Mumbai Police Helping Terrorists?
Vijay Mukhi, President of the Foundation for Information Security and Technology, is introducing a plan for Mumbai police to install a keylogger and screen grabber on all cybercafe machines in Mumbai. Why only cybercafes? Mr Mukhi explians:
Tor is just one example, there is SSH dynamic port forwarding that acts as a proxy, and if you have access to a server outside India, it provides complete privacy against Indian surveillance. Getting access to a server outside India costs as low as a dollar per month.
These two solutions give access to privacy that even a complete novice can use [once you realize you have something to hide from government, and have spent a few minutes on Google for basic instructions on how to set things up]. There are more advanced techniques, I can hide encrypted information in unrelated files, like images, upload it to flickr for instance, and my friends can access it, and government can not do anything about it, unless they are sitting right next to me while I am doing all that.
It is an impossibility to even conceive that such communications can be tapped, unless the sender has made some obvious mistakes. Terrorists aren't making many otherwise police must have stopped them in action!
Lets talk about keylogging and screen grabbing for a minute. What if someone is using codes to transmit messages? This is how the world war I and II were fought, encryption. The encrypted text could be written on a piece of paper, typed and Mumbai police will keep staring at the screen wondering what the hell to do with those garbage looking text?
Further, keyboard is just one of the input mechanisms available to enter some information on a computer. First thing that comes to mind if Keyboard is not safe is mouse. There are on screen keyboard that one can use. Screen grabber might help a little bit, if mouse movement is tracked, and screen shots are taken at enough frequency as to not miss any mouse clicks, it might be of some help. But only if no code has been employed. Then many cybercafe allow USB thumb drives, these may contain mails that I want to send my fellow terrorists, how would keylogging and screen grabbing help? Many offer microphones, I can imagine few offering bluetooth. Terrorists are smart, much smarter then the police at least, and they have proved it on numerous occasions, thinking otherwise would be foolish.
This entire exercise is futile against anyone with very basic knowledge about the subject.
Mr Mukhi asks an interesting question:
The blood will be on the hands of Vijay Mukhi for either being actively part of terror network by misusing his position as president of foundation of information security to use inappropriate measures to stop terrorists, or for being an incompetent officer who does not know the basics of information security and yet is egoistical/selfish enough to continue to be as president, and not let other more competent people take over.
Here is what I would have done if I was the president. First of all, I would impress upon everybody that all such mass surveillance is a seductive but bad idea to capture determined individuals. They never work. What works against terrorist is the same that works against any crime and specially the ones involving international parties, and that is solid ground investigation. The old fashioned investigation based on clues obtained in questioning and crime scene, pursuing it with diligence, tracing all the leads, and so on. As a president I would build information infrastructure to help in such investigation, finger print database, car license information database, analysis of bank accounts. I would try to introduce the 100 year old information technology that is radio to more police officers. I would try to build systems in which various police forces in India can share investigation progress and findings. I will help build data-mining systems to mince all information conceivable from data collected all over the country by ground agents.
I would at least realize that my actions, as president of that institution, must be helping terrorists unless they are deterring them.
Indian police is helping terrorists by not getting rid of people like Mr Mukhi, who is either incompetent or terrorist's accomplice.
Am I overstating? Do you think president of such information technology security thing will know something about blogs? Could he have posted his plan on some place and invited discussion from security experts? Did he get his plan reviewed from anybody in any computer science professor specializing in Comptuer security? There are many in IIT Bombay. Or did he just say to himself: oh I am the president, whatever plan I come up with must be right, and other people would not know better, because it is my job to research validity of such plans ha ha ha. Terrorists are using internet to plan bombings, no doubt about it, did he really feel he has outsmarted all of them? This arrogance is costing us lives, and I do not feel right to mince words and call him anything less than a terrorist himself. They kill for religion and misplaced ideologies, he lets them kill for money, I guess he can be counted as worse than them.
Doctors get sued all over the place for malpractices. This is malpractice to me.
This is not just a minor mistake: there is a scarcity of police resources that we have for fighting against terrorists. Instead of trying to coordinate with ground investigators to narrow down to individuals that might give some real progress, this fellow is starting a program that will tie our scarce police resource to excessive cybercafe monitoring, and prosecuting, in the name of fighting terrorism, when its nearly theoretically impossible for the program to make smallest dent in the terrorists networks ability to utilize internet to plan next terror attacks.
"The terrorists know that if they use machines at home, they can be caught. Cybercafes therefore give them anonymity."To me this is on the verge of bullshit. Has the president of foundation of information security and technology, heard of Tor?
Tor (The Onion Router) is a free software implementation of second-generation onion routing — a system enabling its users to communicate anonymously on the Internet.It is a US Navy funded project, I guess Mr Mukhi knows something that US Navy and EFF security experts do not that gives him the confidence that anonymity offered by Tor is not enough!
