UID. UIDAI, AADHAAR: The promise, the premise and performance—a reality check

**If you are looking for a compilation of different articles on UIDAI go to
http://aadhararticles.blogspot.com (AND)
Periodic updates at http://openspace.org.in/UIDaadhaarsecurity2012

for a humourous take
http://thefishpond.in/edwin/2010/uid-scrapped-nascum-calls-for-bharath-bandh/#more-1041 (AND)

** A good short guide http://www.scribd.com/doc/64484088/UID-for-Dummies
**their response http://epw.in/epw/uploads/articles/15120.pdf **

The Unique Identity Authority of India (UIDAI) will collect the following data fields and biometrics for issuing a UID

  1. Name
  2. Date of birth
  3. Gender
  4. Father's/ Husband's/ Guardian's name and UID (optional for adult residents)
  5. Mother's/ Wife's/ Guardian's name and UID (optional for adult residents)
  6. Introducer's name and UID ( in case of lack of documents)
  7. Address
  8. All ten finger prints
  9. Photograph
  10. Both iris scans.

As per the report of Demographic Data Standards and Verification Procedure (DDSVP) Committee set up by UIDAI , the address details to be collected from the citizens will have the following fields: Building, Street, Village-Town-City, District, State, Pin Code etc. As per the Know Your Resident (KYR) plus concept of UIDAI, additional fields could be included by the Registrar. It is suggested that the name of the relevant Village Panchayat (VP) may be added as an additional data field.

UIDAI has been set up to manage this task.

When India’s UID project was set up and the well respected Nandan Nilekani took over as the helmsman UIDAI, his senior—and perhaps more respected—colleague at Infosys Narayana Murthy said that it was like a younger brother leaving home. In the months since then, UIDAI has turned out to be contentious: from those who say that it is the one sure shot solution to india’s problems—from security to poverty allieviation—to those who warn that it is more of a big brother act, gutting the constitution—and everything else—in its path.

There has been a lot of hype about the new technological magic bullet that will suddenly ‘provide an identity to every Indian’ with Nilekani (*) even proclaiming that UID isn't just a number, it is an identity, result in ‘financial inclusion’ and enhanced security. Some of the more fantastic claims include better jobs, better pay and access to banks.

The retort has been from the dismissive ‘hey, didn’t we have names before?! And weren’t passports and ration cards issued based on that?’, to the more measured position that each of these claims is patently false, and known to those pushing for this colossal technological, financial and administrative scam. Given the circumstances of poverty and ignorance of large sections of Indian citizens, it is akin to grabbing the food from a child’s mouth.

UIDAI has hired five experts to help communicate different messages to different sections of the Indian population for a buy in. Due to government regulations, the five specialists advise in an individual capacity and not as representatives of their organizations.

Let us look at each of these claims one by one. We need to ask the more fundamental questions such as Do we need this? What is the problem we are trying to solve? Is this a solution to the defined problem? What has been the global experience? Is this just a solution looking for a problem?

In a telling comment, after a very public disagreement with the Ministry of Home Affairs which called the Aadhaar flawed , the UIDAI has 'taken a break' for six weeks from March 2012 so that they can study what went wrong. The officials admitted that in some sense, it was a large pilot project, and there was a need to pause and look at what worked and what did not. A rather costly field pilot study at over Rs 5,000 crores (Rs 50,000,000,000 U$ 1 billion)

* link from UIDAI website.

01 UID and Financial inclusion

An initial claim by UIDAI, still repeated by some, is that UIDAI will help the poor get bank loans, and therefore lead to ‘financial inclusion’. UIDAI will not lead to financial inclusion. Bank loans are given on the basis of creditworthiness. This is perhaps the most cunning lie. People are told that once they get the UID, they will get loans (we will get to the other services shortly).

The fact is that they will not. They will be worse off than before—they will be straddled with the huge project cost.

As the Training Manual on UIDAI and Aadhaar now tells us (page 4)

Benefits of having a Unique Identity
So what does a unique identity have to offer us?
• You get a bank account, passport, driving license, etc., which no one else has. Your money in the bank cannot be withdrawn by anyone except you!
• You can own a credit card and get a loan.
• You can own a house, a shop or a business.
• If you belong to the marginalized and deprived section of society, the government can help you by providing subsidized food rations and various beneficiary schemes.

The fact is that all of this is done now, and possible, without the UID. Yet, the converse can be asserted with confidence: processing an UID will not entitle you to any of these. The absence of UID does not prevent possession of credit cards, homes and businesses, unless the government makes it mandatory by administrative fiat.

The UIDAI has been trying some verbal gymnastics on this, tying themselves into knots and trying to scale back from their initial claims. Now they say that Aadhaar will help the poor open back accounts to access government schemes. This is what the manual says, just one page later. (page 4)

It is important to understand that merely proving one’s identity is not enough to guarantee a bank account, a house, or food rations. But for the government to be able to reach out to the marginalized and the deprived it is essential that each one has proof of identity (page 5).

Not surprisingly, the three examples given (pages 4 and 5) are geared more towards creating a fear psychosis rather than illustrative of why Aadhaar is needed in the first place. None of these need Aadhaar. What Aadhaar will do is to add another degree of harassment… hence the disclaimer immediately after the examples. It is anybody’s guess whether the disclaimer will be emphasised in the training of trainers.

As for the poor needing the UID to open bank accounts—supposedly for the government to reach them—Finance Minister Pranab Mukerjee disclosed that 84% of the money for NREGA is already being disbursed through bank accounts and post office savings accounts . So are we doing the whole exercise for just 16% of 37% the population below poverty—meaning under 6% of the Indian population at best.

Here we do not for a moment suggest that the government cannot make anything mandatory for accessing any of its services. But that is administrative fiat rather than technical necessity—nor is it a security requirement.

02 UID PDS Rations and other government schemes

Since the Public Distribution System (PDS) has the largest database in the country, UIDAI has roped them into providing their database for Aadhaar. Though there are claims of duplication—one of the stated benefits of the Aadhaar is deduplication—this argument is flawed on two counts. The first is that the number of ‘below poverty line’ BPL Ration Cards are well within the recent estimates of poverty whether by the Multidimensional Poverty Index (MPI) (55%) figures, the World Bank(42%), N C Saxena(50%), Arjun Sengupta (41%) and Tendulkar(37%)

It is only when compared with the absurd Planning Commission (27.5%) estimates that the BPL numbers are seen to be too high. For the record, about one in two Indian children are malnourished—a sort of validation for the poverty figures. If not, one will have to conclude that about 25% of the families that can afford to feed their families deliberately don’t feed them. Secondly, the investment in Aadhaar is many times the requirement needed for universal PDS, with the rich self opting out.

Rations will be given based on the Supreme Court orders, not because someone has an UID or not. The PDS system has been under assault for several decades now, and it is the government—this government with the Prime Minister and the Minister for Agriculture—who are opposing giving even the rotting food-grain to the people despite the orders of the Supreme Court of India.

The way to ensure food security is to protect farmlands and ensure that all can access the PDS system. Universal access will ensure that the rich opt out. Administration of the PDS by women’s groups, as is already being done in certain parts of the country will ensure that there is last mile verification and zero corruption by government employees.

The story could be repeated with slight variation for other government schemes. The reality is that most of the leakages are because of government employees and politically connected touts. The 'leakages'--the bribes and the corruption--take place before and after, seldom at the point of sale. The Aadhaar scheme does not cover the more prevalent forms of corruption.

Where there is no electricity—which is most of the country—this scheme will only sharpen the digital divide. Villages where there is no electricity will be removed from Aadhaar, and consequently from government schemes since the government in its wisdom has made it mandatory (or is making noises to that effect).

03 UID and security

Will the UID enhance security or end up gutting security?

This scheme is touted as a panacea for security. It is here that it is at its most flawed. Keeping all the data together is a criminals dream. It provides them just one (or a very, very limited) server or database to crack, and they get a master key. No matter how much is invested in keeping this data secure, it will always be hacked or leaked. For the record, in just eight months of 2009—10, China hacked into the computers of the Indian Prime Minister’s Office (PMO) not once but multiple times. They have also hacked into the ‘high security’ Indian embassies in Kabul, Moscow and Dubai, United Arab Emirates, and at the High Commission of India in Abuja, Nigeria. Confidential information taken from Indian embassies include assessments of Indian relations with West Africa, Russia, former Soviet republics and the Middle East. Computers used by the Indian Military Engineer Services in Bengdubi, Calcutta, Bangalore and Jalandhar; the 21 Mountain Artillery Brigade in Assam and three air force bases were compromised, and computers at two Indian military colleges were also taken over by the spy ring. Why the Pak Cyber Army hacked Vijay Mallya’s website is beyond me.

Even the security conscious US war department found close to 91,000 of its classified pages on the whistleblower site Wikileaks in August 2010, not very different from the Vietnam war papers landing up at the New York Times in 1971. The Abu Ghraib Prison torture pictures found their way to the internet.

The data storage faces the physical threats of yesteryear. Even in this ‘old world’ data security UIDAI itself has been found wanting. It has just a handful of employees. All are handpicked. Yet, within days of refusing to share their plans and stonewalling any request under right to information (RTI)—so much for good governance, transparency, accountability—their plans landed up on the Swedish website. When Nilekani cannot even safeguard his own data, with his handful of handpicked people, how does he hope to secure the data of the nation?

Since the data is sensitive and is an access point for many different benefits, it will need backups in case of crashing or physical corruption of data. Commercial email has up to seven backups to prevent data loss, so the government databases will probably need up to ten different back ups, in ten different locations. This makes it all the more difficult for database management, since the data has to be wiped clean in all. The data has to be secure in all these locations, and be fire proof, terrorist proof, earthquake proof, with 100% uptime.

The physical security of the database is the lesser risk. In addition, it will have the cyber threats. Since it is to be used, at the very least, as a referral database, access will need to be public. So it will be accessible over the public data cables rather than the relatively more secure dedicated backbone.

Coming from a technocrat, the scheme is even worse for its deeply flawed assumptions regarding technology. Section 38 of the draft NID Bill has a long list of crimes, which if intentionally done, could result in a Rs 10 billion fine. Virtually all of that is possible by anyone using Microsoft operating systems—for instance 38(c) [knowingly] introduces or causes to be introduced any virus or other computer contaminant—since they are known security issues in these ubiquitous Microsoft products.

