217 comments

[ 7.6 ms ] story [ 370 ms ] thread
Their entire cybersecurity page is just a bunch of gibberish. It's like someone slapped together buzzwords and phrases until they filled a word count.
Oh gosh... TCP/IP is a resilient protocol and would route around any countr(y/ies) opting for modern standards. The world would continue to spin.

I didn't say "puppy mill" regarding infosys... So.... Its just another puppy mill :)

https://en.m.wikipedia.org/wiki/Puppy_mill

As you were :p

I really wish this surprised me. The number of people who completely understand the stack they are working on is shrinking, even as the size of the stack grows.

The power of computing is such that every organization on the planet is forced to lower the bar to get people who are marginally competent, even if they lack attention detail and cannot be relied on to solve problems of this sort. This kind of leak is the result.

In a world where all the problems are wrapped in containers and ever increasing bloat, it takes a lot of discipline to understand the stack, if that’s even the proper term anymore.
Even just understanding "the stack" if you're using a cheap Linux VM and admining it directly is a heavy lift for most devs.
I don’t think there are any people who understand the full stack. I don’t think anyone like that has existed in computing in a very long time.

It’s truly impossible for a single human to actually understand the physics of electronics, the world of CPU micro-architecture, packet shuffling network equipment, the nuance of CSS, and the never ending complexity of UI/UX design.

The only way this statement could be accurate is if you arbitrarily start cutting parts of the “stack” out.

If "full stack" means electronics up to JS, then there are probably quite a few people who can work at all those levels. Although a minority, at least they can understand a "fuller" stack than most, unfortunately.
I disagree, it takes lots of time but it is possible.

Personal example: I have an electronics engineering degree that was 1 semester short of a physics degree, so I learned quantum mechanics, electromagnetic field theory, transistors, and how to create a CPU (I even created a CPU out of simple gates and way too much wire wrapping). I love computer software, so I learned assembly, how to write compilers and operating systems, and libraries. I have configured network hardware and written network software at various levels. I've also used CSS and implemented UI/UX. I've written code in many programming languages, including JavaScript, Python, C, C++, Java, Ruby, Rust, Common Lisp, and Scheme. I eventually got a Computer Science degree as well.

None of these things are magic, and the info is relatively easy to get. You simply have to keep learning and be willing to try new things. It can be fun, too.

Yes, today it can be helpful to specialize at any particular time in your life. But I think it's best to use that as a launching pad to branch out.

Jack of all trades, master of none. I don't think it's bad at all: at least you can specialise at something (quicker) whenever the need arises.
It's relatively easy to learn a new language (for example) when you think, "this is like x, this is like Y, etc."

I guess my key point is that you always need to keep learning, and don't box yourself in too much. Ideas from elsewhere will show up... being aware of them makes it easier to use them and be ready for them.

I dispute this: I do not think you need to understand the whole stack to know using what effectively is "god mode" access is bad practice.

Even if I pretend I don't know anything about AWS, if somebody handed me credentials with access called "FullAdminAccess" and told me to use them for my little script that only needs read-only access to S3 I would be extremely skeptical.

The reality is that the culture at Infosys seems to place zero value on security of customer data.

>Even if I pretend I don't know anything about AWS, if somebody handed me credentials with access called "FullAdminAccess" and told me to use them for my little script that only needs read-only access to S3 I would be extremely skeptical.

If you ask for an access key for your little script and get one, you usually only check if it works for your case and not always check if it has any other access, so I can easily see it happening without proper access controls.

It might not necessarily be the developer who's at fault, my point is more that somebody in the chain knew the request was for S3 read access and the key was for FullAdminAccess.

At my job the alarm bells would be ringing and they would bring this up, but Infosys doesn't seem to have a culture that promotes that kind of security awareness.

