Wednesday, April 9, 2014

Suing the Government

Should a government department, a government official or an elected minister be sued in the event of negligence or a lack of the services which are promised by the Constitution?

Yes, by all means; but taking any such action requires permissions at various levels, which includes clearing hurdles for the investigation team.

This thought has been on my mind for quite some time and was rekindled by this report about an event in the US: a court recognized that a government agency can sue anyone for not having security in place.

We are lucky that our IT Act has a similar provision, as it expects 'reasonable' security to be in place, and this is good for all – prosecution and defence lawyers alike. I say it is good because everyone will have a great time discussing the definition, scope, inclusions and exclusions of the term 'reasonable security'.

Anyway, there are cyber and non-cyber considerations:

First a look at non-cyber considerations –
A lady alighted from her car and fell into an open drain on Marine Drive the day before yesterday. People have fallen into drains, or off trains because the platform is too low; cars have fallen into ditch-sized potholes; potholes dot all Mumbai roads and can break your neck or back.
So can we sue the Mumbai Municipal Corporation, the Commissioner, the traffic cops and the local Minister for abetment in a conspiracy to murder, or for culpable homicide? If the police (usually) arrest the husband and all the in-laws as abettors in the unfortunate event of a suicide by a lady, then how is this different from the blind actions of the MMC arising from the indecent state of infrastructure, which can kill you at any moment?

Another scenario is when there is a fire and the Fire Department discovers the absence of fire-fighting equipment – they penalize you and take you to court.

Now we take a look at the cyber scenario –
In the country, CERT-empanelled auditor firms are in great demand and there are only 40 to 50 companies which hold the distinction of this honor. The government mandate is that CERT is our cyber protector, and these empanelled agencies are the eyes, ears and hands which will ensure that the Government infrastructure is secure. In spite of all the brouhaha and strict procedure, government websites are defaced and reports are leaked about breaches and hacks in Government departments, banks etc. – all those institutions which place blind faith in the CERT empanelment.
The BIG question is – how come no official is kicked out? How come no empanelled company is de-listed? How come there is no public inquiry into such incidents? Why don't the police arrest anyone from any of these audit firms (they did arrest auditors in the Satyam saga)?
Why is no one taken to court for deficiency in their security infrastructure and for deficiency in service?

Why is no one taken to court for paying huge penalties for using pirated software – not a single company or bank has ever reported this to SEBI or the bourses. And when the cops advise not to file an FIR, are they not abetting the crime being committed by the management?

A shameful event (among many breaches) was the defacement of the CBI website, which then remained 'down' for more than a month. Did the auditor / webmaster / IT / IS officers and contractors get kicked out and charge-sheeted? I guess not!

Will this happen when the insurance market matures, or will this happen when the cyber-police department is sufficiently staffed to handle the volumes? And with every passing day the volume of crimes is bound to increase.
What is needed is a Data Protection Act and better governance (corporate or institutional), but we are all chasing a Privacy chimera – maybe this sounds more fashionable.

Someone has to be held responsible – and we all know who has to stand up. Will anyone have the moral and procedural guts to be the change?

Friday, April 4, 2014

WMDs of a different kind

Just when the world is understanding a concept, we can trust the US Government to come up with some brilliant idea that turns the concept on its head.

Remember Stuxnet? We were struggling with the viruses in the wild, calling them trojans and malware and all sorts of names and then... boom! Stuxnet rises, cripples Iran's nuclear labs and creates a new lexicon entry - APT.

Cut to present-day disclosures - cyberwar and cyberterror experts are yet to digest the contents of TAO or PRISM. In fact, the most respected people in the war business have said (on record) that they do not understand the term "cyberwar".

In spite of such disclosures, governments are buying cutting-edge tools for doing stuff on their perimeter and outside. Armies of developers are creating cyber-weapons (malware) and letting their inner devils run wild.

No one even thought about creating chaos to bring down a government, except the brilliantly evil brains in the American establishment! 

Read U.S. secretly built 'Cuban Twitter' to stir unrest

No one thought of converting the idea of the "Arab spring" into a cyber-weapon!
Except for the brilliantly evil brains in the American establishment :)

And the concept of cyberweaponry is now turned on its head. A true-blue WMD that can be used to spread disinformation, create chaotic crowds, influence thought or engineer civil strife. And that is the easy way to engineer the downfall of a government.

The US government used the facade of USAID to set up a twitter-like portal (ZunZuneo) focused on building a community in Cuba, and used it for a number of self-serving activities. The underlying objective is to influence thought and bring about change by having a democratic government.