To understand the power of the code-breaker and the computing power that is available to the hacker, current practice in banking is a good guide. Even ten years ago, the advice was to change the password every six months. It was reduced to two weeks. At the moment, for regular banking transactions, the bank gives one time passwords, valid for 15 minutes, from the same computer from which it was requested. That is the small window that they believe that the password will be secure. For high value transactions, it is even more. It is this superior computing power that will be used against the UIDAI database—and the hacker has to get it right just once.

Encryption is not the solution either. As Bruce Schneier warns us Encryption doesn't reduce the number of secrets that must be stored securely; it just makes them much smaller. Storing encrypted keys becomes as important as storing the unencrypted data was. Historically, the reason key management worked for stored data was that the key could be stored in a secure location: the human brain. People would remember keys and, barring physical and emotional attacks on the people themselves, would not divulge them. In a sense, the keys were stored in a ‘computer’ that was not attached to any network. And there they were safe. This whole model falls apart on the Internet. Much of the data stored on the Internet is only peripherally intended for use by people; it's primarily intended for use by other computers. And therein lies the problem. Keys can no longer be stored in people's brains. They need to be stored on the same computer, or at least the network, that the data resides on. And that is much riskier.

The new German ID cards have somewhat similar features—the face, two fingerprints and a six digit number. They are easily hacked too, as demonstrated on German TV.

Nilenkani seems to be following the Edgar Hoover American model of quantity rather than the Scotland Yard model of quality. Edgar Hoover got so enamoured of fingerprinting that he corralled citizens of New York to get their fingerprints… and wanted the FBI to retain those fingerprints forever… just like Aadhaar. He even got a 10 year old visitor to the FBI fingerprinted… just like Aadhaar. The much more efficient British Scotland Yard purges the fingerprints of those who have not committed a crime in 10 years, and demotes from their active list those who have not been convicted of a crime for two. So the scheme fails even in basic criminology.

04 UID and Accountability

The parent is often a good indicator of how the child would be, and the shenanigans of UIDAI do not inspire confidence in NIA or Aadhaar. They have consistently tried to keep themselves above accountability and good governance.

Repeated requests under the RTI have been turned down—yet R S Sharma Director General of UIDAI makes the astounding claim that the UIDAI has undertaken a wide range of consultations … with economists … civil society activists and scholars, academics, law experts as well as biometric experts. The UIDAI has also engaged in discussions and consultations with several stakeholders at various levels across the country–various ministries and departments of the government, all state governments, the Planning Commission, the Thirteenth Finance Commission, and various independent regulatory authorities. (The details of these consultations are publicly available on the web site.)

The reality is that such information is not available on the website, and it is doubtful that they have it. RTI request F-12013/3/RTI/2010-CPIO regarding consultations conducted by UIDAI from July 2009 to March 2010 for the information on who was consulted, the date, time, venue and participants at the meeting was returned with the same claim after one month. On looking up the website it was found that this crucial information was missing. Does meeting someone on the airport tarmac for 10 minutes count as a consultation? Was the meeting with prior information with briefing papers exchanged beforehand? There is no way of knowing from the website. UIDAI either has the information and is stonewalling or does not have the information and is simply inefficient, not even knowing how to write minutes of meetings. Either way, it bodes ill for the endeavour.

Aadhaar will be more of the same. They know it will be misused on a large scale, and so they ensure that UIDAI cannot be held accountable. The draft NATIONAL IDENTIFICATION AUTHORITY OF INDIA BILL, 2010 is on the lines of the Armed Forces Special Powers Act (AFSPA), keeping them beyond the pale of accountability. While for others (that is you and me) intentional damage will be punishable (Sec 38, NIA Draft Bill) with imprisonment for a term which may extend to three years and shall be liable to a fine which shall not be less than one crore rupees (Rs 10 million) the officials (Sec 52, NIA Draft Bill)—but not citizens—are given virtual impunity both for ‘acts done in good faith’ —never mind the vast data available publicly on the technical flaws and socio-legal demerits. Tucked away in the earlier section 46.1 is that only the UIDAI, and later the NIA, can sue itself: 46. (1) No court shall take cognizance of any offence punishable under this Act, save on a complaint made by the Authority or any officer or person authorised by it.

The other disingenuous excuse is the ‘we are only’ excuse. They say that Aadhaar would be ‘voluntary’—keeping eyes wide shut on the government proclamations that it is compulsory—and that they are ‘only’ going to store the ten fingerprints, iris scan and face linked to a number. They are quite clear about keeping eyes closed about other implications. The spin doctors at UIDAI come with this rather disingenuous word craft to retain their innocence: While Aadhaar per se will not be mandatory, other agencies—such as the passport office or banks—may make it mandatory to have the UID number. With the government bringing out detailed plans on making Aadhaar compulsory, UIDAI cannot keep harping back to this intentional ignorance either on the use that the Government of India is going to put it to, or the experience of other countries.

The experience regarding phone tapping in the recent past is illustrative. Those who were using it confirm that there was no authorisation. In fact, all phones and their signals were being heard without a single authorisation from the Union home secretary as required by law. … Completely illegal and dangerous. As usual, all this activity is conducted without obtaining any written authorisation for any specific phone number. These are random sweeps, which pick and record calls with impunity.

It strains credulity that UIDAI does not know about the experience of UK, where it was scraped in 2010 with an estimated savings of at least BP 80 million, or the US. A simple net search—surely not beyond the capacity of the authority—would confirm these.

With caste being enumerated, and the biometrics being taken, the master key will provide permanently rigid caste identities despite the provision in the draft NID Act 9. The Authority shall not require any individual to give information pertaining to his race, religion, caste, tribe, ethnicity, language, income or health. This is not as contradictory as it seems. It is fully in keeping with the UIDAI position that it is ‘only’ going to give the numbers and ‘only’ going to validate ‘yes’ or ‘no’ queries and the Government of India’s attempt—helped in no small measure by Nilekani’s tunnel vision, single minded obsession and messianic zeal—to make the number mandatory virtually everywhere from the PDS to passports to bank accounts to school admissions.

In the hurry to get things done, UIDAI has learnt the art of working around government regulations. As we are informed, UIDAI has hired five experts to help communicate different messages to different sections of the Indian population for a buy in. Due to government regulations, the five specialists advise in an individual capacity and not as representatives of their organizations.

05 Cost and cost effectiveness

There is as yet no cost benefit analysis, nor a business plan. Faced with this anomaly the minister for finance has resorted to hiding costs under different heads. The initial investment towards this is about Rs 20 billion (Rs 1 billion in 2009-10 and Rs 19 billion in 2010-11). This is in addition to an unspecified amount hidden in the census budget. Rs 100 was to be given the gullible, hapless poor is more a bribe rather than an incentive, preying on their poverty and ignorance using public money and is certainly not ‘free’.

Other services that would like to use Aadhaar for verification—for instance the banks—will need to set up the requisite infrastructure. Verification would mean biometric scanners in every ration shop, every bank branch, every school, gas agency, petrol pump… and then the broadband infrastructure and bandwidth to connect to the centralised database. The recruitment, training and hardware costs will add to economic growth, GDP and corporate profit while simultaneously pushing up transaction costs for the individual. This would mean higher costs for inclusion.

Just like the dams across the Narmada, which was started and billions of tax payers money spent on it without the planning commission approval or statutory clearances, UIDAI will also come back with the argument that ‘since a lot of money has been spent’ let it continue. Dismantling this infrastructure, disentangling it from other databases such as the passport etc will cost even more—as the UK has discovered. When the database is hacked, the biometric data collected (fingerprints, iris, face) will need to be replaced, or an other level of data should be added for authentication. Then the plea will be to add a DNA check to it ‘since so much money has already been spent’ else the database will have to be shutdown. This will mean additional expenses. And when that is hacked…

It is ironic that in his earlier avatar as CEO of Infosys, Nilekani would not spend a fraction of this amount with out a business plan, feasibility study or a cost benefit analysis. All of these are missing in this endeavour, resulting in an activity that does not address, much less solve, the problems that it is supposed to solve. It is not even a solution searching for a problem. It is creating a problem where there is none, fully knowing that someone else will have to clean up the mess. It is rather like Wall Street during the financial meltdown of 2008-9. They made the mess the way they made the money, and they made money cleaning up the mess. We will be straddled with this black hole of public expenditure since by then they will be too big to fail and no one will be there to take the blame.

In the use of digital technology, software plays an important part. Here the terrain is highly contested between the proponents of open standards and free and open software on the one hand and the proponents of closed and proprietary standards on the other. Since data is stored and needs to be accessed for a long time, it has to be in a standard that enables access for a long time. It cannot be dependant on the whims and vicissitudes of a company. For instance, if a person’s data is stored from birth to death, it will have to be accessible for about 100 years. Few companies have that kind of longevity. So unless the standards are open, the data may not be accessible if the company goes bankrupt or closes down. Security and privacy concerns are another reason for free and opensource software (FOSS). Aadhaar is not fully FOSS compliant.

The technology is fraught with risks, but more so the operations. As the Biometrics Standards Committee Report says (p22) there is also data to suggest that quality drops precipitously if attention is not given to operational processes…. Empirical data has highlighted several non-technical factors that can impact accuracy. The lacunae are simple operational quality assurance, missing biometric records due to poorly designed processes and biometric software be tuned to local data. They promise an accuracy of above 95%. The SHG federation women have a loan repayment record of close to 100% and, when the PDS outlet is entrusted to them, 100% accuracy in delivery.

Update February 2010

After a very public disagreement with the Ministry of Home Affairs which called the Aadhaar flawed , the UIDAI has 'taken a break' for six weeks from March 2012 so that they can study what went wrong. The officials admitted that in some sense, it was a large pilot project, and there was a need to pause and look at what worked and what did not. A rather costly field pilot study at over Rs 5,000 crores (50,000,000,000 US$1 billion)

06 A ‘permanent identity’ that ‘cannot be duplicated’

The biometric identification—the fingerprints, photograph of the face and the iris scan—are supposedly a foolproof way of ensuing that the identity of the person. There are two problems here—one in data capture (permanence) and the other is data integrity (duplication).

Data capture is a Herculean task, apart from being a logistical nightmare (just think of the thousands villages without electricity, multiply that by the number of ration shops, thasildhars offices and banks… and you begin to get the idea). UIDAI itself seeks to update its database periodically, because the face changes, people grow up, grow old…. Not so well known is that fingerprints also change, and faster for manual labourers—the very section it is marketed as supposed to be helping, and in whose name everything is being done. So they will have to update their fingerprints much oftener than others—resulting in their losing a days wage (plus bribe costs) for each update.

