[HN Gopher] Hacking India's largest automaker: Tata Motors
___________________________________________________________________
Hacking India's largest automaker: Tata Motors
Author : EatonZ
Score : 247 points
Date : 2025-10-29 01:31 UTC (3 days ago)
(HTM) web link (eaton-works.com)
| speckx wrote:
| The fact that they put their AWS secret keys on their website is
| incredible.
| YetAnotherNick wrote:
| Sending it with AES encryption (with the key that the client has
| access to) makes it even worse, as someone knew this shouldn't
| be shared with the client yet they shared it anyway.
| horns4lyfe wrote:
| If you've ever worked with Indian outsourcing firms it's not
| quickthrowman wrote:
| That's exactly the kind of work I'd expect from TCS, I'm not
| sure why you are surprised.
| darth_avocado wrote:
| Even more importantly, why do the root keys expose EVERYTHING?
| Do they just have one account for all of their infra?
| Linkd wrote:
| The fact that it's nicely commented is even more so. Check out
| the other environment configs commented out, are they doing
| this by hand? Wild.
| ksynwa wrote:
| So the author got nothing but a thank you out of it? That's a
| shame.
| tehlike wrote:
| At least there was a "thank you".
|
| Some go on to sue such researchers.
| paxys wrote:
| Yup, they said thank you and took action only because this
| was a US-based researcher. Had any Indian dared to do this
| they'd be in for a world of pain. Not through a lawsuit, but
| criminal charges.
| DaSHacka wrote:
| Typical 'payout' for ""responsible"" disclosure.
| sharadov wrote:
| Security for most Indian companies - even conglomerates is a
| joke.
|
| Look at the websites - most look like they've not been upgraded
| since the 90s, with endless popups
| Ylpertnodi wrote:
| > endless popups
|
| You get popups? What are you using to browse? IE5?
|
| I sometimes get 'this site is trying to open another window
| -allow/ block?': answer is always 'No'.
| fakedang wrote:
| Not ad popups, site UI popups.
|
| Another example, financial services publicly traded company
| with a recent 99% profit decline:
|
| https://www.emkayglobal.com/
| renewiltord wrote:
| In site modals.
| alephnerd wrote:
| It's a side effect of pay. Like every other company, you get
| what you pay for, and for organizations that view web security
| as a [edit:] _Cost Center_ (eg. Tata Motors) there's no
| incentive to pay market rate for a Security Engineer - who in
| India can now demand $60k-100k TCs.
|
| Heck, firms that provide offensive security capabilities to
| Indian PDs can pay $40k-50k after poaching a junior pentester
| or exploit developer from a PD.
| spelk wrote:
| Sorry to be pedantic but I think you mean 'cost center', not
| loss leader (something sold at a loss to attract customers
| into your ecosystem/store). You are entirely right otherwise.
| alephnerd wrote:
| Doh! You are correct! Crossed wires during a meeting
| vrinsd wrote:
| I understand why someone might think this is a pay issue, but
| it goes beyond that.
|
| Culturally, doing something "well" (quality oriented, mindful
| of end-users) vs. "got it done" (transaction, pragmatic way
| of looking at things) is the heart of why outsourcing to many
| different geographical areas (India included) often results
| in something different than expected.
|
| Also condemning every one in one part of the world as
| thinking one way is certainly not fair or true, but there are
| definitely unmistakable trends.
| alephnerd wrote:
| Because it is about pay.
|
| For example, most of the security portfolio that GCP
| provides is developed and product managed out of the Google
| Hyderabad office, as is a fairly major Israeli CNAPP
| product that starts with "A", a large CNAPP from a public
| Israeli-American security company that is directly
| positioned against Wiz, and a major security vuln mgmt and
| redteaming tool used by the DoD, GitHub, and Google. But
| all these employers pay $60k-130k TC for mid-career
| security professionals in India.
|
| We scoop up anyone who is remotely competent at
| transnational firms or startups because we can afford to
| pay Western salaries, and traditional conglomerates in
| India largely do not care about web exploits unless they
| are a web platform first and foremost.
|
| Tata Motors - being an automotive company - does not care
| about web development for the same reason GM doesn't as
| well: it isn't tangibly connected to revenue generation. As
| such, they will just contract it out to TCS (a Tata Group
| company, but both are independent of each other) at the
| lowest contract rate possible.
| porridgeraisin wrote:
| That culture at WITCH and WITCH-adjacent companies is
| itself a result of the pay.
| Nextgrid wrote:
| Pay should reward doing something _well_ vs merely doing
| something. Of course, this would generally mean you need to
| pay _more_ than the competitor which will happily pay for
| merely doing something. So yes it is about pay.
| alephnerd wrote:
| Also, Indian companies are competing with American and
| Israeli founded or funded companies and startups for the
| same talent.
|
| If you are competent, instead of earning $15k TC working
| for an automotive company, you could demand $40k-70k in
| TC from an MNC or a well funded startup (assuming you
| have the skills to back it up) - and those are the
| numbers my portfolio companies use to target hiring in
| India, as well as what I used previously before I became
| a VC.
| Nextgrid wrote:
| Western companies have the exact same problem though;
| I've dealt with plenty of incompetent people there too
| because the organization does not reward technical
| excellence and quality, so it is completely pragmatic for
| employees to focus their time on the things that _are_
| rewarded (engaging in politics, etc) instead.
|
| During the startup/ZIRP era there might have been people
| doing the "right" thing because they had skin in the game
| thanks to stock options or they were paid just so fucking
| much that they didn't care about putting in the extra
| work. But as total comps go downward (coupled with
| inflation) the output's quality tends to regress to the
| minimum acceptable.
| alephnerd wrote:
| > I've dealt with plenty of incompetent people there too
| because the organization does not reward technical
| excellence and quality
|
| Organizational dysfunction transcends all boundaries, but
| to a certain extent the kind of issues that lead to the
| kind of incident such as the one above happen because the
| affected product (e-Dukaan) is viewed as a cost center by
| Tata Motors.
|
| Sadly, in most cases, a lot of security will always be
| viewed as a cost center and never prioritized unless
| forced to due to insurance, audit, or regulatory
| pressure.
|
| That said, a thesis I've had for a couple years now is
| that if we can successfully shift-left by turning
| security into a DevTool problem as well as an
| organizational problem, we can both reduce remediation
| time as well as build stickiness for security products.
| The AppSec category has definitely adopted this kind of
| mindset.
| trueismywork wrote:
| I don't think there's much culture when the population is
| just overloaded with work and traffic and stress.
| sumedh wrote:
| It's absolutely the culture, "Chalta Hai" attitude is the
| culture. (Take it easy, let it go)
| alephnerd wrote:
| Cyber insurance or the threat of litigation after facing
| a severe breach will be the biggest driver for better
| security outcomes organizationally.
|
| For example, both Zerodha and Razorpay have cyber
| insurance and PhonePe and Paytm both cleaned house after
| major incidents years ago.
|
| It's also the same reason CapitalOne revamped security
| after the 2019 breach due to a misconfigured WAF.
|
| Essentially, only the risk of either litigation or
| inability to secure cyber liability insurance will
| motivate Tata Motors to better manage security. And based
| on the JLR incident and their inability to secure
| sufficient cyber insurance, I think Tata Motors will
| clean house internally.
| dyauspitr wrote:
| It is about pay. If you don't have someone working on 5
| different items continuously straining their bandwidth they
| tend to do better work.
| ajdixbd wrote:
| Everyone is saying it's about pay, but India is a low trust
| country (so far as large datasets saying as much can be
| trusted). Anecdotally I have heard the same from my expat
| friends as well.
|
| I'm not saying pay has no influence, but saying culture has
| no influence makes no sense. Even if it was all about pay,
| wealthy Indians choosing to hoard their wealth instead of
| distribute it (caste system, etc) is a cultural root for
| the pay problem. The two are so intertwined that it's
| impossible to claim it's black and white.
|
| The current western trend of outsourcing and/or importing
| labor is the real source of this issue. Western businesses
| care only for profit, so they employ cheap labor. Western
| culture is currently much more low trust than it was 50
| years ago, and trending worse. If anything, I think culture
| is the more defining factor - pay is downstream of it.
| enugu wrote:
| Don't want to get into low quality generalizations in
| your post except to note that a casual Google search will
| show you that Tata group is one of the most
| philanthropically oriented groups. Which of course,
| doesn't excuse this issue.
| f311a wrote:
| > $60k-100k TC
|
| Really? I think your numbers for the local market are
| overestimated.
| alephnerd wrote:
| For our portfolio companies, we are fine paying for quality
| instead of quantity.
|
| Giving a Rs 60-80 lakh TC offer in BLR or HYD makes it
| easier to identify and hire good talent, and ik peer
| security firms (private and public) that are product first
| are offering similar TC offers in BLR, HYD, and NCR.
|
| On top of that, there has been a reverse brain drain going
| on since the COVID layoffs in early 2020, so if we want to
| poach good talent that returned to India from the US, we
| need to be able to offer Western salaries, otherwise they'd
| either decide to help their former employer open a GCC or
| they'd start their own startup.
|
| Realistically, I'd say a $35k-60k TC offer gets you the 50
| to 75th percentile in talent in much of India for security,
| but most product-first companies tend to hire for quality
| not quantity, and depending on size of FDI and the state, a
| company can get a $10k-20k per head subsidy which makes it
| easier to offer higher salaries without impacting our
| bottom line.
|
| That said, if you are being hired to be a SOC, a generic
| pentester, or a "detection engineer" you'd be lucky to
| break the $20k TC mark tbh, but the SOC-to-SWE or
| Pentester-to-SWE conversions have been our most successful
| ones because it's easier to build a product for security
| teams when your engineers were former security
| practitioners.
|
| That said, the salary pressures for getting good talent in
| India is high simply because we're competing with Google,
| Microsoft, Citadel, Nvidia, etc for similar kind of talent
| within India.
|
| Earning $70k-90k TC in Hyderabad or Bangalore is doable
| with 10 YoE if you have the right profile (the right jobs,
| work experience, track record, and luck). Heck, this is why
| companies like Zscaler have been hiring in Tier 1.5/2
| cities like Pune or Chandigarh instead because you can get
| away with paying $35k-50k TCs for the kind of talent that
| would demand a $70k-90k TC in BLR or HYD.
| spaceman_2020 wrote:
| The customer portal of India's largest insurer with a marketcap
| of $63B has literally not changed even once in the 14 years
| that I've been using it to pay my policy premiums
| thelastgallon wrote:
| Related: Jaguar Land Rover hack cost UK economy an estimated $2.5
| billion, report says:
| https://news.ycombinator.com/item?id=45668008
|
| The 'tech' for both these is by guess who? TCS!
|
| Edit: For those who don't know the relation. Tata[1] is a
| conglomerate, which owns both Tata Motors (Jaguar, Land Rover)
| and also TCS (Tata Consultancy Services)
|
| [1] https://en.wikipedia.org/wiki/Tata_Group
| cjs_ac wrote:
| TCS also contracts for Marks & Spencer, and the Co-op, both of
| which were also taken offline by hacking earlier this year.
| Mistletoe wrote:
| At what point is it more believable that these are inside
| jobs done on purpose vs. incompetence? I guess that's just
| Hanlon's Razor though.
| cjbgkagh wrote:
| I have heard there is a growing trend of hackers paying
| kickbacks to insiders, certainly makes hacking easier.
| CommanderData wrote:
| Having worked with Indian consultancy firms for over 10
| years. I can safely say security attitudes and practices
| haven't changed much.
|
| There's always this culture of taking shortcuts at the
| expense of security and quality.
| cjbgkagh wrote:
| One of the problems with incompetence, of which there are
| many, is that it gives bad actors space to operate. From
| a security point of view I don't think the distinction
| matters all that much.
|
| That said, the situations I've heard about were from
| affiliate ransomware attacks that didn't make the news
| because the backup worked. It's difficult to keep things
| secure from highly motivated internal bad actors. I've
| been told it's an increasing trend but have not heard
| much about it publicly.
| d1sxeyes wrote:
| The challenge is this though: companies that are
| outsourcing to these consultancy firms put them against
| each other in RFPs that incentivise whatever behaviour
| can get them to the lowest bid.
|
| Inevitably quality suffers. Until customers start
| awarding business based on something other than the
| number at the bottom, this kind of thing will continue.
| jacquesm wrote:
| It's perfectly believable. Whether it is more believable or
| not is a toss up. If you employ such a large number of
| people there are bound to be a couple of bad apples, and
| unless you have _very_ good internal processes and
| monitoring it isn't all that hard to imagine someone doing
| something they shouldn't be doing. But absent hard evidence
| that it happened that way it's interesting speculation but no
| more than that, besides, it can be impossible to
| distinguish between the two even if you have evidence of an
| inside job that looks like incompetence!
| zdragnar wrote:
| Based on my experience working alongside TCS, incompetence
| seems far more likely. If we'd asked for a back door, we'd
| have gotten a solid wall.
|
| Then again, my experience may have left me a little jaded.
| tencentshill wrote:
| When you pay your support employees so little, it's not
| difficult for someone from a wealthier place to bribe them.
| fencepost wrote:
| Note that M&S dropped TCS in July following the recovery.
| https://www.ft.com/content/289ec371-2ed4-425a-9bd0-c34e6db39...
| and elsewhere.
| thousand_nights wrote:
| > M&S chair, told MPs that hackers had used "sophisticated
| impersonation" to gain entry "involving a third party."
|
| 20 bucks says this sophisticated impersonation was social
| engineering a $5/hour outsourced customer support employee
|
| > The attack is expected to lower operating profits by up
| to £300mn this year.
|
| that's not counting the reputation and brand damage. M&S is
| seen as a premium retailer and this whole hack made them
| seem utterly incompetent and unreliable
|
| > had decided to opt for another service provider after the
| process had completed
|
| i wonder where this other provider is based. i think i'm
| gonna place another 20 bucks on this.
|
| > The retailer continues to use the Indian group for other
| services.
|
| lol.
| fuzztester wrote:
| >that's not counting the reputation and brand damage. M&S
| is seen as a premium retailer and this whole hack made
| them seem utterly incompetent and unreliable
|
| >>The retailer continues to use the Indian group for
| other services.
|
| >lol.
|
| >is seen
|
| lol. a lot of things are seen as blah blah. doesn't mean
| they are blah blah.
|
| google is seen as a world leading tech company. yet see
| how HNers regard them (except those desperate for FAANG
| salaries).
|
| If they hired their vendors without due diligence, they
| may be incompetent and unreliable themselves. On the
| other hand:
|
| >> M&S chair, told MPs that hackers had used
| "sophisticated impersonation" to gain entry "involving a
| third party."
|
| If the impersonation was sophisticated, maybe it was not
| so much the fault of TCS?
|
| If it was a Western company, would you talk / think the
| same?
|
| Nahi. Non. Nein. Nyet. Nada.
|
| lol.
| fuzztester wrote:
| >20 bucks says this sophisticated impersonation was
| social engineering a $5/hour outsourced customer support
| employee
|
| 0 bucks says this below list of data breaches is much
| much more devastating. 0 bucks, because I don't have to
| bet on it, unlike you, because it's true:
|
| >https://en.wikipedia.org/wiki/List_of_data_breaches
|
| >This is a list of reports about data breaches, using
| data compiled from various sources, including press
| reports, government news releases, and mainstream news
| articles. The list includes those involving the theft or
| compromise of 30,000 or more records, although many
| smaller breaches occur continually. Breaches of large
| organizations where the number of records is still
| unknown are also listed. In addition, the various methods
| used in the breaches are listed, with hacking being the
| most common.
|
| >Most reported breaches are in North America, at least in
| part because of relatively strict disclosure laws in
| North American countries.[citation needed] 95% of data
| breaches come from government, retail, or technology
| industries.[1] It is estimated that the average cost of a
| data breach will be over $150 million by 2020, with the
| global annual cost forecast to be $2.1 trillion.[2][3] As
| a result of data breaches, it is estimated that in first
| half of 2018 alone, about 4.5 billion records were
| exposed.[4] In 2019, a collection of 2.7 billion identity
| records, consisting of 774 million unique email addresses
| and 21 million unique passwords, was posted on the web
| for sale.[5] In January 2024, a data breach dubbed the
| "mother of all breaches" was uncovered.[6] Over 26
| billion records, including some from Twitter, Adobe,
| Canva, LinkedIn, and Dropbox, were found in the
| database.[7][8] No organization immediately claimed
| responsibility.[9]
|
| >In August 2024, one of the largest data security
| breaches was revealed. It involved the background check
| databroker, National Public Data and exposed the personal
| information of nearly 3 billion people.[10]
| silisili wrote:
| > M&S is seen as a premium retailer and this whole hack
| made them seem utterly incompetent and unreliable
|
| Hiring TCS to begin with made them seem utterly
| incompetent and unreliable.
|
| Let them fail and be a warning to other companies trying
| to cheap out on IT.
| harvey9 wrote:
| I doubt many people shopping for a sandwich and an
| unfashionable suit will be thinking about the M&S hack.
| spaceman_2020 wrote:
| Very realistically, why shouldn't these developers be replaced
| by AI? The anti-AI argument I've always seen here is that AI is
| bad at security. But human developers at orgs like TCS don't
| seem...any better?
| lazide wrote:
| The issue with folks like TCS is organizational. They don't
| have to be this terrible, they intentionally structure what
| they are doing so their end product is terrible this way.
|
| And people hire them and pay them for it!
|
| The real issue is the last part. It's why they can also get
| away with what they do.
|
| Maybe they'll replace their line devs with AI, but Indian
| devs are pretty cheap and are much more satisfying to yell at
| by Indian managers, so....
| rdtsc wrote:
| > October 23, 2023: They confirm receipt and are working on
| taking action. After this date and up until January 2, 2024,
| there were various back and forth emails trying to get Tata
| Motors to revoke the AWS keys. I am not sure if something was
| lost in translation, but it took a lot of pestering and specific
| instructions to get it done.
|
| Wow, they had to go out of their way and plead with Tata Motors
| to fix their own shit. I can only admire their patience. Can't
| say I would be that patient.
| spprashant wrote:
| This is embarrassing.
| fakedang wrote:
| I'll just leave this here:
|
| > September 1, 2023: Tata Motors shared with CERT-IN (who then
| shared with me) that the issues are remediated. September 3,
| 2023: I confirm only 2/4 issues were remediated and the AWS keys
| were still present on the websites, and active. October 22, 2023:
| After no updates and finding the AWS issues still not remediated,
| I send over some more specific steps on what must be done.
| October 23, 2023: They confirm receipt and are working on taking
| action. After this date and up until January 2, 2024, there were
| various back and forth emails trying to get Tata Motors to revoke
| the AWS keys. I am not sure if something was lost in translation,
| but it took a lot of pestering and specific instructions to get
| it done.
|
| Stay classy TCS.
| paxys wrote:
| This shouldn't be a surprise for anyone who has worked with TCS
| contractors in the past.
| yahoozoo wrote:
| Superpower by 2027.
| debarshri wrote:
| This is a pessimistic comment.
|
| I'm a cofounder of a data and identity security startup operating
| specifically in APAC. Data security in India is a joke.
|
| I would argue even with DPDPA, RBI C-Site and cyber resilience
| framework from SEBI, it is just going to not happen here.
|
| The list of PAN cards the blog is talking about is probably
| already leaked by some other services.
|
| The recent Flipkart cash on delivery scams [1] are an example of
| how your personal information is just out there in the wild in
| India, open for exploitation.
|
| There are a lot who do security in good faith (often driven by
| compliance) and a lot of them are our customers too, but I hope
| to see the rest of the Indian tech ecosystem take security
| seriously.
|
| [1]
| https://www.reddit.com/r/FuckFlipkart/comments/1hhrw9w/what_...
| alephnerd wrote:
| I've dealt with Indian companies for security sales and I'd say
| the newer generation of companies like Razorpay (YC W15) are
| decent at SecOps, but the older and more established companies
| suck at it and will continue to suck at it until there is a
| tangible regulatory incentive to enhance security postures.
|
| It also appears to be a side effect of compensation - why would
| mid-career security professional want to earn ₹15 LPA TC
| working for a legacy corporation if they have the skills to
| land at a security MNC that can afford to pay ₹35-50 LPA in
| TC.
|
| Ofc, it's us foreign investors who are able to afford those
| higher TCs ;) - especially if we can convert someone who was
| mid-career in the US but had to return to India due to family
| or visa issues.
|
| It reminds me of how the Israeli security scene was 10-15 years
| ago, with similar problems around compensation and brain drain
| to MNC offices.
| connectsnk wrote:
| Are there any open source tools that scan the code and detect
| such gaffes?
| UltraMagnus wrote:
| Not open source, but I have used this before, and they have a
| very generous free tier:
| https://www.gitguardian.com/monitor-internal-repositories-fo...
|
| You install their Github app and give them access to your
| Github repo (private repos are ok too) and they run a Github
| workflow when each PR is submitted scanning for secrets that
| should not be in the code. Really happy with how their product
| works.
| unsungNovelty wrote:
| If you weren't aware of it... There is a world of static
| application security tools (SAST) which can help you. Add them
| to your text editor/ci/cd to use them.
|
| https://owasp.org/www-community/Source_Code_Analysis_Tools
| vivzkestrel wrote:
| stupid question, can we not make a regex for searching API keys
| for particular APIs and do a brute force scan across the
| internet
| richbell wrote:
| There are a number of products and open source tools that do
| this. Look up "secret scanning".
| EatonZ wrote:
| TruffleHog: https://trufflesecurity.com/trufflehog
|
| I worked for them a little bit and their product is really
| impressive and works great.
| heretoread9000 wrote:
| trufflehog is a good starting point, then bake in your own
| simple regex into your github actions or equivalent and make it
| part of your test suite
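As an added example (not code from the post, nor from TruffleHog or GitGuardian), a minimal Python scanner that flags the gaffes this thread describes: an AWS key pair in a web config, the commented-out keys for other environments, and a credential left in a comment, plus a generic high-entropy check for anything named like a key. The config it scans is constructed; the AWS values in it are the placeholder keys from AWS's own documentation.

```python
"""Minimal secret scanner for client-side bundles (added example, not TruffleHog
or GitGuardian code). Run it over a built JS/HTML artifact in CI; a non-zero
exit code blocks the deploy. Rules are deliberately few and readable."""
import math
import re
import sys
from collections import Counter
from dataclasses import dataclass

# Constructed sample modelled on the pattern the thread describes. The AWS values
# are the placeholder keys from AWS documentation, not live credentials.
SAMPLE_CONFIG = """\
// config.js: constructed sample, modelled on the pattern described in the thread
const config = {
  apiBase: "https://api.example.invalid/v1",
  // prod
  awsAccessKeyId: "AKIAIOSFODNN7EXAMPLE",
  awsSecretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY",
  region: "ap-south-1",
  // staging (disabled, but still shipped to every browser)
  // awsAccessKeyId: "AKIAI44QH8DHBEXAMPLE",
  // awsSecretAccessKey: "je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY",
  // backend admin login: user=admin password=Welcome@123
  aesKey: "0123456789abcdef0123456789abcdef",
};
"""

COMMENT_PREFIX = re.compile(r"\s*(//|#|/\*|\*|<!--)")

# Specific rules: (name, regex, capture group holding the secret value).
SPECIFIC_RULES = [
    # AWS access key IDs: 'AKIA' (long-term) or 'ASIA' (temporary) + 16 chars.
    ("AWS_ACCESS_KEY_ID",
     re.compile(r"(?<![A-Z0-9])((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])"), 1),
    # 40-char secret assigned to an identifier of the form secret...key.
    ("AWS_SECRET_ACCESS_KEY",
     re.compile(r"(?i)secret[_a-z]*key[\"']?\s*[:=]\s*[\"']([A-Za-z0-9/+=]{40})[\"']"), 1),
    # A password-looking assignment on a comment line.
    ("COMMENTED_CREDENTIAL",
     re.compile(r"(?i)^\s*(?://|#|/\*|\*|<!--).*\b(?:password|passwd|pwd)\b\s*[:=]\s*[\"']?([^\s\"',;]+)"), 1),
]
# Generic fallback: identifier mentioning key/token/secret assigned a long literal.
GENERIC_RULE = re.compile(
    r"(?i)\b[a-z0-9_]*(?:key|token|secret|passw)[a-z0-9_]*[\"']?\s*[:=]\s*[\"']([^\"']{16,})[\"']")
ENTROPY_THRESHOLD = 3.5  # bits per char: English text ~2-3, hex 4.0, base64 up to 6


@dataclass
class Finding:
    line_no: int
    rule: str
    redacted: str     # never log the full secret; CI logs are widely readable
    in_comment: bool  # commented-out config is still delivered to the browser


def shannon_entropy(value: str) -> float:
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    return "***" if len(value) <= 12 else value[:4] + "..." + value[-4:]


def scan_text(text: str) -> list:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        in_comment = COMMENT_PREFIX.match(line) is not None
        matched = False
        for name, regex, group in SPECIFIC_RULES:
            for m in regex.finditer(line):
                findings.append(Finding(line_no, name, redact(m.group(group)), in_comment))
                matched = True
        if matched:
            continue  # specific rules win; avoid a duplicate generic hit on the same line
        for m in GENERIC_RULE.finditer(line):
            value = m.group(1)
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(line_no, "HIGH_ENTROPY_SECRET", redact(value), in_comment))
    return findings


def scan_and_report(text: str, stream=sys.stdout) -> int:
    """Print findings and return a process exit code (1 = block the build)."""
    findings = scan_text(text)
    for f in findings:
        note = " (in a comment; still shipped to clients)" if f.in_comment else ""
        print(f"line {f.line_no}: {f.rule} {f.redacted}{note}", file=stream)
    return 1 if findings else 0


if __name__ == "__main__":
    # Usage: python scan_secrets.py dist/bundle.js   (no argument scans the sample)
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    sys.exit(scan_and_report(source))
```

A production scanner would allowlist the AWS documentation example keys and verify live hits against the provider, which is what TruffleHog's verification step does; this block keeps them flagged so the sample shows every rule firing.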
| driverdan wrote:
| I'm curious, why wait so long to publish this? The incident was
| in 2023.
| coldfoundry wrote:
| This might be the first time I felt disappointed and sad reading
| an article like this. The commented username and password felt
| like something from an early 2000s tv show with the tech guy
| doing "hacking".
|
| Wonder how many others stumbled upon this prior, and makes me
| also wonder how many other sites have things like this hidden in
| plain sight. Insane.
| alephnerd wrote:
| This may look "boring" or "uninspired" but this is what real
| cybersecurity and "hacking" looks like.
|
| In most cases, security and QA are essentially two sides of the
| same coin - and this is why I get pissed when devs treat
| testing and QA as bulls**t, because even a relatively simple
| XSS attack or cred misconfig can have a massive impact.
| hvb2 wrote:
| This has nothing to do with testing. This is a lack of
| training.
|
| I would say they need to 'think like an attacker' at least
| some of the time. But this is still too high of a bar.
|
| I think this is really a problem of rewarding people when
| they finish things. One way or the other. It works, so on to
| the next project...
| sumedh wrote:
| > This has nothing to do with testing.
|
| A good QA can catch/test such security issues although most
| of such work is given to a dedicated pen tester to find
| weakness in the platform.
| alephnerd wrote:
| As someone who has been a SWE, PM, and VC in the
| cybersecurity space and constantly meets with CISOs as well
| as has formerly been a security practitioner (I should get
| back to using HackerOne again for fun), I can safely say
| that the overwhelming majority of security incidents are
| due to some form of misconfig because development and code
| review are orthogonal to proactive security checks.
|
| Shift-left was supposed to fix that but it failed because
| the primary persona to sell ended up becoming the CISO
| again, and not trying to find a way to make security
| ownership a Dev and QA responsibility as well (this is
| largely organizational).
| hannofcart wrote:
| > As recently seen with Intel, there seems to be a trend where
| developers will do this pointless client-side decryption. When
| the client has the key, it's strange that anyone would think that
| would be secure.
|
| I stay and work in India. Yesterday, as part of a VAPT audit by a
| third party auditor, the auditors "recommended" that we do
| exactly this. I wonder if this directive comes as part of some
| outdated cyber security guidelines that are passed around here?
| Not entirely sure.
|
| When I asked them about how I'd pass the secret to the client to
| do the client side encryption/decryption without that key being
| accessible to someone who is able to MITM intercept our HTTPS
| only API calls anyway, the guy basically couldn't understand my
| question and fumbled around in his 'Burp' suite pointing
| exasperatedly to how he is able to see the JSON body in POST
| requests.
|
| Most of the security people we've met here, from what I can tell
| are really clueless. Internally, we call these guys "burp babies"
| (worse than "script kiddies") who just seem to know how to follow
| some cookie cutter instructions on using the Burp suite.
| sayamqazi wrote:
| I am a pretty cookie cutter developer. We just make glorified
| CRUDs and I have tried to convince the engineering director
| hundreds of times that "There is no use of encrypting and
| decrypting localstorage with a key thats sitting right inside
| the client code." Yet they keep insisting on it in the code-
| quality checklist.
| overtomanu wrote:
| I guess they think it results in some kind of security by
| obscurity... Maybe ward off lazy beginner hackers..
| tonyhart7 wrote:
| lmao
|
| burp suite babies is crazy work
| iainmerrick wrote:
| You're right, of course, but this reminds me of when Chrome
| didn't obscure your passwords when looking at its autofill
| settings. The developers argued that it would just be security
| by obscurity -- if somebody has access to your computer when
| it's unlocked, they can do anything they want, so obscuring
| your passwords does nothing.
|
| The counter-argument is, even if it's not perfectly secure,
| that extra bit of friction before you can see the passwords is
| useful, and may just save your bacon if a casual thief has
| access to your computer for a few seconds.
|
| The Chrome team eventually saw sense and added some client-side
| password protection.
|
| As long as you don't _only_ have client-side protections, of
| course (and maybe your clueless auditors were making that
| mistake).
| halJordan wrote:
| He's definitely wrong. If you want to see why this is wrong
| you should look at what Kaspersky had to do to unravel
| Operation Triangulation. They did, eventually, succeed but
| the absolute nightmare they went through should simply inform
| you why its a good thing.
| EatonZ wrote:
| Appreciate the insight!
| halJordan wrote:
| Assuming that you've been mitm'd is a different violation of
| trust. And when you break your own assumptions, well of course
| nothing makes sense. Were I the burp baby I would've asked why
| you think we should not defend against literally any other side
| channel because maybe they broke tls.
| qwertytyyuu wrote:
| Woah Tata is everywhere, weren't they also the biggest youtube
| channel?
| sreetamdas wrote:
| I believe you're talking about T-Series? pretty sure they are
| not related
| defraudbah wrote:
| give this Uri Said by Deepak Gupta
| pkphilip wrote:
| If there are any TCS employees on Hackernews, please show this
| post to your management. This is beyond embarrassing on so many
| levels.
| zkmon wrote:
| Users in India wouldn't care that much about privacy of their
| data as much as the Western folks do. This reduces the importance
| of this whole episode and I don't think this news flashed across
| TV screens or caused a debate anywhere.
|
| India is a karma society. Karma doesn't mean upvotes. It means,
| you get what you are destined for, or what you deserve. People take
| things in their stride and keep moving, while keeping their eyes
| wide open. When you are moving through a jungle, there is no
| point in blaming thorns or getting angry on wild animals.
| inavida wrote:
| So basically you are saying that India is a society that is
| still soaked in an ideology that justifies the special
| privileges of temple staff and tells peasants that being a
| sharecropper in a rent for protection racket is their own
| fault, so hand it over, and moreso that you approve. You sound
| like every temple staff worker ever. Grow up.
| zkmon wrote:
| Go out into rural India and ask someone if they care about
| someone knowing their contact details. Same with 90% of city
| folks. By the way, growing up may not be so cool. For you.
| chisleu wrote:
| Total tangent, but I got to ride in some of these on a recent
| trip to India and I was really impressed with the build quality
| and utilitarian usefulness of the design.
| fred_is_fred wrote:
| He would have had better results if he said "do the needful" in
| his first email to them.
| guluarte wrote:
| protip: never trust the client
| guluarte wrote:
| btw... some urls in this image contain js with vulnerabilities
| https://eaton-works.com/cdn-cgi/imagedelivery/VwwCqBIYNXeyNQ...
|
| https://imgur.com/a/ybFcY5Y
|
| https://imgur.com/Pf7ywbK
___________________________________________________________________
(page generated 2025-11-01 23:01 UTC)