> As recently seen with Intel, there seems to be a trend where developers will do this pointless client-side decryption. When the client has the key, it’s strange that anyone would think that would be secure.
I stay and work in India. Yesterday, as part of a VAPT audit by a third party auditor, the auditors "recommended" that we do exactly this. I wonder if this directive comes as part of some outdated cyber security guidelines that are passed around here? Not entirely sure.
When I asked them about how I'd pass the secret to the client to do the client side encryption/decryption without that key being accessible to someone who is able to MITM intercept our HTTPS only API calls anyway, the guy basically couldn't understand my question and fumbled around in his 'Burp' suite pointing exasperatedly to how he is able to see the JSON body in POST requests.
Most of the security people we've met here, from what I can tell are really clueless. Internally, we call these guys "burp babies" (worse than "script kiddies") who just seem to know how to follow some cookie cutter instructions on using the Burp suite.
I am a pretty cookie cutter developer. We just make glorified CRUDs and I have tried to convince the engineering director hundreds of times that "There is no use of encrypting and decrypting localstorage with a key that's sitting right inside the client code." Yet they keep insisting on it in the code-quality checklist.
My guess - he’s avoiding political risk. If something goes bad, it’s better to say “it was encrypted but they got the keys” than to defend data wasn’t encrypted.
It’s semantics in terms of actual difference to an attacker, but it’s a world of difference when explaining to executives.
You’re right, of course, but this reminds me of when Chrome didn’t obscure your passwords when looking at its autofill settings. The developers argued that it would just be security by obscurity -- if somebody has access to your computer when it’s unlocked, they can do anything they want, so obscuring your passwords does nothing.
The counter-argument is, even if it’s not perfectly secure, that extra bit of friction before you can see the passwords is useful, and may just save your bacon if a casual thief has access to your computer for a few seconds.
The Chrome team eventually saw sense and added some client-side password protection.
As long as you don’t only have client-side protections, of course (and maybe your clueless auditors were making that mistake).
He's definitely wrong. If you want to see why this is wrong you should look at what Kaspersky had to do to unravel Operation Triangulation. They did, eventually, succeed but the absolute nightmare they went through should simply inform you why it's a good thing.
Assuming that you've been MITM'd is a different violation of trust. And when you break your own assumptions, well of course nothing makes sense. Were I the burp baby I would've asked why you think we should not defend against literally any other side channel because maybe they broke TLS.
Edit: For those who don't know the relation. Tata[1] is a conglomerate, which owns both Tata Motors (Jaguar, Land Rover) and also TCS (Tata Consultancy Services)
Very realistically, why shouldn't these developers be replaced by AI? The anti-AI argument I've always seen here is that AI is bad at security. But human developers at orgs like TCS don't seem...any better?
The issue with folks like TCS is organizational. They don’t have to be this terrible, they intentionally structure what they are doing so their end product is terrible this way.
And people hire them and pay them for it!
The real issue is the last part. It’s why they can also get away with what they do.
Maybe they’ll replace their line devs with AI, but Indian devs are pretty cheap and are much more satisfying to yell at by Indian managers, so….
> October 23, 2023: They confirm receipt and are working on taking action. After this date and up until January 2, 2024, there were various back and forth emails trying to get Tata Motors to revoke the AWS keys. I am not sure if something was lost in translation, but it took a lot of pestering and specific instructions to get it done.
Wow, they had to go out of their way and plead with Tata Motors to fix their own shit. I can only admire their patience. Can't say I would be that patient.
Sending it with AES encryption (with the key that the client has access to) makes it even worse, as someone knew this shouldn't be shared to the client yet they shared it anyway.
It's a side effect of pay. Like every other company, you get what you pay for, and for organizations that view web security as a [edit:] Cost Center (e.g. Tata Motors) there's no incentive to pay market rate for a Security Engineer - who in India can now demand $60k-100k TCs.
Heck, firms that provide offensive security capabilities to Indian PDs can pay $40k-50k after poaching a junior pentester or exploit developer from a PD.
I understand why someone might think this is a pay issue, but it goes beyond that.
Culturally, doing something "well" (quality oriented, mindful of end-users) vs. "got it done" (transaction, pragmatic way of looking at things) is the heart of why outsourcing to many different geographical areas (India included) often results in something different than expected.
Also condemning everyone in one part of the world as thinking one way is certainly not fair or true, but there are definitely unmistakable trends.
Sorry to be pedantic but I think you mean 'cost center', not loss leader (something sold at a loss to attract customers into your ecosystem/store). You are entirely right otherwise.
I do also wonder if this is because Indian security engineers can get good remote jobs working for American companies who are much more profitable than Indian companies. It places non-startup Indian companies in an odd position.
The customer portal of India's largest insurer with a market cap of $63B has literally not changed even once in the 14 years that I've been using it to pay my policy premiums.
Yup, they said thank you and took action only because this was a US-based researcher. Had any Indian dared to do this they'd be in for a world of pain. Not through a lawsuit, but criminal charges.
burp suite babies is crazy work
The 'tech' for both these is by guess who? TCS!
[1] https://en.wikipedia.org/wiki/Tata_Group
Look at the websites - most look like they've not been upgraded since the 90s, with endless popups
Really? I think your numbers for the local market are overestimated.
You get popups? What are you using to browse? IE5?
I sometimes get 'this site is trying to open another window - allow / block?': answer is always 'No'.
Another example, financial services publicly traded company with a recent 99% profit decline:
https://www.emkayglobal.com/
Some go on to sue such researchers.