Summary: Data security and system security at Greater London Authority’s Web site haven’t been good; today we share just a couple of examples which help refute statements issued by Greater London Authority after a scandal that had made it to the mainstream media

Y! It really takes a liar to progress to management. The better the liar, the higher up the role.

As I mentioned the other day, there’s somewhat of a blunder since Friday when the news broke:

The following conspicuous statement is worth assessing, as I was working on the sites (various aspects, some microsites too) for 9 years.

You would expect them to say that, wouldn’t you?

As I said on Saturday morning, this has deja vu written all over it.

to give one example (there are more):

It wasn’t Sirius stuff (and certainly wasn’t me) who configured those terribly buggy forms.

As lying bosses at Sirius might say, “it doesn’t look good…”

It’s not the fault of Sirius either, at least not in this case.

The worst part of it is, as far as I’m aware GLA never publicly reported or disclosed this incident (sometimes this is legally required upon discovery or within a number of days, including informing those potentially affected, like people with their identity cards uploaded and widely available to the general public).

This isn’t the only such example.

2 years later even malicious scripts/programs could be uploaded. It was only detected after it had happened. Here are some fragments of old messages:

This is a penalty for not scanning/sanitising uploads/input.

Why am I publishing these (redacted sensibly)? Because lying is wrong and privacy problems are the problem, speaking about them is not the problem. It is the moral thing to do — to point out it is a repeat offender so to speak. There is an obligation here to debunk false assurances, as this has gone on for years already.

Video download link | md5sum 65e2f74fa8f4c609f78e27dd7bf22983
Greater London Authority (GLA) Breaches Not Surprising
Creative Commons Attribution-No Derivative Works 4.0

Summary: The biggest clients of Sirius ‘Open Source’ included Greater London Authority, or GLA for short; GLA is making some shy and bashful faces right now, as there’s negative publicity after a damning incident

THE account sharing (mal)practices at GLA were noted here before. We often shared usernames and passwords (one colleague even sent passwords in plain text by GMail) and last year I cautioned GLA that LastPass had been breached and that Sirius kept GLA passwords in there. The vault was never safe and I protested against the use of LastPass repeatedly for several years (the liar would not listen). I habitually complained about bad security practices and only in 2022 or thereabouts we finally had individual UNIX accounts on the gateway machine rather than a shared account. Imagine the company bragging about ISO compliance while doing all that.

The video above focuses less on account sharing and instead talks about the site, including Drupal. In the distant past we already had severe permission issues (these were pointed out internally), but it remains rather baffling if not flabbergasting that names of sex crimes victims somehow ended on the public Web site. They should not be on any site at all. I explain the Microsoft-centric workflows and how they contribute to the risk. Poor security practices and a lack of proper protocols made the current blunder more or less inevitable. Cowboys shooting from the hip is no way to run a site of a city as important as London.

Video download link | md5sum 1df78d5342750f6e4e11cfa4536aa0da
To Developers, Canonical Not the Same Anymore
Creative Commons Attribution-No Derivative Works 4.0

Summary: A former client of my former employer (we supported postgres for them) has just lost a key developer and then resorted to ‘hijacking’ a project, exploiting the Contributor License Agreement (CLA); yes, Canonical is becoming more “closed”, just like Red Hat, so Free software proponents won’t stick around for much longer

THERE is a familiar sight. The symptoms strike a nerve.

A very short time after I had announced my resignation from Sirius ‘Open Source’ (that was before I even knew about the crimes, which I wrote about today in my personal site), someone from Canonical did the same thing and told a similar story. My wife joked that maybe he was inspired by us, but who can ever prove such a thing?

The video above discusses what happened this month and explains similarities to what happened last year at Sirius ‘Open Source’.

As a reminder, Canonical is a former client of Sirius. It shows it right there in the front page and footer, it’s not a secret:

In any event, days ago Stéphane Graber (Launchpad member since 2005-09-26) resigned from Canonical and it doesn’t look pretty. Consider this original departure message and little other coverage that followed (any further updates clustered here in the future; we didn’t see this in LWN or Phoronix). To quote little coverage we found (from OMG! Ubuntu!): “Stéphane Graber has announced their resignation from Canonical after 12 years of working at the company, mostly on LXD. The decision follows news last week that Canonical has taken the LXD project in-house after years of it existing as a community endeavour under the Linux Containers (LXC) umbrella. Stéphane’s engineering expertise and enthusiasm for LXD (and containers in general) has arguably made them the “face” of LXD. In social media replies to their (somewhat unexpected) decision, many have commented on this and thanked them for their contributions and help over the years.”

“As a reminder, Canonical is a former client of Sirius.”He wrote many blog posts in the official Ubuntu site, albeit not in recent years (nothing since 2019).

“It’s a very bad situation for LXD / LXC due to Microsoft control and influence over Canonical,” one reader told us. We’ve recently shown just how close Canonical was getting to Microsoft, so maybe LXD work (and staff) was being chained to Microsoft’s proprietary surveillance grid.

From what can be gathered between the lines and elsewhere, there’s a leadership issue.

Stéphane Graber later added: “Canonical upper management apparently expects a community project to have the majority of its code contributed by external parties which LXD obviously didn’t. With a team of 10 or so to the engineers, Canonical likely contributed 90% or so of LXD’s code. I do strongly disagree about this being the main metric of the success of a community though…”

Gabriel Reiser responded: “Sad that they no longer understand the open source model and expect the community to get behind uninspiring leadership. LXD will live on. Canonical however, needs to find itself again.”

Maybe they hired the wrong managers, as the video points out. This happened in Sirius. When I left the company nobody in the management used Free/Open Source software. It had been like this for years already.

