Ta-ta, security: Bungling Tata devs leaked banks' code on public GitHub repo, says IT bloke

Silver badge
Facepalm

Outsource it all To India

What can go wrong (will go wrong)

26
2
Silver badge

Re: Outsource it all To India

There appear to be a lot of comments like this around here recently. People should remember that problems with offshoring and/or outsourcing are usually caused by penny-pinching PHBs signing up to crappy agreements. People's location and nationality are not good indicators of competence.

6
11
Silver badge
Flame

@Steve Davies 3 Re: Outsource it all To India

Spot on, however I wonder if El Reg actually understood the significance of the following:

The documents related to programming work Tata was carrying out for six big Canadian banks, two well-known American financial organizations, a multinational Japanese bank, and a multibillion dollar financial software company.

Silly me, but shouldn't there be a glass wall between different clients?

Meaning if I were one of those clients, not only would I give Tata the boot, but also would be getting the team of in-house counsel lined up to sue the carp [sic] out of them for violating any sort of MSA and NDA.

At the same time, this wasn't the work of a single bad programmer, but a concerted effort to share code.

This also shows not only the lack of professionalism but also calls into question their skills as developers. Which implies Tata is overcharging their customers by providing underskilled employees.

Sorry for the flame, but it's more about the situation than anything else.

14
0

Re: Outsource it all To India

Korev said " People's location and nationality are not good indicators of competence."

No, but repeated screw-ups, terrible customer service, staff who cannot understand the difference between a non-technical user and a desktop support tech with 10+ years of experience ("no, switching it off and on FOR THE 4TH TIME in 1 call will not help - the hard drive is making horrible grinding noises and is knackered - I just need a fault reference number to give to the client!"), relentlessly sticking to a script when the user is able to give a perfectly good explanation of what the problem is, etc etc etc... *these* are good indicators of competence, and I've experienced these - and more! - since a bunch of Cowboys (allegedly) Supporting Computers 'onsourced' our hell desk to another continent.

0
0
LDS
Silver badge

Someone who needs SpringConcepts.ppt...

... is probably a beginner developer who believes everything today has to be stored on GitHub, he read it on the Internet...

Anyway, whoever still uses file names like document_releaseX.Y really needs a version control system and a document management solution - not a public GitHub repo, maybe...

20
1
Silver badge
Holmes

Re: Someone who needs SpringConcepts.ppt...

I doubt it was just a beginner developer. This was probably the entire team collaborating on a set of documents.

And I bet no bank put "Do not upload everything to github" in the contract. If someone did, Tata would probably have gone to Sourceforge instead.

18
0
Anonymous Coward

Re: Someone who needs SpringConcepts.ppt...

Just because it's older doesn't mean it doesn't work. I have seen instances of modern document management systems losing history, it can happen. The old ways may be top heavy but it was harder to lose history. Several times when old documents were needed this was because people were too lazy to manage the old versions out; inefficient but it was a life saver.

1
1

Re: Someone who needs SpringConcepts.ppt...

My guess is that it was someone who was applying for another job and told by someone, somewhere (these days it's "everyone, everywhere") that they needed their work on github so potential employers could see their work.

Oddly enough, most people who demand a Github repository have no idea what they are looking at anyway.

3
0
LDS
Silver badge

'so potential employers could see their work'

Don't know about you, but I wouldn't hire someone who posts his actual employer code and documents on GitHub... unless it's an open source project, and the code is already there.

2
0
Anonymous Coward

Indian coding and support

Another fine example.

18
3
Silver badge

Re: Indian coding and support

We have exactly the same problem with our London devs. In fact it's worse with our London devs - the Indians say "sorry it won't happen again" the London devs say "developing in public is a human right, you're trying to suppress my creative spirit so we're going to carry on doing it and we'll probably leak confidential information again, it's just a risk we have to take."

7
17
Anonymous Coward

Re: Indian coding and support

Except your London devs will be able to code. Unlike your Indian ones.

14
10
Silver badge

Re: Indian coding and support

Wow. Actually our Indian devs are awesome; but we hire the best, pay them well (the same as the London ones) and treat them just like any other employee.

If you treat people badly then you probably won't get good staff, but whose fault is that?

29
1
LDS
Silver badge

Re: Indian coding and support

Far too often the whole offshoring idea is to pay people peanuts to fatten the execs' bonuses and stock options. Otherwise often you would have no need to outsource or offshore.

