Monday, August 3, 2015

A ban on Porn sites - an exercise in futility

I have always been of the opinion that when countries say ban this website or that, it is only showing off, as there is no way anyone can harness the content on the net.

Many years ago an Indian IT / IS stalwart had said that Google should be banned because Google maps was showing our sensitive defense installations across India to the world. I did have a laugh at the naivete of that gentleman and that of the various people who looked up to him for this "genius's" recommendation. 

Anyway to come back to porn and the love >< hate affair of the so-called purists and Asarams in the country - do they think that our population is what it is because of immaculate conception or that our culture says we should engage only to make babies? Funnily this sort of moral ban keeps coming up every now and then - sometimes it is a woman's skirt, or the jeans or long hair or stuff.

And porn is a favorite bashing subject - Now consider Savita Bhabi  - she was banned and made headlines across the country. Today she is a brand as well known as Ms Sunny Leone. One is virtual and one is real and both brands owe their value to the porn industry. 

The final nail in the coffin and into the argument of all naysayers is this report:

Just check the report to see how much our countrymen and women are enjoying themselves while living a stressful life full of rapes, pothole deaths, corrupt system, scams on chikkis / milk / coal / sports / admission / you name it!

I am sure the ISPs will be shedding tears too because they lose revenue! From 5th place in the porn watching sweepstakes, India will fall down, so what does the government want them to watch? Swamis, Godmen, TV shopping, divya darshan... no Konarak, no Kamasutra.

BTW has this word been banned too? Kamasutra? Will the Government take some preemptive action to protect the Kamasutra copyright if someone puts out a patent on this :)

It is frustrating to see the Government waste time on such orders which can be enforced only to give some comfort for cover my a** thoughts but no way can it stop people from watching porn. Or even make a dent in the porn industry. 

Final words ... like I said to someone - we are going about town talking of bringing a "Swach Internet", trying to clean up other people's sh** saying it is stinking, but we are not aware that the smell is from our own house where the sh** is not cleaned and piles up every day! Check the corner mobile stores for clips or full length movies.... check the books sold on signals and bus/train stations... check anyone selling bootleg CDs anywhere in the country.. check video libraries.. oh oh.. they are in places where the GoI can't reach so it does the next thing to show the "good" work being done by making an easy decision and banning sites.

Friday, July 31, 2015

SEBI cracks the whip! Great !!

a small message from me, in response to this report ...

Dear Mr Sinha - your "sternness" is impressive, to say the least. And though I am not a market operator, I was scared stiff. 

But, a nanosecond later it dawned on me that your reaction to an event in NYC is misplaced here because manipulation in India does not need the support of HFT or technology of any type. The reason is that jugaad flows in our bloodstream and there is not much use of external assistance. Yes, we need these things to happen so we can get ideas, light our 'dimag ki batti' and pirate them in our own way. 

Anyway the original reason for writing to you was to ask you to please first make your mandatory orders mandatory! I mean that a certain IT audit is mandatory but how mandatory it is needs to be seen to be believed. So, if a technical glitch happens how will u know whodiddit - was it the sophisticated algo or the medieval system which gets a mandatory green signal yearly and can be a carrier of drugs or anthrax - drugs to give the exchange a high or anthrax to kill it.
And while we are talking how about a directive for disclosure - yeh to theek hai, I mean scolding and caning the algo users, but what about the hundreds of companies that spend (or blow up) lakhs to deal with data breaches and cyber attacks ... and never say a word about this to their shareholders or to the exchanges.

Sir, in conclusion, I would like to share a recent finding - a majority of humans suffer from technophobia which causes hyper-reactions in the form of controls, penalties and useless continuous monitoring. Other side effects are heightened security threat perception and growth of personal ego to the extent of getting hallucinations of being God's gift to national security.

I don't know why I mentioned this but it just seemed interesting to share with you in the context of my letter (or out of, I mean, how does it matter) .  

It's Saturday.. enjoy your weekend, Sir, we shall all forget the diatribe as Monday dawns. 

Best wishes for algo-free health!

Friday, July 17, 2015

Internet for the oppressed world

A lot of money is being made by the Googles, Microsofts, Facebooks of the world and their philanthropic actions must be appreciated. 

