back to article Ta-ta, security: Bungling Tata devs leaked banks' code on public GitHub repo, says IT bloke

Staff at Indian outsourcing biz Tata Consultancy Service uploaded a huge trove of financial institutions' source code and internal documents to a public GitHub repository, an IT expert has claimed. Jason Coulls, CTO of food safety testing company Tellspec and a former banking software developer, said he stumbled upon the …

  1. Steve Davies 3 Silver badge
    Facepalm

    Outsource it all To India

    What can go wrong (will go wrong)

    1. Korev Silver badge

      Re: Outsource it all To India

      There appear to be a lot of comments like this around here recently. People should remember that problems with offshoring and/or outsourcing are usually caused by penny-pinching PHBs signing up to crappy agreements. People's location and nationality are not good indicators of competence.

      1. not.known@this.address Bronze badge

        Re: Outsource it all To India

        Korev said " People's location and nationality are not good indicators of competence."

        No, but repeated screw-ups, terrible customer service, staff who cannot understand the difference between a non-technical user and a desktop support tech with 10+ years of experience ("no, switching it off and on FOR THE 4TH TIME in 1 call will not help - the hard drive is making horrible grinding noises and is knackered - I just need a fault reference number to give to the client!"), relentlessly sticking to a script when the user is able to give a perfectly good explanation of what the problem is, etc etc etc... *these* are good indicators of competence, and I've experienced these - and more! - since a bunch of Cowboys (allegedly) Supporting Computers 'onsourced' our hell desk to another continent.

    2. Ian Michael Gumby Silver badge
      Flame

      @Steve Davies 3 Re: Outsource it all To India

      Spot on, however I wonder if El Reg actually understood the significance of the following:

      The documents related to programming work Tata was carrying out for six big Canadian banks, two well-known American financial organizations, a multinational Japanese bank, and a multibillion dollar financial software company.

      Silly me, but shouldn't there be a glass wall between different clients?

      Meaning if I were one of those clients, not only would I give Tata the boot, but also would be getting the team of in house counsel lined up to sue the carp [sic] out of them for violating and sort of MSA and NDA.

      At the same time, this wasn't the work of a single bad programmer, but a concerted effort to share code.

      This also shows not only the lack of professionalism but also calls to question their skills as developers. Which implies Tata is over charging their customers by providing under skilled employees.

      Sorry for the flame, but its more about the situation than anything else.

  2. LDS Silver badge

    Someone who needs SpringConcepts.ppt...

    ... is probably a beginner developer who believes everything today has to be stored on GitHub, he read it on the Internet...

    Anyway whoever still use file names like document_releaseX.Y really needs a version control system and a document management solution - not a public GitHub repo, maybe...

    1. Dan 55 Silver badge
      Holmes

      Re: Someone who needs SpringConcepts.ppt...

      I doubt it was just a beginner developer. This was probably the entire team collaborating on a set of documents.

      And I bet no bank put "Do not upload everything to github" in the contract. If someone did, Tata would probably have gone to Sourceforge instead.

    2. Anonymous Coward
      Anonymous Coward

      Re: Someone who needs SpringConcepts.ppt...

      Just because it's older doesn't mean it doesn't work. I have seen instances of modern document management systems losing history, it can happen. The old ways may be top heavy but it was harder to lose history. Several times when old documents were needed this was because people were too lazy to manage the old versions out; inefficient but it was a life saver.

    3. eriksolo

      Re: Someone who needs SpringConcepts.ppt...

      My guess is that it was someone who was applying for another job and told by someone, somewhere (these days its "everyone, everywhere") that they needed their work on github so potential employers could see their work.

      Oddly enough, most people who demand a Github repository have no idea what they are looking at anyway.

      1. LDS Silver badge

        'so potential employers could see their work'

        Don't know about you, but I wouldn't hire someone who posts his actual employer code and documents on GitHub... unless it's an open source project, and the code is already there.

  3. Anonymous Coward
    Anonymous Coward

    Indian coding and support

    Another fine example.

    1. Adam 52 Silver badge

      Re: Indian coding and support

      We have exactly the same problem with our London devs. In fact it's worse with our London devs - the Indians say "sorry it won't happen again" the London devs say "developing in public is a human right, you're trying to suppress my creative spirit so we're going to carry on doing it and we'll probably leak confidential information again, it's just a risk we have to take."

