The government of India doesn't seem to be interested in getting security vulnerabilities fixed. A CS engineer, Bhavyanshu Parasher, has been spending his time understanding the current security standards deployed by the government of India in most of its data-critical apps and websites. Last year, in September, he disclosed a security flaw in Prime Minister Narendra Modi's web API that exposed user identifiable information like e-mail addresses; the API endpoints also had no proper authentication check. During that disclosure, he faced challenges because it was difficult for him to get in touch with the concerned authorities. He mentioned on his blog that the e-mail address listed on Google's Play Store was not working. We had to contact @buzzindelhi (the handle used by BJP's Arvind Gupta on Twitter) to help him get in touch with the concerned authorities.

"The e-mail address provided on Google's Play Store returned a response stating “The email account that you tried to reach is over quota”. Had to get in touch with authorities via Twitter."

Now, the same thing is happening again. He wants to disclose vulnerabilities in two major applications deployed by the Government of India, but he is struggling to get in touch with the concerned authorities. He has published a post on his blog about it, though he has not mentioned the specifics of the vulnerabilities yet, as he is hoping the government will patch them before he discloses them. However, this may be rendered moot, as our searches showed that at least one of the vulnerabilities has already been publicly disclosed, but not by Bhavyanshu. That security flaw is in an unpatched version of server software and there is a CVE assigned to it. A fix has been rolled out, but the developers are not aware of any of this. But then why wouldn't it be so? The UIDAI website still uses SSLv2 and a SHA1-signed certificate in a world where SSLv2 has been phased out for over a decade now, and even free SSL certificates like the one used on this site are signed with SHA2 because SHA1 isn't considered secure. You can go to the UIDAI website and check this for yourself in your browser's details for the SSL certificate.

UIDAI SSL fail

Bhavyanshu sent emails on March 24 and then again on April 4, but he hasn't received any response. This time @buzzindelhi isn't showing much enthusiasm in getting the vulnerabilities fixed either. In response he just directed him to the public Twitter handle of Akhilesh Mishra (Director, myGov). Hardly an acceptable process for initiating discussion about security breaches!

https://twitter.com/buzzindelhi/status/714658965703958528

One would expect Mr. Mishra to contact Bhavyanshu immediately, but the truth is that even he isn't interested. There is, as yet, no reply from him.

It is cases like these which make the whole concept of Digital India look ugly. There are no dedicated e-mail addresses for security response teams. Official e-mail addresses don't work and the apps are poor on security. It is a goldmine for unethical hackers and a complete deterrent for ethical hackers who would like to help the government fix security leaks. There is no way for the researchers to get in touch with the concerned authorities. A concept like Digital India, without guaranteed user data security and user privacy, should not be promoted by the Government of India as it puts many people at risk.

Considering the complete lack of interest in securing the vulnerabilities, we cannot provide too many details. However, people looking to exploit government data would already have found these and would be using them by now. This isn't exactly rocket science. What data is vulnerable? Let us just say that I have seen e-mail addresses, Aadhaar numbers (where provided) and street addresses and can confidently say that a malicious hacker could write a script that replicates the data for all profiles. And before you think that such things are not done, just today, Madhu Menon posted a link to the hacked and leaked Turkish citizenship database.

A similar database of MyGov.in users could prove devastating to BJP, given that their supporters are disproportionately more likely to have signed up. And while Bhavyanshu stresses that he would not do it, it isn't outside the realm of belief that more malicious hackers not just could, but definitely would. And there seems to be no way to prevent this short of raising a public stink, because a government that claims to be interested in a Digital India does not seem to have the foggiest on digital security and the need to have developer teams rapidly rolling out fixes in the event vulnerabilities are found.

"Seems like the government doesn't have a dedicated security team for projects that need immediate attention to security flaws. Instead, people who wish to disclose vulnerabilities have to rely on Twitter handles to get in touch with them. I am doing a lot of volunteer work like this because I like the concept of Digital India but I don't want it without data security and privacy. I have written a web app that will help eliminate this communication gap between researchers and authorities but whom to contact? Who are the concerned authorities after all? Don't give me another Twitter handle!", Bhavyanshu told me when asked about the current status of vulnerability disclosure. He also pointed us to the privacy policy of MyGov and why people should push the government for better data security.

