Indian IT Industry

[CalvinH]

I see Agile vs Waterfall debate is product dev vs process apps debate. I dont know much about the product dev side of things but on process apps side we are using a mix of agile and waterfall now with low code PaaS platforms. This is IT side of things. As IT evolves from a order taker to a order maker IT we are increasingly using product development ideas in application development. Focusing on persona based development approaches, prototyping and iterative upgrades.

Salesforce doesnt provide an update once a month. They do it thrice a year.

I have very low expectations from Indian IT leadership. Most of the companies are led by businessmen coming to IT services because it was a better margin/growth business, and they have little ability to do any trans-formative change. Infosys may be an exception where founders are engineering types and they are going back to their roots when in doubt by hiring a CTO as CEO. For rest, the roots take them to profit margins and hence the computer assembler/service company is going back to investing in sunrise sectors of education and healthcare. Heard oil company is looking at its consumer goods BU again.

I would agree with most on the issue about HR head leading the IT company. Lack of genuine leadership in Indian IT services industry is really alarming. Most of the so called successful leadership of Indian IT services companies just got lucky and have contributed little to the success of Indian IT services industry. PPTs won the business and rising tide lifted all the boats. Now , as Singha sar pointed out, when whole industry is looking at a big change they have no tools or aptitude left on how to react. I remember a bunch of SVP in Infosys, who before they were let go by Infosys, boasted about taking business units from USD 100 Million to USD 1 Billion in 5-10 years. Most of them are struggling with making a USD 10 Million company outside Infosys. A lot of them have gone back to other IT services companies. They didn't do anything path breaking before and can't do anything now.

[Singha]

HYDERABAD: India's big IT services companies have ganged up to keep salary of freshers low taking advantage of oversupply of software engineers at the entry level, says industry veteran T V Mohandas Pai.

"That's the problem with Indian IT (industry). Indian IT is not paying its freshers well. And in fact, big companies are coming together talking to each other not to increase their salary," he told PTI.

Reports indicate that as against offers of Rs 2.25 lakh per annum t ..

Read more at:
http://economictimes.indiatimes.com/art ... aign=cppst

[Sachin]

HYDERABAD: India's big IT services companies have ganged up to keep salary of freshers low taking advantage of oversupply of software engineers at the entry level, says industry veteran T V Mohandas Pai.

Companies like Vegetable Oil.Co had started doing this at least three years back. They stopped hiring freshers from any of the top colleges in big cities. They went for campuses in Tier-II and even Tier-III cities. With most of the work being Application Maint. & Support (which involves shifts and week end support), a significant chunk of their package was shift/week end duty allowance . But to be frank, the company had set the expectations with the candidates right on Day 0. Earlier the promises were "cutting edge technology" & "development project", when the hiring was from Tier-I city colleges.

[Neshant]

What are the security implications of the entire nation's data including biometric data going to microsoft and onwards to the NSA?
____________

Microsoft eyes Indian startups for cloud services

http://www.computerworld.com/article/31 ... ml?ref=yfp

[Javee]

Both Europe and US have data residency rules, India can make something similar to that and force the providers to hold data India and make them liable for any unauthorized access by a 3rd party.

[SRoy]

^^

Correct. It is a legal issue only.

How does data goes to USA?
Can MS seize my data kept in Azure cloud hosted one the data centres in India?

As long as Indian law says that my Azure data hosted in Hyderabad or Bengaluru data centres stays in India, I see no issue.

[Marten]

What are the security implications of the entire nation's data including biometric data going to microsoft and onwards to the NSA?
____________

Microsoft eyes Indian startups for cloud services

http://www.computerworld.com/article/31 ... ml?ref=yfp

You have been making these (false) assertions for quite some time. Can you please back up your statements regarding UIDAI with facts? Not even other ministries can access the data! Which US company is part of the operational team? How can terabytes of data be stolen from a completely enclosed system? Please do explain.

Folks, read this to understand the basics of biometric data capture and use in the Indian context. https://uidai.gov.in/images/aadhaar_que ... nswers.pdf
Remember it is already illegal to retain copies of any biometric data plus they will never get access to data within the UIDAI ecosystem.

