My views

pictureMy views about the Supreme Court Judgement on 24 March holding the Section 66A of the IT Amendment Act 2008 as 'unconstitutional' is that a powerful tool in the hands of cyber crime sleuths has now been lost. Read on for the full story...

pictureAbsence of Moral Education or a session for Ethical Values in the time-table especially in Secondary or Higher Secondary Level takes its toll. Students and the educational institutions in general these days are particular about more and more marks, which alone has become the criterion. Bringing up culturally well-behaved, ethically stronger and well-behaved youth is not in the agenda of educational institutions. This was the crux of my interview on being questioned why the number of graduates (ie educated ones) is on the increase among convicts this year. Excerpts from the Indian Express dated 1 Nov 2014.

pictureOf late, fraudsters innovate in learning about technology and finding newer techniques in committing crimes. It is difficult for the investigating agencies to keep pace with them and learn the same at the same pace and of course, equally difficult for the victims, for the legal fraternity and the judiciary who are all the other stake holders in crime investigation. Among the latest is IMEI Number faking in mobile handsets with a view to make them untraceable. Such faking (as a hardware chip-level embedded technology) is certainly an offence, no doubt. Times of India carried an interesting story on this. Click to view My interview in Times of India 7 Nov 2014.

pictureIt is heartening to read that the National Cyber Security Co-ordination Centre will be in place shortly. An apex level Monitoring Agency with all information! Oh, this has been the dream of every concerned Indian. Security professionals in India have often felt that cyber security has not been given the due place it deserves.

There are agencies, ministries, departments and government bodies (like NTRO, CBI, State Police departments, IB, RAW, Intelligence, Defence and Home Minsitries besides the PMO itself) who often acquire lots of critical information on cyber security of national importance (sometimes from across the cyber boundaries and often from within the nation itself). Cyber Criminals take advantage of the disconnect and the absence of sharing of critical information among these departments. It is already late. As top priority, at the apex level this NCSC should be in place with some sort of control at least for sharing of information among all the stake holders including the state police and all investigating agencies.14 Sep 2014.

Blocking of pornographic websites

pictureIn response to a Public Interest Litigation filed in the Supreme Court of India, the Government recently submitted an affidavit wherein, as reported in the Press on 28 Aug 2014, the government has stated that ‘it is impossible to block the pornographic websites in the Internet and if one website is blocked, hundred sites come up’. It sounds as though, the problem cannot be solved. In fact, this problem has a techno-legal solution. Technologically it is possible like having a national level firewall, web-filters, content monitors etc (and in the long run going for an Indian operating systems for computers, our own anti virus, indigenous firewall and above all, our own servers to host) and legally it is feasible to have control over such websites and take speedier action in blocking that would serve as a deterrent to many more coming up. While it is true that the government cannot be expected to take care of all security initiatives like blocking pornographic websites etc , it cannot be digested that the government cannot wash its hands off, saying that there is no solution to the problem.

Without going into the wider ramifications of the issue and the technical feasibility and legal remedies available, let us look at the issue from a citizen’s perspective. From a social angle, it is the duty of Internet users especially the elders and parents to have watch on the websites their siblings visit, to ensure that the computer systems are kept in the open halls wherein the parents too can look at the monitors and have constant interaction with the children on their likes and dislikes in the Internet. Technologically, initiatives like child-lock URL filters, web-filters, PC fire-walls with content filtering etc can be put in place.

Blocking of Websites and monitoring of SMS 

pictureIt is time the government did something to enhance the level of information exchange and co-ordination among the various agencies that are involved in information security, cyber crime prevention, investigation and other related areas.  At the apex level at the Government of India, say the PM’s office or some such higher level, there must be a common repository of cyber crime related information, from which authentic data can be taken by all the stake holders say the state police department, Intelligence Wings of various state police, Crime Branch sleuths and others.  This may be monitored, controlled and checked for any possible misuse.   

Quite often there is a big hue and cry that Sec 66A of the IT Act should be repealed.  There is a writ petition in the Madras High Court on this.  Some people are always of the opinion and vehemently too, that individual privacy, liberty and freedom of opinion and expression is supreme.  Let it not be mistaken that even the constitution-protected individual rights to life and liberty and expression is always with reasonable restrictions, as interpreted in many judgements.  Individual right of expression should never be above the national interest.  When the nation’s supremacy is questioned or the national sovereignty is sought to be impacted, there is no question of individual right of expression or freedom.  Under such circumstances, it is not the right but the duty of the powers that be to protect communal harmony even at the cost of curbing individual right to freedom.

