Anything Else

Thursday, September 6, 2007

Privacy Implications Of Mass Surveillance

In his futile attempt to fight terrorism, Mr Mukhi asks us a question:
“The question we need to ask ourselves is whether a breach of privacy is more important or the security of the nation. I do not think the above question needs an answer,” said Mukhi.

Not only is Mr Mukhi completely clueless about cyber security, he also has no idea why the notion of privacy is so important. So what is wrong if our passwords are stored and are available to the police? Why is someone potentially reading our mails such a big problem?

Privacy relates to access to private information about individuals. Human beings associate trust with this information. Imagine someone coming to you and accusing your wife of adultery. In one case he just proclaims, your wife sleeps with other people. This is meant as an insult and you will take it as such, and will just ignore it. But imagine if he has access to your wife's calendar, and says dude, yesterday you thought your wife went to the laundry in the evening, well, she went some other place, and that movie thing she did with her friends last Friday, well, she didn't go to the movie either :-), and a few other such tidbits. Ignoring the allegation has become so much more difficult now. Imagine if he has access to your wife's email account and told you that she is still in touch with her college ex-boyfriend. Your wife will not be able to deny this, but she never saw him, and knew how you hated him. The marriage is in deep trouble, don't you think? He might not approach you at all, and might instead blackmail your wife and make some money out of it.

Everybody has stuff about them that, if taken out of context, can be a cause of a great deal of embarrassment or in many cases much worse. Privacy is our weapon against people finding out things about us and misusing them.

Now imagine, 30-40 percent of Bombay accesses the internet through cybercafes. If all passwords are being recorded, surely someday someone will discover where they are and steal them. Maybe the security would be tight, but maybe not.

More about the trust aspect of privacy. If I call a girl and ask her to come to some place, she will most likely not, but if I have access to her email password, I can find out about her trusted friends from it, and can pretend to be a friend of theirs calling her to tell her that a good friend of hers has been in an accident, and that the caller found her number in the cellphone in his pocket. The chances that the girl comes to the desired place become so high now, don't you think?

There was a case about a guy being lured to a place and kidnapped and, I guess, murdered using Orkut. The guy made the mistake of trusting an unknown person, but imagine if passwords are stored for lakhs of people in some police computer and it gets stolen: how many potential blackmail and murder crimes might get facilitated?

The passwords would be stored in the cybercafe, one point of attack: anyone sitting at this computer can potentially get the passwords. Next, the passwords will be collected by the cybercafe operator; he might steal them himself, or someone might steal them from him. The passwords would be stored on CDs and collected by someone, or electronically uploaded to some site. Sites get hacked all the time, and millions of passwords will just give extra incentive to the hackers. Then there are numerous personnel involved in maintaining the remote database that stores all keypresses; any of them could make a copy for himself.

I know of kids of millionaires and billionaires on Orkut, and if I can kidnap them, I can demand hefty ransom. I might be willing to sell this idea to some underworld don to just kidnap kin of system administrators responsible for the database.

Do you really think, Mr Mukhi, that such risks are worth the near zero benefit that we are going to get out of the privacy invasive plan that you are rolling out? What have you done to protect against such privacy invasion? And if you did do anything (you would be a miserable sob if you did not), then why did you decide to ridicule privacy concerns instead of convincing us that suitable measures are being taken to protect our privacy?

Any data that is collected can be retained and stolen. A lot of private information can be gleaned from such data, and the trust system inherent in privacy can be exploited to harass people or engage in criminal activities against them. Privacy is thus important, especially against such un-thought-out measures by government officials, who usually take them under the guise of fighting terrorism.



Mumbai Police Helping Terrorists?

Vijay Mukhi, President of the Foundation for Information Security and Technology, is introducing a plan for Mumbai police to install a keylogger and screen grabber on all cybercafe machines in Mumbai. Why only cybercafes? Mr Mukhi explains:
"The terrorists know that if they use machines at home, they can be caught. Cybercafes therefore give them anonymity."

To me this is on the verge of bullshit. Has the President of the Foundation for Information Security and Technology heard of Tor?
Tor (The Onion Router) is a free software implementation of second-generation onion routing — a system enabling its users to communicate anonymously on the Internet.

It is a US Navy funded project. I guess Mr Mukhi knows something that the US Navy and EFF security experts do not, which gives him the confidence that the anonymity offered by Tor is not enough!

Tor is just one example. There is also SSH dynamic port forwarding, which acts as a proxy, and if you have access to a server outside India, it provides complete privacy against Indian surveillance. Getting access to a server outside India costs as little as a dollar per month.