I agree, but that tells me you are much more detail oriented than many developers I've worked with. Most devs at the 70-100k a year range are phoning it in 9-5 and only check exactly the boxes a PM and QA person make them check. I very rarely see developers who are in the standard deviation below median make that kind of check. These are good productive developers who get lots of tickets done.
When do companies finally start adopting the `security.txt` proposal (see https://securitytxt.org). Would have made a big difference!

EDIT: That GitHub user is gone for good.

I'd really like to see a bugs.txt as well. The amount of large sites I have repeatable bugs on with no way to report the is frustrating.
Wow. Really crazy. I know it was not right to revoke the key, he touched into their system. He probably broke someone’s production.

But it was also absolutely the right thing to do. A god mode key floating around for over a year unrevoked, with real human beings’s medical data on the other side… I am glad the post author revoked the key. It is probably too little too late but they did close that door and maybe saved someone some pain: not the negligent development team, but a real patient and human being, perhaps many of them.

The lesson here is that there are things worse than downtime. Yeah the site being down is bad but hey, what's worse? Leaking PII all over the place.
I tried to highlight this in the post, but the key is a personal user one tied to an email, and the worst that I expect would happen would be that some training scripts break.

If this was a production key or something that seemed like it would cause financial harm/downtime, I would have never deleted it.

Honestly, with this level of competence I wouldn't be surprised if the same admin user credentials were used in application/lambda processor/whatever there is. Not at all saying you shouldn't have done it though!
Sadly, if you measure "worse" in selfish financial terms, the site being down is probably worse for you.
Pretty sure GitHub runs a system that will automatically revoke every (AWS and other) key to ever become part of a repository.
Not in my experience dealing with customers who had AWS email them saying 'Hey, we found one of your keys on GitHub'.
I’ve worked on a team where Github was the one who reached out about a leaked AWS secret key, not AWS. They apparently usually do this a few minutes before the key makes it into their search index. It’s not much but it’s better than nothing.
That evidently didn't happen here.

I do remember reading about that too though, maybe it missed it because it was JSON data not a variable definition or something?

https://docs.github.com/en/code-security/secret-scanning/sec...

I can't find anywhere that specifies the actual pattern though.

They have the tools to do that.

You might be horrified by how many shitty developers want all the good guardrails GHE provides switched off, and how many managers will support them because they're a "superstar who gets things done".

Not automatically since that would lead to them getting sued, no?
GitHub always freaks out at me when I include text that even looks like a PEM cert. Too bad they can't scan for AWS key / secret variables too.
They do, this was likely in a private repo which isn’t scanned.
I pretty sure had a PEM cert in a private repo and was alerted. Is this in their TOS somewhere?
You can opt into secret scanning on private repos, but it isn’t default when I last used it.
What are the chances someone goes and gets a new key and then immediately checks it into git on top of the old key?
Is it possible to create another god keys with this key? Will other keys expire also?
(comment deleted)
Yeah, that's an excerpt from Wikipedia. But when I see these lines I actually read "money laundering" and "scam".
Answer by GPT-3:

> How is information security in Infosys?

Information security at Infosys is implemented through a combination of technological and organizational measures. The company has a dedicated information security team that works to identify and mitigate risks. Technologies used to protect data include encryption, firewalls, and intrusion detection systems. Organizational measures include employee training on security policies and procedures.

> teams that works to identify and mitigate risks

Complete failure by team to not see super user permission as risks

> intrusion detection…

Clearly the did not implement AWS CloudTrail threat detection otherwise when op accessed the account it should have raised alarms, so its just plain lie

> …training on security policy

So the GitHub user probably skipped those considering them boring. And instead of reporting their own failure chose sneaky way to make it go away hoping no one will notice

I believe that the OP of this comment thread has been unfairly downvoted. It was irony, right?

Sigh.