[sanjayc]

What are the security implications of the entire nation's data including biometric data going to microsoft and onwards to the NSA?
____________

Microsoft eyes Indian startups for cloud services

http://www.computerworld.com/article/31 ... ml?ref=yfp

You have been making these (false) assertions for quite some time. Can you please back up your statements regarding UIDAI with facts? Not even other ministries can access the data! Which US company is part of the operational team? How can terabytes of data be stolen from a completely enclosed system? Please do explain.

MongoDB startup hired by Aadhaar got funds from CIA VC arm
http://economictimes.indiatimes.com/art ... aign=cppst

[Marten]

Sanjayc, please explain how this will enable access to the data itself? You do know that installing software is not the same as giving access to data?

[pandyan]

Both Europe and US have data residency rules, India can make something similar to that and force the providers to hold data India and make them liable for any unauthorized access by a 3rd party.

yes, that needs to be explicitly stated in the policy document. Cloud providers typically have to conform to country specific regulations such as these by providing local hosting options and guaranteeing that data does not leave the local site.

[pandyan]

Sanjayc, please explain how this will enable access to the data itself? You do know that installing software is not the same as giving access to data?

+1. worst case is some form of backdoor. MongoDB is a opensource project so if there is a backdoor, we would already know about it.

[negi]

Well we use Mongo ; thing is in older versions by default you can have a Mongo instance up and running without a password and if you know the default port you can get into it pretty easy once you get into the firewall. Mongo now does allow one to implement transparent data encryption using an exterrnal key management store but I am not too sure if all Mongo users take so much care . Having said that I won't be surprised if shortlisting of Mongo for UUID project happened with lot of hands being malish palished simply because just to store binary data (biometrics) and profile information we could have chosen any cheaper DB because not a lot of updates are going to happen (change of address is a once in a while event) so whoever ran this evaluation bought an expensive DB for this requiement. MongoDB production support costs a lot (we did the numbers it is not even funny).

[Neshant]

The only question is when not if the entire database will be stolen... if it hasn't already.

[Marten]

The only question is when not if the entire database will be stolen... if it hasn't already.

And you base your assertion on? Either you have never seen the inside of a data centre or you haven't been exposed to secure installations. Please elaborate the reason instead of providing baseless opinion.

[sum]

Sanjayc, please explain how this will enable access to the data itself? You do know that installing software is not the same as giving access to data?

Marten saar, i was under the same impression but recently my brother was chatting up with one of his buddies who is running a Jio center ( which uses Aadhar as the method to authenticate and provide a new SIM)

He ( and i ) was under the impression that the way it worked was that the Jio center would query with the Aadhar details and would be provided with YES/NO and if all queries returned YES, it was valid. However, the guy( friend of bro) showed that the system was actually giving the entire data of the Addhar number input and the guy was having full access to all the data which was present for the Aadhar number presented.

Brother was stupified and told me the same. So, not sure what really is going on here

[Javee]

I would doubt it will send a yes or no answer. It's a verification and validation system, which means you need to validate the info and verify the identity holder is the same. The question here is not about the basic information, but your biometrics which will not be accessible to Jio.

[Neshant]

As I said, its only a question of when, not if the entire database will be stolen.

The added insanity of involving foreign companies that not only hand over private data of their citizens (without objection) to govt agencies but also implant back doors in hardware products only makes the situation even more worrisome.

These are days where multi-billion dollar companies like Sony cannot even protect themselves against multiple hack attempts aimed at stealing customer credit card info.

I won't mention where but i had a startling insight into the total lack of security on a certain govt website when I accidentally stumbled upon private details of applicants I should not have been seeing. It makes me wonder how likely they are to detect an intrusion let alone prevent one.