The page for MyGov.in on HackerOne, a bug bounty program by security leaders of top internet companies like Facebook, Microsoft and Google (that rewards hackers for finding and reporting vulnerabilities so that they can be fixed), says it all: "There are no known guidelines for reporting potential security vulnerabilities to this organization." Even the fact that the app has no known process for reporting vulnerabilities is an immediate flag. It tells hackers that there is no one keeping an eye on it or worried about security. Even the most novice programmer puts a working address on Google Play for contacting the developer. Yet, the official application of the largest democracy in the world fails to do it.

Contrast this with the Hack The Pentagon challenge that is actively rewarding hackers to break in and expose security vulnerabilities so that they can be fixed. This is the country where, a few days ago, our Prime Minister gave a speech at the nuclear summit on April Fool's Day explaining the need to fight terrorists using 21st century technology with modern technology.

Yet, his government seems supremely unconcerned about unauthorized access to confidential information. As the UK just saw, in a country that uses technology extensively, a security breach can be used as an attack vector, when hackers hack into the water supply and change the composition of chemicals put into the tap water. A more famous example to recall could be the Stuxnet worm that damaged Iran's nuclear facilities. Yep. Code resulting in real time damage to equipment. We have, in the past, seen that banks too can be hacked. We have seen that election equipment can be rigged. What will it take for us to wake up before our money, our vote, our voice and even our physical location is compromised?

It is completely insane to push for a Digital India and inaugurate three websites a month without having the requisite push to secure the data that will now be vulnerable to theft, or facilities to access. If Digital India must be, then it must be preceded by a culture of taking technology seriously or the whole country will inevitably suffer.

MyGov privacy policy claims to protect user identifiable information. Below are the excerpts from their policy page.

1. "MyGov do not sell or share any personally identifiable information volunteered on this site to any third party (public/private). Any information provided on MyGov will be protected from loss, misuse, unauthorized access or disclosure, alteration, or destruction. MyGov gather certain information about the User, such as Internet protocol (IP) address, domain name, browser type, operating system, the date and time of the visit and the pages visited. MyGov make no attempt to link these addresses with the identity of individuals visiting our site unless an attempt to damage MyGov has been detected."
(https://mygov.in/simple-page/terms-conditions/)

2. "Please note that MyGov do not share any personally identifiable information volunteered on this site with any third party (public/private). Any information provided to this website will be protected from loss, misuse, unauthorized access, disclosure, alteration, or destruction."
(https://mygov.in/mygov-faq/)

Turns out that like many other things, this privacy policy is a jumla as well.

Increasing privatization of necessities means citizens are forced to make purchases from private entities that are opaque to scrutiny and unaccountable to people. It is a permanent profit.

Privatizing essentials for living is undemocratic, because private corporations are not chosen by the people and they are not accountable to the people. We are a democracy, though these days many thought leaders seem to see it as a handicap. Things defined as necessities and included in the human development index MUST have government provided options, even if private entities offer their own services too. Like phones, healthcare, PDS or buses. Some things – air, water, land and sunlight – must NEVER be turned into the hands of anyone not accountable to citizens. Our ancestors weren’t fools to worship them – they are the foundations of life itself. Better than saving the cows, the Nationalists should save these.

Shifting the burden of responsibility from accountable government to opaque, private entities

This may seem like a small matter, but it is not. This is the government forcing people to make purchases from private entities, and I don’t see how any government has the right to impose them on people in a democracy. If companies want to sell better water, let them create their own networks for whoever wants to buy it – and source it from anywhere except this country – make it from the sea for all I care. It is possible. It requires technology, but the fancy corporates have abundant and better tech, I hear. Shouldn’t be a problem.

Supposed experts argue that the government is inefficient and that is why we need private companies. This is pro-privatization bull shit. Indian Government organizations run some of the most amazing, intricate and huge infrastructures in the world. ISRO has some of the greatest space programmes in the world for a fraction of the budget of the NASA and definitely not proportionately less capacity. Our Army is one of the largest in the world. We are capable of achieving quality. Not to mention we have indigenously developed nuclear capacities. We aren’t stupid. It is strange how we excel in some services and are miraculously incompetent where corporate alternatives exist. Or perhaps, those with possible profits in privatization keep quality low to prepare the stage by saying, oh, the government can’t do better, we are not private.