      1. Anonymous Coward
        Anonymous Coward

        Re: Indian coding and support

        Except your London devs will be able to code. Unlike your Indian ones.

        1. Adam 52 Silver badge

          Re: Indian coding and support

          Wow. Actually our Indian devs are awesome; but we hire the best, pay them well (the same as the London ones) and treat them just like any other employee.

          If you treat people badly then you probably won't get good staff, but who's fault is that?

          1. LDS Silver badge

            Re: Indian coding and support

            Far too often the whole offshoring idea is to pay people peanuts to fatten the execs bonuses and stock options. Otherwise often you would have no need to outsource or offshore.

            Then there are the cases when you need more competent people than those locally available, or you need a broader presence around the world, but I guess that's a smaller percentage.

          2. Anonymous Coward
            Anonymous Coward

            Re: Indian coding and support

            Right... could you let us know what products your company works on, so we can perhaps avoid them. Thanks.

          3. Anonymous Coward
            Anonymous Coward

            Re: Indian coding and support

            You clearly don't use TCS then.

        2. Anonymous Coward
          Anonymous Coward

          Really ? Get real.

          "Except your London devs will be able to code. Unlike your Indian ones."

          Not always, the Indians have their faults and idiosyncrasies but so do we and everyone makes mistakes. BA maintain it was a Brit that did it because outsourcing was not the cause. Technical superiority and excellence is required to beat the opposition. It's the same as sport, the best team usually wins.

          If anyone thinks voting Brexit or rejecting outsourcing will save them from a lower cost base then who is deluded? If we insist on raising our living standards by buying cheaper from elsewhere then why should our jobs be any different? If more technicians read economics they would understand why this is a losing battle. As my instructor told us " Get good or get gone!"

          PS I have worked with TCS and seen colleagues outsourced to them.

          1. Korev Silver badge

            Re: Really ? Get real.

            BA maintain it was a Brit that did it because outsourcing was not the cause.

            I think BA said that it was someone in Britain; but didn't go into if it was someone from BA, TCS etc.

          2. Stuart123

            Re: Really ? Get real.

            The BA situation isn't really about who pulled the plug out. It's more about when the plug was pulled out the system stopped. I find it staggering in this day and age that a single data centre can be responsible for a large companies critical systems. The developers are to blame in my opinion, as they should know you don't build systems this way.

        3. anothercynic Silver badge

          Re: Indian coding and support

          Except your London devs will be able to code.
          This kind of perceived technical superiority will always come back to bite you in the posterior... There's an absolutely lovely saying in the English language: Pride comes before the fall.

          1. Anonymous Coward
            Anonymous Coward

            Re: Indian coding and support

            This kind of perceived technical superiority...

            It's not misplaced superiority, but weary irritation. Every big bank I know of who's outsourced development to the Indian code-shops has needed to create a (very expensive) team, often made up with some of the people whose elimination was supposed to be part of the cost saving, to 'review' (i.e. hack until it compiles) the fruits of our Indian consultancies. Until you've seen it, you might not believe just how bad the output is, and how little theses people know or want to learn.

            In the same way that if you're a good financier, why would you work for the Inland Revenue; if you're a good developer, you'd never ever work for a code shop.

      2. macjules Silver badge

        Re: Indian coding and support

        "We have exactly the same problem with our London devs. In fact it's worse with our London devs"

        Not sure where you get that one from. We offshore a lot of development work to around 3 separate countries with code review and management being handled in London to very strict guidelines with full automated unit, security and BDD testing. Missing a carriage return in PHP can cause a module to be rejected, as an example. To my knowledge every agency I encounter in London now have very similar standards set up in their dev environments.

        I do notice that Scotiabank's public-facing website does not exactly conform to any known standards though. Must be a completely new system.

  4. chivo243 Silver badge
    Thumb Up

    "Not my monkeys, not my circus!"

    Hey! That's our catch phrase! We've been using it for years... A colleague has it on a poster which is in Polish.

    1. Anonymous Coward
      Anonymous Coward

      Re: "Not my monkeys, not my circus!"

      "A colleague has it on a poster which is in Polish."

      Like this? The suggestion in Google sources is that it is a Polish proverb.

      1. Anonymous Coward Silver badge
        Boffin

        Re: "Not my monkeys, not my circus!"

        It is indeed an old Polish proverb.

        1. Anonymous Coward
          Anonymous Coward

          Re: "Not my monkeys, not my circus!"