Then there are the cases when you need more competent people than those locally available, or you need a broader presence around the world, but I guess that's a smaller percentage.

11
0
Anonymous Coward

Re: Indian coding and support

Right... could you let us know what products your company works on, so we can perhaps avoid them. Thanks.

5
2
Anonymous Coward

Really ? Get real.

"Except your London devs will be able to code. Unlike your Indian ones."

Not always, the Indians have their faults and idiosyncrasies but so do we and everyone makes mistakes. BA maintain it was a Brit that did it because outsourcing was not the cause. Technical superiority and excellence is required to beat the opposition. It's the same as sport, the best team usually wins.

If anyone thinks voting Brexit or rejecting outsourcing will save them from a lower cost base then who is deluded? If we insist on raising our living standards by buying cheaper from elsewhere then why should our jobs be any different? If more technicians read economics they would understand why this is a losing battle. As my instructor told us " Get good or get gone!"

PS I have worked with TCS and seen colleagues outsourced to them.

0
0
Silver badge

Re: Really ? Get real.

BA maintain it was a Brit that did it because outsourcing was not the cause.

I think BA said that it was someone in Britain; but didn't go into if it was someone from BA, TCS etc.

8
0
Silver badge

Re: Indian coding and support

"We have exactly the same problem with our London devs. In fact it's worse with our London devs"

Not sure where you get that one from. We offshore a lot of development work to around 3 separate countries with code review and management being handled in London to very strict guidelines with full automated unit, security and BDD testing. Missing a carriage return in PHP can cause a module to be rejected, as an example. To my knowledge every agency I encounter in London now has very similar standards set up in their dev environments.

I do notice that Scotiabank's public-facing website does not exactly conform to any known standards though. Must be a completely new system.

2
0
Bronze badge

Re: Indian coding and support

Except your London devs will be able to code.
This kind of perceived technical superiority will always come back to bite you in the posterior... There's an absolutely lovely saying in the English language: Pride comes before the fall.

3
2
Anonymous Coward

Re: Indian coding and support

You clearly don't use TCS then.

1
0

Re: Really ? Get real.

The BA situation isn't really about who pulled the plug out. It's more about when the plug was pulled out the system stopped. I find it staggering in this day and age that a single data centre can be responsible for a large company's critical systems. The developers are to blame in my opinion, as they should know you don't build systems this way.

3
0
Anonymous Coward

Re: Indian coding and support

This kind of perceived technical superiority...

It's not misplaced superiority, but weary irritation. Every big bank I know of who's outsourced development to the Indian code-shops has needed to create a (very expensive) team, often made up with some of the people whose elimination was supposed to be part of the cost saving, to 'review' (i.e. hack until it compiles) the fruits of our Indian consultancies. Until you've seen it, you might not believe just how bad the output is, and how little these people know or want to learn.

In the same way that if you're a good financier, why would you work for the Inland Revenue; if you're a good developer, you'd never ever work for a code shop.

5
0
Silver badge
Thumb Up

"Not my monkeys, not my circus!"

Hey! That's our catch phrase! We've been using it for years... A colleague has it on a poster which is in Polish.

10
0
Anonymous Coward

Re: "Not my monkeys, not my circus!"

"A colleague has it on a poster which is in Polish."

Like this? The suggestion in Google sources is that it is a Polish proverb.

5
0
Bronze badge
Boffin

Re: "Not my monkeys, not my circus!"

It is indeed an old Polish proverb.

5
0
Anonymous Coward

Re: "Not my monkeys, not my circus!"

Reminds me of many years ago when our company introduced the Crosby "Quality" regime.

At first people were raising reports for existing problems outside their control. Then they started to complain that they never saw any resulting "Corrective Action".

Management solved that by a decree that anyone who raised a problem - became the "owner" to progress it. Overnight the number of problems being reported plummeted - as everyone took the Pink Spaceship approach to an S.E.P.

4
0
Anonymous Coward

Re: "Not my monkeys, not my circus!"

There are a lot of Polish in Toronto and I suspect I've met the one that passed this phrase onto the author having shared a beer with both of them.

1
0
Silver badge

The names of the affected clients have been withheld, for now

El Reg thinking of making a little money here?

4
0
Silver badge
Windows

Geezer's blog posts

http://coulls.blogspot.co.uk/2017/05/how-do-you-fix-mobile-banking-in-canada.html

Is it true that having urls embedded in the code of the application but not obfuscated in any way is really a major security issue? I'm guessing the queries sent to the server side of the application constitute the threat.