Identification of ‘terrorists’—especially killed ones will not be enhanced by the use of biometrics. Fingerprints have a success rate of only 44% and an error rate of 22% even in controlled circumstances. The use of mehandi makes fingerprint comparison difficult, as the UIDAI Biometric standards committee itself admits (p52) Lawsonia Inermis (commonly known as henna or mehandi) can cause significant differences in the quality of fingerprint images. Widely used by women in the Indian sub-continent during festivals, henna is applied on hand/fingers and when applied, fingerprint sensors may not properly capture fingerprint features.

The iris scan is ineffective after death. Fingerprints are unreliable after rigor mortis, not to speak of conditions of mutilation after burns or decay in water. Iris changes periodically for those suffering from a variety of common diseases—retinopathy, chronic glaucoma, hypertension and diabetes. As a point of interest, India is the diabetes capital of the world, with 50.8 million Indians suffering from diabetes. By 2030, nearly 9% of Indians are likely to be affected from the disease.

About 35% of the population will not even be within acceptable limits of error in biometrics. The the iris does not stabilise before eight years of age and the fingerprints do not stabilise before 16 years. So children will not be covered with any degree of accuracy—and should be exempt from this futile exercise. But to ensure ‘profitability’ their biometrics are going to be captured any way. As UIDAI tells us, Aadhaar is ‘for every individual, including infants’.

Investment to monitor government schemes such as Sarv Shiksha Abhiyaan and Integrated Child Development Schemes will come to naught. Aadhaar cannot address the corruption or bogus claims. Even with Aadhaar, mothers can still claim to have delivered five babies in 60 days and claim Rs 1000 as incentive’—as they did in Bihar on July 2010. Ironically, since the biometrics of children are going to be captured any way we are actually adding another layer of corruption—a high tech one at that—because it will give an incentive for those collecting the biometrics to inflate the numbers.

The case of Keralam is intriguing, and a pointer to what would happen. As usual, UIDAI relies on others—called registrars—to do their data collection. The registrars are free to collect whatever other information they want, so long as they collect the stipulated demographic and biometric data for UIDAI. In Keralam, not only are the registrars IT@School collecting the biometrics of six million students, but they are also collecting the class and roll number into their Student Management System. It is certain that such data will not be erased, leading to privacy and security concerns. This certainly is not the ‘black database [that] no one can read from’ as promised by Nilekani. This process is called ‘creeping functionality’. In this case it is by design since though UIDAI will ‘only’ give the number, the government is making it mandatory for opening back accounts etc.

The draft NID Bill even has provision for other enrolling agencies—an agency appointed by the Authority or by the Registrars, as the case may be, for collecting information under this Act (2i)—meaning an infinite spiral of sub-contracting. It is the contractor with the lowest skills that will win the bid and become the enrolling agent—and he will give it to a 10 standard fail person to do the actual work. Even the premier snooping agency, the National Technical Research Organisation the actual operators listening in are lowly-paid officials earning about Rs 8,000 to Rs 10,000. They can cause immense harm and blackmail people they are tapping. Not all will be Nilekanis sitting there. Guess which way accountability is going?

A critical part of it all is data collection. The [Biometrics Standards] Committee feels that the UIDAI should collect photograph and ten fingerprints as per ISO standards. The people collecting this data are going to be from the lowest quotation contractor. A look at the mess for the voter ID cards is a pointer in the direction.

The biometrics are difficult to replace for the ordinary citizen, yet easy for the government and criminals. The duplication and falsification software already exists, for fingerprints, iris scans and for the face. At the moment it is a bit expensive, about Rs 1500 per iris, but it will not always remain so. The economies of scale will kick in. When many people want to duplicate, it will become cheaper in the grey market. In case of computerising railway ticketing, the investment to hack and block book is disproportionate to the returns. In the case of the UIDAI goldmine, any investment will be worth it. Once hacked, the cost of duplication is so low that we will probably have people selling it for Rs 30 on the sidewalks of Kathmandu, and under Rs 10 in Burma Bazaar.

07 Inter-agency information sharing

The fact that internal and domestic spy agencies of the same government—and sometimes of the same department—do not share information is due to interdepartmental rivalry, rather than technical limitations. If the government really wants to, it can even today easily arrest the IAS officer from Bangalore who goes to China regularly without permission by flying via Calcutta. It does not, though the government not only has all the information in the customs and immigration database but also other electronic surveillance systems such as Crime and Criminal Tracking Network & Systems Project (CCTNS Project), National Intelligence Grid (NATGRID), National Counter Terrorism Centre (NCTC) of India in a total of 21 known databases. Not using the information available in one database will only lead to more confusion when 21 databases are interlinked.

Sharing of information, and mining of such voluminous data would ultimately be in the same league as other electronic surveillance with the same results: most often it is used for political purposes, for the security of the party in power. In times when there is no political crisis, it is used by the bored eavesdroppers to listen in on romantic interludes… intercepted calls of the wives of MPs discussing personal and sensitive matters, corporate leaders seeking private liaisons in hotels, corporate leader seeking a woman… calls at night are for sex… a woman official of DRDO near the Nizamuddin bridge area discussing some very personal liaisons—in short as a public funded porn telephone. Having bored publicly funded ‘data analysts’ ogling online porn is that last thing that we should encourage. Perhaps NTRO operatives would differ, and consider it perk.

The more important reason is that some data must always be kept separate, even within the security agencies, to prevent misuse and paradoxically, to enhance security. It is for precisely this reason that the Cabinet Committee on Security (CCS) did not permit the interlinking of the databases to form NATGRID in early 2010—not because they care about civil liberties, but because they realised that they may not always be in government, and then the database could be used against them.

08 Privacy

The proposed privacy laws are weak in intent, and will be non-existent in practice. The concept of privacy in India is still underdeveloped. There is virtual ignorance about the implications of technology and privacy. However, the flaws are deeper than just that, and is at the very conceptual and design levels itself. To make UIDAI revenue neutral, share cost or otherwise monetise the database it will have the PPP (public private partnership) model. This means the sale of data to third parties. So by design, the government is going to do the work of the private sector—just like it acquires the common lands of the poor for the rich industry, it is now going to do the same in the digital sphere for helping in marketing.

We are assured that the government will protect the privacy and ensure data security. Nilenkani himself says that ‘UID is a black database and no one can read from it… no other person can access data from it’—yet goes on to say that every kirana shop would become an ATM with this. When Blackberry’s and iPhones can be hacked in 10 minutes or less at the roadside, by illiterate teens Nilenkani’s innocence is touching. However, the track record of the government does not inspire confidence on two counts—they do not have the will nor the technical capability. Remember the ‘Do Not Call Registry’? Yet unwanted calls continue, and spam SMS proliferate. How will this be different? The government is technologically powerless to stop the small retail outfits that do the spamming. The investment for spamming is getting lower by the minute. So how can the government stop it?

The other is the question of intent. Does the government use the information that it does have for the benefit of the citizen? Sadly, that is not the case. It has consistently sided with corporate interest versus the tax paying citizen. The case of the mobile phone is illustrative. Every mobile phone has a unique IMEI Number. So theoretically, there can be no mobile thefts, since stolen mobile phones can be traced and recovered within minutes. The technology exists. It is the political will that does not. It is also a fact that the IMEI can be cloned at your friendly corner shop. When the government demonstrates its concern for the welfare of its citizens, then—and only then—does it become worthy of the citizens’ trust. Till date, we have not seen such evidence.

Security expert Bruce Schneier puts it this way: Crime fighting requires both resolve and resources, but it's done within the context of normal life. We willingly give our police extraordinary powers of investigation and arrest, but we temper these powers with a judicial system and legal protections for citizens. What we are doing now, to use another of his terms, is indulging in security ‘theatre’—a ‘show’ of nothing but smoke and mirrors with nothing concrete to address security concerns itself.

09 Unintended consequences

Unintended consequences are by definition unforeseeable, and some take decades to become visible. Sometimes the cost is worth the risk. Sometimes it is not. Once hacked, to name just once instance, the identity of the Indian spies abroad will be compromised permanently. Is the Government of India ready to face the security implications of iris scans in Pakistan and China and matching them with a hacked UIDAI database?

The consequences of secure, protected data are also unforeseeable. One consequence will be to permanently brand entire sections of the Indian population as statutory rapist and illegitimate. This will be visible only after 14-15 years when the children go to school. How it will happen is like this. The biometrics of everyone over 15 will be collected with the census of India 2011. From 2026, when the children born in 2011 go to school, they will be checked with the biometrics of their parents. The age of their parents age at the time of birth will be clearly identifiable since Aadhaar will be linked to other databases. Since sexual intercourse below the age of 15 is statutory rape (there is no question of consent there) all those children and communities will be on the wrong side of the law. So we are going to condemn an entire generation of people, and entire communities, to lifelong (and beyond) sigma, since this is going to be a ‘permanent’ database.

There will also be onus on the government to prevent such large scale child marriages, since it will have the data in its own databases. It will leave itself open to charges of connivance and avoidable litigation if it does not act on this information. Will the government not allow these children to join schools? Or will it imprison the parents? Either way, it will leave the parents open to blackmail by those who know that the data is available, with the Damocles sword of exposure hanging over them permanently.

Keeping data permanently will also be in conflict with the Juvenile Justice Act that rules all criminal records be wiped clean at 18. UIDAI seeks to keep the records permanent.

10 In good faith?

This is not a scheme of a government that is desperate to ‘do something, anything’ about national security. If Home Minister Chidambaram is serious about security, what he can do—and he knows full well—is to choke the financial lifeline of the ‘terrorists’. He could easily do so by demonetising all currency notes above Rs 100—the Rs 500 and the Rs 1000 notes. Unfortunately, he and the rest of the ruling elite, know that they cannot do so since these slush funds are required for his company to hire goons to take the land away from the farmers and the forest from the Adivasi.

There are many theories as to why the scheme is going ahead. It is a money making opportunity for the IT companies desperate to stem the steep fall in their revenue streams due to the financial crisis of the west. The global economic scenario has fundamentally changed and they will no longer be able to match their past growth depending on the western markets. They wilfully get on this bandwagon just for the monetary benefits and short-term balance sheet requirements. It is a multi-billion rupee bonanza for the companies for software, hardware (IT, biometric scanning) and consultancies. What we are seeing is a scam similar to the Common Wealth Games, but on a much larger scale. UIDAI will need many of those Rs 4000 toilet paper rolls to wipe away the stink.