About as useful and informative as the output from any Infosys contractor. Did you do that on purpose?
> To put it bluntly, I’m not sure I trusted Infosys to revoke this key in a timely manner. So I did it for them with aws iam delete-access-key --access-key-id=$AWS_ACCESS_KEY_ID, and now the key is useless:

Hilarious. Infosys is a known "mass recruiter" in indian colleges. WITCH (Wipro, Infosys, TCS, Cognizant, HCL) companies is where talent goes to die. No competent employee stays in those companies (from what I've witnessed). Wouldn't be surprised if this turns out to be just the tip of the iceberg, because putting people with 6-12 months of programming / computer "experience" (that they only signed up for because of the money) in charge of major production systems is a recipe for disaster.

>No competent employee stays in those companies

Absolutely true from first hand experience.

Imagine being a top performer doing great work for a company whose managers insist on wasting your time putting you into needless meetings getting you to explain how you're doing everything all through badly communicated text with typos and misspellings.

Well, at least it got Rishi('s wife) rich.
I had some contact with Wipro. It was their standard operating procedure to call us up and yell at support team members that X "Hasn't worked for months and you haven't done anything." + escalate up the chain as high as possible to put pressure on the tech support staff from some other vendor, when in fact they just opened the ticket. They would lie and reference the first old ticket they could think of and say it was the same issue (it never was, they wouldn't even lie well enough to reference the same equipment).

They would declare everything was a P1 ticket and demand it be fixed immediately. Then we would get some output from the machine or even remotely access it and find that outside of testing at the factory this was the first time it was powered on. When we would ask them for configurations ... they were evasive.

If you got their end customer on the line you would find that they had been lying to them for months. This happened a lot ...

> Infosys is a known "mass recruiter" in indian colleges. WITCH (Wipro, Infosys, TCS, Cognizant, HCL) companies is where talent goes to die.

This could be true but you cant really generalize and it has nothing to do with the article. Infosys is not the only company leaking keys online. pretty sure tons of Amarican companies have done that

I think that post goes on to explain why that might be relevant.
(comment deleted)
Infosys bot spotted. 'Amarican' companies eh?
> Cognizant

Someone hired those clowns as contractors as extra in a previous job, to loud protests from our development team. They produced what was quite possibly the most chaotic, copy-paste, typo-laden code I have ever seen in my life.

This is hardly surprising. Most of them would be completely clueless about the code they've "written".
Fun fact: Mozilla projects are now developed in part by Cognizant Softvision, including Firefox for Android. Their employees are everywhere on Mozilla bug trackers, and their numbers seem to have increased since 2020, right after Mozilla fired a quarter of its workforce.

https://www.cognizantsoftvision.com/blog/pedal-metal-mozilla...

This pisses me straight off. Someone needs to fork Mozilla (the company) and bring back its hayday culture.
they went woke, and are on the path to go broke. Sadly, they’re the only mainstream competition to Chrome.
> and are on the path to go broke. Sadly, they’re the only mainstream competition to Chrome.

Is it overly cynical of me to wonder if this is Google's doing? Setting someone to infiltrate Mozilla's management and sabotage it, with the long-term goal of killing all serious non-chromium alternatives.

I don't know about the woke thing, I figure it's more likely to be about removing ad-block friendly API's in Manifest V3 (and presumably even more hostile changes in some future Manifest V4).

Nobody wants firefox to stay around more than google. Its one of their few escape cards in an antitrust trial for browser monopoly.

And the woke thing is non sense.

Nobody wants firefox to stay around more than google. Its one of their few escape cards in an antitrust trial for browser monopoly.

Google wants Firefox to stay around, but in a form that's much closer to Chrome. Of all the browsers that still have significant userbase remaining, Firefox is an "anomaly" in that it's one the user has more control over, and Google is slowly trying to change that.

