Saturday, June 21, 2014

The case of objectionable FB posts - time to change

Some miscreants put up objectionable posts on FB and the state erupted with riots and a ham-handed police response.

It is time to change the way we think about online life, because the lines have blurred, making the virtual persona as much a part of real life as real life is of the virtual!

I put together a compendium of news articles starting from June 01, and the headlines speak for themselves (my comments follow each headline after a dash, with the source in brackets):

Protest against objectionable post on social media hits expressway traffic - how will disrupting traffic help catch the culprit? There are many other ways to protest... why the expressway, which is miles away from the police station? (Times of India)
Tech experts hunt author of FB post which led to violence across state - Really! Can they "hunt"? (Mumbai Mirror)
Cyber crime cell takes over probe - this is the department which should have been given the responsibility on day 1 instead of trying to "hunt". (Times of India)
Maharashtra police to crack whip on those who 'like' offensive Facebook posts - so one guy commits an offence and the government wants to show its muscle just because it can do little else. The government just wants to crack whips. Did any minister stand up and make a responsible statement about the posts and calm down the emotionally charged citizens? (Times of India)
Origin of offensive posts unclear, cops seek details from Facebook - reality bites! (Times of India)
Pune mob violence over 'Bal Thackeray pics' kills 1 - an unfortunate killing by a mob. What were the police doing while the mob was getting its act together? The loose handling allows lumpen elements to come in and take advantage of citizens' emotions. (Hindustan Times)
Don't let Pune techie's killers & their leaders get away (Mumbai Mirror)
Pune murder - Six more held (Times of India)
Servers abroad used to make offensive Facebook posts, Mumbai cyber crime investigation cell says - everyone knows FB servers are abroad. What's new! Just some inane statements to keep the newspapers printing. (Times of India)
Maha Govt Under Siege Over Techie Killing - with irresponsible handling of the law and order situation and a refusal to change in the face of pervasive technology, this is bound to happen. (Times of India)
Pune techie murder case - 8 more arrests made, 2 minors detained (DNA)
Pune techie murder case - Another man was attacked by same gang the night Mohsin was killed - what an undeserved death. The poor man was killed for no fault of his own. (Times of India)
ATS probing reason behind Pune violence - why are we bringing in the ATS? What next, SIT and NIA? This is political FUD: make it sound big and show how responsibly you are handling the case. Call the army and tell the world I called them... what more can I do! (Times of India)
Offensive FB posts: 187 rioting cases filed, 710 held - great statistics to be proud of. Fundamentalist lumpens go on a riot. The government sleeps and makes no statement. No one helps any of the affected, and everyone from the Cyber Cell to the ATS and the technical experts is "hunting" the culprit! Will they find someone? (Times of India)
Court extends HRS leader Desai's police custody till tomorrow (Times of India)
After killing Pune executive, mob attacked bakeries and shops - what's wrong with us? How will this riot find the culprit? Who does all this, and why are these guys not locked up for good? Frankly, I would like to know if any of the 700 guys who have been arrested know what FB is and what is objectionable!! (Times of India)
Another FB post sparks protests across state (Times of India)
Cops blocked 113 of 198 'offensive' social media posts since Jan - great job. This is the capability we have to increase to the level where problems are nipped in the bud. The police and central authorities must create an ecosystem to discover such anti-national posts before they damage the country's peace. (Mumbai Mirror)
My son's murder not just a law & order issue - Mohsin's father (Times of India)
Those behind inflammatory Facebook posts identified: R R Patil - Wow! Great. Mr Patil, now we must throw the biggest book at the culprits and make sure that they get the death penalty. (Times of India)
2 crore of taxpayer money lost as mobs target buses in state (Times of India)
Like, share 'objectionable' posts and face prosecution (Mumbai Mirror)
Facebook posts: Mumbai police say leads did not pan out, trail gone cold - Oh really! What happened to Mr Patil's statement two days earlier that they had been identified? How irresponsible; it shows the lack of respect for the dead and the riot-affected. (Times of India)
Offensive FB posts may be from Pak - YES! Blame it on Pak. They are the root cause of every evil in India, from robberies to increases in train fares! (Times of India)

This is not how one handles communication and government outreach in times of crisis. 