Another is that there is an intellectual arrogance by people far removed from their roots and Indian ethos, that seeks to drag the country to modernity… that technology is the solution. It has come under criticism for [mis]-selling itself to the millions of poor in the country to create ‘legitimacy for itself against the valid criticism of it being misused, technologically unproven and costly’ and claiming to be the foundation for public service delivery.

That the stated intent is noble is not in doubt, nor that the people will adjust to the ‘new normal’—we always do. That we will see some hype of how effective the scheme is for a while—and some real substantial benefits too—is also not in doubt. Aadhaar could generate 350,000 new jobs in the country, collecting the biometric data and registering citizens and in software services, but excluding jobs created for updating UID data as addresses and other personal details change. These jobs would largely bypass the unskilled workers. Perhaps the whole scheme is to keep professionally educated youth employed and not let them stray into extremism and the spiral of violence, perhaps it is all for the good.

However, the crunch will come when this becomes a white elephant. Are we really prepared for when we realise that this is an egotistical project whose cost is far above the scattered, transitory benefits. The media hype of these scattered benefits will not keep the people ignorant for long… and then will come the costs of decommissioning. We will have to dismantle it at great economic and social cost. Jobs will be lost. There will be disruption.

When asked to take-up this task, Nilekani’s only request to the prime minister was that he be given the rank of a union minister, so that he could deal with the reluctant intractable politicians being higher up on the protocol than mere Members of Parliament. The ‘simple request’ is turning out to be like Gandhi’s poverty—everyone else has to pay a very high price for it.

The IBM Hollerith D-11 card sorting machine, used by Germany to identify Jews in its census of 1933, at the United States Holocaust Museum in Washington DC should be sufficient warning for India’s technocratii. As Bill Clinton wistfully reminiscences, just because something can be done does not mean it should be done.

Security Compromised at UIDAI Head Office

Virtually everyone has now heard how all the US based email providers routinely provide all the data to their government. One would think that UIDAI would use secure email, so that their communication is not compromised. Well, then you thought wrong. Here are the email IDs right in the UIDAI head office ... and in the Chairman's office itself on 23 October 2013 five months after the lack of security of US mail providers and US NSA snooping were disclosed by Edward Snowden in June 2013.

Note how many are unsecured IDs (hotmail, gmail, yahoo...). It looks like the initial ones were with nic.in then uidai.gov.in and finally uidai.net.in. Then either due to laziness or because it was cumbersome to get IDs for the junior staff, the later recruits just created new IDs or used their personal IDs--in one case with his wife's (?) name! It is this kind of laziness that will result in data breach... and once it is gone, its gone.

Overall, of the 99 staff, 92 have email IDs. Of this 92, 62 (67%) have compromised emails--50% (2 of 4)of the Chairman's office, 82% (9 of 11) of the Monitoring, Legal Affairs & Audits Division and a whopping 92% (8 of 11) of the Finance and Accounts Division.

We always knew that the data entry at the last point would be done by the illiterate brother-in-law of the lowest sub-contractor who bid the least. But this seems a bit much. Makes you wonder doesn't it? How soon before CDs with the Adhaar data--your fingerprints and other personal details--are sold on the roadside, or freely downloadable from the net?

Chairman's Office
# Name Designation Tel No. E-mail
1 Nandan Nilekani Chairman 011-23752680 nandan.nilekani@nic.in
2 Anand Jain PS to Chairman 011-23752669,23752680 anand.aadhaar@gmail.com
3 Gururaj Addl PS to Chairman 011-23466802, 23752669, 23752680 mukundgururaj@uidai.gov.in
4 Vijay Joshi First PA to Chairman 011-23752669, 23752680, 23466813 vijayjoshi_2002@yahoo.com

Director General & Mission Director's Office
1 Vijay S Madan Director General & Mission Director 011-23752675, 011-23466835 dg@uidai.gov.in
2 Alok Shukla OSD to DG 011-23466805 alok.shukla@uidai.gov.in
3 Ram Roshan PSO 011-23466804 ramroshan59@gmail.com
4 Navin Kumar PS to DG 011-23752675, 011-23466835 nvinindguidai@gmail.com
5 Tayyab Khan PS to DG 011-23466806 tayyab.khan@uidai.net.in

Reg. Onboarding, Enrollments, Updation Process, Monitoring, Legal Affairs & Audits Division
1 Sandeep Verma Deputy Director General 011-23752696, 23466818 sandeep.verma@nic.in
2 Kundan Singh PS to DDG 011-23752696, 23466818 kundan.aadhaar@gmail.com
3 Ashish Kumar Asst Director General 011-23466828 ashishkumar@uidai.gov.in
4 Ashok Kumar Asst Director General - ashokumar100@gmail.com, ashok.kumar@uidai.net.in
5 R.K. Gautam Asst Director General 011-23466850 rkgautam.adg@gmail.com
6 Biswajit Ghosh Section Officer 011-23466852 bghosh60@yahoo.co.in
7 Prashant M Section Officer 23466868 shaanmenon@outlook.com
8 RB Sagar Section Officer 011-23466844 sagarrb.uidai@gmail.com
9 SS Bisht Section Officer bishtss@rediffmail.com
10 Anil Tanwar Assistant 011-23466885 anilbobbytanwar@gmail.com
11 Pratysha Kumar Mishra Assistant 011-23466866 pratyushrb.uidai@gmail.com

Financial Inclusion, Strategic Planning & Project Management Division
1 Ashok Pal Singh Deputy Director General 011-23466816, 011-23752757 ap.singh@nic.in
2 P R Biswas PS to DDG 011-23466816, 011-23752757 prbiswas2011@gmail.com
3 Amutha Arunachalam Asst Director General 011-23462615 amutha@uidai.gov.in
4 Ranjan Kumar Asst Director General 011-23466824 ranjan65@gmail.com
5 Rajesh Bansal Asst Director General 011-23466831 rajeshbansal@uidai.gov.in
6 Pramod Kumar Deputy Director 011-23462619 pk_rtk@yahoo.co.in
7 Simranjot Singh Deputy Director 011-23466847 simranjot.singh.2010@gmail.com
8 Sheela Rana Section Officer 23466893 sheela@uidai.gov.in
9 Ajay Kumar Sharma Assistant 23466879 ajaysonali2003@gmail.com

IT & Technology Procurement Division
1 Kumar Alok Deputy Director General 23752761,23466808 kumaralok@uidai.gov.in
2 Vivek Nangia Asst Director General 011-23466604 viv_nangia@yahoo.com
3 Salil Das Asst Director General 011-23462611 adgtech.hqr@uidai.gov.in
4 Amutha Arunachalam Asst Director General 011-23462615 amutha@uidai.gov.in
5 MK Chahar Deputy Director 011-23462620 mk.chahar@nic.in
6 Subrata Das Deputy Director 011-23462619 rajrinadas@gmail.com
7 Subodh Saxena Technical Director - IT 011-23466891 subodh.saxena@nic.in
8 Ram Mohan Sangal Scientist C 011-23466891 rmsangal@nic.in
9 Manish Kumar Mehta Section Officer 011-23462630 mehtamanish71@gmail.com
10 Saibal Sen Section Officer 011-23462629 sotech@uidai.gov.in
11 VR Visalakshy Section Officer - visalakshyvr@gmail.com
12 Kundan Kumar Assistant - -
13 Satish Kumar Assistant 011-23462645 -

Enrollment Training & Testing & Establishment Division
1 D Kumar Deputy Director General 011-23752755, 011-23466812 dk@uidai.gov.in
2 AK Viswanathan PS to DDG 011-23752755, 011-23466812 akutty.viswan@gmail.com
3 S D Sharma Asst Director General 23466869 sureshdutt@uidai.gov.in
4 Shrish Kumar Asst Director General 011-23466823 shrish.uidai@gmail.com
5 D. P. Singh Asst Director General 011-23466839 dpsingh@uidai.gov.in
6 Rajesh Kumar Deputy Director 23466894 rajeshdd.uidai@gmail.com
7 Rajiv Sharma Section Officer 011-23466814 rajivs1961@gmail.com
8 Mahabir Singh Section Officer 011-23466849 so.training.uidai@gmail.com
9 Anil Kumar Assistant 011-23466897 aniluidai73@gmail.com
10 Rakesh Kumar Assistant 23466895 rakeshkumaruidaihq@gmail.com
11 Shambhu Choubey Assistant 011-23466897 choubey_sham@hotmail.com
12 Suvash Kumar Pandey Assistant 011-23466897 pandey.suvash@gmail.com
13 Vinod Sharma Assistant - -

Finance & Accounts Division
1 Saroj Punhani Deputy Director General 011-23466810, 23752672 saroj_punhani@hotmail.com
2 Rajalakshmi Devaraj Asst Director General 011-23466834 rd.uidai@gmail.com
3 Ranjan Kumar Asst Director General 011-23466824 ranjan65@gmail.com
4 Harish R Deputy Director 011-23466855 harish.ramanathan@uidai.net.in
5 NN Subramanian Deputy Director 011-23466859 nns.uidai@gmail.com
6 R. Renuka Deputy Director 011-23466898 rrenuka.uidai@gmail.com
7 Mahabir Singh Section Officer 011-23466867 mahabirkadian@gmail.com
8 Vijayanandan K Section Officer 011-23466872 kvauidai@gmail.com
9 Deepak Kumar Assistant 011-23466881 dksinha51272@gmail.com
10 Vinod Kumar Pay & Accounts Officer 011-23466888
11 Rajesh Goswami Assistant Accounts Officer 011-23466864 goswami.rn17@gmail.com
12 Subhash Chand Assistant Accounts Officer 011-23466864 -
13 Mukesh Dwivedi Accountant - dwivedimukesh29@gmail.com
14 Navjeevan Bharti Accountant - vicky210187@gmail.com