          Reminds me of many years ago when our company introduced the Crosby "Quality" regime.

          At first people were raising reports for existing problems outside their control. Then they started to complain that they never saw any resulting "Corrective Action".

          Management solved that by a decree that anyone who raised a problem - became the "owner" to progress it. Overnight the number of problems being reported plummeted - as everyone took the Pink Spaceship approach to an S.E.P.

          1. Anonymous Coward
            Anonymous Coward

            Re: "Not my monkeys, not my circus!"

            There are a lot of Polish in Toronto and I suspect I've met the one that passed this phrase onto the author having shared a beer with both of them.

  5. Gordon Pryra

    The names of the affected clients have been withheld, for now

    El Reg thinking of a making a little money here?

  6. keithpeter
    Windows

    Geezer's blog posts

    http://coulls.blogspot.co.uk/2017/05/how-do-you-fix-mobile-banking-in-canada.html

    Is it true that having urls embedded in the code of the application but not obfuscated in any way is really a major security issue? I'm guessing the queries sent to the server side of the application constitute the threat.

    Icon: Clueless end user who does not make use of any form of online banking out of a natural tendency to prefer face2face transactions.

    1. Anonymous Coward
      Anonymous Coward

      Re: Geezer's blog posts

      > Is it true that having urls embedded in the code of the application but not obfuscated in any way is really a major security issue?

      No. Not sure why he has a problem with it. Although having them easily accessible definitely makes things easier for attackers, the whole point of good security practice is that if you have your shit together then people hitting your API end points isn't a problem.

      Security by obscurity isn't really a best practice approach. ;)

      1. keithpeter
        Windows

        Re: Geezer's blog posts

        "No. Not sure why he has a problem with it."

        @AC: I suspected that would be the answer.

    2. Anonymous Coward
      Anonymous Coward

      Re: Geezer's blog posts

      "Clueless end user who does not make use of any form of online banking out of a natural tendency to prefer face2face transactions."

      The banks in our large-ish UK town have adopted machines to handle most counter transactions for retail customers - with a floor walker to show people how to use them. Any "commercial" customer's other transactions are serviced by a single teller.

      1. keithpeter
        Coat

        Re: Geezer's blog posts

        Yup, the lad with the iPad and the chip'n'pin thingy. He always points out that I can get identical services from home. I always point out that by coming in and queuing up and accessing the system via a member of bank staff, the liability for any subsequent security issues is clear.

        Coat: annual gas check done, off out to dodge the smart meter salesman

        1. Anonymous Coward
          Anonymous Coward

          Re: Geezer's blog posts

          I had to take a relatively large (just over £1k) sum of money for the business to our local HSBC bank to deposit it. It was the proceeds of a charity raffle and I went with a colleague for security who then stood outside the bank smoking. When I walked into the branch there was the floorwalker and several empty but open counters. I suspect that not looking my finest clothing wise because I was to be chasing cables in the basement later he decided to pounce on me. He indicated that I could use the machines to make my deposit and said all I needed was my bank card. Confused when I said I didn't have one he told me he would order me one immediately. I explained that I didn't bank with them the business I worked for did and I was there to make a deposit with the paying in book. Only then was I allowed near the counters and only after I said I needed to actually have the book stamped - company policy.

          The girl who counted the cash by hand told me they saw less and less people because everyone was pushed towards the machines. When I asked why she did it by hand and then scales (my deposit was all notes) she said they were too tight fisted to buy electronic counters. As I'm leaving the floorwalker with no one else to attack asks me who I bank with and then tries to tempt me away from Lloyds. He failed miserably though when I explained that I had private banking with Lloyds for which they don't charge me. "We can't match that" he grumped "They must really like you".

          When asked in a Lloyds branch why I didn't do something on-line that I had come into the branch to do I said because I'm supposedly one of your better customers. I also explained that I trusted the private banking call centre in Leeds more than I did internet banking.

          1. Anonymous Coward
            Anonymous Coward

            Re: Geezer's blog posts

            I agree. If I don't like it I will keep move banks till one of them decides having a human in place is a good plan. NatWest just closed my local branch, so I closed my account. I know they are likely to win in the long run and we will then have to pay through the nose, until then I am a customer and the customer is always king.

            1. Anonymous Coward
              Anonymous Coward

              Re: the customer is always king.

              A mere customer?

              Go one better: I'm a member of my bank, and therefore I own part of it (for what practical good that does me); it's a building society.