Icon: Clueless end user who does not make use of any form of online banking out of a natural tendency to prefer face2face transactions.

2
0
Anonymous Coward

Re: Geezer's blog posts

> Is it true that having urls embedded in the code of the application but not obfuscated in any way is really a major security issue?

No. Not sure why he has a problem with it. Although having them easily accessible definitely makes things easier for attackers, the whole point of good security practice is that if you have your shit together then people hitting your API end points isn't a problem.

Security by obscurity isn't really a best practice approach. ;)

3
0
Anonymous Coward

Re: Geezer's blog posts

"Clueless end user who does not make use of any form of online banking out of a natural tendency to prefer face2face transactions."

The banks in our large-ish UK town have adopted machines to handle most counter transactions for retail customers - with a floor walker to show people how to use them. Any "commercial" customer's other transactions are serviced by a single teller.

1
0
Silver badge
Coat

Re: Geezer's blog posts

Yup, the lad with the iPad and the chip'n'pin thingy. He always points out that I can get identical services from home. I always point out that by coming in and queuing up and accessing the system via a member of bank staff, the liability for any subsequent security issues is clear.

Coat: annual gas check done, off out to dodge the smart meter salesman

10
0
Silver badge
Windows

Re: Geezer's blog posts

"No. Not sure why he has a problem with it."

@AC: I suspected that would be the answer.

2
0
Anonymous Coward

Re: Geezer's blog posts

I had to take a relatively large (just over £1k) sum of money for the business to our local HSBC bank to deposit it. It was the proceeds of a charity raffle and I went with a colleague for security who then stood outside the bank smoking. When I walked into the branch there was the floorwalker and several empty but open counters. I suspect that not looking my finest clothing wise because I was to be chasing cables in the basement later he decided to pounce on me. He indicated that I could use the machines to make my deposit and said all I needed was my bank card. Confused when I said I didn't have one he told me he would order me one immediately. I explained that I didn't bank with them the business I worked for did and I was there to make a deposit with the paying in book. Only then was I allowed near the counters and only after I said I needed to actually have the book stamped - company policy.

The girl who counted the cash by hand told me they saw less and less people because everyone was pushed towards the machines. When I asked why she did it by hand and then scales (my deposit was all notes) she said they were too tight fisted to buy electronic counters. As I'm leaving the floorwalker with no one else to attack asks me who I bank with and then tries to tempt me away from Lloyds. He failed miserably though when I explained that I had private banking with Lloyds for which they don't charge me. "We can't match that" he grumped "They must really like you".

When asked in a Lloyds branch why I didn't do something on-line that I had come into the branch to do I said because I'm supposedly one of your better customers. I also explained that I trusted the private banking call centre in Leeds more than I did internet banking.

9
0
Anonymous Coward

Re: Geezer's blog posts

I agree. If I don't like it I will keep moving banks till one of them decides having a human in place is a good plan. NatWest just closed my local branch, so I closed my account. I know they are likely to win in the long run and we will then have to pay through the nose, until then I am a customer and the customer is always king.

4
0
Anonymous Coward

Re: the customer is always king.

A mere customer?

Go one better: I'm a member of my bank, and therefore I own part of it (for what practical good that does me); it's a building society.

2
0
Silver badge

Re: the customer is always king.

Do you know what the banks define a 'customer' as? Someone stupid enough to trust them with their money, with no questions asked.

0
0
Anonymous Coward

Re: the customer is always king.

"Do you know what the banks define a 'customer' as?"

A shareholder. A person using their banking services is merely an exploitable resource.

0
0
Anonymous Coward

V0.1

The Solution Architecture, and most of those other documents are 0.x....

Having worked with outsource providers before, we always approved and finalised documentation prior to development - otherwise you get the inevitable change requests from scope creep and change. Quality was always hit and miss so scoping the work package correctly with the outsource partner was always required.

1
0
Bronze badge

I don't online bank for this very reason, I don't trust the banks not to screw it up.

4
1
Anonymous Coward

Hahaha

Hahahahahahahha

This laugh is 100% real.

0
0
Silver badge

Public vs Private Github repo?

Is it possible that this Dev was thinking that s/he was using a private repo on Github and accidentally uploaded to a public one?