Tor is just one example, there is SSH dynamic port forwarding that acts as a proxy, and if you have access to a server outside India, it provides complete privacy against Indian surveillance. Getting access to a server outside India costs as low as a dollar per month.
These two solutions give access to privacy that even a complete novice can use [once you realize you have something to hide from government, and have spent a few minutes on Google for basic instructions on how to set things up]. There are more advanced techniques, I can hide encrypted information in unrelated files, like images, upload it to flickr for instance, and my friends can access it, and government can not do anything about it, unless they are sitting right next to me while I am doing all that.
It is an impossibility to even conceive that such communications can be tapped, unless the sender has made some obvious mistakes. Terrorists aren't making many otherwise police must have stopped them in action!
Lets talk about keylogging and screen grabbing for a minute. What if someone is using codes to transmit messages? This is how the world war I and II were fought, encryption. The encrypted text could be written on a piece of paper, typed and Mumbai police will keep staring at the screen wondering what the hell to do with those garbage looking text?
Further, keyboard is just one of the input mechanisms available to enter some information on a computer. First thing that comes to mind if Keyboard is not safe is mouse. There are on screen keyboard that one can use. Screen grabber might help a little bit, if mouse movement is tracked, and screen shots are taken at enough frequency as to not miss any mouse clicks, it might be of some help. But only if no code has been employed. Then many cybercafe allow USB thumb drives, these may contain mails that I want to send my fellow terrorists, how would keylogging and screen grabbing help? Many offer microphones, I can imagine few offering bluetooth. Terrorists are smart, much smarter then the police at least, and they have proved it on numerous occasions, thinking otherwise would be foolish.
This entire exercise is futile against anyone with very basic knowledge about the subject.
Mr Mukhi asks an interesting question:
“The question we need to ask ourselves is whether a breach of privacy is more important or the security of the nation. I do not think the above question needs an answer,” said Mukhi.Terrorists are using cybercafes for planning terrorism related activities. I would be really surprised if they are not using their home computers for doing the same. If my assertions are correct, and the measures taken by Indian police is completely futile in stopping any of them, the question is, did the police know how futile these are, or they are really ignorant enough that all this is coming as news to them? Is this move an honest attempt by police to stop terrorists, or an attempt to save their face for not doing anything. This is not just a casual question, if Mr Mukhi knows that these measures are futile, and yet pretends it will work, I will consider him a part of terror network, who is helping the terrorists.
The blood will be on the hands of Vijay Mukhi for either being actively part of terror network by misusing his position as president of foundation of information security to use inappropriate measures to stop terrorists, or for being an incompetent officer who does not know the basics of information security and yet is egoistical/selfish enough to continue to be as president, and not let other more competent people take over.
Here is what I would have done if I was the president. First of all, I would impress upon everybody that all such mass surveillance is a seductive but bad idea to capture determined individuals. They never work. What works against terrorist is the same that works against any crime and specially the ones involving international parties, and that is solid ground investigation. The old fashioned investigation based on clues obtained in questioning and crime scene, pursuing it with diligence, tracing all the leads, and so on. As a president I would build information infrastructure to help in such investigation, finger print database, car license information database, analysis of bank accounts. I would try to introduce the 100 year old information technology that is radio to more police officers. I would try to build systems in which various police forces in India can share investigation progress and findings. I will help build data-mining systems to mince all information conceivable from data collected all over the country by ground agents.
I would at least realize that my actions, as president of that institution, must be helping terrorists unless they are deterring them.
Indian police is helping terrorists by not getting rid of people like Mr Mukhi, who is either incompetent or terrorist's accomplice.
Am I overstating? Do you think president of such information technology security thing will know something about blogs? Could he have posted his plan on some place and invited discussion from security experts? Did he get his plan reviewed from anybody in any computer science professor specializing in Comptuer security? There are many in IIT Bombay. Or did he just say to himself: oh I am the president, whatever plan I come up with must be right, and other people would not know better, because it is my job to research validity of such plans ha ha ha. Terrorists are using internet to plan bombings, no doubt about it, did he really feel he has outsmarted all of them? This arrogance is costing us lives, and I do not feel right to mince words and call him anything less than a terrorist himself. They kill for religion and misplaced ideologies, he lets them kill for money, I guess he can be counted as worse than them.
Doctors get sued all over the place for malpractices. This is malpractice to me.
This is not just a minor mistake: there is a scarcity of police resources that we have for fighting against terrorists. Instead of trying to coordinate with ground investigators to narrow down to individuals that might give some real progress, this fellow is starting a program that will tie our scarce police resource to excessive cybercafe monitoring, and prosecuting, in the name of fighting terrorism, when its nearly theoretically impossible for the program to make smallest dent in the terrorists networks ability to utilize internet to plan next terror attacks.
Labels: India Calling Security n Privacy
If you find this post useful, please conside buying me a pizza!
0 Comments
<< Home