Already happened years ago, if you want the old Firefox with XUL extension support, full themes and zero tracking as it was before they started copying Chrome in 2011, give Pale Moon a try. It's an independent fork, the last independent browser left, with its own rendering engine Goanna that is a fork of Firefox's Gecko.
This is a #TIL to me. I'm not sure I would trust these Mozilla projects going ahead.
Luckily, if https://wiki.mozilla.org/QA_SoftVision_Team is any indication, they're mostly babysitting test suites and reviewing submissions to the add-on store and stuff. (That and developing Firefox for Android, but Firefox for Android has sucked and included tracking SDKs for years now.)
I've seen Infosys-produced code that there was no way it was going to work... turns out that after I googled it, multiple lines were straight 1:1 copy pasta from multiple StackOverflow answers - just jammed together in the hope that something would work. I was shook.
This is unfortunately common even outside of Infosys. I've experienced it at several of my former employers, although admittedly more in China than in other countries I worked.

It's interesting when you sit beside a developer who does this kind of stuff in a pair-programming context, because it immediately becomes clear that they really don't have a clue how to read and understand code in the abstract. Their process is literally copying and pasting stuff that seems similar and then running it until some arbitrary happy path test passes, not considering that it might only be passing by accident, or that they might not even be testing a real business scenario, or that there are now a bunch of unused and misleadingly-named variables floating around. And when you point that out, there isn't even a lightbulb going on that perhaps they should try to clean things up or adapt the pattern to better fit the specific use case.

I've always attributed it to a mindset that doesn't really take quality into account. And it's hard for me to argue the point when I have also been "guilty" of doing a quick hack solution or employing YAGNI to build something that might not be DRY or especially elegant but does work to solve the problem. People who just throw everything at the wall until something randomly sticks believe they're doing the same thing. Who cares if the code is unmaintainable or not performant? Who cares if there's a bug? They still get paid anyway, and the corporate machine just keeps rolling on. So - from their point of view - why make the extra effort? For me I think it's just a neatness or tidiness compulsion that makes me want to try to make code clear, robust, backward compatible and maintainable. But realistically even if I didn't do that, I'd probably still be 20 years into my career and working as a senior dev, so what's the difference?

It makes me sad.

I don’t know you at all aside from this post, so I could be off the mark, but I suspect you need to find a better place of employment. Places where people exercise discretion and aim for quality and ship quality do exist. They are not the norm, but they absolutely exist.
Thanks for the suggestion. I am pretty happy in my current place of employment where I fortunately haven't (yet) encountered this, but I have definitely been surprised in previous jobs where I encountered it despite hiring standards that theoretically should have rejected this type of candidate at the outset. I have even worked with ex-FAANG colleagues who had this approach to development. I have come to think there is only so much you can do to try solve this in the hiring funnel... Eventually people who don't code very well or don't take code quality seriously will slip through, especially in larger companies.
Man, I echo the same sentiments. Even I too have this compulsion for neatness and tidiness and find it near impossible to work on completely messed up code.

>But realistically even if I didn't do that, I'd probably still be 20 years into my career and working as a senior dev, so what's the difference?

Similar thoughts. Looking back I think about all the time I had sacrificed to make myself better but for what? There is no value for this as I have seen totally incompetent people still standing and moving much ahead. The corporate juggernaut does not give a damn about workmanship or quality, something I learnt later in my life as I took a pause to catch my breath.

Somehow this triggers memories of (among all things) taking exams when I was a student.

Unless you prepared well, there's often some exam questions you are clueless about, and yet there's usually no penalty for writing some bullshit in the hopes of accidentally getting a partial score. So what students are trained to do is to write whatever bullshit that seems to be relevant and hope for the best.

I realized the mindset that makes me a quality-conscious programmer is actually the anti-thesis of this. In fact during my later years I almost couldn't do that exam-bullshitting any more. It feels so bad writing something I don't understand that I almost couldn't do it.

This might be offtopic, but I guess many people who don't have a natural OCD-tendency to deeply understand their work and care about tidiness might have to actively unlearn what they trained for at least a decade in school...