Are corporations really more efficient?

India’s telephone network is one of the largest in the world. Public transport, water pipelines… We can reach to every citizen of the country for things like vaccination, census, elections. Show me the corporation that has capabilities of this scale. We privatized electricity in Mumbai, but show me the corporation that electrified the many villages that need it instead of taking over already profitable areas. That is still this “incapable” government’s job and tax payer’s expense.

Why are there corporate subsidies, bailouts and bankruptcies if corporates are more efficient? Of course necessities being privatized will not go kaput, because we’ll cover the losses no matter what for our own survival needs. Unless they do fail and then it will be a humanitarian disaster that the tax payer must bail out to prevent humanitarian catastrophe. In other words, corporates are able to sell “better” on the basis of advertised efficiency, and make the tax payer suffer the inefficiencies that later emerge. Which CEO or upper management doesn’t get paid when the company is going bankrupt? With essentials, the consumer is powerless with choice between several corporations with similar methods and prices.

We blame the government for not making profit while operating in areas of all kinds of lack of development and think corporates that only run in profitable environments and still can make losses are better? What crap logic is this?

Does privatization bring solutions?

If privatization is the solution to everything not working, then the previous year is proof that we must privatize the Parliament instead of merely letting puppets of corporations run it. Let’s do away with elections, stop calling us a democracy and simply go with the “better option”. Let’s privatize the police force. It is far more inefficient than water supply. Whoever thinks people need cops more than they need water is insane. We take water for granted, because we still have it. As in, you and I – witness the massive protests by those whose water gets threatened over dams being privatized, built, destroyed or water sources being polluted… but wait, you didn’t hear about them.

It is also funny how the “need” for privatization is visible only in the areas where massive infrastructures built at the tax payer’s expense are peddled away to a company that couldn’t have dreamed of creating them. A company that will then bill the same tax payers more for using their creation. Big profits are made – from the “big market” India is. As economy slows, sales drop, stocks drop. No such risk with essentials. You will sell your gold and your house and yourself before you live without water.

Is no one connecting the dots to this massive collusion between government and private players? Why is this happening? Because India is a "developing country" in spite of massive undevelopedness and has delusions of being a superpower. Unfortunately, GDP cannot be faked. The money hemorrhaging through scams, misgovernance, lousy policies and plain posturing needs to come from somewhere. So we are now doing what a drunkard does - selling belongings to pay for booze.

Is it really development to sell away what the government owns?

Like the broke farmers selling their land and borrowing from moneylenders, we are selling or leasing our assets to corporates to afford running the country. We are walking this path, because we didn’t take the farmer suicides seriously enough to UNDERSTAND what was happening. Like the farmer who can’t afford seeds and sells more and more of his life till nothing is left, we can’t afford our outgoing.

Payments over $100 billion coming up. We have a few reserves, but using them will make us less super power and be the stamp on the government’s lack of credibility with money. Time to sell something. The FDI in Retail flopped because massive outcry was raised. Some other FDIs still happened. India is assuring Walmart that the FDI too is going to happen. Pranab Mukherjee is candid: “I need the money”. Never mind that a Parliamentary Standing Committee on Commerce report on FDI in Retail in May 2009 recommended against it. Now water privatization. A bomb proof market of citizen’s needs is sold for vast amounts of money, as guaranteed, stupendous profit.

Corporations are less corrupt is a popular perception – because they 1. legitimize many payments that come out of the customers pocket (compare salaries like CEOs, perks to top management, meeting and conference and such expenses, corporate branding, dress codes, running expenses… for example) and 2. they are not transparent, so you don’t know anyway. You can’t file an RTI to find out even if you suspect. But make no mistake, you pay for the glitter. It isn’t corruption if they tell you upfront. It is only unfortunate and these costs are unavoidable cost of running the operation and you want water from it and now you must pay your bill.

Who is responsible if the poor cannot afford life essential services from private operators?