Administration, Logistics, Contact Centre, Media & Volunteer/Sabbatical & Interns Division
1 Kumar Alok Deputy Director General 011-23752761, 011-23466808 kumaralok@uidai.gov.in
2 Neelam Kapahi PS to DDG 011-23752761, 011-23466808 neelam@uidai.gov.in
3 Sandeep Bhardwaj Asst Director General 011-23466613 sandeep.bhardwaj@uidai.net.in
4 D C Sharma Deputy Director 011-23462625 dcsuidai12@gmail.com
5 Manoj Kumar Deputy Director 011-23466842 kmrmanoj.delhi@hotmail.com
6 DK Sharma Section Officer 011-23466851 dksainath@yahoo.com
7 Mahesh Chandra Section Officer 011-23466890 mchandra@uidai.gov.in
8 Sonia Maheshwari Section Officer 011-23466887 smaheshwari.uidai@gmail.com
9 Tek Ram Sharma Section Officer - -
10 VK Sudharsana Devi Section Officer 011-23462624 sudhauidai@gmail.com
11 Devender Singh Assistant 011-23462625 devuidai@gmail.com
12 KM Pandey Assistant 011-23466886 pandey.kmp@gmail.com
13 KN Bangwal Assistant 011-23466860 kamal.bangwal@gmail.com
14 Manoj Kumar Assistant 011-23466845 manojpatna1974@gmail.com
15 RK Narula Assistant 011-23466892 narula.ravi123@gmail.com
16 Shekhar Kumar Sinha Assistant 011-23466877 shekhar.uid@gmail.com
17 Shamsher Singh DDO 011-23466832 ddohq@uidai.gov.in
18 Chandra Sekhar Prasad Assistant 011-23466880 -

Aadhaar Applications, Authentication & Updation Process Division
1 YLP Rao Deputy Director General 011-23753706,011-23462602 ylprao@uidai.gov.in
2 Lalita Avneesh Tomar PS to DDG 011-23462602 lalitatomar.uidai@gmail.com
3 SK Jha PS to DDG 011-23462602 skjha@uidai.gov.in
4 Dinesh Kumar Yadav Asst Director General 011-23466829 dkyadav.ips@gmail.com, dk.uidai@gmail.com
5 Sameer Gupta Asst Director General 011-23462609 sameer.gupta@uidai.gov.in
6 Yashwant Kumar Asst Director General 011-23242607 yas_its@hotmail.com
7 Hari Om Aggarwal Deputy Director 011-23462617 ddauthdelhi@gmail.com
8 Govind Singh Section Officer 011-23462621 gsingh.uidai@gmail.com
9 Ram Pal Singh Section Officer 011-23462621 rpsingh.uidai@gmail.com
10 Abhilasha Sharma Assistant 011-23462647 abhi1977sharma@yahoo.in
11 P. K. Dagar Assistant 011-23462608 pawandagar2003@gmail.com
12 Seema Mehta Assistant 011-23462647 seemamehta.uidai@gmail.com

Security and your UID Aadhaar

The Sonia/Manmohan/Nilenkani UID for everyone residing in India is fraught with security implications.
Databases of passwords and verification details (which is what your stored finger prints and iris scans are... except that you cannot change your iris, and it is expensive to change your fingerprints once the data base is hacked) is a hackers dream. But don't take our word for it.

We will list actual instances where significant government and commercial databases have been compromised, and actual security issues of Aadhaar in practice. We do not add what are obviously teething problems, such as giving a man a UID with the photo of a woman, or the 10,000 IDs sent to the wrong addresses due to a technical snag by an agency that received the 'Aadhaar Excellence Award' at the programme's first anniversary celebrations. Here we focus on the serious, systemic issues like the 2 lakh returned letters which make a mockery of the system.

We also do not have here government misuse such as the elite National Technical Research Organisation (NTRO) set up to prevent Kargil-like intrusions and aid other intelligence agencies in gathering and analysing terror inputs placing hightech pinhole cameras in women's toilets.

The page was started on 30 June 2011. We stop (for now!) with the Minister for Home Affairs P Chidambaram confirming security fears.
.... amazing how regular the security breaches are. In this short span, we have compiled--all from opensources--security breaches of entire countries, highly 'security conscious' companies including those taked with cyber-security(!) and multinational corporations that amount to more than 500 million, half a billion IDs.

Cybersecurity expert Bruce Schneier notes in Cryptogram: None of this is new. None of this is unprecedented. To a security professional, most of it isn't even interesting.... It's not that things are getting worse; it's that things were always this bad. ... The recent news epidemic also illustrates how safe the Internet is.

A report placed in parliament in June 2011 says that in past three years, till June 2011, 117 government websites were hacked in India while the number of other hacked sites is 90,119, 252.

The US FBI Executive Assistant Director Shawn Henry quotes 2011 Norton Cybercrime Report to put the global cost of cyber crime at nearly $400 billion a year, that there are more than one million victims of cyber crime every day.

... and on 15 November, the Deputy Section Chief Richard Downing admitted before the US House Judiciary Subcommittee on Crime, Terrorism and Homeland Security that the United States' critical infrastructure – such as the electrical grid, financial sector, and transportation networks that underpin our economic and national security – have suffered repeated cyber intrusions, and cyber crime has increased dramatically over the last decade. Sensitive information is routinely stolen from both government and private sector networks, undermining confidence in our information systems, the information collection and sharing process, and the information these systems contain.

He admitted that they confront a dangerous combination of known and unknown vulnerabilities, strong and rapidly expanding adversary capabilities, and limited comprehensive threat and vulnerability awareness. Within this dynamic environment, we are confronted with threats that are more targeted, more sophisticated and more serious.

... and our own home minister P Chidambaram admitted in a note (No 9/502011- CRD(NPR)) to the Prime Minister that
"the data collected by multiple registrars of the UIDAI does not meet the degree of assurance required under the NPR from the point of view of internal security" . (Note No 9/502011- CRD(NPR) Office of the Home Minister, Ministry of Home Affairs, Subject: Comments of MHA on the convergence between UID and NPR exercises).

Another list of hacks can be found on the CNET website.

In the next pages, we start with the leak of the UID policy note on wikileaks and come up to the more recent. Upto 2011 this is what they look like.

31 December 2011
To end the year on a high, wanted criminals also get Aadhaar numbers. Easily. Low grade, international ones. Not the hi-tech 'Mission Impossible' kind.

This is what the Times of India reports:
Suspected Afghan national Bashir Shah alias Ayub Khan was arrested by crime branch on December 31. This is the second arrest of Shah by city police. Shah was arrested by Lakadganj police in February 2006 for alleged act of staying in India without valid documents. He was then booked under the Foreigners' Act and for also violating the provisions of passport. Shah's younger brotherAmir Khan was also booked along with him. The case is still pending for trial. It was, however, not clear as to how Shah sneaked away from India despite being an accused. Earlier he held an Afghan passport, Shah has claimed to have destroyed his documents and was in the process to establish himself as an Indian when the security agencies zeroed in on him. The crime branch found that Shah had managed to procure a driving licence from Nagpur'sRegional Transport Office (RTO) in 2002. With the help of a local contact, Shah prepared a second driving licence in 2010 under the same name. He had also made an 'Aadhar' card for identification in May 2011 and was trying to make a passport when the cops caught him.

Police did not rule out possibility of others like him present in the city and further investigations are on in that direction.

13 November 2009
The confidential plan for the UID in India of the UID authority of India. It was leaked even before it was available to the citizens of India, and when Nilenkani was reluctant to share it. Do note that the UID team at the time was fully hand picked by Nandan Nilenkani.

If he cannot ensure security with his handpicked team, how he will when the cheapest contractor does it.... we leave to your imagination.

Security breaches 2011

31 December 2011
To end the year on a high, wanted criminals also get Aadhaar numbers. Easily. Low grade, international ones. Not the hi-tech 'Mission Impossible' kind.

This is what the Times of India reports:
Suspected Afghan national Bashir Shah alias Ayub Khan was arrested by crime branch on December 31. This is the second arrest of Shah by city police. Shah was arrested by Lakadganj police in February 2006 for alleged act of staying in India without valid documents. He was then booked under the Foreigners' Act and for also violating the provisions of passport. Shah's younger brotherAmir Khan was also booked along with him. The case is still pending for trial. It was, however, not clear as to how Shah sneaked away from India despite being an accused. Earlier he held an Afghan passport, Shah has claimed to have destroyed his documents and was in the process to establish himself as an Indian when the security agencies zeroed in on him. The crime branch found that Shah had managed to procure a driving licence from Nagpur'sRegional Transport Office (RTO) in 2002. With the help of a local contact, Shah prepared a second driving licence in 2010 under the same name. He had also made an 'Aadhar' card for identification in May 2011 and was trying to make a passport when the cops caught him.

Police did not rule out possibility of others like him present in the city and further investigations are on in that direction.

24 December 2011
Stratfor who provides strategic intelligence on global business, economic, security and geopolitical affairs was defaced by Anonymous Group of Hackers who boasted that " Over 90,000 Credit cards from LEA, journalists, intelligence community and whitehats leaked and used for over a million dollars in donations". Private Clients List of Stratfor is also leaked on a Pastebin note.
Documents from the hack posted to date by both Anonymous and AntiSec, according to Identity Finder, include:
• 50,277 unique credit card numbers, of which 9,651 are not expired.
• 86,594 e-mail addresses, of which 47,680 are unique.
• 27,537 phone numbers, of which 25,680 are unique.
• 44,188 encrypted passwords, of which roughly 50 percent could be easily cracked.

23 December 2011
Hackers broke into Chinese websites and compromised the identity of 38 million users. Some of these were also published online (see screenshot after the break). The affected portals are gaming websites including hacking178.com, 7K7k, Duowan, etc. This also included an attack on the CSDN attack where user names and passwords of more than 6 million programmers were hacked. 7K7K lost as many as 20 million user details while 178.com is claimed to have lost 10 million accounts and even some social networking sites like Renren have reportedly been affected by the attack.

9 December 2011
The congress worthies Sonia Gandhi and Manmohan Singh released the first UID together. They cannot even protect their own website. Hackers broke into the official website of India's ruling Congress party Friday and defaced the profile page of party president Sonia Gandhi with a pornographic message. On her birthday.

So much for Communications Minister Kapil Sibal's pledge to crackdown on "unacceptable" online content earlier this week.

5 December 2011
Another direct goof up. UIDAI registrars have been found to be selling data collected for UID or Aadhaar number scheme to private firms, and worse, UIDAI knows about this and can do nothing about it.

According to media reports, in October, the UIDAI banned Madras Security Printers Pvt Ltd and Alankit Assignments for sub-contracting work to other vendors. The Andhra Pradesh state government also received several complaints against both the vendors for misuse and sale of data to private firms. Some sub-contractors of Madras Security and Alankit are also accused of collecting Rs200 to enrol and issue acknowledgement receipt from people in Ranga Reddy, Chittoor and East Godavari districts of the state.