Rumors move fast in the real world, especially malicious and mischievous ones that are meant to create strife. In the Internet world they move faster and further, so the impact is greater in a shorter period of time.

The slow reaction of the establishment is the first culprit in this case, and the situation was compounded by the lack of responsible communication by the ministers. Our problem is that the government first goes to sleep and hopes that the problem will be wished away... and then they come out making inane statements.

Check the table above - blame it on Pak! How convenient to sweep everything under the table and go back to fiddling while Maharashtra burns. 

Friday, March 7, 2014

Foot in the mouth disease afflicts the establishment - shameful statements for national security

Today is a sad and shameful day when a person no less than the National Security Advisor (Mr Shivshankar Menon) of the country has trivialized security breaches in the (supposedly) most secure confines of the Indian Government infrastructure. 

As reported in the media he has made irresponsible statements like:
"A mere fact that some computer is open in North Block and South Block and is accessible, does not mean that therefore there is big gap in security."
"not every leaked password is a big threat to security"

I really do not know whether to cry or jump off a cliff, especially when I know I am living with such people heading security for the country. First we had our Minister (Mr Khurshid) who was very quick to forgive the Americans for their NSA-PRISM snooping, calling it patterning and saying that they were "really not snooping".

Of course, if someone shows you evidence of the holes in your underwear you will keep your mouth shut and happily take all the shit that is thrown at you. Then you will go to town claiming that this is not humiliation but is actually adding to your dignity.

No one has the guts to stand up and say we are being raped - this country which is supposed to be Incredible and what-not. Not even a whimper from any of the hallowed institutions which are supposedly responsible for cyber security in the country.

In any case who will stand up to the NSA or the Minister or the people in power and tell them they are not wearing their robes! 

The country is sold every other day with thousand crore scams by politicians and their cohorts. Innocent lives are lost because the defense forces do not have the money to spend on submarine repairs or MIG upgrades. Farmers commit suicide and floods and famine co-exist to wreak havoc on the motherland. 

And all the while we fart with false pride. In simple words, I am plain angry, hassled and I am sure this is the same state of many of my other fellow countrymen and women.

Does the country have any hope when the PMO, DRDO, MEA, MHA, CBI and other sensitive institutions are "haped" every now and then - and the powers that be take pride in their hour of humiliation.

If the people who are responsible for security in the country have such a cavalier attitude, how can we expect any sort of responsibility on the part of government institutions, law enforcement or the judiciary?

Well it is a dark day for the country to realize that we have a funnily irresponsible NSA who also has the foot-in-the-mouth affliction. All that we can do is ... "havan karengey, havan karengey.." 

Wednesday, March 5, 2014

Cybersecurity lectures and safety days and weeks ... Part 1

About Cyber Security Lectures 

Every day I read about lectures being conducted by so many people across the country, sponsored by the local police or one or other security company using money from their CSR or some other budget. I find them to be good initiatives and applaud the effort of all the people who are doing this, but (frankly) I am not impressed!

Reasons: these are flash-in-the-pan efforts. Go give a talk and walk away. Did anyone understand what you said, and why? These are all unanswered questions. From what I have heard these are "magic shows", and the presenters have to show some FB hack, some Google hack, pwn someone's mobile phone, show some XXX stuff to get the audience laughing into their pocket. Who cares about the experience of the presenter so long as someone sent him and it is a fun free period for the participants?

No one asked, so no one set the objective for these so-called awareness or training programs for the children in school or college. They have very different lives and pressures; did we identify these issues before going and doing a program with them?
(I do know that for many it is a money-making thing: do a 2-day program, give a certificate to the college student, make Rs 1000 per person, split with the college, and go home with a cool lakh in your pocket.)

If you guys watch Balika Vadhu on Colors (this is a soap on Colors TV in India) you will appreciate their effort at showing a date rape and MMS crime. No, don't laugh; go get the episodes from YouTube and view them. (I mean don't laugh at me for watching the soap!)

