Outsource it all To India
What can go wrong (will go wrong)
Staff at Indian outsourcing biz Tata Consultancy Service uploaded a huge trove of financial institutions' source code and internal documents to a public GitHub repository, an IT expert has claimed. Jason Coulls, CTO of food safety testing company Tellspec and a former banking software developer, said he stumbled upon the …
There appear to be a lot of comments like this around here recently. People should remember that problems with offshoring and/or outsourcing are usually caused by penny-pinching PHBs signing up to crappy agreements. People's location and nationality are not good indicators of competence.
Korev said " People's location and nationality are not good indicators of competence."
No, but repeated screw-ups, terrible customer service, staff who cannot understand the difference between a non-technical user and a desktop support tech with 10+ years of experience ("no, switching it off and on FOR THE 4TH TIME in 1 call will not help - the hard drive is making horrible grinding noises and is knackered - I just need a fault reference number to give to the client!"), relentlessly sticking to a script when the user is able to give a perfectly good explanation of what the problem is, etc etc etc... *these* are good indicators of competence, and I've experienced these - and more! - since a bunch of Cowboys (allegedly) Supporting Computers 'onsourced' our hell desk to another continent.
Spot on, however I wonder if El Reg actually understood the significance of the following:
The documents related to programming work Tata was carrying out for six big Canadian banks, two well-known American financial organizations, a multinational Japanese bank, and a multibillion dollar financial software company.
Silly me, but shouldn't there be a glass wall between different clients?
Meaning if I were one of those clients, not only would I give Tata the boot, but also would be getting the team of in house counsel lined up to sue the carp [sic] out of them for violating and sort of MSA and NDA.
At the same time, this wasn't the work of a single bad programmer, but a concerted effort to share code.
This also shows not only the lack of professionalism but also calls to question their skills as developers. Which implies Tata is over charging their customers by providing under skilled employees.
Sorry for the flame, but its more about the situation than anything else.
... is probably a beginner developer who believes everything today has to be stored on GitHub, he read it on the Internet...
Anyway whoever still use file names like document_releaseX.Y really needs a version control system and a document management solution - not a public GitHub repo, maybe...
I doubt it was just a beginner developer. This was probably the entire team collaborating on a set of documents.
And I bet no bank put "Do not upload everything to github" in the contract. If someone did, Tata would probably have gone to Sourceforge instead.
Just because it's older doesn't mean it doesn't work. I have seen instances of modern document management systems losing history, it can happen. The old ways may be top heavy but it was harder to lose history. Several times when old documents were needed this was because people were too lazy to manage the old versions out; inefficient but it was a life saver.
My guess is that it was someone who was applying for another job and told by someone, somewhere (these days its "everyone, everywhere") that they needed their work on github so potential employers could see their work.
Oddly enough, most people who demand a Github repository have no idea what they are looking at anyway.
We have exactly the same problem with our London devs. In fact it's worse with our London devs - the Indians say "sorry it won't happen again" the London devs say "developing in public is a human right, you're trying to suppress my creative spirit so we're going to carry on doing it and we'll probably leak confidential information again, it's just a risk we have to take."
Far too often the whole offshoring idea is to pay people peanuts to fatten the execs bonuses and stock options. Otherwise often you would have no need to outsource or offshore.
Then there are the cases when you need more competent people than those locally available, or you need a broader presence around the world, but I guess that's a smaller percentage.
"Except your London devs will be able to code. Unlike your Indian ones."
Not always, the Indians have their faults and idiosyncrasies but so do we and everyone makes mistakes. BA maintain it was a Brit that did it because outsourcing was not the cause. Technical superiority and excellence is required to beat the opposition. It's the same as sport, the best team usually wins.
If anyone thinks voting Brexit or rejecting outsourcing will save them from a lower cost base then who is deluded? If we insist on raising our living standards by buying cheaper from elsewhere then why should our jobs be any different? If more technicians read economics they would understand why this is a losing battle. As my instructor told us " Get good or get gone!"
PS I have worked with TCS and seen colleagues outsourced to them.