So what does this now do for the world? It increases the level of distrust for all business or things of US origin.

I mean, if Facebook starts a misinformation campaign after setting up about 1,000 or more fake accounts, where are we headed?

How about scaring a whole country (or community) and starting mass migration and polarization along the lines of caste / color / religion / language?

Or mobilizing flash crowds in every city to chant anti-national slogans, creating a law and order situation?

In the last few days we have read disclosures which reported that Google and Microsoft have accessed emails without authorization. The Snowden disclosures are still continuing and have not helped in managing the reputations of any of these global corporations. 

There is distrust all around! And incidents like this from USAID will not help. 

However, we have a new WMD and it has to be developed in stealth mode. 

Friday, March 14, 2014

Friday Musings - happy times under the spotlight

Taking a break from the daily gloomy tidings about UID misuse, foot-in-the-mouth pronouncements and government system breaches, let us look at some silver linings and keep the weekend cheery!

A recent analyst report says that the Information Security business is worth $102 billion - happy days for all! Who cares if this spend secures enterprises or governments so long as we can invoice them and get our payment! I can see the India Infosec group members coming together for an all-India F2F to discuss the bulk purchase of high-end Mercs and BMWs in the near future. Ek billion de de bhagwan hum ko :)

Tim Berners-Lee was answering questions on reddit and there are some great quotes - this is a must-read on the weekend. He talks about Snowden, says that whistleblowers may be all that will save society, and says that he favors surveillance for fighting crime (but there must be oversight). Incidentally, he had considered alternative names like The Mesh and The Information Mine before he finalized on WWW.

An extract from the reddit post:
[Question] Did you ever think that the internet would get this big?
[TBL] Yes, I more or less had it nailed down when it comes to the growth curve. I didn't get it completely right --- 25 years ago I was predicting I'd be asked to do an AMA on reddit next week, but it turned out to be this week. Well, we all make mistakes. (no of course not)

Closer to home and elsewhere, IMS, CMS, NETRA, NSA and PRISM are a few terms that bring visions of a surveillance state intruding into every facet of your life. However, this is not the start of surveillance, as it has been around since even before Biblical times. Every ruler and his statesmen have engaged in some form of surveillance on their populace - the level of intrusion depends on the case.

In the Internet age, there has been great debate on the extent of surveillance and the fear of misuse, or loss, of data collected.

So say all the wise people outside the establishment.
So says Tim Berners-Lee too.
Has anyone heard any government say this convincingly? We shall rest our case here and learn to live with it. The debate will continue and the government will do what they have to do against the raving and ranting of the privacy and human rights activists.

There is a lot not happening in the InfoSec domain - good, bad and ugly! Some ugly stuff - I was with a client who had 'obtained' an ISO 27001 certificate. They paid Rs. X for the certificate and then another Rs. 150 for framing it :) .. of course they felt bad that this agency gave them the certificate without the photo frame. And now they were scrambling because a client wanted to do an audit and they did not have a single policy. Of course they did not have a hope in hell and flunked the audit.

InfoSec advisories warn about the insider threat and this may be the biggest example: it is being alleged that Princess Diana leaked royal family phone numbers to get back at her husband - a disgruntled wife causing a data breach! Another one was about the daughter of Michael Dell, who was regularly posting details about her father's travel plans on her FB page while he was spending a few millions on protecting his privacy and security!

BTW - one of the fans on the TBL AMA commented that Berners-Lee does not use a browser! He just pulls on an ethernet cable like a hookah :)

How many of us can claim this power ;-)
However, with dollar dreams I should no longer care about surveillance or insiders - I have the power! (of the ISO certificate!)

With that thought... have a great weekend. 

The world is full of great surprises & the uncommon shortage of common sense is one of them. 

Notice: this is my post on the India InfoSec Mailing list on Yahoo!, a private, closed group of information security professionals from India.

Monday, March 10, 2014

Sadly MH370 is lost and no thanks to the aircraft manufacturers

Malaysian Airlines MH370 loss

This is not the first time an aircraft has been lost over sea and we are replaying the same scenario - MH370 loses contact and is feared lost. Now there is a search operation involving about 30+ aircraft and an equal number of ships.

The question that nags me is that after so many years of technology advances in aviation we still struggle to find missing aircraft, and when we find the debris there is big-time trouble locating the 'black box'. By now this should be child's play. I have a few childish suggestions...
- Why can't Boeing and other companies just embed homing beacons all over the body of an aircraft (it should not add more than $1000 to the cost)?
- Why can't these guys put reflective paint on the body?
- Why not have more than one black box, OR keep a voice channel open to the ground where they can keep recording the cockpit activities?
- Why not have a 'call home' transmitter embedded across different parts of the aircraft?