Then I came across this article from Rolling Stone (put up by my friend Shyama), which provides a detailed analysis, based on the investigation, of a girl who was traumatized by her friends into committing suicide...

We shall see such episodes in our country too, and the need is to concentrate on the social and personal problems, risks and threats that are posed by the Internet and technology rather than the technical aspects we seem to be focused upon. Yes, the kids need to learn about technology or VAPT, but not in grade 4 or 5 or 6!

And the final question: do their teachers and principals know about the extent of the dangers? What about their counselors? Did anyone share the training program with the counselors and try to find out the type of problems that are being addressed?

I would like to know about your experiences and thoughts and shall welcome comments, in public or via private message.

I shall soon write about the celebration of Internet Safety Days and weeks and months ... !

Saturday, December 28, 2013

In India - ATMs to be shut down at night

Incredible India! 

Incredible Indian people who run this country - they just morph into nincompoops when thinking about the country's progress.

Today IBA and RBI have come up with a fantastically BS proposition to close ATMs at night, and I can't help but laugh at their (lack of) wisdom, intelligence, or whatever it is you have between your ears.

What a great idea, sirjee... identify low-traffic ATMs and close them at night! It is surprising that on the one hand these guys are talking about private ATMs across the country and that every rural branch must have an ATM, and on the other hand this.

(With due apologies) Besides, it is also a reflection of the trust in the police department, which seems to be touching rock bottom. Or, the trust the police department has in itself, which seems to be even lower!

First they said: place a guard at every ATM, which meant employing and deploying 5000 people from wherever within 2 weeks in Bangalore. From where? Which factory will provide so many human beings on order?

We excel at jerking our knees and there is no better evidence than this - deploy overnight, close ATMs, open ATMs.... blah blah and double blah.

Is closing ATMs a solution? It is just IBA/RBI/Cops running away from the problem. No intelligent statement has come from these institutions to tackle the problem except jerking their knee. This is so typical: make a statement which sounds so high and mighty that everyone will be appeased, and nothing will be sorted out.

So who will close 5000 ATMs at night? Will one doddering guy go to all these ATMs and down the shutters? Won't you have to hire people to do this? Or will you install a central system which will do this at the flick of a button?

Dear IBA/RBI/Police - what are you thinking? Do you really think that the untrained, illiterate villagers who are given black and blue uniforms and seated at ATMs are capable of thwarting a robbery? Hah! and Bah!!

Sorry - take a Babaji Ka Thullu for that thought!!

I agree that hiring thousands of guards will blow a hole in the budget and (anyway) it is a short-term solution. The ATM count will keep increasing and the quality of guards will keep going down. Why can't IBA/RBI/Cops advise working with the security agencies to create a rapid reaction force, install intruder alarms, upgrade the CCTV and make it good for the next five years?

Close the ATMs today, hire your non-guards next, and still suffer from the same disease and keep floundering all your blooming life.

Closing your eyes to the problem will not resolve it! This is NOT risk/threat remediation, it is containment.

Response from Nandkumar: On another occasion, I had heard of a mind-boggling suggestion that ATMs be clustered in a centralised location in a town so that tight security can be provided!
Banks also need to do away with the 'lounge-like' appearance of ATMs and make them 'box-in-the-wall' thingies, so that all transactions happen in the open with the real-world precautions and protections for cash transactions.
Of course this is typical knee jerk reaction - you do not understand something - close it. Why bother finding a solution and making life easier for the customer. We are a bank, a big bank, customer will come to us and all we have to do is keep our flag flying high and showing how nice we are! 

This is India my friend, if you are a customer and your money is with me - you are a "keeda" (insect).

Tuesday, October 29, 2013

The US visa issue and more on governance and compliance

It is interesting to see the most admired Indian IT company, also revered as the model of governance, demonstrate that it is not possible to shed your Indianness: the jalebi thought process that is genetic to our race, and the concept of 'jugaad' which we are trying to push upwards in business thought as the ultimate tool for inventiveness.