[negi]

Gentlemen India does not have strong data privacy laws ; having seen how guys in Jio handle data and including firms like SEBI and CIBIL who use our SW let me tell you data is not as secure as it should be not neccessarily because of the tooling but because of the culture let me put it this way haven't those of you who work in desi cos in India ever wondered how come every other chap on the floor knows your CTC ? People talk here in fact HR does everything what a HR is not supposed to do . Mota bhai's company in fact had managed to get loads of competitor customer data on CDs for running their tests . One fundamental issue is no one looses a job in event of a data breech hell you won't even know if there was a breech in the first place (I know it for a fact that is how Jio chaps had customerr data from so many of their competitors ). Demographic data sells on streets for pennies be it the PAN card shop on nukkad ; the attendant who manages Doctor's patient, the builder whom you bought your apartment from and even the chap who printed your wedding card they have all sold your data to credit card or home loan companies , Jio to sabka baap hai.

[Marten]

All of you folks are conflating your concerns regarding the Indian IT scenario, the fears regarding information security with the core issue here -- whether UIDAI data is secure or not. Please read - http://uidai.gov.in/images/authDoc/whit ... livery.pdf, then look up the API: https://uidai.gov.in/images/FrontPageUp ... pi_1_6.pdf and then comment.

Most of the comments are hand waving without any real insights into the possible issues.

Neshant, sorry to say but your only argument is that some corporation somewhere was unable to stop a data breach, how can the GoI do it then? That only reflects your concern. While it is a valid concern, it is false in nature. The data cannot simply be uploaded from two secure centers. I encourage you to face the fear by reading instead of mindlessly repeating the same thing ala AAP stalwarts. Am sure a smart guy like you can easily figure out the apparatus in place.

Please understand a secure govt. data center does not operate like a civilian setup. As an example of civilian setups that also maintain Govt data, look up the Verizon center in VA (NS are also co-located here) is one such place that is guaranteed to open your minds to the really deep layers of protection in place for critical data. Or look up Iron Mountain and see how many companies and federal agencies use the dcs to protect their data.

I also encourage you to try and approach the UIDAI owned and operated Data center at Hebbal or in Haryana. No doubt there is a large possibility of gaps in implemenation of policy across any Indian venture -- but it does not preclude professional run and maintained setups like UIDAI from being secure. IOW, please do look up and try to find data breach possibilities before making up your mind.

[Marten]

Sanjayc, please explain how this will enable access to the data itself? You do know that installing software is not the same as giving access to data?

Marten saar, i was under the same impression but recently my brother was chatting up with one of his buddies who is running a Jio center ( which uses Aadhar as the method to authenticate and provide a new SIM)

He ( and i ) was under the impression that the way it worked was that the Jio center would query with the Aadhar details and would be provided with YES/NO and if all queries returned YES, it was valid. However, the guy( friend of bro) showed that the system was actually giving the entire data of the Addhar number input and the guy was having full access to all the data which was present for the Aadhar number presented.

Brother was stupified and told me the same. So, not sure what really is going on here

Sum, they have an AUA agency license, meaning they have access to demographic data - to validate against the documents presented by the applicant. When you say entire data, biometrics is NOT included in the same. The full aadhaar number will also be present on the copy of the card itself, right? The authenticaion mechanism is such that it can only give Yes or No answers for the biometric matching -- there is absolutely NO way for exernal access to the biometrics. I mean Zero chance because the APIs do not carry such data back in their response, plus the data used to validate is an encrypted format that even on decryption can only be understood by the vendor system that itself is operated by UIDAI. The vendor too has zero access to the data (most importantly, the identity is completely unknown to the vendor) so no one can really use the biometric data itself.

More details here: https://authportal.uidai.gov.in/web/uid ... entication

[putnanja]

In India, there is no concept of privacy, of data or anything else I have seen these bank representatives handle PAN card copies of customers haphazardly, leaving it everywhere. The HR folks are no better, seen HR folks casually leave all documents with salary details, PAN/Aadhar details etc on their desk in cubicles and walk out for coffee etc. In multiple restaurants, I have had waiters ask me for my credit card PIN( and I tell them to bring the machine to me). During the demonetization lines in front of ATM, I have seen people in my company give out debit cards and PIN and ask support staff to withdraw money for them by standing in line, and this in a software company! There is no culture of privacy here, many of you have might have been asked by random uncle/aunts how much salary you make, and about your expenses and savings etc

[Vikas]

Forget Aam Abdul, I have seen Form16, Pan, Aadhar and Passport copies scattered all around the Photocopy machines in top notch IT Companies. So who is scared of Data breach. Not we Indians

[arshyam]

Gentlemen India does not have strong data privacy laws ; <snip>

Fixed that for you saar, hope you don't mind. cheers!

