Is the kind of complete negligence, carelessness and shabby-sloppiness exhibited by UIDAI to be the hallmark of Digital India?
India is rumored to have made great strides in the field of Information Technology — or so we are told. While the public is treated to Big Words such as: “continuously updating security parameters” and “threats in cyberspace”, the ground reality seems to be rather different. Well, in the interests of our National Security, let us take a closer look.
We please urge our reader to refer a statement issued by the UIDAI itself, for example in New Indian Express dated 5 March 2017.
Statement by UIDAI as reported by New India Express 5 March 2017 :-
“The UIDAI, the statement stated, is continuously updating its security parameters looking at the new threats in cyber space. “It also undertakes security audits and takes necessary steps to augment its security features. UIDAI has decided to have registered devices for capturing biometrics data and further that such biometrics will be encrypted at the point of capture itself. This will further strengthen the security features of the UIDAI Aadhaar eco-system ..the statement added.” (Italics mine)
Subscribe to GGI via Email
Well, do we wake up in March of 2017 to hear the UIDAI telling us that it has decided to have registered devices for capturing biometric and that further it going to start encrypting the biometrics from the point of capture itself. DO THEY EVEN REALIZE THE IMPLICATIONS OF WHAT THEY ARE SAYING AND ADMITTING TO?
So then are we hearing that in the Year of the Lord Jesus Christ, 2017, the UIDAI of the Most Prestigious UIDAI Aadhaar Project of India woke up to the realization that data should be encrypted from the point of capture itself, and that you need to register the devices on which the Biometrics are being collected??
It took them several years to come to this realization?? While, as they claim they may have encrypted the biometrics data of Indians while it is inside their database, where it is relatively more secure, and shout “our databases are highly secure”, are we to conclude from their own statement that they are themselves admitting that they DID NOT ENCRYPT THE biometric data of 1.1 billion Indians at the most vulnerable points (where the encryption is much more required!!). They are going to start doing it now?? …What were they doing UPTO NOW?–and they are themselves thus admitting that the Biometric data of 1.1 billion Indians was collected on un-registered devices that they did not know about? And then not encrypted immediately..?? Then at what point in the data flow path did they start the encryption?? How did they ensure that they have deleted the data immediately after encryption from the flow-path sections prior to the encryption– before it could be siphoned off by un-scrupulous elements in the earlier segments of the flow-path? From the standpoint of security theory, if security-critical data has been sent on any segment of the architecture without encryption, it should be treated as security-compromised.
This is what they themselves are admitting to…… If they committed this kind of a blunder in the initial architecture, should they have been careful to keep quiet about it? Or should they have by mistake have “admitted it”, that too after the data of 1.1 billions Indians should from the security standpoint be treated as security-compromised? What punishment should they themselves be given under the Aadhaar Act 2016? What sort of a joke is this?
If they have committed this kind of an architectural-design mistake, what other mistakes have they committed?
Did not even one single one of the millions of these IT-professionals in the country catch this serious, un-pardonable breach of security? Are you telling us that the biometrics of 1.1 billion Indians could have been lifted off from the point of collection itself? That they were not encrypted immediately? Fingerprints – which can be easily replicated using hardware and software and a polymer for a few dollars –can be obtained, of millions Indians, just from about any collection center? Is that what they themselves are telling us?? When the rest of the world is moving away from Biometrics, why did we not see the numerous studies on this issue done by the West raised by our Indian IT-professionals? If no, they are not fit to be called IT-professionals. Shame on all the so-called IT-professionals of India….
It is public knowledge that the American Firm Price Waterhouse Coopers was given the job of looking into the Security aspect of this project, again by their own statements. Please, Please, may we let these pitiable Indian IT-experts — wearing coats, driving Mercedes-Benz, staying in seven star hotels while Indian farmers are committing suicide at a rate of 30 persons per-day — please know that Cryptographic Security issues for US-Government computers should be checked via a standard called the “Federal Information Processing Standards.” All systems belonging to or purchased by any US-governmental organization MUST meet these standards. Is it surprising (or not surprising?) if the Indian UIDAI project did not follow the same standard, given it was audited by an American Firm. The more general security (not exclusively to Cryptography) should meet what are called “Common Criteria Standards”. These standards span not only the US, but most countries in the world.
Please, may we bring to the notice of our abominably-ill-informed Indian readers who fight like un-educated goons, and so-called IT-experts who may have debated this matter, that there is no such thing as “Secure” or “Insecure”. There is such a thing as “Secure at Evaluated Assurance Level -1” or “Secure at Evaluated Assurance Level-4 ”. Level-1 maybe OK for your home, Level 7 would be for Governmental Security Computers. You cannot simply shout… “WE ARE SECURE” …….. “oh no, YOU ARE NOT SECURE.” This makes Indians look like CAVEMEN — the world already thinks so anyway.