I have no wish to dictate what corporates do with their operations with non-essentials, but I think in a country with massive poverty, necessities must be as lean and subsidized as possible without trying to “recover investments” at the cost of human rights. There are arguments about “welfare state” and such. I don’t know when the word welfare itself became a bad word, but I cannot understand why it is wrong to ensure a basic human need like water for all regardless of their ability to pay for it.

Is our country really saying that staying in the country is different from having water for living in it? What next? Air? Sunlight? Earth? With India being the most polluted country in the world and radiation increasingly recognized as unsafe, they are possible. Imagine piped breathing air for enclosed spaces from villages or other areas with trees and low pollution, portable air decontaminators with bluetooth pairing with your phone and computer. Radiation and other contamination free properties available for a price. Huge roofs over cities for solar power and you can pay to enter and spend some time in the sun… But only privatized after the tax payer first pays for creating the infrastructures. And then the rest of the people should live with the lousy contaminated state of their “services” or pay up. Our experts would talk about India’s prowess in taming the four elements of our ancient texts.

Why have development indexes by country at all? Privatize all needs, and ask UN to speak with service providers over people dying of hunger and thirst, who will simply say that they are not customers, and they are not answerable for those they don’t provide service to. We can always say that we cannot help epidemics, since we don't have a service to monitor them, and we don't have the service because no one wants to pay for a service that monitors epidemics where mostly poor die. So we at least don’t appear so bad.

Life essential needs are not merely products and services, they are what make life possible

The big, fatal mistake is in buying the government and corporate bullshit that basic needs are services. They are the backbone of a country. They are the resources of the nation entrusted to elected representatives to govern to the advantage and well-being of all. That is why you don’t have corporations who built millions of kilometers of water pipelines. They developed with the taxes paid by the average person to develop the country – over decades, a little at a time. In ANY country. Like building your own home, but as a country. For your whole family. You speak of national unity and staying together and such? This is it that we are kicking away and wondering why people are breaking free.

It isn’t about corporates offering better quality or not, it is about representatives of the people being directly in control of their basic needs. Quality can be improved. You can’t ask a corporate why it provides a certain service to a certain area more than others. You can’t ask a corporate why you don’t get water, but the theme water park in your locality does or make it pay or suffer. Elected representatives have to listen or they get voted out. They have to answer. You can’t ask a corporate just how much profit it is making out of selling water to the “domestic and agricultural sector” and how much of the water is throttled and diverted to other large corporations for their purposes. It is happening already, but now you can file an RTI at least.

In theory, you could regulate what a corporate offers, manage prices, force service to needy areas, even force RTI – which should be done anyway for publicly offered services… but then you would end up taking responsibility for consequences too – witness Kingfisher and its bankruptcy over being forced to service less popular destinations. Now imagine Kingfisher selling your water. Either the poor go thirsty, or bail us out. The corporate becomes beyond the reach of any result, because it has the people by their needs.

If corporations are more efficient, why do they take over what is already working well instead of developing new assets?

Why not ask corporations interested in working in the “water sector” to pick areas with water problems and no infrastructure and develop them and bill the people for a set period before handing control over to the country?

Why not hand over our poor, damaged, polluted, destroyed water bodies to corporates, let them clean up, sue industries that are wrecking them, and make them usable again in return for using them to sell water for some years? They have the resources to make it possible, unlike citizens who cannot and governments who will not. Why not ask for development in return for controlling development? Why can’t corporates be expected to participate in building the country like citizens?

Wouldn’t that be a more logical use of a “more efficient entity”? We have huge areas with drought and such. They could do with a “solution” that is more effective than the government. Water and sewerage of Mumbai is separate from BMC to be eventually privatized. What is the problem with Mumbai’s already excellent water that privatization will fix and the BMC cannot?

Apparently, it is only the government’s inefficiencies that corporates fix. Apparently these corporates that are better than the government cannot create from scratch. And stupid citizens believe this bullshit, because we have people dedicated to telling them over and over that the Emperor is wearing this miraculous robe that is visible to the intelligent. So they ignore draining wallets and pretend to be smart rather than be publicly known as fools or worse “low society people who can’t even afford so much”.