> No competent employee stays in those companies

I gotta say, this explains so much.

We have a FTE who came from infosys and he's very good. I have such a hard time squaring that with the team that submits an initial PR with the bin and obj directories checked in, then follows it up by adding .gitignore.txt file before FINALLY submitting a .gitignore file. And then finding them representing currency as float, or finding catch statements with a single line that rethrows it, as below (C#)

// this form throws away the stack trace from the original exception. catch(Exception ex) { throw ex; }

And when asked why this exists they add logging to it

catch(Exception ex) { _log.Debug("Unhandled exception handled.", ex); throw ex; }

----

I could go on, but the ole eyebrow just twitches whenever I think about infosys.

But then I see this other person who came from infosys. It's like trying to understand how that 6'11" basketball player came from that family who has no one over 5' tall.

Rationally I know strong technical folks can come from these companies, but damn... how? There's another poster claiming everyone makes mistakes, but no, many of the mistakes they make are not reasonable.

They employ a quarter million people. Quality may vary…
Yes. There are a number of highly skilled and talented people in Infosys and the other WITCH companies, but they're generally staffed only on the most prestigious projects and tend to move on fairly quickly. As another commenter said, in most cases they got recruited straight out of college.

So it's not that everyone at companies like Infosys are bad, it's that their hiring standards are so lax and hiring rate so high that the large proportion of their engineering people are mediocre at best, and that's why most engineers at European or American companies would've been exposed to.

The typical model of a WITCH engagement is to get a new client project that requires, say 100 engineers, and immediately go to market to hire 90% of them because they don't have a bench. Screening is minimal. They're then heavily micromanaged on the project for the first few months, where it's expected that at least half of those people will fail and either their manager or the client will demand they get rotated off and then sacked. They're replaced by another cohort freshly hired and the process repeats until you have a stable-ish team of good-enough competence about 8 months in.

It works because it's still cheaper and easier for big corps and big projects and the delivered quality is fairly shit, but still acceptable. And the margins are so good that in the rare event there are late delivery penalties they're fairly easily absorbed.

He must have joined Infosys at 'on-campus' recruitment. Infosys and other companies might have visited his campus, he gave a sort of test and he was selected. Sometimes, once you pass an interview, you aren't allowed to try for other on-campus companies. So he was 'stuck' with Infosys.

The other reason is that programming as a hobby during college isn't a thing in India. (This might have changed in recent years). So you only get a chance to really mature as a programmer in the first few years out of college. So when he was ready to move on from Infosys, he had matured, but still had the Infosys 'stigma'.

And then it's really a numbers game. Infosys has hired millions in the past decade or two.

Emphasis can be a good way to get visa endorsement for finding a better job. Also sometimes people who are booksmart are not streetsmart and end up working for a bad company.
Tier 1 companies generally hire from tier 1 colleges. Tier 2 and tier 3 college students are either ignored or not able to make it due to lack of quality education.

But those talented students take up any job offer they get (I.e. WITCH). when they get experience, they switch to higher tier companies.

There are many talented folks at WITCH companies, they just don't stay there.

Programming/anything to do with PCs in India is a rich man’s hobby. Tinkering is not encouraged in colleges in the country. In any case this is a big country with a lot of talented devs. But for the same reason the pool of mediocre programmers is also pretty big.
>Programming/anything to do with PCs in India is a rich man’s hobby.

This is not true. We had a good culture of self assembled PC enthusiasts in our district. This was in early 2000s. In fact it has reduced now maybe due to lack of interest or something even though the prices of PCs have dropped significantly. I see many people use their PCs as locked up phones with no curiosity of hardware.

>Tinkering is not encouraged in colleges in the country.

This sad state is still present to this day and it has become worse as the hardware gets more and more locked down. I don't see much interest in Linux in the younger generations.

>This is not true.

It is absolutely true. Just because you don't consider yourself rich doesn't mean that these devices aren't out of the reach of a vast majority of the population.