My organisation uses a similar provider and I'm paranoid that one day I'll dump some private code into a public one.

2
0
Bronze badge

Re: Public vs Private Github repo?

I'm sorry, but even a private Github repo is *not* the right place to park sensitive (especially when it comes to a financial institution) data. Run your own Git server that's backed up somewhere else...

16
0
Silver badge

Re: Public vs Private Github repo?

I 100% agree.

2
0
Silver badge
Boffin

@Korev, Re: Public vs Private Github repo?

You do realize that just parking client's material off the client site could be illegal?

If any of the Financial institutions considers the code to be trade secrets... you have a crime of theft.

At a minimum, you most definitely have multiple breaches of the contracts per institution.

This could cost Tata a boatload of money.

6
0

apparently not even auxiliary data

Disclaimer: I am a TCS employee.

It appears that the filenames were more like the names of the customers the presentations were made for, rather than *data* pertaining to the customers themselves. I therefore suspect a lot of the content may have been the same (i.e., present to customer A, modify slightly, rename, present to customer B).

It's still a pretty stupid thing to do, but thank God it wasn't stupidER, I guess!

Unfortunately, I was one of the people shouting from the rooftops (a few years ago) that we need unfettered github access, so I'm getting a wee bit of -- good-natured, don't worry! -- ribbing for this!

But then, I couldn't do without this access. I estimate that a good percentage of the commits for gitolite are made at work and I push them from my work laptop, simply due to how I divide my time.

Sitaram

PS: gitolite is a fairly popular access control system for git that is used by Fedora, kernel.org, Gentoo, and several other open source projects, and probably thousands of others

And yes, I intentionally mentioned it, in a shameless and blatant attempt to suggest that if you've heard of it, or even better, used it, then *you* at least won't generalise about TCS :-)

7
1
Anonymous Coward

Re: apparently not even auxiliary data

Doesn't matter.

You create a presentation for a client, its usually a work product for which the client owns. (YMMV depending on the contract ...)

I knew for years that American Express was using MapR. Due to my contract(s) I was unable to say anything publicly about it.

0
0
Anonymous Coward

FFS

Posting anonymously as I used to work on the Scotiabank account through IBM and have seen things (the horror, the horror...)

First of all, there is a quality issue with bringing outsourced teams from another place (currently, it's India) be that through IBM Canada or directly by the bank as part of diversity hiring needs, etc.

This is not a racist statement - it's fact.

Outsourced teams will and do cut corners to save money - and having worked in India for many years, there is a malaise there - a level of mid-management there that act like feudal lords and treat the programmers / architects / tech resources as serfs. Accordingly, turnover is higher than the US/Canada (can't speak of the UK as I haven't worked there) which results in candidates who aren't well trained because they've been hired in a hurried fashion to be seat-fillers or because they haven't been brought up to speed yet.

As some of you already may have experienced, hiring on the basis of diversity does not get the best candidate on a technical level. Nepotism does thrive - human nature, tribalism, etc.

Work ethics based on place of origin also come into play - some follow the West Point 'duty, honor, country' creed, others not so much.

Just like any other nationality, I've worked with some excellent folks from India and some people who were so bad, I wanted to slit my wrists to avoid the sheer stupidity.

Someone used the right acronym to describe that mid-management bunch - PHBs - can't agree more.

Back to the topic at hand, I'm rather concerned with what this bunch of devs did - and more so at their not getting it as a big deal.

Even worse is the head in the sand attitude of the big banks.

CIBC & Scotia are both terrible when it comes to things like this. And guess what, they're the ones who outsource a lot more by comparison.

18
0
Silver badge
Boffin

@AC ... Re: FFS

Outsourced teams will and do cut corners to save money - and having worked in India for many years, there is a malaise there - a level of mid-management there that act like feudal lords and treat the programmers / architects / tech resources as serfs.

That's a cultural thing. I've seen it from on-shore Indian managers. While this isn't across the board, it's a high percentage.

3
0
Anonymous Coward

And yet CA banks adopted chip-cards long before the US

Go figure!

(Scotiabank's physical security was just as bad. Decades ago, I noticed my VISA card missing after a purchase at Business Depot. The first fraudulent purchase was at a gas station next door to Depot. Then came a dozen fraudulent purchases at the same clothing store 20 km away (by a female and my male name is on the card). Scotiabank security kept pestering me about my sister-in-law, who lived 150 km away. (Sigh))

1
1