Google has GSoC, supports Raspberry Pi, Code for America etc etc...
Microsoft is legend and the work of Bill and Melinda Gates across the world for healthcare etc is fantastic.
Facebook has a lot of work too and then there is which is a great thought to reach out and provide connectivity but has been at the receiving end of a lot of criticism (I really do not know the details, so you will have to search for this)

In India (my home) the telecom giant Airtel tried to cloak a lot of money spinning into a bunch of "supposedly" philanthropic moves saying they will bring the internet to the far reaches of the country.
Digressing for a moment - I was ROTFL for a few days after learning about this, and then I wept emotionally just thinking about the magnanimous proposal of the moneyed behemoths who brought up the 'airtel zero' plan. It is reminiscent of the subprime mortgage crisis that caused the 2007/08 meltdown.
However this is not what I want to think about - rather I got thinking about the most oppressed places in the world, the war zones, the absolutely poor regions where people may be cut off from telecom services too but need to reach out to the world. 

While we debate "net neutrality" and explore ways and means to milk the system - there are millions who are desperate to connect!
What is needed is to channel the magnanimity to bringing access to these areas where the people are oppressed. In war zones like Iraq, Syria etc where human rights do not exist, it is important to build the groundswell which can stand up against these forces of terror.... and we all know the power of the internet, or flashcrowds.

If the terror organizations like ISIS, LeT etc are using the internet to recruit why not bring the internet to the ordinary people who are suffering and will also be able to share their stories which will be able to counter the terror propaganda.

The Facebooks, Googles, internet.orgs of the world should direct their money, satellites, and resources to these areas and bring about change through the power of the internet.

The internet is recognized as a fundamental right across the world and the unfortunates who live under oppression and in war zones are deprived of this basic resource. Human Rights organizations have to step in to make sure this is also a mandate for governments along with freedom, speech etc. 

Imagine a scenario where a government like North Korea has to fight against the power of a freenet that is available on air across the country. How will the government fight against this power and for how long! A movement which will surely lead to change... !

The question arises that this is going to be expensive so who will foot the bill - and my take is that there are enough benevolent organizations and people around the world who will be happy to contribute - money or sweat. And governments have enough satellite bandwidth that can be allocated for such actions.  

A thought which may be worth looking at! Free Internet in war zones, and against repressive governments ! 


Friday, June 19, 2015

nasscom-symantec will resolve global skill shortage

When this was announced I did have some strong thoughts but kept my counsel to myself. Now when I read the last para in this news item I felt like clapping and kicking someone. 

Just two questions - does the Nasscom-Symantec jodi (couple) really think they are going to resolve the global problem? I want to invite readers to applaud this statement which is bound to make many chests fill with air in the corridors of power, not to mention them being laughing stock of the global community making banana statements. 

Second question - does Nasscom think the country lacks the capability to devise adequately strong training programs? 

Saala no one wants to put money so how do they expect anyone to do this ... just don't have five star hotel conferences and don't stay in five star hotels for a year and you will have enough money to create more than world class programs. Besides, there are many people who travel across the country delivering lectures to LEA, school and college kids and these guys are working selflessly - so is their knowledge worth nothing? Sad to see small thinking continuing to plague these supposedly "national" organizations... especially in a time when they speak 'make in India' and then go "make-out without India".

Thursday, June 18, 2015

Pandora's box opening .. dot SUCKS TLD is here

New TLD goes on sale from Sunday 21/6 - Book your .SUCKS domain
- IndiaWatch
Yes you got it - the new TLD that will be available is .sucks and there is bound to be a big rush on opening day. If you have a big brand, trade mark or a well known company or celebrity client - make sure you book the domain name before any of the trolls, criminals or dirty guys get it.
It's like someone rushing to get or and the Congress party looking for or the BJP getting their hands on
Looks like fun or more litigation, claims and counter claims. The domain registrars will make it good and so will my lawyer friends.
So be prepared to do this immediately if you want to protect yourselves and your clients. Oh yes the domain squatters will be also out in full numbers at the 'first day first show' to take the names and then sell them back at good profit.
It seems there was a "sunrise period" (…) during which trademark holders could apply and protect themselves, but IndiaWatch has not seen any media report which could have brought this to the notice of stakeholders. However it will be interesting to see how this works out in the country and how the judiciary will address this new threat to IP and reputation.
The .sucks registry is managed by and they have a few other TLDs which are pending approval. Quoting the report on The Register, Momentus defends itself, saying it is empowering consumers to start conversations about brands. It has therefore created an "advocates program" that gives away free .sucks domains to "cause-related, customer service-driven and politically partisan websites among an even wider set of domains devoted to helping people make a point and rally a community."
You want one? Pay $249 - check out the pricing. And if SUCKS is not good enough wait for dot-GAY or some other controversial TLD.
As for me.. I am old school and believe in not doing bad to anyone so I hope no one wants to do something bad to me so I am sticking to dot-COM.. man I cannot afford 250 bucks and try to fight the world.

