Saturday, October 8, 2011

GLASSHOUSE SEC.RITY Natgrid and privacy

Security is not about collecting information. It is about collecting very narrow and specific information. It is the reason why prevention is so hard. Even if one knows what one is looking for, it requires a constant state of receptiveness and intelligence to discern patterns. Quite obviously computers would fit the bill for being very receptive and could be scaled suitably for looking at EVERYTHING ALLTHETIME. So someone - it has to be a person swayed by sophistry about both computers and security - in the government swallowed that rubbish hook, line and sinker. They decided that snooping on all electronic communications all the time would prevent the type of attacks happening around the country with fair regularity. The government passed various laws that made it mandatory for service providers to record all our communications, including handing over cryptographic keys for services which were encrypted (Blackberry). Bad enough so far. Someone found that getting permissions from various state departments was a pain. Besides each state investigative agency was running their own pawn shop. How wonderful it would be if we could have a central secretariat. Each individual investigative agency need just forward their request to the central secretariat and the secretariat without having to send any request to the service provider - a particularly nice benefit - could then access your communications. Another nice benefit is that if more than one agency were investigating the same subject, they could all be alerted. This secretariat would also be linked to the NPR and 20 (or some such number) other databases, with probably more to follow (CCTNS).
The secretariat is known as the NATGRID.
NATGRID is not a secretariat, it is a network with a storage backend that links to the above 21 databases. It will have the capability to retrieve info and run various heuristics to discover patterns and correlations in the 21 (+) databases. These heuristics will proffer the intelligence in discerning underlying patterns. And here lies the rub.
Besides the obvious-to-all-except-the-government total breach of privacy, any claim to intelligence would have to be taken with a sackful of salt. It is utterly trivial to defeat such heuristics both on a lexical analysis as well as on geographic tracking. Any 2 pence terrorist would be really stupid not to stay under this surveillance radar, and tracking stupid people with "intelligent heuristics" speaks a lot about both the natgrid and our agencies. Methods to fool the system would include using various anonymizing proxies, including a large number of people to whom the suspects send random stuff, using codified words for real communications while asking everyone to include a random collection of explosive sentences, that would bomb the ears and create mayhem in minds of the infidels who kill chicken and massacre forests, etc - You get the drift. We haven't even begun to talk of encrypting your data, setting up fake BTSs, having zombie networks - top level domain nic.in might be a fine place to host one -, using steganography, captcha-like Devanagari/Indic fonts, or just plain not using data and voice networks. Do all the stuff man-o-man.
So, far from actually being able to detect anything meaningful, it is most likely to send an already overworked and grossly under-trained police force on wild goose chases. It will also set about enabling the means for political victimisation both at a macro level and at the local level by generating fake data.

As it now stands there is no supervision of the natgrid's use. An audit committee - consisting of its users IB, RAW and CBI (no it is not a joke) - is the only supervision. Given our investigative agencies' penchant for political gamesmanship, one should oppose yet another waste of taxpayers' money. While politicisation and subversion of the police continues unabated, we come up with these schemes with failure painted all over them.
Security is about making U the public secure. Treating U and your data as sacrosanct. It's the U missing in the government's security (and other) policies that is the cause of the problem.

Talking of bypassing supervision: In 1975 we had an exam prelims on economics. Many of us were a bit apprehensive of the subject. One of my classmates named Prithiviraj Dandu marches into the exam hall and starts writing right to left, an entire para. It took some looking at - especially if you did not see him actually writing - to decipher that it was the answer to a question in the paper. The class supervisor as well as the principal, vice principal and senior supervisors passed by doing their rounds, looked at the gibberish askance and never found out what it actually was. Hoodwinking humans is easy. Hoodwinking computers is a lot easier. Converting computers to zombies and gaming such systems is even easier. It would be utterly trivial for an inimical neighbour to plant or remove all sorts of data from such centralised, single point shoot-me-in-the-head targets.

I would strongly recommend that everyone include a random smattering of guns-n-roses, bombs, grateful dead, mayhem, deep purple, nuclear, dirty bomb, man killall, shoot the foobar etc in all communications on the net.