These two solutions give access to privacy that even a complete novice can use [once you realize you have something to hide from the government, and have spent a few minutes on Google for basic instructions on how to set things up]. There are more advanced techniques: I can hide encrypted information in unrelated files, like images, upload it to Flickr for instance, and my friends can access it, and the government cannot do anything about it, unless they are sitting right next to me while I am doing all that.

It is an impossibility to even conceive that such communications can be tapped, unless the sender has made some obvious mistakes. Terrorists aren't making many, otherwise the police would have stopped them in action!

Let's talk about keylogging and screen grabbing for a minute. What if someone is using codes to transmit messages? This is how World Wars I and II were fought: encryption. The encrypted text could be written on a piece of paper and typed in, and Mumbai police will keep staring at the screen wondering what the hell to do with that garbage-looking text.

Further, the keyboard is just one of the input mechanisms available to enter information on a computer. The first thing that comes to mind if the keyboard is not safe is the mouse. There are on-screen keyboards that one can use. A screen grabber might help a little bit: if mouse movement is tracked, and screenshots are taken at a high enough frequency so as not to miss any mouse clicks, it might be of some help. But only if no code has been employed. Then many cybercafes allow USB thumb drives, and these may contain mails that I want to send my fellow terrorists; how would keylogging and screen grabbing help? Many offer microphones, and I can imagine a few offering Bluetooth. Terrorists are smart, much smarter than the police at least, and they have proved it on numerous occasions; thinking otherwise would be foolish.

This entire exercise is futile against anyone with very basic knowledge about the subject.

Mr Mukhi asks an interesting question:
“The question we need to ask ourselves is whether a breach of privacy is more important or the security of the nation. I do not think the above question needs an answer,” said Mukhi.

Terrorists are using cybercafes for planning terrorism related activities. I would be really surprised if they are not using their home computers for doing the same. If my assertions are correct, and the measures taken by the Indian police are completely futile in stopping any of them, the question is, did the police know how futile these are, or are they really ignorant enough that all this is coming as news to them? Is this move an honest attempt by the police to stop terrorists, or an attempt to save face for not doing anything? This is not just a casual question: if Mr Mukhi knows that these measures are futile, and yet pretends they will work, I will consider him a part of the terror network, who is helping the terrorists.

The blood will be on the hands of Vijay Mukhi, either for being actively part of the terror network by misusing his position as President of the Foundation for Information Security and Technology to use inappropriate measures to stop terrorists, or for being an incompetent officer who does not know the basics of information security and yet is egoistical/selfish enough to continue as president, and not let other more competent people take over.

Here is what I would have done if I were the president. First of all, I would impress upon everybody that all such mass surveillance is a seductive but bad idea for capturing determined individuals. It never works. What works against terrorists is the same thing that works against any crime, and especially the ones involving international parties, and that is solid ground investigation: the old fashioned investigation based on clues obtained in questioning and at the crime scene, pursuing it with diligence, tracing all the leads, and so on. As president I would build information infrastructure to help in such investigation: a fingerprint database, a car license information database, analysis of bank accounts. I would try to introduce the 100 year old information technology that is radio to more police officers. I would try to build systems in which various police forces in India can share investigation progress and findings. I would help build data-mining systems to mine all information conceivable from data collected all over the country by ground agents.

I would at least realize that my actions, as president of that institution, must be helping terrorists unless they are deterring them.

The Indian police are helping terrorists by not getting rid of people like Mr Mukhi, who is either incompetent or a terrorist's accomplice.

Am I overstating? Do you think the president of such an information technology security thing will know something about blogs? Could he have posted his plan some place and invited discussion from security experts? Did he get his plan reviewed by any computer science professor specializing in computer security? There are many at IIT Bombay. Or did he just say to himself: oh, I am the president, whatever plan I come up with must be right, and other people would not know better, because it is my job to research the validity of such plans, ha ha ha. Terrorists are using the internet to plan bombings, no doubt about it; did he really feel he has outsmarted all of them? This arrogance is costing us lives, and I do not feel right to mince words and call him anything less than a terrorist himself. They kill for religion and misplaced ideologies, he lets them kill for money; I guess he can be counted as worse than them.

Doctors get sued all over the place for malpractice. This is malpractice to me.

This is not just a minor mistake: there is a scarcity of police resources that we have for fighting against terrorists. Instead of trying to coordinate with ground investigators to narrow down to individuals that might give some real progress, this fellow is starting a program that will tie our scarce police resources to excessive cybercafe monitoring and prosecuting, in the name of fighting terrorism, when it's nearly theoretically impossible for the program to make the smallest dent in the terrorist networks' ability to utilize the internet to plan the next terror attacks.