P.S. when GoI thinks nothing of using a personal gmail account for official work (which can be hosted on any server anywhere in the world), that should tell you the level of security awareness. Neshant saar can shibber about UIDAI data (I will read Marten saar's link), but that's the end of a long chain of gov comms that has already been hoovered into NSA's data computers from the big amriki orgs. UIDAI is probably the "close the stable door after the horse has (long since) bolted"

[Javee]

I mean if we talk conspiracies, then the hoard of American companies that do business here in automotive, insurance, banking, capital markets, IT, Telecom so on will give their employee/customer information to their govt at the drop of a hat. They dont need to build backdoors in mongoDB for that

[negi]

^ We are not talking about consipracies no one is saying UUID project will sell data ; we are talking facts which are more fundamental than UUID project itself i.e. data security and privacy are areas which are not even on agenda when we see projects implemented in India and I say this with knowdlege of how LIC, CIBIL, ICICI Lombard, HDFC , JIO , AB group store customer data . Many of these projects don't even do penetration testing because budgets are low just because their custoemr facing webpages are down or slow does not mean they are secure.

[arshyam]

^^ Even bank homepages with few exceptions are not encrypted. The log in page is, thank god, but if the home page is not encrypted, I could be clicking on a "log in" link from a phishing site made to look like the bank's homepage. How would the average user know the diff? I check the security cert before typing in my creds, but 99.99% of people there won't. The saving grace is the 2-FA implemented on all account withdrawals and online purchases, so one can manage along.

A few months back, I was shopping around to open a bank account. HDFC was the most convenient, but I didn't go there because they were using a 112-bit encryption for their log in page. That's right, 112 bit encryption in 2016! Aren't there any minimum standards for such things? Apparently not, the only requirement is that the bank should use HTTPS. That said, the much maligned Axis, the tottering PSU called IOB and ICICI do a good job with their websites. 256-bit encryption end-to-end. But this lack of standardization for customer protection is worrying. More worrying is that the GoI has not publicly talked about fixing any of this. I believe there is an 'IT' ministry, wonder what they are up to. Will write to them and see.

But overall data management and privacy in India is a joke. For example, something as mundane as the highways FasTag toll pass needs KYC with ID proof - do you believe a toll plaza guy will treat it properly? BS. I will pay cash and cause congestion in the toll booth. Banks - less said the better. They turn around and sell the data to each other and keep calling you with one offer or the other, DNC registry be damned.

[Marten]

The tall minar has been shaky for a while. With Takla filling up their moat, it looks likely that FK will sell within a year.
Flipkart scales down new office lease

India's biggest e-commerce company is now looking to lease just 0.83 million sqft office space, down from an initial agreement of 3 million sqft

[Singha]

http://timesofindia.indiatimes.com/comp ... 290242.cms

snapdeal lays of around 20% and founders to take 0 pay

[KJo]

http://timesofindia.indiatimes.com/comp ... 290242.cms

snapdeal lays of around 20% and founders to take 0 pay

BENGALURU/GURGAON: As online marketplace Snapdeal started laying off employees on Wednesday , the company co-founders Kunal Bahl and Rohit Bansal sent out an email to employees admitting that they took multiple wrong decisions over the last two-three years amid the funding frenzy and that it was time to course correct.

Funding was abundant so they began hiring like crazy? I am shocked that so many people (esp desis) don't understand that good times are when you get stronger and better internally and position yourself for when bad times come (and they always do come). It's the typical grasshopper vs ant story.

[vipins]

Not able to find Cyber warfare thread.
Ministry of Electronics and Information Technology (MeitY) launches Cyber Swachhta Kendra - Botnet Cleaning and Malware Analysis Centre

http://www.cyberswachhtakendra.gov.in/security-tools.html
Free for all ,also have a M-Kavach for mobile devices!!