              1. macjules Silver badge

                Re: the customer is always king.

                Do you know what the banks define a 'customer' as? Someone stupid enough to trust them with their money, with no questions asked.

                1. Anonymous Coward
                  Anonymous Coward

                  Re: the customer is always king.

                  "Do you know what the banks define a 'customer' as?"

                  A shareholder. A person using their banking services is merely an exploitable resource.

  7. Anonymous Coward
    Anonymous Coward

    V0.1

    The Solution Architecture, and most of those other documents are 0.x....

    Having worked with outsource providers before, we always approved and finalised documentation prior to development - otherwise you get the inevitable change requests from scope creep and change. Quality was always hit and miss so scoping the work package correctly with the outsource partner was always required.

  8. JimboSmith Silver badge

    I don't online bank for this very reason, I don't trust the banks not to screw it up.

  9. Anonymous Coward
    Anonymous Coward

    Hahaha

    Hahahahahahahha

    This laugh is 100% real.

  10. Korev Silver badge

    Public vs Private Github repo?

    Is it possible that this Dev was thinking that s/he was using a private repo on Github and accidentally uploaded to a public one?

    My organisation uses a similar provider and I'm paranoid that one day I'll dump some private code into a public one.

    1. anothercynic Silver badge

      Re: Public vs Private Github repo?

      I'm sorry, but even a private Github repo is *not* the right place to park sensitive (especially when it comes to a financial institution) data. Run your own Git server that's backed up somewhere else...

      1. Korev Silver badge

        Re: Public vs Private Github repo?

        I 100% agree.

    2. Ian Michael Gumby Silver badge
      Boffin

      @Korev, Re: Public vs Private Github repo?

      You do realize that just parking client's material off the client site could be illegal?

      If any of the Financial institutions considers the code to be trade secrets... you have a crime of theft.

      At a minimum, you most definitely have multiple breaches of the contracts per institution.

      This could cost Tata a boatload of money.

  11. Sitaram Chamarty

    apparently not even auxiliary data

    Disclaimer: I am a TCS employee.

    It appears that the filenames were more like the names of the customers the presentations were made for, rather than *data* pertaining to the customers themselves. I therefore suspect a lot of the content may have been the same (i.e., present to customer A, modify slightly, rename, present to customer B).

    It's still a pretty stupid thing to do, but thank God it wasn't stupidER, I guess!

    Unfortunately, I was one of the people shouting from the rooftops (a few years ago) that we need unfettered github access, so I'm getting a wee bit of -- good-natured, don't worry! -- ribbing for this!

    But then, I couldn't do without this access. I estimate that a good percentage of the commits for gitolite are made at work and I push them from my work laptop, simply due to how I divide my time.

    Sitaram

    PS: gitolite is a fairly popular access control system for git that is used by Fedora, kernel.org, Gentoo, and several other open source projects, and probably thousands of others

    And yes, I intentionally mentioned it, in a shameless and blatant attempt to suggest that if you've heard of it, or even better, used it, then *you* at least won't generalise about TCS :-)

    1. Anonymous Coward
      Anonymous Coward

      Re: apparently not even auxiliary data

      Doesn't matter.

      You create a presentation for a client, its usually a work product for which the client owns. (YMMV depending on the contract ...)

      I knew for years that American Express was using MapR. Due to my contract(s) I was unable to say anything publicly about it.

  12. Anonymous Coward
    Anonymous Coward

    FFS

    Posting anonymously as I used to work on the Scotiabank account through IBM and have seen things (the horror, the horror...)

    First of all, there is a quality issue with bringing outsourced teams from another place (currently, it's India) be that through IBM Canada or directly by the bank as part of diversity hiring needs, etc.

    This is not a racist statement - it's fact.

    Outsourced teams will and do cut corners to save money - and having worked in India for many years, there is a malaise there - a level of mid-management there that act like feudal lords and treat the programmers / architects / tech resources as serfs. Accordingly, turnover is higher than the US/Canada (can't speak of the UK as I haven't worked there) which results in candidates who aren't well trained because they've been hired in a hurried fashion to be seat-fillers or because they haven't been brought upto speed yet.

    As some of you already may have experienced, hiring on the basis of diversity does not get the best candidate on a technical level. Nepotism does thrive - human nature, tribalism, etc.

    Work ethics based on place of origin also come into play - some follow the West Point 'duty, honor, country' creed, others not so much.