Almost everyone has access to a smartphone, but most of those are poorly made, overheating pieces of plastic - barely suitable for use as a phone, let alone as a computing device on which you can learn something.

In my second statement, I'm also trying to say that though you have a huge number of people in the workforce who haven't had easy access to computing devices, there are also many who do (in absolute numbers but not in percentage). But the numbers are such that given an average Indian programmer, they are more likely to be someone who got educated in a substandard setting among unmotivated peers who have an aversion or even a fear of tinkering and putting a big investment (like a PC) at risk.

People who have money to get a PC as a hobbyist do it for unworthy reasons - like the chance to play garbage tier games like pubg or whatever, or becoming an influencer. This is a generalisation but it will affect the probabilities.

The resources that we have now is way better than what we had in our time. The interest amongst students have been more or less the same.

>that given an average Indian programmer, they are more likely to be someone who got educated in a substandard setting among unmotivated peers

This too has not changed much from our time to now. The changes I have noticed in students is the rise of memorizing leetcode type problems due to the plentiful jobs now which need this skill for interviewing.

(comment deleted)
Imagine trying to debug a issue in the middle of the night and you go to the logs to find "Unhandled exception handled." dozens of times.

I'd probably just quit.

too bad, it's a great company name that inspires confidence... until you read a comment like this!
What about Sapient?
AWITCH ... you forgot Accenture
Glad to find this mentioned, Accenture is absolutely an offender.
I have had some ridiculous situations with them. For one the developers in Bangalore Delivery Center 8, and what do I know, all of them?, had to work with their private computers.

A unix engineer could only work with Aix Tar and would not touch GNU Tar on Linux, because his manager had not approved it.

Onshore engineers flying home to India due to a stomach ache, instead of seeing a doctor for free in the host country due to being afraid. Of course messing up the flow of our projects.

10/10 will leave jobs to avoid such projects and situations again.

> Onshore engineers flying home to India due to a stomach ache, instead of seeing a doctor for free in the host country due to being afraid.

This feels like an exaggeration to me, although I'm open to hearing specifics to the contrary. I know of (non resident) immigrants who delay medical visits and treatments until they get back to their home country, but flying home (spending a good deal of money on air fare) for just a stomach ache sounds pound foolish, which immigrants generally aren't.

It happened, that's all I can say. At times banality knows no limits.
These companies literally do not want to hire competent people, because they know they won't stick around. Their business model is to hire the absolute bottom of the barrel engineers, pay them the tech equivalent of minimum wage, and sell "consulting services" to overseas firms that don't know any better.
Lol, I love how he just opted to delete it. Great on ya for having some balls instead of walking on eggshells like most of these security back and forth dialogues.
Reading the recent posts about an Android bug and how difficult it was for the researcher to get them to fix and how he was reluctant to disclose or even threaten to disclose reminds me of a time gone past of… harder… type of hackers.

It’s like the completely backwards on the wrong foot.

In good old days you could do a lot without some massive Corp dragging you to court. Are you willing to risk years of self-funded courtroom process which may not turn out well for you, just to show how hard you are as a hacker? I don't think so. We know of cases where even reporting an issue caused lawyers to threaten you without any upside otherwise.
Yea… but I guess I’m from a time that you wouldn’t do any of this under your real name.
[dead]
Well, if they choose Infosys as a company to implement CBDC then at least we are safe for the next 20+ years, because there's no way they complete the project before that time :)
Governments already observe most every financial transaction, either because they run the money transmission system (ACH/FedWire/etc), or because countries with VAT send every invoice to the tax office. It's not clear how a CBDC is actually different from the current system, but insofar as it isn't different, it's not less private.
The Indian cdbc is being developed in-house by the RBI afiak
Is it possible to do a full sweep across all tokens in all Python files (for instance) in Github and find such keys? Can you tell from the contents if it's a key or some such "important" string?
GitHub already offers this - they scan all the code that gets uploaded to look for keys. I think the issue here is that the code wasn't on public GitHub, but the artifacts were uploaded to PyPi
Yep, and if you don't look for them, you can be darn sure someone else is looking for them. I heard about an incident from a friend where a GitHub repo was created accidentally public (ran out of private repos and I guess the failure mode back in the day was just make it public) and that repo had developer level access keys in it. Some enterprising fellow was scanning public repos for this, grabbed the keys, opened thousands and thousands of the biggest GPU machines they could get on AWS and started mining bitcoins. They were nice enough not to delete production to make room for more bitcoin miners.
That's not nice, that's just smart. Delete production, and someone will notice right away. Leave production as it is, and they might not notice until the bill comes due.
The keys here were actually in the published package, not in GitHub, as it seems it was published by accident.