Despite a confirmation of these allegations against these vendors in a report prepared by the AP government, there is no action and both Madras Security and Alankit continued to enrol people for Aadhaar numbering scheme.

Alankit Financial Services sub-contracted enrolling at Bangalore to another private company, ID Global Technology Solutions. The latter is alleged to have indulged in franchising enrolling business to many other private companies. ID Global Technology Solutions is alleged to have been taking deposits of Rs2.5 Lakh from the franchisees. Surprisingly the UIDAI chairman had stated that he was not aware of this illegal activity.

28 November 2011
OK, this is a direct goof up. Remember that we predicted that the lowest bidder would get the contract and put in unqualified illiterate people on the job. It has happened earlier than we thought (we thought Nilenkani would at least be smart enough to let that happen only after the pilot phase). But no. In Bangalore itself, the enrollers are mechanically ticking columns violating the privacy of those dumb enough to enroll.

27 November 2011
If you thought that the National Technical Research Organisation (NTRO) would protect you, here is some news you will not like to hear: When the CAG decided, in 2010, to go into the backgrounds of the staff of NTRO, it was surprised to see that most were not even technically qualified for the posts they occupied.
Every self-respecting nation harbouring threat perceptions always uses, as a rule, indigenously developed crypto systems. Algorithms are customised by each agency without sharing with others within the country. However, India, notwithstanding its history of four wars, victimhood to terrorism, and “IT superpower” and “emerging giant” claims, still depends on German and American intelligence software and, increasingly, Chinese hardware fitted with Chinese source codes.

22 November 2011
Not strictly a goof up of UIDAI, what one can expect, given the data with their registrars etc. The Power Finance Corporation published names, complete addresses, telephone or mobile numbers and email IDs of around 1.2 lakh individuals .

It is still there on 30 November--a week after they promised to "act upon the issue at the earliest". You can download them (as of 30 November 2011) at http://www.pfc.gov.in/Content/Bond_Holder_80CCF.aspx in the following 5 files:

PFC Infrastructure Bonds u/s 80CCF

1. Series-I.
2. Series-IIA.
3. Series-IIB.
4. Series-III.
5. Series-IV.

If you are a PFC bond holder, pray that the links are broken.

18 November 2011
Facebook was hit by porn spam attack which users' newsfeeds were unexpectedly flooded with graphic content, including images and videos showing pornography and violence. As usual, they said that no user data or accounts were compromised during the attack.

17 November 2011
UID data not secure . Home Minister P Chidambaram has said that the biometric census done by the Unique Identification project does not pass security criteria. He has called for an immediate meeting of the Cabinet Committee on the issue since “The possibility of fake identity profile in the UID data is real,” Chidambaram said in the recent letter to Montek Singh Ahluwalia, Deputy Chairperson of the Planning Commission.

Also on 17 November 2011, in another serious security breach, it has come to light that Indian government servers have been used by foreign entities to target the computer networks of third countries.

The finding comes at a time when a dispute rages within the government over who should be responsible for protecting India's critical IT infrastructure. According to sources, foreign entities have penetrated the servers of the National Informatics Centre in recent months and used them to launch attacks on countries, including China. Among other things, the NIC hosts the official websites and emails of the Indian government.

As is wont, a turf battle is raging within the government about who should be protecting it. The department of IT and the National Technical Research Organisation had laid claims to being responsible for safeguarding India's IT infrastructure. The department of IT believes the job should vest with the Computer Emergency Response Team while the NTRO says it must have the responsibility for both defensive as well as offensive cyber security.

Meanwhile, conventional cyber attacks from foreign entities to extract confidential data from Indian government systems are on.

This comes when there are reports that a U.S. water utility was hacked. Intruders compromised a water utility network last week and destroyed a pump. The water utility had noticed minor glitches in the remote access to the SCADA system for two to three months before it was identified as a cyber attack, Weiss said. This is similar to the 2000 hacking (PDF) in Queensland, Australia, in which a wastewater treatment plant failed to notice dozens of attempts to access the system. Using wireless radio and stolen control software, a consultant on the project who was angry over not getting a job was eventually able to get in and release up to one million liters of sewage into the river and coastal areas, killing marine life and turning a creek black.

10 November 2011
If you can't hack, you can get expert guidance from, where else?, a call centre. An underground call-centre for identity theft was uncovered by security researchers. Researchers from security vendor Trusteer have come across a professional calling service that caters to cybercriminals. The business offers to extract sensitive information needed for bank fraud and identity theft from individuals.

And not for the first time either, as the report notes.

7 November 2011
Websites of Israel, Finland, Portugal were hacked by Anonymous. The attacks affected websites of Israel’s Mossad and Shin Bet intelligence services as well as the Israel Defence Force.

6 November 2011
The 35 million user database of Steam users was accessed by hackers.
. In an IM to Steam users, Valve said, "Our Steam forums were defaced on the evening of Sunday, November 6. We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information." The company went on to say, "We don't have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely." Steam has 35 million users who purchase digital copies of PC games.

1 November 2011
Nitro hack steals R&D and defense secrets. Hackers used email scams distributing a notorious malware tool to steal research & development secrets from chemical manufacturers, defense companies and other targets in a huge industrial espionage attack dubbed Nitro, it has been revealed. Poison Ivy, a Windows-based trojan which allows covert remote access to infected PCs, was distributed among firms between April and September this year, according to a paper [pdf link]
from security firm Symantec, with 29 chemical sector companies and a further 19 – primarily in defense – in other sectors targeted.

31 October 2011
Pakistani hackers breached the security of the CID website. The hackers claimed themselves as members of the Muslim Liberation Army.

On 29 October Pak hacker "khanastic hoX Or" defaced the websites of Indian Meteorological Department, Jute Corporation of India, Bharat Sanchar Nigam Ltd and Chennai Metro Rail.

27 October 2011
A US congressional commission report blames China for hacking US satellites
in four attacks in 2007-2008. COMPUTER HACKERS from China could have interfered with two US government satellites between 2007 and 2008. The hackers, who allegedly were working on behalf of the Chinese military, gained access to the satellites on four occasions through a ground station in Norway.

Also today, the website of the Japanese Parliament was hacked. Two cyber-attacks have recently struck the Japanese government, the Chief Cabinet Secretary acknowledged. Media reports allege that the problem originated from China, since one of the hacked computers was forcibly linked to the mainland.

24 October 2011
The Biometrics of 9 Million Israelis' was hacked and leaked on to the web.

The personal information of 9 million Israelis living and dead included the birth parents of adoptees and sensitive health information. The stolen database contained the name, date of birth, national identification number, and family members of 9 million Israelis, living and dead. More alarmingly, the database contained information on the birth parents of hundreds of thousands of adopted Israelis--including children--and detailed health information on individual citizens.

18 October 2011
A Global Fraud report by Kroll and Economic Intelligence Unit said that 84% Indian firms hit by fraud and data theft most common.. Kroll is the world’s leading risk-consulting company. The report mentions that India has actually improved from 88% last year. Thank god for small mercies.

17 October 2011
CabinCr3w, which is affiliated with the Anonymous online activist group released the personal data of Citigroup CEO Vickram Pandit over protest arrests. The data includes phone numbers, address, e-mail address, family information, and some legal and financial information. The Register, a British newspaper called it Hackers expose Citibank CEO's privates: Revenge strike against cuffing of Occupy Wall St protesters. Previous victims include the CEOs of JP Morgan Chase, James Dimon, and Goldman Sachs, Lloyd Blankfein.

11 October 2011
CabinCr3w released personal data on bankers in support of Occupy Wall Street protests. Information was posted to the Web about Kerry Killinger who was removed as CEO of Washington Mutual shortly before it collapsed in 2008. Earlierthe target was Joseph Ficalora, CEO of New York Community Bancorp. The information released isn't all that sensitive--mostly phone numbers, addresses, compensation, legal and other information. The move is more symbolic than punitive.

7 October 2011
111 Indicted in One of the Largest Identity-Theft Cases in the U.S.: The identities of 'thousands' were stolen through forged American Express, Discover, MasterCard, and Visa cards with the stolen credit-card numbers. The details were stolen when the credit cards were used--and the similar thing can happen with the Aadhaar cards. "These weren't holdups at gunpoint, but the impact on victims was the same," New York Police Commissioner Raymond Kelly said. "They were robbed."

The $13 million theft enterprise has been running since 2010, and specialized in selling Apple Inc. products overseas. Police said they seized $850,000 worth of computer equipment that had been stolen from the Citigroup Building in Queens, $650,000 in cash, thousands of dollars' worth of Apple computer products, seven handguns, as well as designer watches, shoes, clothes, and bags.

"Thieves have an amazing knowledge of how to use technology," Kelly told Reuters. "The schemes and the imagination that is developing these days are days are really mind-boggling." 13 of the 111 indicted are Indian. And if you think that it cannot happen in India, scroll down to 21 July 2011.

4 October 2011
Computer Virus Hits U.S. Drone Fleet: A computer virus infected the cockpits of America’s Predator and Reaper drones, logging pilots’ every keystroke as they remotely fly missions over Afghanistan and other warzones. “We keep wiping it off, and it keeps coming back,” says a source familiar with the network infection, one of three that told Danger Room about the virus. “We think it’s benign. But we just don’t know.” Of course they kept it a secret and even the cybersecurity unit did not know about it till it was reported in the press.

Technicians at Creech are trying to get the virus off the GCS machines. It has not been easy. At first, they followed removal instructions posted on the website of the Kaspersky security firm. “But the virus kept coming back,” a source familiar with the infection says. Eventually, the technicians had to use a software tool called BCWipe to completely erase the GCS’ internal hard drives. “That meant rebuilding them from scratch” — a time-consuming effort.

The Air Force declined to comment directly on the virus. “We generally do not discuss specific vulnerabilities, threats, or responses to our computer networks, since that helps people looking to exploit or attack our systems to refine their approach,” says Lt. Col. Tadd Sholtis, a spokesman for Air Combat Command. “We invest a lot in protecting and monitoring our systems to counter threats and ensure security, which includes a comprehensive response to viruses, worms, and other malware we discover.” However, insiders say that senior officers at Creech are being briefed daily on the virus.

7 October 2011
UIDAI website was down for 9h 27m and was up again at 04-10-2011 08:49:54AM. Since authentication of the UID has to be done via the website authentication was also down at this time. (See also 1 July 2011).