Both jalebi and jugaad are words which start with a 'j', and in a pack of cards the J is a Joker. One does not need to ask a Tarot practitioner what the Joker represents. Sadly we hide behind the ever-smiling mask, indulging ourselves in our individual fantasies of security, 'Ramrajya', 'roti kapda aur makaan', incredible India, Shanghai to Bombay, or whatever pleases us to blow our trumpets out loud.

Enough said about the joke on us, and to turn the spotlight on Infosys: it is being hit with a $35m fine for indulging in questionable visa practices. Recently it broke with "tradition" when Mr Murthy was called back to help the company stand on its two feet again. The first governance rule was not to go past a certain age and the second was not to have your kids in the same place! And Mr Murthy brought his son along as his personal assistant, and the assistant has become independent and been promoted to something (I do not know what).
Now I have nothing against Mr Murthy or Mr Nilekani, but guys, you are role models for millions across the world, and if you cannot live by your word then WTF!

OK, I accept that rules are not cast in stone and the world of business is dynamic and one has to move with the times and all that... but then at least have the guts to issue a public statement explaining the change of stand. But no. This is not done in the Indian scenario: if you are successful or if you are the boss, you do not stoop so low as to offer explanations of your actions to the hoi polloi.

So it is fine to be hit with a fine; you are an Indian working overseas and you never came to terms with the word compliance because you were fine with jugaad.

Now if we examine why the visa is misused, we have to blame the US Government and clients too, not just Infosys and other Indian companies. Oh come on, just because there are no other names does not mean other Indian companies do not indulge in such practices. Maybe they indulge in darker practices which are too deep to discover!

Well, the US Government should realize that it is not easy to get an order from public or private organizations. And once an RFP has been decided in its favour, no self-respecting organization will make the first move until an iron-clad purchase order is received. From receiving the first whiff of a requirement to getting the iron-clad Purchase Order is usually a very long period of time and can bring organization CxOs to the brink of insanity or to being committed.
After this long-drawn gestation period to get the order in hand, the client wakes up from deep slumber demanding overnight deployment of teams, and program managers crack the whip at their Indian laborers. Yes, this is a repeat of the slave trade, albeit in a different manner.

Now comes the crunch: the Indian IT behemoth keeps its 'bench' in India because this is home and costs are low. The moment the demand crops up, the easiest visa is a B1, which is for a business visit and is easily given out by the US Consular office, which looks at income statements and the pedigree of the employer and stamps the passport of the young 20+ year old kid. Of course the Consular officers are not so "duh" as to stamp every one meeting this frugal criterion; they seem to have some kind of sweepstake going on too. The reason I say this is that for every ten successful first-timers-with-visa there are 1.5 to 2.5 who are rejected summarily... these guys go back after 3 months and get a visa (same routine).

Now Uncle Sam (chachaji) has woken up and said that the visa is misused. So why can't they just recognize the fact that there are millions of team members who are to travel and get deployed on assignments in their system, or even in the dreaded dirty-tricks NSA? Why can't a visa be tied to a contract?
Contracts are subject to the import laws of the US of A, which means that some arm or other of Government has worked to approve the import of the service and that national interest (security) is protected. Additionally, they will also have done an impact analysis of the contract on US employment, skills and local excitement. If they can do all this, then why cannot another department be brought in and a blanket "Contract related visa" issued? The vendor has made an estimate of the effort and also has a fair idea of the number of people that will be deployed. Make sure that the visa is issued for that contract, that the buyer is jointly responsible for the team members who are deployed, and that their movement is recorded.

There will be some team members who will qualify for multiple assignments, and the Immigration office can include those contracts too.

With limited validity and traceability, it will benefit the companies which are engaged in legitimate work and are forced into visa non-compliance situations.

Until then the bellwethers of corporate governance should lower the volume on their drum beating and be a bit more patient when acceding to the client’s demand for deployment of the onsite team. 

Whatever course of action is taken by the US government, clearly they are working on an internal agenda. You need us, but you want to act pricey and funny and make life miserable for us. Now Infy will be down by 30-odd million, and that is not small change, and the blame is not 100% on their doorstep.