Here[1] are the prefixes used for all AWS IAM access keys. Here[2] is the API definition for an access key. If you're going to search all of PyPy for keys, here's some more keys you can look for: [3] [4]

[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_i... [2] https://docs.aws.amazon.com/IAM/latest/APIReference/API_Acce... [3] https://github.com/Josue87/GiveMeSecrets/blob/master/rules.p... [4] https://github.com/BitTheByte/Eagle/blob/master/plugins/spid...

Heh, your 3rd link must have OCR-ed a PDF or something because "(A3T[A-Z0-9]" is for sure wrong; I'm guessing they meant "ABIA" and then the 4th link must have copied from #3 (based on the commit date) because it makes the same mistake
Many years ago, I did some consulting work on a project that had been "delivered" by Infosys. It was, to put it lightly, a complete and utter mess in every way. Just from a security vulnerability standpoint, it had: SQL injection, plaintext passwords for user accounts, zero protection against URL manipulation, etc. And those are just the ones that come to mind immediately.

Glad to see nothing has changed.

Infosys, the UK prime ministers wife's families company.
This kind of stories is one of the reason I visit Hacker News. Thank you!

It's funny and annoying to read every week or so about another epic fail of a multi-billion "multinational information technology company". Good luck with outsourcing your critical services and medical data to neurodivergents.

Thanks again for making my day.

Not outsourcing, its incompetent engineers. Do you know how many american companies got hacked because of 200k enginners istakes?

Still some american banks store user passwords in plain text, Allow sim awapping without a proper check and so

Yep, I guess you are right. But I think that some of those engineers come from Infosys-like companies, so they do exactly what they’ve been taught and what they are accustomed with. IDK, maybe it’s a cultural problem? Or is it a problem of following best security practices?

I understand that it’s useless to seek answers to such questions. Let’s leave it to philosophers. :)

> neurodivergents

Can you please explain this?

It's good old-fashioned racism.
Sorry, but it is not.
In another comment, you ponder whether it is a "cultural problem". Yeah, sorry, but it absolutely is.
What I actually meant was “corporate culture”. Culture != race.

Thanks for reviewing my comments, though.

Infosys is long known to be incompetent as an organization among people who have experienced their brand of greed and labor fraud; I highly recommend you avoid them as much as possible.
In a world filled with more competence and less corruption, Infosys would have gone bankrupt 20 years ago. But here we are with Wipro, Infosys, TCS etc. all chugging along.
TCS -> US$25 billion Revenue in 2022

InfoSys-> US$16 billion Revenue in 2022

Wipro -> US$10 billion Revenue in 2022

I want to get out of this Universe and get into one that makes sense...

This universe makes perfect sense, you just don’t want to accept underlying equations is all.
I think the coming recession will help that along ;) There's going to be less fraud and we'll find out who's been "swimming naked" when the tide goes out as Mr. Buffett likes to say. Like FTX..
I don't believe software development is their bread and butter. Traditionally these companies are known as "systems integrators" which basically means they have armies of people who have RTFM for popular enterprise software products and will provide you with bodies who sit in your office and install or provide support for the product.
The GitHub user instead of reporting incident to their security team chose to take sneaky approach to remove the keys fearing the actions from company.