    Just like any other nationality, I've worked with some excellent folks from India and some people who were so bad, I wanted to slit my wrists to avoid the sheer stupidity.

    Someone used the right acronym to describe that mid-management bunch - PHB's - can't agree more.

    Back to the topic at hand, I'm rather concerned with what this bunch of devs did - and more so at their not getting it as a big deal.

    Even worse is the head in the sand attitude of the big banks.

    CIBC & Scotia are both terrible when it comes to things like this. And guess what, they're the ones who outsource a lot more by comparison.

    1. Ian Michael Gumby Silver badge
      Boffin

      @AC ... Re: FFS

      Outsourced teams will and do cut corners to save money - and having worked in India for many years, there is a malaise there - a level of mid-management there that act like feudal lords and treat the programmers / architects / tech resources as serfs.

      That's a cultural thing. I've seen it from on-shore Indian managers. While this isn't across the board, its a high percentage.

  13. Anonymous Coward
    Anonymous Coward

    And yet CA banks adopted chip-cards long before the US

    Go figure!

    (Scotiabank's physical security was just as bad. Decades ago, I noticed my VISA card missing after a purchase at Business Depot. The first fraudulent purchase was at a gas station next door to Depot. Then came a dozen fraudulent purchases at the same clothing store 20 km away (by a female and my male name is on the card). Scotiabank security kept pestering me about my sister-in-law, who lived 150 km away. (Sigh)

    1. Ian Michael Gumby Silver badge
      Boffin

      Re: And yet CA banks adopted chip-cards long before the US

      That has nothing to do with it.

      The US already had a large infrastructure in place and they looked at the cost of moving to chip and pin versus the losses (theft) that they had at the time. The cost of moving was higher. So they didn't move.

      When there was more data theft and fraud such that the cost of moving was cheaper, the US moved.

      That's pretty much the gist of it.

  14. Mark 65 Silver badge

    Advantageous?

    The data is a boon for rival organizations developing similar features

    Not sure if data from Tata would ever be useful

  15. a_yank_lurker Silver badge

    Real Problem

    The various PHBs have not figured out (probably never will) that most of an organization's IT functions should remain in house, done by direct, permanent, employees. This is the only scenario that allows for the most control of the information, data, and code. This is especially critical for privacy issues. The third party company may or may not have all the proper controls required by various national data privacy laws. Medical data laws are similar but not identical to financial data laws. I am reasonably familiar with one (HIPPA) and only have a vague awareness of financial but I work in the medical industry.

    Employees of the third party company first loyalty is the company paying them not the client, as it should be.

    1. Anonymous Coward
      Anonymous Coward

      Re: Real Problem

      "HIPPA"

      It may be hip, or even hippy, but what the heck is it?

      Maybe you are familiar with that acronym HIPPA - whatever it is, but certainly not with the Health Insurance Portability and Accountability Act 1996 (aka HIPAA)... So much for claims of exertise by familiarity...

    2. Ian Michael Gumby Silver badge
      Boffin

      @Yank Re: Real Problem

      I am familiar with HIPPA and several different countries banking laws.

      Its interesting to point out that none of the files shown on the screen shot included code, but were presentations made to different clients.

      So while no data was compromised, (No shock there.) there was client specific information. The presentations are work products and should be owned by the client where TATA doesn't have the right to reuse them. (Note: This could be added to the contract, IBM does this all the time with their Type III contracts.)

      I have a friend who tossed Mu Sigma from the account because he couldn't trust them to not reuse proprietary algorithms at other clients. The whole point is that many Enterprises are starting to learn that moving offshore may not be the best news. However... it will take many years to right this. Note that if there is another disruptive technology.. it could increase the speed of moving away from offshoring.

      Of course if there is a case for a massive lawsuit against a company because there was a massive error done by the offshore team.. It could happen faster.

  16. Peter Quodling

    I am reminded of a software development group that I worked with the USA - they were shut down and outsourced to India - the indian people assured that they were up to the task (this was O/S level and Device driver stuff). There are a few online forums for that platform - all of a sudden, they start getting new members with Half Indian names (like Charles kutrapali), and are asking the most basic questions, as well as some very specific ones. An Associate had a major bug report outstanding and one of the questions was the same as appeared from the new Indian Forum member - So, his query was responded to in very specific language, and lo-and-behold - that was almost word for word, what my Associate received as information on his bug fix. That group is now back in the hands of a US Team of SW Engineers.