Comment or conclusion from my wife: “My personal view is, when the company changes its mission and vision, that’s a red flag, followed by the exodus of many, e.g. colleagues, managers, and even interns — and that is also another thing. Life in general isn’t going to revolve around work and money, that isn’t the essence of it. The feeling of freedom and fulfillment are most rewarding and that’s something which I haven’t felt for a long time until I left my job.”

rofessor Larry Lessig, best known for Creative Commons, stepped aside and let Ito run the thing. He said he’d spend the next decade or period of his life battling political corruption, instead, seeing it was getting in his way all the time.

I myself left my job at age 40. Prior to that I had worked since my mid teens (on and off when I was younger and was a student) and I intend to spent all my time campaigning not just for Software Freedom but also for justice, seeing how rotten the system is. As readers of this blog know (ought to be well aware after hundreds of blog posts on this subject here), the crimes of Sirius ‘Open Source’ enjoy impunity or protection from the state. Every level at the state refuses or fails to hold criminals accountable! From what can be gathered, several people were involved in this crime, it was not just one “rotten apple”. It was the company’s head Mark Anthony Taylor, his then-wife Kelly Fitter Taylor, and Louise Catherine Laura Menezes, who assisted with payroll and likely helped produce lying payslips to staff.

At Sirius, many dubious, illegal, and unethical things were done, but strategically it is better to first focus 100% on the crimes. We have MANY avenues still left to explore/exhaust.

Pursuing this can take a lot of time, but it is very important. In order not to let this distract me from my main activities I’ve made this plan: record videos, write articles as priority #1, catch up with chats (all forms, not just IRC as medium) once an hour unless urgent, Daily Links focus only on Free software (FOSS), plus any other links only when idle or when extra time becomes available.

This month, July 2023, is expected to be a record month in terms of the number of blog posts, not counting the ones in schestowitz.com. Every Tuesday I try to keep up with mortality numbers, seeing that the “media” we have here refuses to even acknowledge we have a health crisis.

schestowitz.com will continue to be quite active and maybe finish 3,000 blog post by year’s end.

Summary: The London Municipality, also known as Greater London Authority (GLA), turns its back on people who worked on its computer systems for nearly a decade; it’s not convenient to deal with victims of a crime, especially when the crime was committed on GLA’s watch while GLA was sponsoring the perpetrators of the crime

THE series about crimes of Sirius ‘Open Source’ is far from over. What we have here a formerly OK company that even funded the Free Software Foundation (FSF) for a couple of years turning into a criminal organisation, taking bribes in secret from Bill Gates (under an NDA) while besieging and bullying its own staff. This must be treated as a criminal matter, not a civil matter. Arrests should be made as soon as possible.

But what happens when the perpetrators of the crimes are connected to the British government, not just local authorities but also Home Office? Then it gets a little… “tricky”… or “complicated” for them to handle. It’s almost like they’re asked to investigate themselves and hold themselves accountable.

As a recap, so far I’ve contacted:

1. Greater Manchester Police (repeatedly insisting I defer to Action Fraud after nearly 40 minutes on the phone)
2. Action Fraud (4 weeks, no action)
3. My MP contacting Action Fraud (4 weeks, no response)
4. GLA (London Municipality), whose computer systemd I’ve worked on since 2013
5. ECVCU Victim Contact/City of London Police
6. The equivalent of the ombudsman next

It should be strongly emphasised that:

1. I’m not the only victim. Men and women I worked with are also victims.
2. None of the steps above resulted in any real progress, except proving that this whole “law enforcement” system is trash
3. The perpetrators of the pension fraud crime (other crimes aside) got in touch with me personally and did not deny committing the crime

About 5 days ago I sent the following message to GLA, especially senior people there (they know me in person):

City of London Police Does Not Protect GLA Staff Victimised by the Employer

Two weeks ago I wrote to you regarding Action Fraud not taking action and not even replying to my MP upon escalation. After I sent the E-mail to GLA all of a sudden I received a mostly template-like message from the City of London Police E-mail system (ECVCU Victim Contact) and the Sirius Director who was in charge at the time contacted me not denying the abuses but basically trying to discourage me from pursuing criminal enforcement. I assume City of London Police messaged me because you had asked them to. Maybe they even contacted the above-mentioned Director because she contacted me at 2AM.

I responded to the police twice, but they are not even replying (not responding to my second message for 7 days as of this morning) — that’s basically consistent with my prior experiences. Nobody from GLA bothered to even reply to me, despite me working for GLA for many years while my employer (your contractor) defrauded my colleagues and I. There are many victims here, not one. I am therefore going to escalate this higher than GLA (Sirius worked for government departments above GLA) and perhaps the media too.

It does not look good that GLA does not take crime seriously, even crimes committed against its own people, despite GLA being in charge of the police (Sirius is based in London [1,2]).

_____________
[1] https://find-and-update.company-information.service.gov.uk/company/11014042
[2] https://find-and-update.company-information.service.gov.uk/company/03633198

These messages were definitely received, as there were even auto-responders:

Not only did they never respond. No real action has been taken to remediate things. GLA is swimming in money, it exploits people who do technical work overnight at 13-14 pounds per hour, and when it turns out those people were defrauded GLA just looks the other way. This won’t end well. We’re escalating this further and former colleague speak of legal action. Seeing how GLA and the police handled this, they’re even worse than the pension firms.

It goes till June 30 2023 as of this week:

Total (first half, H1): 310,838

Same for 2019 H1: 273,151

opened up this page (updated this morning after a week), expecting that over time general wellbeing will improve, but guess what… after WHO told us the pandemic had been relegated we’re still seeing a high number of deaths in England and Wales:

Before COVID-19 it’s about 9.1k a week for the latest week.

Now it’s 10.3k