Please, may we tell our readers, that there SHOULD be a document called the “Security Target”, amongst others that should be made AVAILABLE TO THE PUBLIC. This “Security Target” document should contain a “complete list of ALL the Security Claims being Made.” For all security certifications, in the USA and Europe, including that of the high security servers, these documents are PUBLICLY AVAILABLE on the certifier’s website.
We would then have expected at least a few thousand questions based on this from our Indian IT-experts. For, these tragic folk, let take it on ourselves to provide a few examples. A level of detail for cryptography question would be: “Is the Random-Number-Generator (used for the encryption key creation) actually generating random numbers? or are they not actually random..in which case, the encryption Key can be easily broken”…….all the way from this level of detail…..to an intermediary level: “Prove that no process running on the system is transmitting data outside the system”…….. To a far more outer-layer questions such as : “What is the Electromagnetic Emission signature of the device?”; Can data can be accidentally sent-out via the electromagnetic emission? ” to personnel handling protocols: “Who has access to the Device Under test? And What Physical Protocols do they follow when entering and leaving the room..such as check for no pen-drives or other storage devices in the pocket of any and all entering the room”. These and thousands of others like this one should have publicly debated by our IT-establishment, and the results should be PUBLICLY AVAILABLE.
But if as you say, you have been using devices that are not registered, we cannot even think of asking any of these security-related questions? If you cannot ask any security-related questions, how do you start thinking about security? Then What Security in Heaven’s name are you talking about?? IIT-JEE rank number -1 usually picks Computer Science as first choice, and not one question of this kind is seen from the entire spectrum of the IIT-trained computer scientists?
The answers to all these questions should be in the Public Domain, available for public inspection via the internet. This is the way it is done for all devices purchased by the US government. Are the Security Target, the Proof-structures for the Security-Claims, etc for this UID project in the Public Domain as they should be??
Are they not OR Are they? Let us look at the implications of both cases:-
Case 1) If They ARE NOT on the Public Domain: If they are not in the Public Domain, then there is absolutely NO PROOF of any claim of the UID-project security, and however much they shout, it has to be taken that the UID-project is completely and totally devoid of any security, and it would have been the duty of the so-called IT-experts in the country to bring to the notice of the Learned Chief Justice and of the Public that if these documents were not made available for Scrutiny and it would the Universally Accepted Case that the UID project must be taken as having no security protocols at all…universally….minus cognitive-dissonant India…that is.
Case 2) If They ARE in the Public Domain: If they are on the public domain easily available on the internet, then Please May we politely ask, why in this entire debate that was witnessed in India spanning the past several years, NOT ONE SINGLE PERSON, NOT THE IT-MINISTER, NOT ONE SINGLE IT-EXPERT, NOT EVEN THE LEARNED CHIEF JUSTICES asked the First-Question that should be asked:- “WHERE IS YOUR SECURITY TARGET POLICY DOCUMENT?” which contains your “SECURITY CLAIMS”? WHERE IS YOUR LINKING DOCUMENT Linking the SECURITY CLAIMS WITH THE SECURITY REQUIREMENTS? WHERE ARE YOUR TEST RESULTS?”, “WHERE ARE YOUR ARCHITECTURAL DIAGRAMS?” ——– these should be Publicly Available on your certifiers website, and should have been shown to all who wanted to see the, as is the case for all secure systems worldwide. NOT your SHOUTING: “We are secure…We are absolutely Secure…We are telling you we are secure!!!” NOT the Learned Chief Justice of the Supreme Court saying: “We can accept the assurances of security given by them”.
Did you review your architectural diagrams properly? Did you test whether the encryption is being done where it is actually should be? If yes, then how, in Dear God’s name is this report appearing in the newspaper, by your own spokesperson? What a shame !!!!!
Granted the common man of India does not the courage or wherewithal to challenge these big words “Internet Security” or “CyberSpace” but did no coat-tie-wearing CEO of any Indian company, arriving at his Company in a Mercedes Benz and getting a Salaam from the doorkeeper and Secretaries have the courage to ask the question the UIDAI:-
Why in heaven’s name did you not discover this error in the early Architectural Stages of your design? Why did you not see this error in you Security Policy Document..which should be Public?
And one fine morning in March 2017, a common Indian citizen wakes up to learn that the data was not being encrypted at the point of capture via a newspaper-carried statement that stated this by inadvertent implication? Or should we have learnt that the data was not being encrypted from the point of capture via a Test-case-document Review — or more properly from the Architectural Design Review phase itself? Even a basic glance at international security requirements would make this look like an INTERNATIONAL LAUGHING JOKE, implemented by primitives.
