Account sharing was sometimes imperative, as individual accounts did not exist. In other words, all colleagues use the same username for some tasks; sometimes this was only belatedly addressed, partially and virtually post hoc.

Password management in the company has long been a painful affair. From non-secure connections to a lack of VPN for access to passwords, the company moved to outsourcing. This was a case of “bad optics”, pragmatic issues aside. Sirius could self-host similar software that is Free and Open Source software, but the company had a mindset of outsourcing almost everything to proprietary offerings from another country. As noted separately, Roy raised the alarm over this several times, noting or pointing out actual data breaches of a very large scale, but no action was subsequently taken. The assurances were empty and arguably arrogant — a refusal to listen to vigilant security experts who have extensively covered those issues for decades. Asking a company itself whether it suffered a security breach, and what the severity truly is, is like asking an American president what happened in the Oval Room.

COVID May Have Caused (or Helped) the UK Home Office and Manchester Town Hall to Violate Basic Laws or Fundamental Human Rights

The Manchester experience, going ‘online’ for ‘apps’ (so-called ‘self-service’) because who needs services anyway?

Manchester Town Hall
With “mom” at Manchester Town Hall

FIRST time? My bad. Second? Your fault. Unlike the old saying, “fool me once, shame on you…” (twice… me)

What’s all this commotion about? Is it about privacy? Accessibility? Adherence to law? Or all the above?

Right about now many rules and laws are flouted and violated. In the name of “emergency”… a public health crisis. Perfect justification?

Courts have apparently decided that the equivalent of a telephone call is “trial”; governments are waging an accelerated war on cash, as well. I often wonder if here in Britain we changed the coins (rendering old ones worthless and obsolete) to artificially reduce the money supply; it would be helpful to know how many “old coins” there are compared to “new ones”. The thinking is, maybe they try to impose financial surveillance by “going digital” with scarcity of physical money added to the mix… or removed from circulation.

What’s wrong with digital payments? Apparently a lot of people don’t know or never really thought about it, even in this age of so-called ‘surveillance capitalism’ and mass surveillance without warrant, let alone suspicion or probable cause.

Many who reject digital payments (or “smart” or “touchless” or whatever buzzwords they make up next year) are being framed/painted and sometimes ridiculed as Luddites. That’s kind of funny considering the fact that it’s usually the most technical people who reject technology in payments (so-called ‘novelty’ like “swiping cards” that are little but a piece of plastic with a primitive, cheap chip glued to them). All that insecure chipping and pinning is hardly novel; it’s decades-old ‘technology’ (same for so-called ‘smart’ meters and ‘self-service’ checkout; it could be done decades ago, including the touchscreens, in effect an erosion of customer services or outsourcing of the work to customers).

In reality, it’s the ‘non-techs’ who swallow it all, thinking they’ll seem “techy” for swiping and paying $2,000 for a so-called ‘phone’, compensating for their lack of understanding of where all that data goes and how it’s (mis)used.

The deterioration of our lives is now driven by technology; we were promised technology would make things easier (like doing our laundry, shortening the working days/hours etc.) but in practice people work harder and for longer hours than ever before. People are even being contacted by their bosses well outside working hours. Is this progress?

This brings me to the latest rant. On December 10th 2020 my wife and I went to Manchester Town Hall (temporarily housed partially in Heron House across the road, below GCHQ, as the main building undergoes renovation/overhaul). We went to their office, as explained on the official site, at the specified time with all the documents and a laptop (as required for communication and exchange of details), only to be told the service is not available due to COVID but can instead be done at the Post Office.

Alright then…

So we went to the Post Office, only to be told they don’t do any of that and at least two people had been similarly misdirected earlier in the same day!

What on Earth is going on? ‘Ping-pong’ with people?

So we went back to Town Hall, only to face a different person, who barely even apologised for the misdirection and used “COVID” as a catch-all excuse, instead suggesting contacting the Home Office or urging us to use some Android “app” (which is out of the question).

What if we were disabled or blind? What about options that are paper-based?

This is a terrible regression which actually predates (in part) the pandemic. An “app-only” government would be a travesty for many reasons; like rendering you a non-citizen for refusing to carry around a so-called ‘phone’ that tracks your movement more closely than RFID.

Is COVID a valid excuse here? Hardly. Because apparently, according to information we received from a representative at the Town Hall, this has gone on since March and there’s no projected date of resumption. According to our solicitor, the whole “app” thing was already pushed well before March. They literally want people to take selfies of themselves and then send that to the Home Office, then send sensitive documents over ‘phones’ with back doors.

This isn’t the future; this is not “innovation” but degradation of services spun as “smart” and convenient.

Nothing is as convenient as an informed person interacting with you, dealing with the papers for you, checking the authenticity and ensuring everything is done properly right there on the spot.

I am not a lawyer, I don’t know the pertinent laws and sections, but I know enough to say that the government cannot demand people do those sorts of things with “apps” or digital devices. There must be a fallback. Leaving people ‘hanging’ for almost a year citing “health and safety” cannot be excused because of the COVID-19 pandemic; for several months during summer people could go to pubs and restaurants, so surely Town Hall could facilitate face-to-face (with masks on) meetings.

I will carry on chasing Town Hall next year and will report again.