[Singha]

A friend had gone for a exploratory intview with snapdeal. He said while fkart did have a sound tech team , snapdeal had a lot of big talking 26yo vp types who were going on about building cloud sw.

Ultimately some adult supervision is needed in startups too

Not good. Sad.

https://www.quora.com/What-is-it-like-t ... t-Snapdeal

[KJo]

A friend had gone for a exploratory intview with snapdeal. He said while fkart did have a sound tech team , snapdeal had a lot of big talking 26yo vp types who were going on about building cloud sw.

Ultimately some adult supervision is needed in startups too

These days everyone wants to be Steve J or Mark Z. Silicon Valley is hyped up in India as being an awesome place where you start a company, go IPO and roll in $$$.
Reminds of this fellow I worked with who came from TCS Chennai. He was a contractor at PeechaKaroCo and a Websphere admin and was arrogant as hell . Arrogant for what? Who knows. He probably knew the admin interface well and had permissions, and we had to go through him so thought it made him special. He would rude on calls on install day. But at least this fellow knew something compared that the joker who tells me at 1am on install night that he had never seen the admin interface before.
So this guy quit TCS and started his company in Chennai. I am connected to him on FB so I see him posting pictures of him and some boys and girls in this rented space working on a white board drawing pictures and diagrams and everyone looking very intellectual. Within a few months, he had shut down and was sending me emails on Linkedin with links to his "product" and wanting me to send him money as "investment" so he could sell his thing and double my investment. Hmm sure. The link had some flashy video about how this would make a dent in the universe etc. Now I see that he is working in Mumbai as a "Solution Architect". I guess to his credit he tried.

[Marten]

I see you have all the necessary keywords to help KJo attain a fine froth.

In hindsight, a lot of folks must think of failed entrepreneurs as dumb for having failed. I lost the equivalent of a nice house in Mumbai but quickly hopped back, and spent some more of my hard earned money into another failed attempt. Still remember the smirks from ex-colleagues who thought I was nuts to try something and waste good hard earned money in this newfangled technology thingie.

[arshyam]

KJo saar, aren't you ever bored by the non-stop TCS bhajanam? Serious question.

[Sridhar K]

Marten saar, i was under the same impression but recently my brother was chatting up with one of his buddies who is running a Jio center ( which uses Aadhar as the method to authenticate and provide a new SIM)

He ( and i ) was under the impression that the way it worked was that the Jio center would query with the Aadhar details and would be provided with YES/NO and if all queries returned YES, it was valid. However, the guy( friend of bro) showed that the system was actually giving the entire data of the Addhar number input and the guy was having full access to all the data which was present for the Aadhar number presented.

Brother was stupified and told me the same. So, not sure what really is going on here

Sum, they have an AUA agency license, meaning they have access to demographic data - to validate against the documents presented by the applicant. When you say entire data, biometrics is NOT included in the same. The full aadhaar number will also be present on the copy of the card itself, right? The authenticaion mechanism is such that it can only give Yes or No answers for the biometric matching -- there is absolutely NO way for exernal access to the biometrics. I mean Zero chance because the APIs do not carry such data back in their response, plus the data used to validate is an encrypted format that even on decryption can only be understood by the vendor system that itself is operated by UIDAI. The vendor too has zero access to the data (most importantly, the identity is completely unknown to the vendor) so no one can really use the biometric data itself.

More details here: https://authportal.uidai.gov.in/web/uid ... entication

Marten
I agree that the UiDAi API returns 17 fields based on the aadhar number and not the biometric data. However. for ekyc, JIO, iDfc bank etc have fingerprint scanners attached to mobile phone and the fingerprint is validated against the one in the server. The 17 field data plus the fingerprint now is available to the likes of jio and the banks. My kB has implemented this solution for a couple of banks and now one more bank is in the pipeline.

[Singha]

A james bond type could make fake fingerprints on plastic film and use biometric access into laptop cellphone bmw etc...