Then, when you think about all the issues reported about the Boeing Dreamliner, you realize that this is not happening because these guys have yet to get their act together in the flying section - so how can we expect them to be good in the security segment!

It is the same story being replayed when precious lives are lost and the relatives are clueless about their loved ones and how they died!

As I write this there is a massive search operation underway, and in the end we will have a monument somewhere in the middle of nowhere. Security checks have addressed many risks; however, when we think about the hardships which could have been avoided with a swifter search (in the event of an unfortunate mishap), there is no excuse.

Someone from the design teams, or from the FAA in the USA or the DGCA in India or equivalent bodies across the world, should exert pressure on the aircraft manufacturers to do something!

Friday, September 20, 2013

Creating A New World Order on the Internet - SAC5

It was a dark day in Internet history to which the world woke up when The Guardian published Snowden's disclosures about the NSA's Prism program. Then over the next few days we read how the US Government unleashed its wrath, using 'all the king's horses and all the king's men' to get to him in Hong Kong. Since then, the story has taken many twists and turns, bringing grief and embarrassment to the US establishment as every new disclosure peels off the layers of the Prism program and reveals the depth (and extent) of surveillance carried out globally.

As it has turned out - there is no safe harbor, nothing is sacred and no one can be believed. It is akin to the world known to spies during the Cold War, when the world was fractured into the western world and the communist camp.

In those times of strife a few nations rose above the demands of the powers that be to ally with them, and formed the Non-Aligned Movement (NAM). This eventually morphed into regional movements driven by social and commercial motives.

Now, we have been brought to the cusp of another era of global strife and mistrust with the US program that has been spying on practically every human being on the planet. Against this power center is China, which has created exceptional capability and capacity in all things cyber - offensive, defensive, proactive and preventive. The third player is Russia, with its underground players who are also very nationalist, as was proven during the known cyberwarfare attacks on Georgia and Estonia.

Whether a country is aligned to any of these three global players is of no consequence whatsoever because, as per the disclosures, even if you are actively participating in and contributing to the Prism program, you will continue to be monitored and spied upon.

So, maybe the world order needs change and the 'weak' nations need to come together to form their own support and power club. India can lead this movement, in the same way as it led the NAM many years earlier, by forming a South Asian Cybersecurity Capability and Capacity Cooperation Council (SAC5).

The South Asian Council can comprise neighboring countries, Middle Eastern and African countries, with India leading the way. Collectively, these countries can share information, develop joint capabilities, conduct skill enhancement training and form a central response or early warning cell.

Brazil has put out the clarion call for an Independent Internet, and slowly and steadily the backlash against US (and Allied) resources will gather momentum like a tsunami. The Prism - NSA disclosure has implicated US corporations like Google, Microsoft, Facebook etc. and resistance is bound to rise in time. says - let's break away from the Internet! The Brazilians have also protested strongly to the US and this has led to a long phone call between the two presidents.
So is it time for the world to be polarized again and, worse, for the internet to publicly lose its independence and be branded as a tool of American hegemony?

The movement to break away from the dominance of a few countries on the internet has been shouted out. If the South Asian countries ally and form a Council, it will be another power center which will be an effective foil to any type of action to take over this critical medium.

As I have said earlier, this is a new and different dimension and has to be understood and accepted in a different light. Mankind co-exists with the dimensions of water and air, and has to learn to live with ether - better early... before this dimension is destroyed by mankind itself.

Monday, September 9, 2013

Innocence Lost....

Sometime back we lost our innocence. 

When WikiLeaks leaked Manning's files, worms crawled out, affecting the pride of country leaders across the world. Egos were punctured because the cables sent by US embassy minions to their masters were judgmental in nature and revealed "private" foibles and conversations. This has been followed up by Snowden's snowfall, which is more damaging for the US Government and business than for any other government.

Over the past few months, every day we are stripped layer by layer by the revelations of the NSA's prowess for invisible intrusion. We thought the TSA guys were having fun seeing us in whole-body scanners and sharing the pics, but it turns out that the NSA has been having more fun. Move over Guantanamo Bay - that was just a small set of prisoners who could be stripped, chained or flogged – here they have the world at their fingertips, and no one looking over their shoulders.