Wednesday, April 29, 2015

Information Security Buzzwords

Every year (or is it every 6 months) we find a new trend in the IT or IS world and this is seized upon by all and sundry. Conferences revolve around these buzzing trends, million dollar business is contracted and zillion dollar investments are made by VCs and folks with lots of money!

I got a start with this article from the CISO platform website and added some of my own thoughts... 


Threat/Cyber Intelligence
Everyone who is anyone in the security business is talking about TI and offering it. Many different flavors and definitions but whether it is providing value to anyone is everyone's guess. In any case, someone's makin' a good load of money here.
Internet of Things - IOT
IOT is hot hot and hot.. and it is huge. Every product is good for IoT, so is every threat and vulnerability and risk. Be prepared for more FUD and a lot more happiness. Who will win the game - anyone! However, we will see both - the IoT vendor and the security practitioner making good. 
I have seen one organization offering IoT training! Don't ask me what the training does but it is offered regularly and costs about a 100 bucks. 

Software Defined Network or Software Defined Perimeter
Not yet a mainstream buzzword, and I too came across it quite recently. SIEM is passé and this is it. It will be quickly climbing up the MQ and you will soon hear it more frequently, so keep watching the space.
Everyone is setting up a Security Operations Center! Don't say SIEM because it is the only thing in the SOC.... old wine new bottle. What will a SOC do is still being investigated. 

This seems to have lost its bite and the FUD associated with APT doesn't seem to be as scary. Or maybe humanity has developed immunity to this strain.
Were big things and every enterprise was mucho concerned about this. Whereas there was no reason to really worry because there is nothing you can do to stop the march and onslaught of mobile devices. This is like telling your workforce not to wear shirts or pants to work!
Other Notable Keywords (from CIO Platform)
Some other notable keywords seen at the floor:
  • Mobile
  • Cloud
  • Phishing
  • Insider Threats
  • DDOS
  • Risk
  • Analytics
  • Passwords/Identity

If you have any suggestions please submit and make this list more interesting :)

Friday, January 2, 2015

(Indian Government) Strategy / Planning Deficiency in Cybersecurity

Jan 04, 2014. This article has been updated based on feedback from friends in government.
The India news media is going ga-ga over the proposed cybercrime panel announced by the Home Minister.. but, not me! I have serious reservations about this activity and hope good sense prevails before the panel gets to work! In case you missed the news, read it here on Deccan Herald, and here on TOI or search online.

It is an accepted fact that the world is technology dependent, and, that governments and infrastructure will come to a halt in event of non-availability of IT resources. Doomsday and Pearl Harbor scenarios are thrown up by world leaders and every malicious incident is termed as cyberwar accompanied by appropriate war-drum type noises by Presidents, ministers and ministries.

Governments, globally, have a common objective of the necessity of securing their information – whether to keep state secrets or keep their black deeds secret or to steal someone else's secrets. Some are creating armies of cyber-warriors while some are deploying cyber-mercenaries to achieve their goal.  

A number of ‘so-called’ third world countries are defining their IT and Cyber Security policies and working hard (and fast) at building internal capacity and capability. These are strategically planned efforts with clearly defined objectives (we want to be the technology powerhouse in our region in 10 years time).

When we compare such activities with those at home one can only hang our heads in shame! Since the advent of the internet in 1995 and the IT Act we are yet to see any national strategy or workable plan. Yes, we have seen non-working policies and delusional visions of our leaders (India is IT Superpower, Mumbai will be Shanghai, BRTS in Mumbai, Ban Google etc).

Last week the Home Minister announced the formation of a panel of experts to define a policy for cybercrime. This august panel was to comprise academics and industry professionals, but has academics and bureaucrats and not a single cybercrime officer.

The action itself smacks of self-aggrandizement and demonstrates the continuing deficiency of strategic thought OR common sense at the high levels of a supposedly 'aware' government. Without a SINGLE member having cybercrime and/or cyberlaw experience (pray) how does this august panel expect to define a national cybercrime policy which will actually work?