[SRoy]

Reminds of this fellow I worked with who came from TCS Chennai. He was a contractor at PeechaKaroCo and a Websphere admin and was arrogant as hell . Arrogant for what? Who knows. He probably knew the admin interface well and had permissions, and we had to go through him so thought it made him special. He would rude on calls on install day. But at least this fellow knew something compared that the joker who tells me at 1am on install night that he had never seen the admin interface before.
So this guy quit TCS and started his company in Chennai. I am connected to him on FB so I see him posting pictures of him and some boys and girls in this rented space working on a white board drawing pictures and diagrams and everyone looking very intellectual. Within a few months, he had shut down and was sending me emails on Linkedin with links to his "product" and wanting me to send him money as "investment" so he could sell his thing and double my investment. Hmm sure. The link had some flashy video about how this would make a dent in the universe etc. Now I see that he is working in Mumbai as a "Solution Architect". I guess to his credit he tried.

Well the guy got lucky to be a "Solution Architect". What solution a "Websphere Admin" has delivered is anybody's guess.

Had offers from lot of these types to create a "startup" with whatever imaginary product that they had in mind. Well its always been they will do strategy, planning, marketing and sales. And I'll need do the technical stuff and would get a fancy technical position in return. Had the good sense to smell such BS and say a polite no.

[KJo]

KJo saar, aren't you ever bored by the non-stop TCS bhajanam? Serious question.

All true stories saar. There are so many, it is unbelievable.

Another true story is in 1977, top honcho FC Kohli at an emerging TCS was trying to recruit my dad to some top post there. He interviewed my dad at Memphis Airport on the day Elvis Presley died in Memphis. But my dad wanted to return to desh and start his own company which he eventually did.

Those were the glory days when they hired quality people rather than the bulk body dumping they do nowadins.

[KJo]

I see you have all the necessary keywords to help KJo attain a fine froth.

In hindsight, a lot of folks must think of failed entrepreneurs as dumb for having failed. I lost the equivalent of a nice house in Mumbai but quickly hopped back, and spent some more of my hard earned money into another failed attempt. Still remember the smirks from ex-colleagues who thought I was nuts to try something and waste good hard earned money in this newfangled technology thingie.

No, if you read my post, I give him credit for trying. I was actually quite impressed when he started out and was posting information. But then what made me wonder was all the publicity posts of him at his desk and at the whiteboard etc.

Marten Khan you are a smart guy, just team up with RB and SIngha and with a good idea, you will be successful!

But you are right, a lot of people in desh think and even laugh at people who try something and fail. Another reason why we as a people like to play it safe. On that, it is better in the US. But hopefully things are changing like so much other improvements.

[Marten]

Sum, they have an AUA agency license, meaning they have access to demographic data - to validate against the documents presented by the applicant. When you say entire data, biometrics is NOT included in the same. The full aadhaar number will also be present on the copy of the card itself, right? The authenticaion mechanism is such that it can only give Yes or No answers for the biometric matching -- there is absolutely NO way for exernal access to the biometrics. I mean Zero chance because the APIs do not carry such data back in their response, plus the data used to validate is an encrypted format that even on decryption can only be understood by the vendor system that itself is operated by UIDAI. The vendor too has zero access to the data (most importantly, the identity is completely unknown to the vendor) so no one can really use the biometric data itself.

More details here: https://authportal.uidai.gov.in/web/uid ... entication

Marten
I agree that the UiDAi API returns 17 fields based on the aadhar number and not the biometric data. However. for ekyc, JIO, iDfc bank etc have fingerprint scanners attached to mobile phone and the fingerprint is validated against the one in the server. The 17 field data plus the fingerprint now is available to the likes of jio and the banks. My kB has implemented this solution for a couple of banks and now one more bank is in the pipeline.

We must meet Saar. Please drop me a line at marten dot brf at chacha. In any case, the banks do have ALL of your data and your money and your signature. Whatever they need is right on hand, and they would not have this data if they were not trusted agencies. One of the tenets of authentication is that the data being used for auth cannot be stored within your system. You can enroll the person separately with their consent, but the auth biometrics cannot be stored. Is that condition being violated? It is now an act of parliament after all.