It is hard to understand that after so many Indians have been granted H1-B visas and worked in the USA, and returned to India, since the past 20 years now, this same careless attitude continues. Not only today, but fifteen years ago in even a petty American IT company, for this kind of a mistake, the Chief Technology Officer would have been immediately fired and he would not have got a job anywhere else. He would have been laughed at for the rest of his life. What sort of a joke is India’s Information-Technology? No wonder at all that Donald Trump is cutting back on Indian H1-B visas. Perhaps Donald Trump is doing the right thing in kicking the Indian “IT-experts” out. God Bless America.
ALL IT-PROFESSIONALS IN INDIA CEOs, CTO,s developers , project-managers etc, etc. as shown above in either case-1 or case-2 your are gone. You are the representatives of “Digital India”, the glorious path ahead as indicated by our Honorable Prime Minister. Is this complete negligence, carelessness and shabby- sloppiness exhibited by each and every one of you to be the hallmark of Digital India as envisioned by our Honorable Prime Minister Shri Narendra Modi? You have badly let our Honorable Prime Minister down, as well as endangered the entire country.
The security of our whole country is now at stake. We do not want to hold you responsible for this. But, as has been shown above, your knowledge of the IT field is itself highly questionable. Given this, it is not likely that you understand the fundamentals of any other field in society. Please do your bit to tone down the IT-hype before the entire country is endangered. The more serious question of the security of the most responsible members of our society, including the Prime Minister and RBI chief, will be discussed in a later section.
Contrary to what you may think, We are not pointing fingers exclusively at the UIDAI or at the IT-folk alone; In our next sections we shall attempt to see who is actually responsible this state of affairs.
Perhaps, it is time to take a break, return to your ancestral homes, use the money you have earned working as slaves for the IT-sector to buy back the lands you fathers sold away, and start agriculture again first by LEARNING HOW TO GRAZE YOUR DONKEYS…don’t ask the local farmer’s son to do it for you just because you have the money..learn it yourself…nothing wrong with this at all. Oh, by the way don’t be scared…you will not be alone in the village!! You will find there your friends from the IIMs waiting for you. Except that instead of grazing donkeys, they will be driving the bullock-carts….Read on the rest of this document. And by the way for those IIM-MBAs who scream: “You will push us back to the dark ages”, we have reserved a section on the actual cavemen of India.)
Polite Note to Chief Justices of India.
It should be noted however that the former Chief Justices of the Supreme Court have stood their ground to protect the Indian public, although they might have seriously erred in “accepting the assurances” given by the UIDAI regarding security. These issues of Technology are perhaps difficult to grasp given that they are busy with so many other things, and it was upto the IT professionals to educate them. They, the Learned Judges have served their country as well as they could, via the Supreme Court, which any common man in India will tell you has lost most of its relevance. It may be time for them to abandon it to the reality of History. We wish them a happy retirement to their villages where they can perhaps run the more simple village panchayats and pray God to grant them birth in a better society in their next life. No Punishment that the learned Judges can award is adequate for this crime that has been committed against the people of India………
P.S. Request to our Income Tax Authorities of India:
The Income-tax department has been kind in receiving suggestions, and has updated many security practices, based upon inputs from the general public. Please may we bring to the notice of the Income Tax department of India one more shoddy security practice that is still continuing. The Income tax department is sending notices such as ITR-V over the e-mail using for encryption a combination of lower_case PAN number and birthdate (half of the PAN being in the message header and the birthdate being obtainable from the e-mail account). This is poor security practice. Please may we politely tell the Income Tax department that if you wanted to communicate via e-mail, the correct thing to do, is to send an e-mail containing a message “ Notification from Income Tax: Please logon to Income Tax Website to see notification”, do not send any other details via the e-mail. If Individuals can access their e-mail, surely they can logon to the much more secure IncomeTax website, and then download the ITR-V, using for example a simple encryption key that can be set on/from the website. If there are these kind of poor-security-procedures even as of today, it is likely that there are many other problems as well. It is upto your team to find all of them out. It is very un-fair on your part to expect the hard-working-tax-paying public of India to point all of these out to you. IT DOES NOT LOOK GOOD ON YOU IF THE COMMON PUBLIC POINTS THEM OUT, although we may not mind doing so.
Read this explosive hard-hitting myth-buster, a timely reminder for the decadent Indian society; a masterpiece on Indian geopolitics – India in Cognitive Dissonance only in GreatGameIndia – India’s only quarterly journal on Geopolitics & International Relations.
Previous Section 01: Spokesperson of our Nationalist Party…… or Good Boy of England?
Next Section 03: Students of India .…or Criminals of the Indian Government?
Join us on WhatsApp or:
Donate to GreatGameIndia