The BA situation isn't really about who pulled the plug out. It's more about when the plug was pulled out the system stopped. I find it staggering in this day and age that a single data centre can be responsible for a large companies critical systems. The developers are to blame in my opinion, as they should know you don't build systems this way.
This kind of perceived technical superiority...
It's not misplaced superiority, but weary irritation. Every big bank I know of who's outsourced development to the Indian code-shops has needed to create a (very expensive) team, often made up with some of the people whose elimination was supposed to be part of the cost saving, to 'review' (i.e. hack until it compiles) the fruits of our Indian consultancies. Until you've seen it, you might not believe just how bad the output is, and how little theses people know or want to learn.
In the same way that if you're a good financier, why would you work for the Inland Revenue; if you're a good developer, you'd never ever work for a code shop.
"We have exactly the same problem with our London devs. In fact it's worse with our London devs"
Not sure where you get that one from. We offshore a lot of development work to around 3 separate countries with code review and management being handled in London to very strict guidelines with full automated unit, security and BDD testing. Missing a carriage return in PHP can cause a module to be rejected, as an example. To my knowledge every agency I encounter in London now have very similar standards set up in their dev environments.
I do notice that Scotiabank's public-facing website does not exactly conform to any known standards though. Must be a completely new system.
Reminds me of many years ago when our company introduced the Crosby "Quality" regime.
At first people were raising reports for existing problems outside their control. Then they started to complain that they never saw any resulting "Corrective Action".
Management solved that by a decree that anyone who raised a problem - became the "owner" to progress it. Overnight the number of problems being reported plummeted - as everyone took the Pink Spaceship approach to an S.E.P.
Is it true that having urls embedded in the code of the application but not obfuscated in any way is really a major security issue? I'm guessing the queries sent to the server side of the application constitute the threat.
Icon: Clueless end user who does not make use of any form of online banking out of a natural tendency to prefer face2face transactions.
> Is it true that having urls embedded in the code of the application but not obfuscated in any way is really a major security issue?
No. Not sure why he has a problem with it. Although having them easily accessible definitely makes things easier for attackers, the whole point of good security practice is that if you have your shit together then people hitting your API end points isn't a problem.
Security by obscurity isn't really a best practice approach. ;)
"Clueless end user who does not make use of any form of online banking out of a natural tendency to prefer face2face transactions."
The banks in our large-ish UK town have adopted machines to handle most counter transactions for retail customers - with a floor walker to show people how to use them. Any "commercial" customer's other transactions are serviced by a single teller.
Yup, the lad with the iPad and the chip'n'pin thingy. He always points out that I can get identical services from home. I always point out that by coming in and queuing up and accessing the system via a member of bank staff, the liability for any subsequent security issues is clear.
Coat: annual gas check done, off out to dodge the smart meter salesman
I had to take a relatively large (just over £1k) sum of money for the business to our local HSBC bank to deposit it. It was the proceeds of a charity raffle and I went with a colleague for security who then stood outside the bank smoking. When I walked into the branch there was the floorwalker and several empty but open counters. I suspect that not looking my finest clothing wise because I was to be chasing cables in the basement later he decided to pounce on me. He indicated that I could use the machines to make my deposit and said all I needed was my bank card. Confused when I said I didn't have one he told me he would order me one immediately. I explained that I didn't bank with them the business I worked for did and I was there to make a deposit with the paying in book. Only then was I allowed near the counters and only after I said I needed to actually have the book stamped - company policy.
The girl who counted the cash by hand told me they saw less and less people because everyone was pushed towards the machines. When I asked why she did it by hand and then scales (my deposit was all notes) she said they were too tight fisted to buy electronic counters. As I'm leaving the floorwalker with no one else to attack asks me who I bank with and then tries to tempt me away from Lloyds. He failed miserably though when I explained that I had private banking with Lloyds for which they don't charge me. "We can't match that" he grumped "They must really like you".
When asked in a Lloyds branch why I didn't do something on-line that I had come into the branch to do I said because I'm supposedly one of your better customers. I also explained that I trusted the private banking call centre in Leeds more than I did internet banking.