29 September 2011
The personal information of some 4.9 million US military clinic and hospital patients was lost by TRICARE and SAIC. The data was unencrypted, since the contractor wanted to save costs. The data covers the period 1992 to 7 September 2011--almost 20 years. The data may include Social Security numbers, addresses, phone numbers and personal health data such as clinical notes, laboratory tests and prescriptions.

27 September 2011
In what is at least the second time, the website of the Supreme Court of Pakistan was hacked presumably to force the SCP to shut down all pornographic sites in Pakistan.

Also today two online activist groups RevoluSec and Anonymous said they hacked several official Syrian websites in the latest tactic to oppose President Bashar Assad's authoritarian regime.

19 September 2011
The group 'Anonymous' attacked the websites of the Japan's defence industry .

Mitsubishi Heavy Industries Ltd said that its computers had been hacked into, with one newspaper saying the target was Japan's biggest defence contractor's factories for submarines, missiles and nuclear power plant components. The Yomiuri newspaper said about 80 virus-infected computers were found at the company's Tokyo headquarters as well as manufacturing and research and development sites including Kobe Shipyard & Machinery Works, Nagasaki Shipyard & Machinery Works and Nagoya Guidance & Propulsion System Works.

Kobe Shipyard currently builds submarines and makes components to build nuclear power stations, while the Nagasaki Shipyard makes escort ships. The Nagoya plant makes guided missiles and rocket engines, the paper said citing unnamed sources.

It is the country's biggest defense contractor, winning 215 deals worth 260 billion yen ($3.4 billion) from Japan's Ministry of Defense in the year to last March, or nearly a quarter of the ministry's spending that year. "The Japanese make large conventional submarines that are among the world's most sophisticated ... (they) have very nicely integrated solutions with their own mechanical, electronic and control systems, so it a pretty attractive hacking proposition, to get the design of a Japanese submarine," he added.

17 September 2011
The group 'Anonymous' attacked the websites of the Mexican government.

Predictably the Mexican government says that 'despite this attack, data security and the intranet used by federal government agencies "are not at risk"'. The Public Safety Department confirmed the attack and said that there occurred a "brutal and unusual number of hits by simulated users, causing the site's firewall defense system to activate".

12 September 2011
Intelligence and National Security Alliance (INSA) a "premier intelligence and national security organization" of the USA was hacked and then hundreds of intelligence officials, ranging from the NSA, FBI, CIA, the Pentagon, the White House, Office of Director of National Intelligence and the State Department , had their names, email addresses, some phone numbers and even home addresses posted on Cryptome.

The attack was within 48 hours after INS published a Cyber Intelligence report [PDF] about the need to develop better cyber intelligence sharing, analysis and defenses against the "cyber threat environment" where hackers are cracking into everyone's systems, from government agencies to private companies.

MSNBC reported that "in apparent retaliation, INSA's 'secure' computer system was hacked and the entire 3,000-person membership posted on the Cryptome.org." There were 95 email addresses belonging to the "supersecret National Security Agency, as well as scores of others in key positions at the White House, the Pentagon, FBI, CIA, the Office of Director of National Intelligence and the State Department." John Young who runs Cryptome said in a telephone interview with NBC that he had no reservations about publishing 'INSA Nest of Official and Corporate Spies.' Young said, "We would love to name every spy that lives on Earth."

In what should be a direct warning to to UID, The Daily Beast quoted Wired's Danger Room editor and cybersecurity expert Noah Shachtman as saying, "It used to be that if you wanted to steal secrets from the U.S. government, you would have to go to the Pentagon or Langley, Va. But now, because so much of what our military and intelligence agencies do is actually in private contractor hands, one of the easiest ways to get sensitive information is to break into these corporate and association networks." Wonder how secure the networks of all the 'registrars' and their subcontractors is.

4 September 2011
When a bank robber was asked why he robbed banks, he said 'coz thats where the money is'. So well here it is... attacking the protector: In a daring attack of unknown duration, hackers stole SSL certificates used for CIA, MI6, Mossad, Microsoft, Yahoo, Skype, Facebook, Twitter and Microsoft's Windows Update service. They acquired over 500 DigiNotar digital certificates, prompting Mozilla and Google issue 'death sentence' for all sites with digital certification from DigiNotar.

Google and Mozilla will permanently block all the digital certificates issued by DigiNotar. The Netherlands's Minister of the Interior, said the government could not guarantee the security of its websites because of the DigiNotar hack, and told citizens not to log into its sites until new certificates had been obtained from other sources. Mozilla will update Firefox 6 and Firefox 3.6 to permanently block all DigiNotar-issued certificates, including those used by the Dutch government. Google updated Chrome to do the same.

Helsinki-based antivirus company F-Secure said it had found signs that DigiNotar's network had been compromised as early as May 2009. DigiNotar went public only after users reported their findings to Google.

1 September 2011
The ultimate irony... wikileaks itself came on the receiving end of a security breach when a journalist put out the full archive and passwords into the internet and entire stash of documents could be accessed online to its former partners' dismay. The blame game could be comic, but only a curtain-raiser to the deadly implications of UID.

11 August 2011
McAffee, the security firm says that the National Informatics Centre has been National Informatics Centre (NIC), backbone of the government's IT network, has borne the brunt of sustained cyber attacks by Chinese hackers.

The report in The Times of India goes on to add that NIC, according to cyber security experts, is a sitting duck... that it's almost open season, where Indian government data is concerned.

Last year, when the CBI website was attacked, which is hosted by NIC, the government, led by national security adviser Shivshankar Menon, set up a committee of secretaries to work out a defensive plan to secure government networks. But there is still no integrated cyber security plan. Cyber security analyst Ravi V. Prasad said, "The '.in' registry is not well guarded, so sites hosted in this domain remain vulnerable."

He avers that India and the US remain favourite targets for Chinese hackers. Earlier, he said, hackers would indulge in what is known as "distributed denial of service" (DDOS). "But, now its large-scale mining of data. You could call it national espionage, business espionage."

7 August 2011
Anonymous stole 10 gigabytes worth of data from 70 police websites in the US. The data breach included leaked information about an ongoing investigation, e-mails stolen from officers, tips that appeared to come from members of the public, credit card numbers, and other sensitive information.

5 August 2011
Just when you thought that it couldn't get worse. Read how Operation Shady RAT a five-year, high-level global cyber-espionage hacking campaign infiltrated computer systems of more than 70 governments, corporations and public and private organizations in 14 countries (including India) and how Hackers Take $1 Billion a Year from Company Accounts Banks Won’t Indemnify

21 July 2011
The innovative Indians! Even before the full roll out, we have the fakes, and in Bangalore itself.
Not only were fake UIDs issued but they even had the gumption to sell franchisees for Aadhar enrolment by charging a non-refundable sum of Rs 250,000 per enrolment kit.

17 July 2011
Rupert Murdoch's media house hacked into the mobile phones of victims of murder and kidnapping for those exclusive 'scoops' for years on end. Finally the CEO was forced to resign and was arrested on 17 July in a scandal that reached up to the British prime minister's office. The scandal also claimed the top two policemen for being complicit in the affair. This was only a media organisation, but they had the politicians and the policemen in their pockets....

13 July 2011
The US military's emails were hacked and about 90,000 email accounts were compromised.

6 July 2011
Oh dear. Yet another, and this time the website of India's premier anti-terror probe body The National Investigation Agency (NIA) is shutdown following reports of security breach. This site is under maintenance. Sorry for inconvenience. The government claims that the move was aimed at tightening safety mechanism following recent incidents of hacking of government websites like the National Security Guard and the Central Bureau of Investigation. On 11 July 2011 the site still says "This site is under maintenance. Sorry for inconvenience."

5 July 2011
Oh, oh! In a bizarre case of the pot calling the kettle black the department of information technology of Maharashtra conducted a 'surprise inspection' at a centre in Fort on Friday. The inspection revealed violations that could jeopardise the security of the information stored... and it would be more dangerous as the details of millions of citizens are stored in one machine.

The officials found that the IT company Tera Software had violated the norms and sub-contracted the enrolment process to another firm, M/S Infotech, which could potentially endanger the security of the entire process. Predictably, Umamaheshwara Rao, project manager, Tera Software denied sub-contracting.

4 July 2011
Hackers took control of the FoxNews.com twitter account to claim thatObama was shot dead.

1 July 2011
The website of the country's elite National Security Guards was hacked anonymous programmers according to a report by The Times of India. Apparently the e-mails of certain officers were also hacked. All officers and the NSG unit posted at the Palam headquarters were ordered to avoid using internet services.

Also on 1 July 2011
UIDAI website was down for around 8 hours, and about 3 to 4 hours on 24 June. Remember, uidai.gov.in is not just a website. As per Aadhar authentication API doc available on uidai.gov.in website (when it is up!) , authentication of the UID has to be done via the website. So, one can safely conclude that authentication was also down at these times.

After spending billions, uidia.gov.in cant keep a mere website up where they have all the facilities of back up and 24x7 power supply etc. And these guys are going to maintain identity for a nation of more than a billion? Oh well, thank god for the small mercies. Better down and even better down and out.

29 June 2011
Groupon says India users' data leaked . The passwords were posted in plain text on the net. This is a minor leak (only 300,000 in comparison to Sony's 100 million)

27 June 2011
Anonymous steals data from world governments . Hacktivist group Anonymous dumped onto the Web data that it claims was taken from the government servers of "Anguilla, Brazil, Zimbabwe and Australian Government Servers." The group indicated this was part of its AntiSec operation, to steal data from governments it did not agree with.

26 June 2011
Anonymous Puts US Counter Terrorist Program Online . Anonymous released a set of files which includes documents and links to security and hacking resources on the internet, many of them free, various template letters, hacking and counter hacking tools as well as the addresses of FBI bureaus in the US.

The 625MB file (SENTINEL Security Utilities - Cyberterrorism Defense and Analysis Center) is now widely available online and seems to have come from the US FEMA (Federal Emergency Management Agency) Counter Terrorism Defence Initiative training program.

23 June 2011
Bathinda UID agency may have violated norms in sensitive data collection. This is a direct goof up of UIDAI.

7 June 2011
Hackers steal info on military, defense personnel. Email addresses and names of subscribers to DefenseNews, a highly-regarded website that covers national and international military and defense news, were accessed by hackers and presumed stolen, Gannett announced yesterday.

16-19 April 2011
Details, including credit card details, of 100 million--yes 100 million--customers of Sony hacked.