    1. Queasy Rider

      Half Indian names

      Have noticed the same thing when searching MS for help. Canned answers are totally useless.

      1. GrapeBunch Bronze badge

        Re: Half Indian names

        "Have noticed the same thing when searching MS for help. Canned answers are totally useless."

        Agree, MS Help is useless. MS hired tech writers to compose Help files for the software. However, since the software and its associated help files get released simultaneously, the tech writers are working from software specs, not from final version software, nor would it be efficient to let mere writers ask questions of the software producers. See where this is going? This disaster is compounded by other factors. Of course, once you have a help entry established for a question, bean counters say it's hardly economical to hire another team to do the same work again. That's why Help for 21st century Windows can look like it was written (in ignorance) for Windows 95. Not a candy mint? Please consult your system administrator.

        PS I have never worked for MS. The above is from inference.

        1. Anonymous Coward
          Anonymous Coward

          Re: Half Indian names

          > ... nor would it be efficient to let mere writers ask questions of the software producers.

          Efficiency be damned. Make sure the writers can ask the dev's, and get a useful result, otherwise the written docs will be shit. Leading to unnecessary support expenses, bad reputation, etc.

          Keeping software devs away from the doc production is rarely a good idea.

    2. eriksolo

      That happened to someone on a Solaris / Sun Microsystems / Oracle forum I read and post at a few years ago.

      Forum member's job, and actual whole department was outsourced to India. He was looking for work and had more time to spend on the forums and suddenly new members joined. They first started out with Solaris basics and then it moved onto more detailed questions and finally the new members quoted directly from the documentation our older member wrote himself (that was proprietary) and he realized he had been helping the people who replaced him.

      So, he had a bit of fun with them "answering their questions the best he could".

      1. Anonymous Coward
        Anonymous Coward

        So, he had a bit of fun with them "answering their questions the best he could".

        Yeah, don't overdo it on the /bin/rm -rf . though.

  17. GrapeBunch Bronze badge

    IANAP

    I am not a proper programmer. Any code I provide, real programmers will think: "Is that some sort of awkward pseudo code?" Anyway, I scanned the linked article down to the red ink before going to bed. In the sweet befuddlement of waking up the next day I was dreaming of Hester History. Deep Hestory. I remembered from the days when you had to fit the OS, the program(me) code, and the program's own space into 64K RAM, that you'd never have a list of resources all starting with "https://www.somebank.ca/...". No, you'd define the quoted part as $BaseAddr and make up each resource name as $BaseAddr & "whatever" on the fly, this economizing (ResourceListLength% - 1) * (BaseAddrLengthInBytes%) bytes of precious RAM. Well, almost. Less pretentious than "asymptotically". The year was 1979.

    I also remembered the Deep Hester of 194? (before my time, honest) when they were able to decode the Enigma messages but not in the 24-hour expiry of each Enigma code--until somebody (and I like to think it was one of the chess players because this is the kind of thing that a chess player should notice, rather than one of the math geniuses who get the lion's share of the credit) noticed that one military clerk liked to begin each message with "Hail Hester" (Godwin forfend what he really wrote) and using that repeated pattern they were able to decode the messages in less than 24 hours and bingo, Coventry was saved from total destruction. Oops.

    So using $BaseAddr not only makes the compiled code slimmer, it also eliminates the repeated-handle fulcrum into de-obfuscating the code-that-you-want-to-hide. Returning to the linked article, I noticed that the author Coulls made that same points, inter alia, though in very different words. Whether this actually makes a tinker's cuss of difference to cybersecurity I know not, but one gets a warm fuzzy feeling to use Hestory to pretend to delve into some of the Great Problems facing Mankind in these Troubled Times.</billhocks>

  18. Anonymous Coward
    Anonymous Coward

    Hail Offshoring!

    It has proven that offshoring hell of issues like quality, commitments and availability of dependent resources however the management in the big companies don't give a sh!t. This also has severely impacted local job market with less number of jobs and decreasing pay rates.

  19. suparious

    Very little to do with Canadian culture

    What I learned from this article, it that off-shore development firms like the one from India that is mentioned, is where you will find the lax security and cultural differences.

    There is no surprise at all about that statement.

    If there is any cultural difference between Canada and US, it would be all the socialist/communist laws in Canada that make developing our own code a cost prohibitive activity.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019