Thursday, September 26, 2013

An open letter to the Government, Mr Prime Minister

Dear Mr Singh – as you prepare to go on your US trip there will be many a ‘faryaad’ in yours and Mr Khursheed’s mailbox (I assume he will be accompanying you).

And of course I also assume Mr John Kerry will also be meeting both of you and I, as a humble Indian citizen have a suggestion - please do carry some CDs to help him and his government put some “zing” into their data patternizing which is being dealt strong punches by that, that President of… Brazil! Hah, what do they have except for the mardi gras and beauties on beautiful beaches!! We are so much better we are an IT Superpower (doesn’t matter if our superpowers are based on our body slave trade shopping expertise).

BTW, patterns is a cute word, and reading this article is a shame: "Officials play down snooping on Indian missions in US". Especially terms like intent, technology and Mr K's shitewashed statement.
And of course do not forget to mention this to President Obama. BTW I call him Big Barack, a slight take on Big Brother considering the global mischief he is into, and of course he is following the role to the 'T', sorry 'B'.

I shall make this short without poking any fun at the joint statement of Messrs Khursheed and Kerry after they had examined the NSA program and found it was only intercepting (unlawfully) the internet traffic from India for patterns – curly, wavy, sadhna cut, booti, dhoti, pyajama… patterns. And they say these patterns would provide them with terror intel. 

Man, was I impressed with the explanation! So impressed, in fact, that I had to go to the loo for a puke and then # 2. 

No sir, I was not impressed, I was overwhelmed by the shi#intelligence of my Minister.

I recently read a book 'kiss my as%' and that was less smelly than this

Time and again I have professed the need to intercept traffic in Sulabh shauchalaya too, and your office does not seem to listen. It is in one's most private moments that the most profane thoughts are unleashed (ask Mr O or Mr K and they will say "Yaah"). That is the place where a suicide bomber will strap on, or from where they can have their private communion. And... you, the government, are not listening. Just carry some unlawful or lawful traffic and share it with them and let the white man reveal the knowledge therein.

Believe me this is the stuff that the “pattern” statement of Messrs K and K was made of. The real McCoy that bulls create!

Anyway – I want to come to the main point of my letter and this BS is getting smelly.

Sir, I want you to please give me a pipe to smoke too, a pipe which reaches into the dark abyss of the Government machinery and infrastructure and allows me to capture all the data and the non-data which traverses the country’s Internet. I want to see, smell, hear and store what the Indian citizen is saying, eating, drinking, copulating, crapping or whatever. And – then I want to build the largest leakiest data center in the Thar desert.

Why leakiest you may ask. Theek Hai I shall share this gyaan – when the country is being raped why should I run! Why spend money on making it secure when it has got to go or it has got to be given – for patternizing!

I know this is for the good of the country – the rape I mean. And of course, since we are a declared banana republic (this is my assumption since no one in Government opposed this declaration-in-law) we cannot expect any ‘headly’ in cooperation or access.

Accha, do you know why? It is because JFK said this long ago: "Yours is not to question why. Yours is but to lie back and get it and give it all. Why? We are USA, we are the land of the free, we are the change and the protectors of the world, we are the Masters of the Universe."

My apologies for digressing, and to come back to my request to pull traffic information a la NSA’s Prism – please be assured I shall do a lot of patronizing patternizing. And believe me I shall do a better job – first I shall call my program Padhaar from Pattern or Paad (depending on what you are looking for – BS is data or BS in explanation).

Since I am Indian I too have a 'jalebi' mentality, and my DNA is tuned to corrupt, unlawful practices. Having travelled on potholed roads, and with a short temper which is ideal for road rage, a propensity for launching into 'maa behan gaalis' at the slightest provocation, living in the fast lane on a bullock cart, and so much more that makes up my being as 'khaalis' as can be. All this and more make me qualified for extracting the gyaan and a-gyaan from the pipes I shall plug in.

You may ask – why me? And to clear the doubts of any agyaani gyaani I shall say that if my Government can legitimize a state sponsored espionage operation by accepting their patronizing ‘pattern’ and not utter a ‘choo’ – WHY NOT ME !