First one learned that there was access to emails and internet conversations; the next layer included voice conversations; then came location data, followed by the revelation that IT majors like FB, Google, Microsoft, et al. are participating in the program. Along with these businesses, some governments also howled, only to retract when the next revelation exposed their participation and remuneration. It was another shocker that told everyone about the possibility of backdoors in commonly used software and hardware. The world started thinking about seeking safety under cover of encryption and proxy technologies, only to learn that these had been seduced long ago – in other words, encryption technologies have a backdoor.

So, is there anything which is safe? Maybe we have to go back to living in caves to save ourselves from this intrusion, because it seems that the only thing Uncle Sam cannot do is shove a finger up your 455. But maybe that time is not too far off either, what with the Internet of Things promising particle transportation and more!

Yes, our innocence is lost – the new innocence is that "we do not look inside, we only search patterns". The new innocence is that you are just a lump of flesh which eats, breathes, shits and screws, and that's it – simply put, you are an animal and no more. Of course, this is so if you are not the most powerful man on earth, a.k.a. Mr President. Liberty, freedom, privacy and such rights are good to discuss but not to be expected in the face of secret laws and powers available to the intelligence organizations.

In any case, even if you are Mr P there is no guarantee that someone did not dip into your smart phone or that of your wife or children. There is no way you would know, just like the world did not know until it started snowing. Quite possibly Mr Snowden carried some stuff on you, and that is the major cause of the big manhunt that has been launched.

Today, every government wants its own NSA with enough powers to run every sort of surveillance on its citizens. What will be done with the data is anyone's guess – maybe it will help run genocides and pogroms more effectively. Or get to play ghetto-ghetto by segregating people based on caste, color, religion etc. At the cost of development, Governments are spending billions on technology, selling the dream of nirvana that follows through an e-governance portal or a new registration card, and it does not matter whether you can read or write, or whether you have had a square meal in a day.

Innocence lost forever; welcome to the new order. Kalyug is now the C-Yug, where C = corruption, chamchagiri, cronyism, chutiyapanti, conmanship, carpetbaggers, cybercrime, computers and any other C which you can define negatively.

So what is happening is that we are all without clothes, having been stripped layer by layer, and naked to NSA eyes.

I wonder – are we a number or a name in the NSA records? Is this numeric or alphanumeric, with or without capitalization? Or is it a continuation of the numbers given in Auschwitz and Dachau .. that may be appropriate. Will we soon start hearing 'arbeit macht frei', or will it be embedded into our flesh at birth? Are we going to see Mr President in a new role as the oracle from Minority Report?

Mommy, is that what Big Brothers look like?

Wooooohhh !

Wednesday, June 5, 2013

Software Asset Mis-management... who deserves to be hit?

It was another day and I was excited when I learned about another possible 'victim' of the SAM missile. I am putting them here for the record...

Case 1 - Last month a close friend who is the IS head got the review call, and I was happy to help him face the notice and the threatening discussions that followed when he pushed back. Yes, he pushed back, and the License Manager was sort of surprised and changed tracks. Eventually it was a bad one and everyone was smelling bad too. To cut the story short, his company was wrong in the license use - they have a good quantity of licenses but needed more. They were plain lazy and this requirement kept going under against other "priority" budget items. Well, they had to spend about Rs. 85 lacs ($150k) within a week of closure.

So much for the budget! All I can be happy about is that they are compliant and I could help them save about Rs. 40 lacs ($70k) - pro bono work to help a friend.

Today a fellow consultant provided information about a bank that is presently under scrutiny. Now this is different - it is a bank and they are covered only about 15% with licenses. For the balance 85% these guys are using pirated stuff. Well, they are desperately trying to move to open source and I am waiting for them to be HIT. They deserve to be HIT, and HIT BAD, and I hope that the s/w vendor that is reviewing them includes a penalty too.

I did offer to help and may provide advice too, but it is going to cost them if I am called. I know that they will not agree to pay my fees and will just seek advice (which I am not going to offer).

In any case I do not think they can be saved and I will really not be happy doing this.

Am I being judgmental? I don't think so, as it is my prerogative. However, as I repeatedly say - I do not support piracy. Especially if the person (or entity) can afford to buy the software. I am against strong-arm tactics against ignorance bred due to complexity, and will continue to speak my mind whenever I come across an instance.

In the above cases both could afford to buy licenses; one was delayed in purchasing and had a friend at the helm, so I was okay in my support. The other could afford to buy but did not do this on purpose, and deserves to be penalized. If I can get a share of the amount they will have to spend it will be my good luck :)

More SAM and license stories as I keep hunting.