Because we don’t expect capitalism to have a soul. We only expect it to churn out cash. Cash it earns from the masses and delivers to those in power as the price of keeping even more for itself. It is a one way flow. Few citizens other than employees have any way of earning back from these entities. Then we have the amazing numbers of inequality that activists will quote and get criticized for. We admire progress. Increasing numbers. They manage to sink once in a while in spite of such odds when their customers are no longer able to pay more to sustain them.

But asking such questions will not work. I will get a bunch of trolls calling me socialist as if it were a curse – even though I have little knowledge of socialism and am simply questioning what I am seeing being promoted as a good idea – like everything else questioned on this blog, because the maths seems fake.

Make no mistake, the strategic “experts” hit bulls eye when they say the next wars will be fought over water – apparently they don’t coordinate their bullshit with the development experts, and this is not on their bullshit agenda. Both between countries, and inside countries – as water resources become scarce, people will kill and die for water. Our government here is giving corporations the tools for future genocides, or “anti-national elements” tools for the next French Revolution. Because NO ONE can live without water.

But the mainstream media will continue to tell us that they are anti-national people wanting “our” water as long as we pay the bills.

The Indian state has managed to keep the devastating drought in the country out of the National consciousness. Just as it has kept quiet the massive destruction of water resources, falling water tables and sale of water and waterbodies to private players while people and their lands thirst.

What is the situation really?

314 villages of four districts in Odisha are drought-hit, Balasore (278), Bhadrak (4), Mayurbhanj (8) and Nuapada (24). Revenue minister S N Patro told the assembly that the declaration was made based on the crop-cutting experiment report received from collectors of these districts which expects 50% crop loss. Affected farmers of the areas would be eligible to get compensation as per the relief code.

31 out of 32 districts in Tamil Nadu are drought hit. Water channels in the Cauvery delta have dried up, and farmers have suffered massive crop losses, harvesting 10% to 30% of normal yields. Cattle farmers in Tamil Nadu are reeling under scarce and increasingly expensive feed and fodder following drought. A 50kg bag of cattle feed went from Rs.600/- to more than Rs.1000/- within a year. Profits are becoming unsustainable.

Maharashtra (the five year unbeaten champ of farmer suicides and ten year successful robbery of irrigation development) is in a dire condition. Maharashtra is facing the worst drought since 1972 with over 7000 villages in 123 talukas (including entire Marathwada) affected. 1,663 villages and 4,490 hamlets are completely dependent on tanker water supply by 2,136 tankers. Among the worst hit, 236 villages and 1,291 hamlets in Solapur depend on 279 tankers for drinking water. 230 villages and 986 hamlets in Ahmednagar struggle with 270 tankers. People who can't afford tanker water search for water for long and even seek broken pipes.

Ill planned mass conversion from traditional crops to the perpetually water thirsty cash crops in a land with very little irrigation (less than a fifth of total agricultural land is irrigated), combined with a genocidally corrupt government stealing funds for irrigation has led to devastation on an enormous scale. India will see a 3-5% drop in foodgrain production due to this drought in Maharashtra.

An entire decade saw the addition of 0.1% of irrigated land. Abject neglect of protection of the water table, water harvesting, forest conservation compounds that with a rapidly depleting water table. There isn't even MNREGA work available without water. Many have not seen water come from a tap since November. Others in Jalna haven't seen water come from their tap for years.

There are appeals to donate sintex tanks to store water delivered by tankers. Presumably because the thirsty earth soaks it right out of wells used for the purpose.

Crops are gone, trees in orchards are dying, devastating years of work. An alarmed state government is considering methods for monitoring distress migration out of drought affected areas. The state cabinet has decided to charge 60 crores to cooperative and private sugar factories toward providing drinking water to drought hit regions. An interesting state of affairs: is this an official admission of the outrageously exploitative inequality of water supply (more than half of Maharashtra's water supply goes to sugarcane, which is 6% of cultivated land) being compensated with an emergency one time charge rather than restoring water equality?

Sugarcane output is expected to drop below consumption in the coming year. This will get the attention of the sleeping middle class. New plantation is down by nearly 50% in both Maharashtra and Karnataka. Wineries have survived the drought with water brought in by tankers for irrigation in some cases. Alas, beer is not doing so well. Six out of eleven of Maharashtra's breweries being in Marathwada (worst hit) and sourcing water from the Jaikwadi dam (which has only 5% water left), they do not have enough water for production.