I agree. If I don't like it I will keep move banks till one of them decides having a human in place is a good plan. NatWest just closed my local branch, so I closed my account. I know they are likely to win in the long run and we will then have to pay through the nose, until then I am a customer and the customer is always king.
The Solution Architecture, and most of those other documents are 0.x....
Having worked with outsource providers before, we always approved and finalised documentation prior to development - otherwise you get the inevitable change requests from scope creep and change. Quality was always hit and miss so scoping the work package correctly with the outsource partner was always required.
You do realize that just parking client's material off the client site could be illegal?
If any of the Financial institutions considers the code to be trade secrets... you have a crime of theft.
At a minimum, you most definitely have multiple breaches of the contracts per institution.
This could cost Tata a boatload of money.
Disclaimer: I am a TCS employee.
It appears that the filenames were more like the names of the customers the presentations were made for, rather than *data* pertaining to the customers themselves. I therefore suspect a lot of the content may have been the same (i.e., present to customer A, modify slightly, rename, present to customer B).
It's still a pretty stupid thing to do, but thank God it wasn't stupidER, I guess!
Unfortunately, I was one of the people shouting from the rooftops (a few years ago) that we need unfettered github access, so I'm getting a wee bit of -- good-natured, don't worry! -- ribbing for this!
But then, I couldn't do without this access. I estimate that a good percentage of the commits for gitolite are made at work and I push them from my work laptop, simply due to how I divide my time.
PS: gitolite is a fairly popular access control system for git that is used by Fedora, kernel.org, Gentoo, and several other open source projects, and probably thousands of others
And yes, I intentionally mentioned it, in a shameless and blatant attempt to suggest that if you've heard of it, or even better, used it, then *you* at least won't generalise about TCS :-)
You create a presentation for a client, its usually a work product for which the client owns. (YMMV depending on the contract ...)
I knew for years that American Express was using MapR. Due to my contract(s) I was unable to say anything publicly about it.
Posting anonymously as I used to work on the Scotiabank account through IBM and have seen things (the horror, the horror...)
First of all, there is a quality issue with bringing outsourced teams from another place (currently, it's India) be that through IBM Canada or directly by the bank as part of diversity hiring needs, etc.
This is not a racist statement - it's fact.
Outsourced teams will and do cut corners to save money - and having worked in India for many years, there is a malaise there - a level of mid-management there that act like feudal lords and treat the programmers / architects / tech resources as serfs. Accordingly, turnover is higher than the US/Canada (can't speak of the UK as I haven't worked there) which results in candidates who aren't well trained because they've been hired in a hurried fashion to be seat-fillers or because they haven't been brought upto speed yet.
As some of you already may have experienced, hiring on the basis of diversity does not get the best candidate on a technical level. Nepotism does thrive - human nature, tribalism, etc.
Work ethics based on place of origin also come into play - some follow the West Point 'duty, honor, country' creed, others not so much.
Just like any other nationality, I've worked with some excellent folks from India and some people who were so bad, I wanted to slit my wrists to avoid the sheer stupidity.
Someone used the right acronym to describe that mid-management bunch - PHB's - can't agree more.
Back to the topic at hand, I'm rather concerned with what this bunch of devs did - and more so at their not getting it as a big deal.
Even worse is the head in the sand attitude of the big banks.
CIBC & Scotia are both terrible when it comes to things like this. And guess what, they're the ones who outsource a lot more by comparison.
Outsourced teams will and do cut corners to save money - and having worked in India for many years, there is a malaise there - a level of mid-management there that act like feudal lords and treat the programmers / architects / tech resources as serfs.
That's a cultural thing. I've seen it from on-shore Indian managers. While this isn't across the board, its a high percentage.
(Scotiabank's physical security was just as bad. Decades ago, I noticed my VISA card missing after a purchase at Business Depot. The first fraudulent purchase was at a gas station next door to Depot. Then came a dozen fraudulent purchases at the same clothing store 20 km away (by a female and my male name is on the card). Scotiabank security kept pestering me about my sister-in-law, who lived 150 km away. (Sigh)
Biting the hand that feeds IT © 1998–2019