Views on Blocking of websites and monitoring of SMS appeared in "The Hindu" 29 Aug 2012. Click for the news item

RBI's ill-conceived move

pictureRBI understandably, is seriously mulling over the idea of 'disincentivisation' of use of cheque books. In other words, use of cheques is going to be discouraged and instead use of electronic remittances and use of Internet Banking and other electronic remittances are to be encouraged. As the regulatory and Public Sector Monitoring agency dedicated to customer interest and investor protection, I fail to understand why RBI should embark upon this task of disincentivisation of cheque leaves. Even advanced (technologically and academically more literate) nations like UK once thought on these lines and later gave up the idea. Major banks nowadays fail to make public the amount of loss of the number of cases under disputed electronic remittances. SBI the major public sector bank of the nation, even escaped revealing such figures under the cover that SBI cards is a separate entity not coming under the public authority of SBI. Under these circumstances, this move of RBI is not in the common man's interest. The time is not ripe in India to discourage the use of cheques or replace it.

Press Appearances

pictureParticipated in the Panel Discussion in "Puthiya Thalaimurai TV" on 20 Nov on the issue of arrest of two girls in Mumbai for posting their message in FaceBook expressing displeasure on closure of shops in Mumbai, after the death of Bal Thackerey. It was a live programme from 9 PM to 10 PM with the other participants in the panel being Ms Salma, Social Activist and Poet and Writer and Shri Vijayashanker, from the Frontline Editorial Board.

Hacking: Illegal but ethical??

picturePreface: This article discusses in brief the techno-legal issues in the activity called ‘hacking’, its treatment in the Information Technology Act 2000 (later amended by the I.T. Amendment Act 2008), the practice and the social acceptability of ethical hackers and the responsibility of information system security professionals.
Read more...

Addressed a Press Meet on the Government's action in blocking websites and curbing SMS

pictureOn 28 Aug 2012, there was a Press Meet organized by Cyber Society of India to sensitize the Press on the wider ramifications of the action taken by the government by blocking many websites and curbing sms as a preventive measure in the aftermath of mass exodus of people to North East, from different parts of the country. On behalf of CySI, as an official spokesperson, I clarified to the Press along with the other CySI office-bearers present said that what the government to block the websites and curb sms and thus prevent major threat or loss of life is most welcome. But we have to look at the preventive measures. As an immediate measure, steps like verification and a 2 Factor Authentication of a mobile number and session generated PIN to activate the newly opened mail (like in Gmail) or even while creating a website can be followed. Monitoring, surveillance etc for sms with the usage of specific software search string based utilities may be explored. As long term measure, India going in for our own operating system, our own anti virus, firewall and other security related software like Unified Threat Management software including URL filtering, stateful inspection etc and even hardware manufacturing may be explored. Our indigenous O/s BOSS developed by C-DAC is not being effectively used, for want of support and patronage, marketing and popularity. Better and enhanced co-ordination among all information security related agencies and government departments may be ensured. Now these agencies and departments come under various Ministries exposing to lack of exchange of information security information. In a crisis situation, enhanced exchange of such intelligence information will be of great help. http://www.thehindu.com/sci-tech/internet/article3844006.ece

One journalist in his blog has questioned the expertise of CySI office-bearers to convene the Press Meet and address the media as experts, though the media gave extensive coverage to the Press release and all these suggestions, especially The Hindu, The Times of India, Deccan Chronicle and Dinamani in Tamil.

One or two sentences in the blog, especially the phrases like 'self-styled cyber experts' , "hiring PR agencies vying for a 15 seconds slot in national TV" are all grossly uncalled for and highly in bad taste. He has not mentioned by name. If CySI is a self styled cyber expert vying for 15 seconds in national TV channel, what is this reporter doing? He too by spitting venom wants the same few minutes attention by this article, right? In fact, I read the story twice. Frankly, I do not understand what exactly he was trying to convey. Other than the view that our idea of asking for id is not practical and cannot be used, there is nothing else I can make out.