I am an Indian citizen and have that non-mandatory Aadhaar. I shall only look at patterns and not do any spying or anti national analysis. And if any CM or President from any of the states or countries objects you will be well within your rights to tell them to fly cattle class to wherever they belong because we would not be spying, we are only collecting patterns .. tra, la la, la la..

So Mr PM, Gyaaniji, thank you for your strong individualistic leadership and your grasp on things economic. I sincerely hope you will provide me with the pipe, or better still, why not a public pipe where anyone can plug himself/herself in. The thought behind this is simple: why not share our crown jewels, state secrets, and strategic plans et al with the mango people when firangs are already enjoying them, our national treasures? They are doing this without asking for permission, and here I am asking... I am being honest and ethical.

Besides, when a foreigner can rape my motherland and be accepted for it I am just asking for a ringside view of the sordid happening.

Me, and many other countrymen will be very pleased to have the opportunity to dipstick the mess that flows through the data cables and have our local fun in creating ‘patterns’ which will help identification of sulabh and a-sulabh terror cells which may wreak foul viruses in the air that will attack olfactory senses of our populace. Even the latest Bollywood song is an oblique reference to this need where it says “kitna maja aa raha hai kyon ki tu ne hawa main bhang mila di”

My best wishes for your meeting with the Big Bro', and I look forward to your and Mr K's contribution to a haha highly connected world where open and transparent systems exist and we can freely allow anyone to probe the holes in our chaddis and cement a chaddi buddi patternship.

Yours in patterns
Dinesh O Bareja

(wannabe chaddi holes voyeur)

Friday, September 20, 2013

Bounty Programs - a two way street - organizations and hackers must respect each other

This is my third post on the Bug Bounty phenomenon; it gets more fascinating as one digs deeper and I am sure there will be still more to come.

Organizations rule the roost in doling out rewards in cash or kind, and by adding the names of young hackers to Walls of Fame or making Honorable Mentions. These decisions are internal, and there is no recourse for the Hunter to dispute the value of the payout.

Unfortunately this is presumptuousness on the part of the organization(s) running the bounty program. They need to realize this is not a one-way street, and they had better realize it quick, else they will start losing star Hunters to the alternate market.

I use the phrase "alternate market" so as not to spoil the reputation of my Hunter hacker friends, many of whom are too young to understand the strategic planning behind these programs or about exploitation. I would not like any of these friends to be associated with the dark underground markets, getting paid in virtual hot money and then trying to hide it, breaking the law.

Well, this is the scenario to consider: someone discovers a bug and classifies it as critical. It is submitted to the relevant organization; they do not understand the bug and reject it. Or they do not accept that it is critical, classify it as low criticality, and the payout is a few peanuts.

Remember the infamous cases recently when Facebook refused to accept critical bugs twice. And then (sheepishly) they accepted the bugs when they were squashed in their face! Check these links:
FB refused to accept a bug that allows anyone to post on anyone's wall - the researcher finally posted on Mark Zuckerberg's account to get noticed!

There was another FB bug which the FB team did not understand, and they again demonstrated their pigheadedness. Check the search engines and you can find it.

The organization demonstrated its blind side by acting in a high-handed manner, but in the bargain they now have a few disgruntled Hunters. The next time this guy is not going to submit a POC for a serious issue, and the loser will be the organization! Why? Well, because the next time this Hunter finds a critical bug he/she will demand the value he/she has placed on the find. If not paid that amount, he/she will go and sell it in the 'alternate market'.

That's why one has to realize it is a two-way street: the hacker is expected to do a 'Responsible Disclosure' and submit as per the terms and conditions put up by the organization, and the organization is expected to value the bug fairly and pay out asap.

The other risk is about the hacker going rogue and causing havoc when ill treated. 

Drive carefully along the two-way Bug Bounty Street: respect the hacker and his/her intelligence. Do not hide behind legal jargon and try to dupe anyone with low valuations.

Bug hunting is hard work, so make sure you reward the hunters well, or else be prepared for some unethical people crossing your perimeter.

So the next time you do not pay out an appropriate bounty, you may be doing yourself a disservice by arming underworld characters with knowledge about weaknesses that can be misused to damage your organization.