I am not Indian but I work for a large Tata-like IT firm. This hit way too close to home. There are a lot of cultural issues here that come down to management being rewarded if things are done cheaply and discouraging any agency or self-realization by the developers. If I saw this in the US, I’d walk out. They literally don’t have that option as there’s a 90-day salary clawback if they do. Some general thoughts:
- Most management has a non-tech background. So they get what they want to hear and don’t want to hear what’s wrong.
- Thinking this is coming from the same team or from the same company is wrong. They silo developers like crazy. There likely was an API developer, an Office 365 developer, a frontend developer (so specific it is down to the framework or stack!) and the developers themselves will not touch anything they aren’t “certified” in.
- I have been in meetings on $100 million projects where they will seriously argue over the cost of sendgrid. Eventually this will come down to no one having “sendgrid experience” and some developer saying they can do it in Office365.
- Security team will get the first cut in budget since it should “already be secure.”
- You are likely talking over the head of the nephew hired to do security for this. Will the government or anyone sue them? No, so why is this guy bugging us?
Developers aren’t encouraged to develop but to get tickets out and not question them. The mantra is “It wasn’t in the requirements” all the way down the chain.
I work with smart developers out of India but it is not a culture of innovation. This kind of work is treated like a call center. Don’t go off script, stick to your little problem domain, if we aren’t failing we are winning.
> I have been in meetings on $100 million projects where they will seriously argue over the cost of sendgrid. Eventually this will come down to no one having “sendgrid experience” and some developer saying they can do it in Office365.
Reading this in your comment was physically painful.
There was a car dealer (Honda affiliate) I had the unfortunate "pleasure" of dealing with back in the mid-late 2000s that stored finance applications by numeric incrementing ids. I never did report it, but I was able to pull up a bunch of sensitive info (SSN, DOB, names, addresses) on folks living in NJ. (I didn't report it because bug bounties weren't really a thing back then and the CFAA was).
I managed to get my application removed, but the vulnerability existed for several years until they updated to a new system. The new system also appeared to have some vulnerabilities, but I never invested time to figure it out. I just did not do business with that dealer ever again, and I'm super wary about car dealerships and finance applications these days...I usually get my financing from elsewhere even if it means a bit higher of a payment...thankfully my vehicle is paid off.
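The numeric-incrementing-id problem described in the comment above (an insecure direct object reference) as an added example that is not code from the dealer's system or from anyone in the thread: a lookup keyed on a guessable sequence number, beside one that uses an opaque reference and checks that the requester owns the record. `AppStore`, `FinanceApp` and the sample records are constructed for illustration.

```python
"""Sequential-id record lookup: the exposed pattern beside an ownership-checked one.

Added illustration; in-memory constructed data only. Class and function names
(AppStore, FinanceApp, lookup_insecure, lookup_secure) are assumptions.
"""
import secrets
from dataclasses import dataclass


@dataclass
class FinanceApp:
    applicant_id: str      # the customer account that owns this record
    applicant_name: str    # constructed sample value
    ssn_last4: str         # constructed sample value


class AppStore:
    def __init__(self):
        self._by_seq = {}   # 1, 2, 3, ...: the guessable key
        self._by_ref = {}   # opaque random reference: the unguessable key
        self._next_seq = 1

    def add(self, app):
        """Store a record under both a sequential id and an opaque reference."""
        seq = self._next_seq
        self._next_seq += 1
        ref = secrets.token_urlsafe(16)   # 128 bits of randomness, URL-safe
        self._by_seq[seq] = app
        self._by_ref[ref] = app
        return seq, ref

    def lookup_insecure(self, seq):
        """EXPOSED pattern: any caller who can count can read every record.
        There is no check that the caller is the applicant."""
        return self._by_seq.get(seq)

    def lookup_secure(self, ref, requester_id):
        """HARDENED pattern: the key is unguessable (defense in depth) AND the
        record is returned only to the account that owns it (the actual fix).
        'Missing' and 'not yours' give the same answer, so the endpoint is not
        an oracle for which references exist."""
        app = self._by_ref.get(ref)
        if app is None or app.applicant_id != requester_id:
            return None
        return app


def build_sample_store():
    """Two constructed applications belonging to two different customers."""
    store = AppStore()
    refs = {}
    _, refs["cust-A"] = store.add(FinanceApp("cust-A", "Alice Example", "1111"))
    _, refs["cust-B"] = store.add(FinanceApp("cust-B", "Bob Example", "2222"))
    return store, refs


if __name__ == "__main__":
    store, refs = build_sample_store()
    # Customer A asking for record #2 gets Bob's data from the exposed lookup...
    print("insecure:", store.lookup_insecure(2))
    # ...and nothing from the hardened one, even with Bob's opaque reference.
    print("secure as A:", store.lookup_secure(refs["cust-B"], "cust-A"))
    print("secure as B:", store.lookup_secure(refs["cust-B"], "cust-B"))
```

The ownership check is what closes the hole; switching to random references only removes the enumeration shortcut, and a system that does only that still leaks a record to anyone who obtains its reference (a forwarded link, a log line, a browser history).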
There is a huge missing niche for trusted intermediaries of identity information. We’ve been working on this at https://cerebrum.com in a different niche (background checks), but this comment just triggered a slew of ideas…
The security blunders are obviously horrible, but MAYBE explained by inexperienced developers tasked with something way beyond their understanding.
But how on earth did anyone approve storing confidential customer documents in an email account? This seems to indicate there's nobody in charge that understands anything about how to run this business. And if it's a subsidiary or outsourcing partner, it also shows that nobody has ever audited this business.
This is criminally negligent behavior from the company owners, and whoever is contracting them to do this work.
> But how on earth did anyone approve storing confidential customer documents in an email account?
Given the competence shown here, I doubt anyone approved anything. Most likely saving sent mail was a feature of whatever mail server they're using and it was a byproduct of the dumb decision to use an actual account for a "noreply" address.
I saw a fairly large estate agency system that bcc’d every outgoing email from their system to a shared account everybody then synced to Outlook. It was part audit log, part debugging tool, part database backup.
They changed when they realised employees were taking all their customers’ details to new jobs.
The most salient element of this story is that it is business trade secrets (such as customer lists) that motivate enterprises far more than customer privacy.
A friend who's taken Visa's data confidentiality training several times notes that customer data is secondary to Visa's own marketing campaign details.
Yikes! This is an unusual exploit since it both has an absolutely massive impact (literally access to everything on SharePoint and Outlook??), with a relatively straightforward vector (just looking at client side JavaScript).
One nit: I'd rather see people redact sensitive data with solid blocks instead of blurs in screenshots. Can't be too careful!
Yes and no. AFAIK it provides controls to ensure a certain level of privacy (with serious flaws IMO).
AFAIK it does not do much, if anything, to punish breaches caused by incompetence. I have not heard of any cases where companies were fined for breaches.
Not the whole of Europe. The EEA and the UK have legislation based on it that has not yet diverged significantly.
Let’s also appreciate that a monitoring email endpoint that was designed more or less as a communication worker/agent/runner has been abandoned and was basically metastasizing. That tells me that they aren’t monitoring email utilization or any other compensatory mechanism for identifying anomalous behavior, e.g. “hey why is email alias costing us [multiple of others]/month in storage”
“The noreply account could be the most important account in an organization because it could potentially have a record of everything they have ever sent to customers”
This is what you get, ladies and gentlemen, without unions and labour rights.
Coming soon, to us too.
Are you speaking of the EU? The US has at-will employment and most software developers are not unionized.
To a T.
https://eaton-works.com/2023/06/06/honda-ecommerce-hack/
Btw, schedule is spelt with a c after the s.
Hopefully they at least took the Base64 password out of the error log. I'm sure they did. Right? !?
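A defender-side check for the Base64-password-in-the-error-log problem raised above, as an added example (not code from the thread or from the affected system): scan log lines for Base64 runs that decode to credential-like text, report the line, and redact the value so the finding can itself be logged safely. The sample log lines, the keyword list and the function names are constructed assumptions.

```python
"""Find Base64-encoded credentials that leaked into log output.

Added illustration; the log lines below are constructed, and the keyword
patterns and function names are assumptions chosen for this example.
"""
import base64
import binascii
import re

# A run of Base64 alphabet long enough to be worth decoding, with optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Decoded text that names a credential (key=value or key: value).
CRED_RE = re.compile(r"(password|passwd|pwd|secret|token)\s*[=:]", re.I)
# Decoded text shaped like HTTP Basic auth: user:password with no whitespace.
BASIC_RE = re.compile(r"^[^:\s]+:[^\s]+$")


def decode_if_text(blob):
    """Return the decoded string if `blob` is valid Base64 of printable UTF-8,
    else None. Ordinary long words fail padding or UTF-8 checks and drop out."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def redact(text):
    """Blank out everything after the first '=' or ':' in each token so the
    recovered secret is never written into the finding."""
    return re.sub(r"([=:])\s*\S+", r"\1***", text)


def find_encoded_credentials(lines):
    """Return (line_number, base64_blob, redacted_plaintext) for each hit."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for match in B64_RE.finditer(line):
            text = decode_if_text(match.group(0))
            if text and (CRED_RE.search(text) or BASIC_RE.match(text)):
                hits.append((lineno, match.group(0), redact(text)))
    return hits


# Constructed sample log; the encoded values are built here so the example is honest
# about what they contain ("Hunter2!" is a placeholder, not a real credential).
SAMPLE_LOG = [
    "2023-06-01T10:22:04Z INFO  mailer: queued 12 messages",
    "2023-06-01T10:22:05Z ERROR mailer: SMTP auth failed, config dump: "
    + base64.b64encode(b"password=Hunter2!").decode(),
    "2023-06-01T10:22:06Z DEBUG http: Authorization: Basic "
    + base64.b64encode(b"svc-noreply:Hunter2!").decode(),
    "2023-06-01T10:22:07Z INFO  http: GET /api/documents/SharePointDocument123",
]

if __name__ == "__main__":
    for lineno, blob, shown in find_encoded_credentials(SAMPLE_LOG):
        print(f"line {lineno}: {blob[:12]}... decodes to {shown}")
```

Run against real logs this will produce some false positives (long identifiers that happen to decode to printable text), which is the right trade-off for a scan whose job is to surface secrets before they sit in a log archive for years; the redaction step matters because a finding that echoes the plaintext just creates a second copy of the leak.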
There should be a legal framework that holds companies liable for a certain level of security mishandling when it comes to private customer data.
Persistent power being one of these.
Can't wait til there's enough electricity in India to where hacks become a primary concern.
They're laying down 100k kilometres of fiber optic per month and 350 5G cell sites per day.