The Babasaheb Ambedkar Marathwada University (Bamu), Aurangabad, with a large number of students from the economically backward class has set up a student relief fund, which has so far received contributions of around Rs 46,000, said registrar Dhanraj Mane. You can support these students by sending your donations to the fund account number 60123671371, Bank of Maharashtra.

Rich temple trusts are reaching out to help people in this moment of need. The Siddhivinayak Temple is donating Rs 25 crore to the Chief Minister's relief fund. Pune's Dagdu Sheth Halwai Temple Trust is adopting a village in drought hit Sangli, while the Shirdi temple trust has decided to provide 5,000 water drums each of 1,000 litres in the drought hit villages.

Maharashtra Police is donating 15 crore out of salaries. "Constables and Sub-Inspectors will donate their one day salary. Assistant Police Inspectors and above level officers will contribute their two days' salary of the current month towards drought relief," a police officer told PTI.

The political opportunism continues unabashed. RR Patil declared donating a month's salary toward drought relief and suggested the cabinet do the same with Chavan and Ajit Pawar donating two months' salaries, which Chavan called a publicity stunt and shot down, because [pay attention] they were asking the center for a 2500 crore package and could ask for corporate donations. Two days later, Chavan did his media stunt: "I appeal workers to wipe tears of drought-affected people ... We will have to reach out to the people by showing them the work we have done as promised in the manifesto."

Congress minister Patangrao Kadam raised concern over depleting water levels and announced special funds to make water available for citizens living in areas hit by the drought. NCP minister Rajesh Tope said that farmers engaged in fruit farming too have been hit by the situation and demanded a special package of Rs 90 crore to bail out these farmers.

Raj Thackeray had harsh words for Sharad Pawar over the irrigation scam and its role in the drought (I think Ajit Pawar should be hanged, if anyone is asking). NCP workers pelted his car with stones. MNS workers purchased and burned a car as protest and got arrested for burning their own car and "pretending to protest" - whatever that means. Presumably that they should have burned public property to get away with protest without arrest. Protests that do not harm others get arrested in India - golden rule MNS forgot.

At a conference in Aurangabad, Sharad Pawar, accompanied by Ajit Pawar, had blithely defended the diversions of water to industries, and rejected the idea of more resilient cropping patterns because sugar was important. He promised all help, but didn't actually announce any saying that the center had already given 778 crore to the state to compensate previous crop losses. Yes, this is the agriculture minister speaking. Instead, he urged Rural development minister Jairam Ramesh to visit and criticised NCP MLA Madhukarrao Pichad for his reluctance to release water from the Nilwande dam.

In Pimpri Chinchwad, he blamed the drought on unplanned use of water. What water? There was no conservation and rain is the only source. Not even water harvesting. Let alone the irrigation.

The Bhujbals, on the other hand, are in chance pe dance mode, having cancelled their electricity stealing, private funded Nashik Festival (MSEDCL found power stolen from street lights and demanded payment) in favor of commandeering land moving machinery and passing it off as the contribution of their foundation to making a watershed in the village of their rival. Still, not stealing electricity in times of severe shortage has to get some marks. After all, this is Maharashtra, ruled by a cartel. Plus, who knows, the machinery publicity may actually end with something useful? Also some bonus points for developing rival's village before own? Election gimmick you say? Ok.

In the meanwhile, the irrigation scam seems to have got off scot free. Ajit Pawar is happily rehabilitated. A decade of lost irrigation development, now discovered has led to no attempts to try and compensate at this late date at least. Cheaper, long term development like rainwater harvesting or other low expense initiatives with potential for transformation have been ignored - presumably because low cost offers no profit margins. The budget has no special provision for Maharashtra in spite of its devastating (and man-made) crisis. 1,800 crore for five drought affected states seems vastly inadequate for the kind of recovery necessary. Though how the state even has the audacity to wash hands off its own scam and blame the center for not allocating funds to compensate is a mystery.

We speak of raping, plundering invaders, looting colonists. Maharashtra government has managed the impossible. It has successfully raped, plundered and looted land and water itself.