We can expect another big load of balderdash, alien concepts or impractical and inane directives on the same lines as the much touted National Cyber Security Policy (NCSP).

To refresh our memories, the NCSP was announced with much fanfare in mid 2013 and has, thankfully, remained dormant till now. It has provisions which are far reaching in thought and reality. So far, we do not seem to have taken our first steps. A few concern areas from the NCSP worth mentioning are:
  • Suggestion for PPP: without talking about how will the Private entities benefit from the Public Participation. The government expects free services – just because they are what? Government?
  • The policy says “enabling creation and operationalization of sectoral CERTs as well as facilitating communication and coordination actions”. These are very noble intentions that sound great but just one line in a national policy for such an important function! It had to be lost at birth!
  • Using PKI for Government communication – we haven’t been able to get government to stop using public email services and we talk about PKI. 
  • NCIIPC … where is this gone?
  • The piece de resistance is the last paragraph “This policy shall be operationalised by way of detailed guidelines and plans of action at various level  such as national, sectoral, state, ministry, department and enterprise, as may be appropriate, to address the challenging requirements of security of the cyberspace.” 
    • that's great and who is responsible, how this will be done, when will this be done and is there a penalty for non-compliance?

Frankly, I can keep going on but this is another story altogether. If interested you can ask me for my clause-by-clause analysis of the NCSP. 

Before I move ahead to the present topic, I must mention another governmental activity for brownie points to get media attention - around the same time as the NCSP in 2013, the National Critical Infrastructure Guidelines document was released. It was not really a set of guidelines but was a bad clone of ISO27001 and was actually a set of controls suggested for the CI Institutions. How effectively it has been used in the establishment is evident from the fact that it is not talked about at all. One simple question - does NCIIPC exist? Yes but is it staffed appropriately, and does the staff know what they are supposed to do? Personally I have yet to hear about baby steps of this organization. 

Returning to the subject of the proposed Cybercrime Policy development panel and the serious deficiency on the part of the government establishment. 

It seems no one thought it appropriate to apply their mind to create a strategy, objective / vision BEFORE nominating names and forming panels to create national policies. Especially nominating names of persons from unrelated domains. A knee jerk reaction to the world events around cybersecurity or what? And it seems our government is just doing what it always does .. create new security organizations, panels, policies as a knee-jerk reaction whenever a new incident happens!

Doing a root cause analysis of such fiasco type acts it is obvious these are political actions designed to sound and feel good. It ends here as political masters are seriously deficient in cybersecurity knowledge and have short-term memories. 

Another surprising factor (for me) is the acceptance of the nomination by these persons of eminence. None of them felt the need to object saying that cybercrime was not his/her domain. None felt the need to ask the same Government establishment and functionaries to include additional members, especially cybercrime specialists.

I do not want to name names, but is it so much of a problem for all nominees to raise a flag against such decisions if working within the government establishment?

Today there are cybercrime cells across the country and these are manned by uniformed junior and senior officers of various Law Enforcement Agencies. The personnel are qualified and professionally trained and face multiple challenges everyday in the course of their investigations and fight to control the menace of cybercrime. These cybercrime professionals have to struggle against the stonewalling tactics of domestic and foreign corporations in the business of ISP, web hosting etc and have developed an intimate knowledge of local and international laws, treaties and regulations.

These personnel are acutely aware of the limitations of Indian laws and policies and possess the leadership of thought for development of domestic rules and regulations that will help in cybercrime control at all levels and will help build the image of the country as a resilient nation that will deal strictly with new-age criminals.

I can only hope that better sense will prevail and that the powers-that-be will consider a change in their decision making process when looking at the cyber domain. This is new-age and cutting edge, stuff which has not been experienced in real life and (seriously) needs to be handled differently.

High time the establishment undertakes cyber training / learning and does a reality check to clear their mindset of conventional thinking so that the knowledge deficiencies are cleared. High time India claimed its place in the Internet / Technology space as a real leader and not just a self-proclaimed one.

The internet age needs a new pair of spectacles and no one is buying. It needs a central agency to own and operate security, it needs leaders to think but leaders do not think! It needs governance and transparency but every government is loath to accept this. It does not need an alphabet soup of organizations with each pushing personal agendas and claiming to be the ultimate cybersecurity organization.

High time, we become the keepers of security in cyberspace and thought leaders.