

This post has been updated to take out some points that I had misunderstood and that have since been clarified, and another issue which appears to be resolved.

Okay, I'm spooked. I don't understand this enough to even claim something is wrong. This is the most bizarre "email situation" I have ever seen.

It began with the government giving the address blackmoneyinfo@incometax.gov.in as the email address for citizens to send tip-offs to the government about people who have black money. Leaving the Nazi-like technique aside, I was puzzled by the address, as the Indian Income Tax Department's website is incometaxindia.gov.in.

So I tried to find the website belonging to the email address the government provided. It doesn't exist. Okaaay. Does the domain exist? It does. And it seems to be registered to the Income Tax Department as well. So far, so good.

Got a brainwave. If it was a server configured only for email, it wouldn't show up by browsing to the domain (which hits the web server on port 80). So I did an MX lookup (which specifically returns the mail servers for a domain). Bingo! There it was, configuration errors and warnings and all, hosted on a subdomain pdcsmtp02.incometax.gov.in - which apparently is blacklisted for SPAM!!! The IP address for this is 125.19.19.84 (more on this later) and the reverse DNS (PTR) record does not match: it is for mail.incometaxindia.gov.in!!! Which seems to be blacklisted on FIVE spam lists? So replies to the email may or may not be received by people. It is unclear what has got the domains a spam status. The reasons could range from relatively benign misuse of the official address by a few employees, to the server being compromised and used to send spam, to worse still, the server being infected and the emails themselves carrying infections (spam is often the vector for malware, which is why you never click links in it, remember?)

Anyway, spam or not, whatever it was, I thought I'd found the holy grail. I tried going to the subdomain pdcsmtp02.incometax.gov.in. Page never stopped loading. It is still loading as I write this article. I have no idea what is on the other side. This is like a sarkari Darknet site.

I tried pinging it. Nothing. Depending on the tool used, the DNS service returns "domain not found", "name or service not found", etc.
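The checks described above (MX lookup, comparing the reverse DNS name with the mail host, and querying spam blocklists) can be scripted so the result is repeatable. The following is an added example written for this article, not code from the original post. It runs offline against a constructed set of DNS records (the domain names, the 192.0.2.0/24 addresses and the dnsbl-a.test / dnsbl-b.test blocklist zones are all made-up placeholders) because it takes a `resolve(name, rtype)` callable; `live_resolve` shows how to plug in a real resolver (dnspython) for an actual check. It deliberately separates two things that get conflated: whether the PTR name matches the MX hostname (the kind of mismatch described above, which is cosmetic) and whether forward-confirmed reverse DNS holds (the PTR name resolves back to the same address), which is what receiving mail servers and blocklists actually score on.

```python
"""Forward-confirmed reverse DNS (FCrDNS) and DNSBL checks for a domain's MX hosts.

Added example, not code from the original post. Everything in FAKE_DNS is a
constructed fixture (RFC 5737 documentation addresses, made-up names and
blocklist zones) so the script runs offline; see live_resolve() for a real lookup.
"""
import ipaddress

# Constructed fixture: one MX host whose PTR record points to a different
# hostname (the name-level mismatch) but whose PTR name still resolves to the
# same address (so FCrDNS holds), plus one blocklist listing for that address.
FAKE_DNS = {
    ("example.gov.test", "MX"): ["10 smtp01.example.gov.test."],
    ("smtp01.example.gov.test", "A"): ["192.0.2.25"],
    ("25.2.0.192.in-addr.arpa", "PTR"): ["mail.other-example.test."],
    ("mail.other-example.test", "A"): ["192.0.2.25"],
    # A DNSBL answers with an address inside 127.0.0.0/8 when the IP is listed
    ("25.2.0.192.dnsbl-a.test", "A"): ["127.0.0.2"],
}
DNSBL_ZONES = ["dnsbl-a.test", "dnsbl-b.test"]  # placeholder zone names
LISTED = ipaddress.ip_network("127.0.0.0/8")


def fixture_resolve(name, rtype):
    """Offline resolver over the constructed records; NXDOMAIN is an empty list."""
    return list(FAKE_DNS.get((name.rstrip(".").lower(), rtype), []))


def live_resolve(name, rtype):
    """Real resolver adapter (requires dnspython); same contract as fixture_resolve."""
    import dns.exception
    import dns.resolver
    try:
        return [r.to_text() for r in dns.resolver.resolve(name, rtype)]
    except dns.exception.DNSException:
        return []


def dnsbl_query_name(ip, zone):
    """DNSBL lookup name: the IPv4 octets reversed, followed by the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def check_mx_host(host, resolve, zones=DNSBL_ZONES):
    """For each address of an MX host, report its PTR names, whether one of them is
    the MX hostname itself, whether FCrDNS holds, and which DNSBL zones list it."""
    host = host.rstrip(".").lower()
    findings = []
    for ip in resolve(host, "A"):
        ptr_name = ipaddress.IPv4Address(ip).reverse_pointer  # e.g. 25.2.0.192.in-addr.arpa
        ptrs = [p.rstrip(".").lower() for p in resolve(ptr_name, "PTR")]
        listed_in = [
            z for z in zones
            if any(ipaddress.ip_address(a) in LISTED
                   for a in resolve(dnsbl_query_name(ip, z), "A"))
        ]
        findings.append({
            "host": host,
            "ip": ip,
            "ptr": ptrs,
            "ptr_matches_mx": host in ptrs,
            # FCrDNS: at least one PTR name must resolve back to the same address
            "fcrdns": any(ip in resolve(p, "A") for p in ptrs),
            "listed_in": listed_in,
        })
    return findings


def check_domain(domain, resolve=fixture_resolve, zones=DNSBL_ZONES):
    """Walk the domain's MX records (lowest preference first) and check each host."""
    mx = sorted((int(pref), name)
                for pref, name in (rec.split() for rec in resolve(domain, "MX")))
    findings = []
    for _, name in mx:
        findings.extend(check_mx_host(name, resolve, zones))
    return findings


if __name__ == "__main__":
    for f in check_domain("example.gov.test"):
        status = "FCrDNS ok" if f["fcrdns"] else "FCrDNS FAILS"
        note = "" if f["ptr_matches_mx"] else " (PTR name differs from MX hostname)"
        print(f"{f['host']} {f['ip']} -> PTR {f['ptr']}: {status}{note}; "
              f"listed in {f['listed_in'] or 'no zones'}")
```

For a live check, call `check_domain("some-domain", resolve=live_resolve, zones=[...])` with the zones of the blocklists you actually want to consult; each list publishes its own zone name and return-code meanings, and most forbid automated bulk queries through public resolvers, so a one-off diagnostic is fine but monitoring belongs on a licensed feed.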

Something very odd is going on with this email address and server configuration. Is that why the Income Tax Department's server itself is being blacklisted for spam? Given how many hatchet jobs the ruling party has done on Somnath Bharti as a "spammer" without him being on any lists, I wonder what the government is now going to say about the Income Tax Department of INDIA!!!

On a relatively unrelated note, the IP address the Income Tax Department mail server is on is hosted at DIT Jhandewalan and managed by a Mr Simanchal Dash using his personal Yahoo email address, and it uses a Bharti Airtel network. Mr Simanchal Dash is personal secretary to Finance Minister Arun Jaitley. A server is important and official property. It is unclear why the secretary of the Finance Minister controls the server for the Income Tax Department using a private Yahoo account and not an official government email, or, for that matter, why the government needs to buy network connections from Airtel.

What sorcery is this?


So a few days ago, anonymous hackers calling themselves "Legion" hacked Rahul Gandhi's Twitter account and made profane tweets from it.

The anonymous Legion hackers then compromised the official Congress handle and other accounts, all of them with official inc.in email IDs.

Yesterday, the anonymous hackers calling themselves "Legion" hacked Barkha Dutt's Twitter account, followed by Ravish Kumar's.

The group of hackers made a tweet claiming not to be affiliated with the BJP.

Which is all very excellent, except there are some very good reasons to believe that the hackers could indeed be affiliated with the BJP. And BJP has a long history of its fronts being "apolitical" or "not-affiliated", going right back to a notable event I attended in 2009 or 2010 (I forget), organized by "Friends of BJP" - which claimed to be an apolitical group. Countless Hindu Sena this that and the other variants have conveniently popped up to attack targets of BJP at opportune moments and vanished into obscurity.

India Against Corruption ran a nationwide protest against the previous government. An "apolitical" organization, that just happened to be amply funded by the RSS, included plenty of BJP affiliated public figures, AND had protests happening in front of every BJP office, was... apolitical.

For that matter, the RSS itself, whose members form a large part of the government and which gets foreign funds for rescue and social work, but managed to put LAKHS of its workers on the streets campaigning for BJP's Lok Sabha electoral campaign, is.... (you guessed it by now) an apolitical, cultural organization. I hope you get my drift. If it walks like a BJP affiliate, acts like a BJP affiliate, quacks like a BJP affiliate AND it claims to be apolitical...

A heads up by the BJP insider handle

A handle calling itself "BJP insider" had tweeted in July that BJP's IT cell had recruited professional hackers to hack and suspend accounts causing problems to boss (Modi) on Twitter and Facebook. This handle has been around for a couple of years at least and consistently tweets what it claims is the scuttlebutt around BJP headquarters.

By itself, it may not mean much, as several months had passed. Or it could mean a lot. Who knows. It is hardly like BJP has never hired people to do their dirty work online.

Rumors of targeting of political opponents and critics being planned

After the second week of demonetisation, there were several rumors that BJP had plans to target political opponents in various ways. The manner in which they circulated and the variety of actions being suggested as possible don't suggest a single source.

Also, some deliberate events aimed at discrediting conspicuous critics of the demonetisation gave credibility to the rumors. For example, the one most widely expected was Income Tax raids on people. However, the "false alarm" with Mamata Banerjee, as well as ex-Prime Minister Manmohan Singh coming under investigation for a scam within days of a powerful speech and article pointing out concerns about demonetisation, certainly raise questions about the timing.

The targets of the hacks

All the identities targeted are top targets of BJP's online troll gangs. Both individuals and organizations. Incidentally, once this was raised, @Joydas was among the first to comment that a token BJP hack would happen. And it did. No undesirable tweets got posted and a large "dump" of their database was apparently put up that no one seems to have downloaded (because the hotshots basically DoSed their own server with it, looks like). What is in it could be anyone's guess. But given the complete lack of agitation in the bhakts normally frenzied about the slightest adverse development, it is difficult to believe this to be an adverse development.

Symptoms of BJP's photoshop industry at work

Screenshots posted of what appears to be a transaction notification email to Barkha Dutt from the Standard Chartered bank have two glaring issues.

 

Receipient? Seriously?

Should be recipient, yes? Strange to believe that either Standard Chartered or a mobile application coder good enough to get the interest of a "hacker" would make such a basic mistake. Leads one to question whether the screenshots are real. It wouldn't be the first time the BJP's photoshop department threw up an "original" document, only to reveal themselves with atrocious spelling mistakes (entire political science, anyone?)

Standard Chartered seems particularly lazy about sending notifications

When is the last time you received a bank notification of a transaction a day after it happened? And that too for what would apparently be a VIP account, given the balances claimed. And no, there doesn't seem to be the possibility of a transaction done just before midnight and notified after midnight, given that this is the afternoon of the next day.

What email application is it anyway?

While I admit I didn't search very hard, I did employ the assistance of Google search. The only match anywhere in applications seems to be one called "fake text messenger" - unless of course the hacker built their own email app or has something obscure. Or it may be some custom OS - who knows, maybe it will help cops trace the phone.

What navigation is that anyway?

There doesn't seem to be any "menu" provided for this "email". Back arrow next to the icon one can understand - goes back to the archive. Where would an arrow pointing right go? Twitter? :p

No need to delete, archive, etc., and reply is out of the question of course, given the quality of the spelling.

What's that url again?

We have here a banking notification that points to a mobile site in one place and the regular site in another. No https (though the url will redirect). Who in the world points to mobile sites in notification emails in the age of autodetection? Probably "hackers" who hack using mobile phones. Either they are very, very good or nowhere near the server, given how tricky mobiles can be.

Whoever has seen an email from a bank that ends like this?

No disclaimer text ("this is an automated email blah blah blah"), nothing on what to do if you've got a notification for a transaction you didn't do, etc. No support email... No sign-off... really? With half the email being an overlap, it is unlikely they had to cut it off for space.

Though in all honesty, I don't have a Standard Chartered account, and they may have the casual approach to notifications. If you do have a Standard Chartered account, do me a favor and send me a screenshot of a notification (blurring as appropriate) on Twitter? My handle is @Vidyut

And well, finally... what the hacker chooses to see or ignore

Some emails supposedly "leaked" by the hacker are like a total Kashmir-Pakistan obsession. I mean seriously, a politically indifferent hacker gets into a big journo's account, and all he can find is emails on Kashmir? ok.

Really? REALLY?

This is probably the first time a hacker out to "expose" missed actionable information (or even failed to seek it, looks like, if this is the highlight of the hack). For that matter, it could be anyone's inbox.

World-class hackers put up a 98MB download with piddly bandwidth and DoSed their own expose? Hilarious. I suppose by the time the traffic goes down, BJP will have it taken down as "action taken".

If you can download the files they have posted, I would highly recommend you not do so unless you know what you are doing and have secured your machine appropriately. If you have to ask how to, don't.

Maybe it is possible that Legion ain't BJP backed. I'll believe it when BJP arrests them. Surely an attack on a political party, account of an MP and journalists - who have protected sources who could be at risk - warrants investigation and arrests right? So let us see.

First of all, what is National Encryption Policy?

“Under Section 84A of Information Technology Act, 2000 Rules are to be framed to prescribe modes or methods for encryption”. So DeitY has framed a draft of such rules which will decide the future of how encrypted services are to be used or provided to users in India. The preamble in the draft clearly shows that they very well understand what encryption is meant to be used for. What they fail to understand is how it helps secure communication between two entities. The problem lies in the strategies stated in the draft. Let us break the draft into parts and try to analyze how exactly they can possibly ruin encrypted services and also how it will affect you.

  • (III Objectives i)) states “to protect privacy in information and communication infrastructure without unduly affecting public safety and National Security”. This is perfect, but then they contradict themselves by saying (IV Strategies 4), “On demand, the user shall be able to reproduce the same Plain text and encrypted text pairs using the software/hardware used to produce the encrypted text from the given plain text. Such plain text information shall be stored by the user/organization/agency for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country”. Yeah, so what is wrong with this? Well, to answer this, let us take an example. You are currently using messaging services that encrypt data sent over the network. You still have a sense of security that you can freely talk about things over the network without worrying that ISPs, private companies and the government are continuously monitoring/logging what you say. The problem arises when private companies like your Internet service provider, the government and even notorious hackers can misuse this data. What the government has stated under “Strategies” is not exactly that but a different version of it. They don’t want to get rid of encryption but want backdoor access to the encrypted networks. This is not acceptable. By demanding this, they are putting critical data and infrastructure in danger. Why? Ask yourself these questions. Can we trust the authorities to keep the keys and the data in “plain text” safe from hackers? It is common for hackers to target government organizations every day to get their hands on information. Governments are easy targets for most hackers because they don’t invest enough resources in security. Can we trust government employees, who can’t prevent hacks on government websites, with our data? The cost of such security breaches would be severe.
Think what happens if e-commerce companies are forced to keep currently encrypted data in plain text as well. Not challenging anyone’s security, but knowing that hackers always find a way in, from experience I can tell that I would probably never use e-commerce services again knowing they are storing critical data in plain text as well. Like me, many would not want to access such services ever. This will affect economic growth. These services will lose users. If there is a security breach and hackers have access to data stored in “plain text”, people will think twice before using such services ever again. At least currently the data is encrypted. Even if hackers get in, there is still an extra layer of protection. They may or may not be able to decrypt the data easily. Of course it all depends on the methods used to encrypt such data. This is one of the major problems that I personally see with the government asking services for back-doors.
  • (IV Strategies 5) states that “B/C groups (i.e. B2C, C2B Sectors) may use Encryption for storage and communication. Encryption algorithms and key sizes will be prescribed by the Government through Notification from time to time. All information shall be stored by the concerned B/C entity for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country. In case of communication with foreign entity, the primary responsibility of providing readable plain-text along with the corresponding Encrypted information shall rest on entity (B or C) located in India”. Entity B is any business or commercial private or public body providing encrypted services, and entity C includes every citizen. This is completely broken. They say that all information should be stored by the concerned B/C entity for 90 days from the date of transaction. How can they expect citizens to store such information? What if hackers break into anyone under the “C” entity and get access to that information? In that case, who will be held responsible? Will the government take responsibility, given that they demand users store such important information for 90 days? Moreover, they are clearly saying that they will be the ones to dictate what encryption algorithms to use and what the size of the key should be. This will cause problems for any business on the technical front. What if their business wants to use a different encryption algorithm because it suits their requirements better? Now the government will decide how you should do business and the technology used behind your encrypted network? That’s why this is completely broken.
  • The most absurd point, according to me, (IV Strategies 7), states that “Users within C group (i.e. C2C Sector) may use Encryption for storage and communication. Encryption algorithms and key sizes will be prescribed by the Government through Notification from time to time. All citizens (C), including personnel of Government/Business (G/B) performing non-official/personal functions, are required to store the plain-texts of the corresponding encrypted information for 90 days from the date of transaction and provide the verifiable Plain Text to Law and Enforcement Agencies as and when required as per the provision of the laws of the country”. This is a horrible strategy to propose. See, C group contains every citizen, so this clearly applies to communication between two citizens. Now let us take an example. I encrypt most of my emails with PGP, and according to the above stated strategy the government can now tell me to stop using PGP and use something else, or they can tell me to reduce the size of the key. This will only make my data more vulnerable. There is a reason why PGP exists. I use it so I can be sure that the email is only read by the person to whom I grant access. No matter what network it passes through, no one else will be able to read that data. I have this sense of security right now. Point 7 takes even that away from me.
  • (V Regulatory Framework 1) states that “while seeking registration, the vendors shall submit working copies of the encryption software/hardware to the Government along with professional quality documentation, test suites and execution platform environments”. This is very stupid. Why? See, if some xyz organization has some patented or closed-source encryption technology, the government cannot just ask them to disclose every detail of the encryption technology. The government will have to get a license from the organization to get each and every detail of how the encryption is implemented. Think about the cost. Secondly, the more problematic situation is: what if such details end up in the hands of competitors? Bam! That will expose your whole security infrastructure to a competing company. That can happen. How can you rule out such a possibility when you know more than one organization has all this information stored somewhere? Whom can you trust?
  • (V Regulatory Framework 3) states that “The vendors of encryption products or service providers offering encryption services shall necessarily register their products / services with Government for conducting business in the country”. So most of the services will probably not want to do business in India because of the above stated reasons. Now you decide whether it’s going to affect the economy or not.
  • Lastly, (V Regulatory Framework 5) states “Users in India are allowed to use only the products registered in India”. Well, say goodbye to VPN services. You see what they did there?

I am just an engineer. I am stating my opinion on this because I think it will affect me a lot. Your comments on this are welcome and hope we can have a healthy discussion on this. This will ultimately affect you and how you use Internet services. Hence, this is a crucial matter and everyone from tech should participate in this.

[Update - September 21]

New exemptions to DeitY policy

All those who are saying that the proposed addendum exempts social media apps, messaging apps, etc., have clearly not read point 1 of the addendum carefully. It states that “mass use encryption products” are exempted from the NEP. The “mass use encryption products” definitely do not include copyrighted crypto algorithms/proprietary encryption products owned by the respective companies. So it does not clarify anything but only adds to the problems.


Originally published by Bhavyanshu Parasher here.

 

Was drizzling when I woke up.

Rain had arrived like a wayward teenager slinking home in the early hours of morning, greeting the day with "What? I was right here!"

"What? I wasn't up to anything!" ~ rain.

"Exactly." ~ @Vidyut

"If you're going to be snarky, I'm going."

"Where?"

"Out"

"You're already out"

"Anywhere YOU aren't there."

"Why?"

"because"

"Typical"

This story first appeared on Twitter.


This post explains Net neutrality and the challenge facing it in India for all of you who can't exactly figure out what is going on. This is not intended to be comprehensive, but it gives you the bare bones of the issue and ideas on how to find out more to form your own opinion.

Net Neutrality is the idea that internet access should not be manipulated to favor some websites over others. Unfortunately the user will still be limited by the internet package they purchase. Let us be upfront about that.

So why, if you don't have a website is this debate important to you?

When you surf the internet for entertainment or information or engagement, your freedom is at stake when you are manipulated toward using some sites over others. While some deals are transparent - in the form of packs - "100 MB of Facebook data free with 100MB 2G" or whatever, other deals may simply manifest as one website opening rapidly while another is agonizingly slow. So, your tendency to go with whichever is ready fast plays out over hundreds of thousands of users. Some sites make a windfall from your unintentional bias (one that has been induced by technology) while others may become extinct. Do you intend to be biased?

So what if I am biased? I like fast websites, and they made the effort to be fast for me.

Not exactly. Throttling is more like other websites being made slower. But there are tangible disadvantages to you too. Let us begin with saying that there is no such thing as a free lunch. When Flipkart invests its money to get you on their site, it only does it because it earns more from your visit. When your network ties up with one operator, it is essentially like the taxi driver who takes you to the "cheapest hotel" and earns a commission for bringing you. You have nothing more than the driver's word that it is the cheapest.

If you are looking for a laptop and get an array of prices from Flipkart fast, while its competing sites will load agonizingly slow, chances are high that you miss finding the cheapest option, because you will be bored surfing slow sites while one blazing fast one is tantalizingly close. The difference in the laptop costs would probably buy you several data upgrades that could let you surf and find the best choice.

But I don't buy online.

How about Facebook (which has a history of offering user data to governments) being the only social network you can use because it is fast and even if you are willing to use a safer one, all your contacts are on Facebook, because it is fast.

What happens when you have to buy data packs and what looked like a FREE Facebook pack becomes a collection of 100MB packs, each coming with something else free? One for WhatsApp, one for Google, another for YouTube.... Would it be cheaper, really? It isn't cheap while you get the "free Flopkart" either. Only less visible, because you will easily use up the 100MB non-Facebook data and you're getting only one pack.

Is "Free" really free? #NetNeutrality

What is the price we pay for free packs?

Would the cheap packs still be free if you purchased them a-la-carte and added sites you use often one by one - for a price? You'd have to, because using them normally would give you the slow versions or be costly if you use them a lot. How many sites do you use in a month?

What if you are an activist or blogger?

If you get a whim to start a blog, you can just start one today. Without Net Neutrality, your blog would be like the tree that fell unseen, unheard - did you even make a blog if no one reads it? If people get bored waiting for it to load and find something better to do? This page loaded in 2 seconds. If it loaded in 8, would you have waited to read something that says "pay attention here"?

There are hundreds of blogs starting daily. Causes. Initiatives. Businesses. Someone finds a problem with degradation of environment in their area, starts a website to converge resources and information to fight it. Today, if you want to start a website, you buy a domain name that costs about Rs.300 for the first year and some webhosting space and you're in business. If you are like me, you already have a server and one domain name later, you add a new website to it. New initiative launched for a net cost of Rs.300 and some effort. What if all these people would be seen normally worldwide, but achingly slow in India, where their target audience is?

Or, the cost of starting a website just went up to Rs.300 + hosting + Airtel hafta + Idea hafta + Vodafone hafta...... 20 operators later, and most of your website running cost would be about PREVENTING artificial interference from driving away your visitors instead of whatever you are trying to do. Or, of course you can pray that all your visitors have the patience of a saint.

Without #NetNeutrality most of the cost of a website would be in preventing it being silenced by paying off providers

When the Net Neutrality debate was raging in the US, activists had organized a day when websites participating in the protest deliberately slowed themselves down to show people what the internet would be like without Net Neutrality. It was the 10th of September - the day after my son's birthday. I will remember it for a long time, because almost none of my visitors read a second page on any of the six blogs I had activated it on that day. From thousands of pageviews, that day was a few hundred. Who'd want to read another page on a site that just.wont.load? I did it deliberately. This would become my reality unless I was willing to shell out money for faster access.

There is a protocol coming up: HTTP/2. It has already been released, more or less. Google and big sites implement it. By the end of the year, a very popular server called Nginx will be implementing it. Sites worldwide will become much, much faster. Except for sites that won't pay these middlemen - in India.

The Telecom industry has been showing huge profits.

This isn't about not being able to afford. It is about exploiting a ready resource for the profit of some cronies. I have said this before, during the debate on FDI and I say it now. We are not used to thinking of the Indian population as a national resource. Yet, if you can harness something that earns you a rupee from each Indian a month, you'll earn a cool 1.2 billion every month. Whether it is by opening the market so foreign companies can profit, or luring citizens to services you make deals with, so those services earn from it. And make no mistake, even if you buy nothing on Facebook, write nothing, even checking your notifications loads pages and earns Facebook ad revenues. Notice how the notifications are designed so that you can NEVER make out which post got the like from your friend till you actually click the link to find out. That's a page load.

I am not trying to be paranoid or even to grudge anyone advertising revenues. I am only pointing out that your convenience is not the goal; the goal is revenue. But it wastes YOUR time. And other services that may be far more user-friendly will not be able to compete with a network promoted by every telecom operator in the country. Even if you are willing to risk a slower network, the people you network with will likely not.

In other words, this is a manipulation, and for all the claims of "giving Facebook free", as Rajesh Mathews put it, I have yet to come across a single free data pack on any mobile provider's website. You have to purchase data, and you get their crony for "free", which will be recovered from your hide in other ways.

Data is data. What you use it for is your business. When you purchase data, it is being sold because it is profitable selling it. The idea that existing data is not profitable and hence principles of equality must be ignored is discrimination and illegal.

The idea that there isn't enough spectrum and therefore existing services that are ALREADY MAKING MASSIVE PROFITS can hold India's internet hostage for their own windfalls is plain and ugly cronyism, if the government allows it.