They will be fired and instead of retrospectively improving the security Infosys will ban all OSS contributions from their developers.

(comment deleted)
You assume they have a security team :)
They will have ten security teams at the minimum. You assume that their teams know what security means though :)
This is an accurate assessment. Having worked for companies similar to Infosys, I can confirm this.
> Infosys will ban all OSS contributions from their developers.

Sounds... good to me?

Wow. Just wow. Not going to even unpack the levels of ineptitude this went down.
Can you please stop posting unsubstantive and flamebait comments and otherwise breaking the HN guidelines? You've been doing it repeatedly, unfortunately, and we have to ban such accounts.

If other people are wrong or you feel they are, you're of course you're welcome to post substantive comments explaining why. Other users in this thread have modeled that quite nicely: e.g. https://news.ycombinator.com/item?id=33635659. But snark, name-calling, and swipes are not ok—they're not what this site is for, and destroy what it is for.

If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and taking the intended spirit of the site more to heart, we'd be grateful.

Infosys = if "I have a friend that does it cheaper" was a company
(comment deleted)
I applaud any bad press on InfoSys. I picked up contract gig through them a few years ago. Here are some of the takeaways from my short lived experience: - It took them over two weeks to send me a computer. - They cancelled PTO for everyone. (this was the most egregious single thing they did) - They had absolute worst internal site for accessing HR documents and accessing personal resources. Just a maze of links. You could only access it via Internet Explorer (I swear I'm not joking). Everything took forever to load. It was like stepping back into 1997. - When I gave my 2 week notice, they refused and said I 'owed' them at least a month. LOL not sure how they think they can control people like that. I gleefully told them to 'deal with it'. This happened about 45 days after I started as it became obvious very quickly how bad this company treats people.
was in a client position (Infosys was contracting for the companied I worked for). Absolute worst processes in the world. At one point they blocked legit dev domains in their firewall and took 3 weeks to unblock a mongo db after vehement protests. DON'T touch Infosys with a 100ft pole
> You could only access it via Internet Explorer (I swear I'm not joking).

That has been in the case in most investment banks as well.

> When I gave my 2 week notice, they refused and said I 'owed' them at least a month. LOL not sure how they think they can control people like that

To be fair, in many countries (probably most developed ones) there are regulated mandatory min and max notice periods. E.g. in France the standard is 1 to 3 months, negotiable of course.

When attempting to look at the git pull request files changed details [1], Github returns a server error.

Any ideas why?

[1] https://github.com/orf/pypi-data/pull/2/files

The article mentions a takedown notice they received from GitHub instructing them on how to remove certain content from their repo. I'm guessing maybe this PR contains some of that content they were asked to remove, and there's a bug in GitHub when rendering a pull request page that references deleted content?
Interesting that pull requests 1 and 2 on that repo cause a 500 error when I try to view their diffs. Is this due to action on github's part to try to suppress displaying of the keys?
> Johns_Hopkins_Hospital/Input/Excel/Covid_patientdetails/covid_patient_details.xlsx

Should I file the HIPAA complaint, or has someone else already done that?

(the stupid government website for filing complaints is, of course, not loading for me now)

I feel a very satisfactory kind of schadenfreude at the idea of you filing this HIPAA complaint.
Pro tip: https://www.hopkinsmedicine.org/institutional_review_board/h...

The breach notification to HHS typically comes from the covered entity. They often have the information on exactly what PHI was out there, how many individuals were impacted, and can provide the right info to HHS.

And with my experience in healthcare IT, I can say privacy and compliance officers take reports like this incredibly seriously. Those might not be the right people but getting an email to compliance folks inside the covered entity and saying “here’s a likely breach” will absolutely get the ball rolling.