Even to this counter, I would ask him this: I have seen "A Wednesday" the Naziruddin Shah film as well as its Tamil version by Kamal Hassan "Unnai pol Oruvan". That is not about mobile number and id proof. (In fact that is about stuxnet or Fast flux -- ie a variant of botnet -- where your IP address keeps changing taking the bot's IP on the fly making the system work like a zombie). That apart, if id proof can be faked and does not serve the purpose, even number plates in cars are faked and in many films the villains and sometimes heroes too drive the cars with fake number plates. Can I say, we do not need number plates, they don't serve any purpose. Police officer's uniform is faked and many con-men come dressed in police attire. Can we say police uniform does not serve the purpose?. I can make the list endless. If the reporter can quote "A Wednesday" I can pretty well quote the Prakash Raj film "Payanam" wherein a journo comes in the uniform of a police and takes a photo of the hijacked aircraft. Can we say for a moment that all reporters are criminals and cheat like that?

The other idea of national level body. The Note on Securing the Cyber Frontiers, submitted by DSCI - NASSCOM, dated 22 March 2012,may be seen, wherein the first of the ten recommendations, is on National Structure for Cyber Security...appointing a fully empowered head for cyber security at the highest level....

The NASSCOM-DSCI recommendation No,5 is on National Threat Intelligence Centre which should integrate all the existing information sources such as CERTs, intelligence bodies.....(In fact this is what we were precisely telling in the Press Meet)

Recom No7 is on building lawful interception capabilities. This is again what we stated I the Press Meet by describing it with 'key word search', interception of message etc.

The NASSCOM -DSCI publication is in the form of a 72-page book, and carries a diagrammatic (pictoral) representation of various ministries showing the agencies coming under them ie showing DIT, CERT,NIC, NISCG under ICT Ministry, CBI, NIA etc under Home, DIARA, DRDO under the Defence Minsitry and NTRO separately. In fact, this is what exactly we were telling in the Press Meet. Frankly, though nothing new in our suggestions to the government, there is nothing wrong or technically impractical either.

pictureAppeared in Sun News Channel on 10 July 2012 on the recent cyber attack in the Tamil Nadu Police Department website in which newspapers reported that police data have been stolen by "Anonymous".

Senior police officials stated that only some data relating to the complaint detailed lodged with the police have been stolen/copied and no critical information. In the TV interview I explained the provisions of Information Technology Act 2000 and Information Technology Amendment Act 2008 which have stringent provisions on Hacking and other data related offences. I explained the need for the government to have more Information Security professionals in places and to take swift action and spread the message that the government was serious in data protection.

picture
Pornographic Sites and Cyber Crimes

Of late, it is quite depressing to note that pornographic sites are on the increase. Whatever be the complaints against them and the efforts taken by the government, it is becoming difficult to curb the menace completely. The filtering of pornographic sites poses a technical challenge. These websites keep on changing the names, domain addresses and hosting platforms from time to time making it difficult to filter or block such websites. Unfortunately majority of these sites are hosted outside India. Software tools used for blocking are not of much help either. Sometimes they act block some genuine content or slow down the systems.

It is heartening to note that government is aware of the issue and concerns are being expressed at various quarters in the subject. On 12 Aug 2011, Shri Sachin Pilot, the Minister of State Communication and Information Technology, Government of India, in response to a question in Rajya Sabha reportedly gave information about the relevant sections of I.T. Act as amended by I.T.AA s008 (the popular Sections 67, 67A and 67 B) and added that legal framework in the country is adequate enough to tackle the problem. But the question is CERT-In is the empowered body to take action on these complaints. CERT-In does not adequate man-power and does not have the publicity material to make its efforts and to show its strength to the public, especially the wrong-doers and the misguided and misadventurous who port materials in such web-sites or help such web-sites. The Hon'ble Minister could have added these points also in his reply emphasizing that CERT-In coming under Dept of I.T. under the Ministry of I.T.will take steps whenever any complaint is received by it. Such a statement when it comes from the Minister himself will deter those in the 'trade' of porting such lascivious material in such objectionable sites.

picture
•  Workshop on Cyber Crimes planned by CySI.

•  Times of India Chennai Edition carries a big story under the caption: "Honing the Sleuths" In this descriptive article the story focusses on the contents of M.Sc. Cyber Foresnsics and M.S. Criminology courses of Madras University. In the just concluded academic year, this course has witnessed 100% placement thanks to the tremendous employment potential for those with a knowledge of computer security and the subject of criminology. As a Guest Faculty in this course, views of V Rajendran have appeared in Times of India 7 June 2011 page 4. Chennai.

Authorship ANd Articles

“Security Concerns in electronic delivery channels in Banks” in the Technology Special Issue of Indian Institute of Banking and Finance’s journal “Bank Quest” in its July 2007 issue. Click here for the full text of the article.