4 April 2011
Epsilon email hack: Computer hackers stole the names and email addresses of millions of customers in one of the largest internet security breaches in US history. The names and email addresses of customers of Barclaycard US, Capital One and other large firms were taken in an attack on the marketing email provider Epsilon.

17 March 2011
RSA, a security solutions company that sells SecurID tokens that are used by corporations and government agencies, shocked the security world when it announced that it was victimized by an "extremely sophisticated cyberattack" in which sensitive data related to the SecurID technology had been pilfered and could be used by attackers to get access to networks of RSA customers who rely on the technology.

SecurIDs are the industry standard for two-factor authentication.

Though RSA in an open letter tried to say that nothing of importance was stolen--"While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers"--it soon become evident that security was compromised. Two defense contractors--Lockheed Martin and L-3 Communications--reported attacks on their systems that exploited data stolen from RSA. Another, Northrop Grumman, unexpectedly shut down remote access to its network last month, which led to speculation that it had had a SecurID-related incident. Following news stories about the incidents, which experts speculate may have a tie to China, RSA said it would replace SecurIDs for customers concerned about the risks.

About 250 million IDs, at the very minimum were compromised.

17 December 2010
Iraqi insurgents Intercept Drone Video in King-Size Security Breach that was known to the Pentagon for over 10 years. In Iraq insurgents tapped into the drones’ broadcasts, to see what the flying robot spies see. The U.S. military found pirated drone video feeds on militant laptops. Using cheap (US$26), downloadable programs like SkyGrabber, militants were apparently able to watch and record the video feed — and potentially be tipped off when U.S. and coalition forces are stalking them.

Those who intercept could potentially start to conduct ‘battles of persuasion’; that is, hacking with the intent to disrupt or change the content, or even ‘persuade’ the system to do their own bidding,” says Peter Singer, author of Wired for War. This has long been the nightmare scenario within Pentagon cybersecurity circles: a hacker not looking to take down the military grid, but to exploit it for his own purposes. How does a soldier trust an order, if he doesn’t know who else is listening — or who gave the order, in the first place? “For a sophisticated adversary, it’s to his advantage to keep your network up and running. He can learn what you know. He can cause confusion, delay your response times — and shape your actions,” one Defense Department cybersecurity official tells Danger Room.

3 December 2010
The Pakistan Cyber Army hacked the website of the Central Bureau of Investigation (CBI) supposedly one of the "most secure" ones in the country. The also claimed to have hacked 270 more. This was apparently in response to the 'Indian Cyber Army's' hack on their website.

28 November 2010
The United States diplomatic cables leak (also known as Cablegate) in which 251,287 documents were published by WikiLeaks—an international new media non-profit organization that publishes submissions of private, secret and classified information from anonymous news sources, government whistleblowers, and news leaks—started to publish classified documents of detailed correspondence between the U.S. State Department and its diplomatic missions around the world, releasing further documents every day. WikiLeaks forwarded diplomatic cables to five major newspapers around the world, which have been publishing articles by agreement with WikiLeaks.

The publication of the U.S. embassy cables is the third in a series of U.S. classified document "mega-leaks" distributed by WikiLeaks in 2010, following the Afghan War documents leak in July, and the Iraq War documents leak in October. The contents of the cables describe international affairs from 300 embassies dated from 1966–2010, containing diplomatic analysis of world leaders, an assessment of host countries, and a discussion about international and domestic issues.

22 October 2010
The Iraq War documents leak
disclosed 391,832 United States Army field reports, also called the Iraq War Logs, of the Iraq War from 2004 to 2009 to several international media organizations and published on the Internet by WikiLeaks on 22 October 2010.

September 2010
Stuxnet attack on Iran's uranium enrichment facility at Natanz – where the centrifuge operational capacity has dropped over the past year by 30 percent.

28 July 2010
Like most (all?) US Companies, Google partners with the CIA to Invest in ‘Future’ of Web Monitoring. It’s not the very first time Google has done business with America’s spy agencies. Long before it reportedly enlisted the help of the National Security Agency to secure its networks, Google sold equipment to the secret signals-intelligence group. In-Q-Tel backed the mapping firm Keyhole, which was bought by Google in 2004 — and then became the backbone for Google Earth.

25 July 2010
Afghan War Diary, 2004-2010
Perhaps the most famous of them all. WikiLeaks released a document set called the Afghan War Diary, a compendium of over 91,000 reports covering the war in Afghanistan from 2004 to 2010. The reports, while written by soldiers and intelligence officers, and mainly describing lethal military actions involving the United States military, also include intelligence information, reports of meetings with political figures, and related details.

November 2009
Shadows in the Cloud Hacking by the Chinese on the Dalai Lama’s offce between January and November 2009. The compromised computers included National Security Council Secretariat, India, The National Security Council Secretariat (NSCS) (including the Joint Intelligence Committee, the National Security Council) Embassy of India, Kabul, Moscow, the Consulate General of India, Dubai, and the High Commission of India in Abuja, Nigeria, Military Engineer Services, India (MES-Bengdubi, MES-Kolkata, MES(AF)-Bangalore, and MES-Jalandhar) 21 Mountain Artillery Brigade in Assam, the Air Force Station, Race Course, New Delhi and the Air Force Station, Darjipura Vadodara, Gujarat, Army Institute of Technology in Pune, Maharashtra and the Military College
of Electronics and Mechanical Engineering in Secunderabad, Andhra Pradesh, Institute for Defence Studies and Analyses, India.

13 November 2009
The confidential plan for the UID in India of the UID authority of India. It was leaked even before it was available to the citizens of India, and when Nilenkani was reluctant to share it. Do note that the UID team at the time was fully hand picked by Nandan Nilenkani.

If he cannot ensure security with his handpicked team, how he will when the cheapest contractor does it.... we leave to your imagination.

Security breaches 2012

This page is in continuation of the page Security breaches 2011 (http://openspace.org.in/UIDaadhaarsecurity2011), and goes on up to 11 June 2012. After the incidents of that day and 29 May, and the revelation of cyberwarfare sanctioned at the highest levels, those who are not convinced never will be.

Remember, though a website can always be backed up (and the password changed), when the Aadhaar website is hacked, the data once gone (your finger prints and iris scans) cannot be put back and neither can you change them--your fingerprints and iris--and they are essentially going to be your biometric passwords for a variety of services.

"There are only two types of companies those that have been hacked and those that will be." Robert Mueller, Director, FBI, keynote speech at the RSA conference, 1 March 2012

11 June 2012
Over 1,400,000 IDs were compromised in US based public health databases alone (in 2012 to date). These were linked to their social security numbers.

10 June 2012
Hours ahead of its planned protest against certain incidents of internet censorship in India , hacker collective Anonymous attacked and brought down the website run by Computer Emergency Response Team India (CERT-I n), the country's premier agency dealing with cyber security contingencies.

The site was restored later in the evening. The group organized street protests in 16 cities, including Chennai ,in theevening . "This is your response team #india ! They can't even protect themselves . How will they protect others ," read a tweet from @opindia _revenge , the group'stwitter handle . "We will keep attacking http://certin .org .in and http ://india.gov .in ! #GOI, ready to face ups and downs ?" the hackers said .

7 June 2012
Anonymous brought down the website of MTNL in a DDoS attack.

6 June 2012
Over six million passwords were stolen in a hack of the professional networking site linkedin.com. Earlier today, it was reported that a user in a Russian forum uploaded 6,458,020 hashed LinkedIn passwords.

Later in the day, Ars Technica reported that a list of about 1.5 million passwords appeared to include users of dating website eHarmony.

29 May 2012 (2)
Do you really think Aadhaar is going to use all Indian hardware and software made by patriotic Indians?... when the vendors list proves otherwise.... and here is what happened to the Americans when they did this kind of outsourcing (apart from the perils of the Internet that is). UK researchers discover backdoor in American military chip made by the Chinese.

U.K.-based security researchers have found a backdoor that was “deliberately” inserted into an American military chip to help attackers gain unauthorized access and reprogram its memory, according to a draft research paper.

Sergei Skorobogatov, a researcher at Cambridge University, discovered that a military-grade silicon device made by California-based Microsemi Corp., the ProASIC3 A3P250, contained a glitch that would allow individuals to remotely tweak its functions. “This permits a new and disturbing possibility of a large scale Stuxnet-type attack via a network or the Internet on the silicon itself,” the paper suggests. The Stuxnet worm, discovered in 2010, targets industrial systems.

The backdoor was obscured within the security mechanism of the chip with robust countermeasures to prevent access by others, a likely indication that it had been deliberately implanted, said Christopher Woods, a researcher at U.K.-based Quo Vadis Labs who collaborated on the research. The duo did not disclose further details in their paper, citing a “confidentiality agreement.”

The backdoor is “close to impossible to fix on chips already deployed” because software patches can’t fix the bugs.

27 May 2012 (2)
Protesting Anonymous hackers defaced BJP websites.

Through its Twitter account (@opindia_back) it announced thatwww.mumbaibjp.org and www.bjpmp.org.in were hacked by the group. After the hacking, the group posted a message to web users, asking them to organize protests against "web censorship" in India on June 9.

While the message was displayed on the homepage of www.mumbaibjp.org, on www.bjpmp.org.in it was inserted as a page at bjpmp.org.in/ads/anon.html. On Mumbai BJP website the message was accompanied by a catchy tune embedded through a YouTube link.

27 May 2012 (1)
Protesting hackers target social sites on RComm platform . Users of the service who tried to access popular websites like Facebook, Twitter, Yahoo and Gmail instead saw a message from the hackers announcing their protest against their "freedom being taken away".

Anonymous released admin logs from servers they hacked at http://pastehtml.com/view/bz8kycy0o.html, Anonymous OpIndia alleged that Reliance had blocked certain web pages, including the Facebook pages of staff protesting against Air India. Reliance Communications spokesperson said that they had "investigated the matter and confirm that all R-Com servers and websites are intact.

20 May 2012
Hackers Target Police, City of Chicago Websites before the NATO summit (supposedly when security would be high!) temporarily crippling them.

17 May 2012
Protesting hackers took down the websites of the Supreme Court of India and the Congress party .

29 April 2012 (2)
In a major systemic flaw (not teething problem) that involves programming error, venal humans and official culpability at senior levels over 30,000 Aadhaar cards were issued using the ID of a person who was not even employed by the UIDAI sub-contractor.

Mohammed Ali, 22-year-old data entry supervisor of Vattepally in Falaknuma blamed for the scam, was terminated by Infrastructure Leasing & Financial Services Limited (IL&FS) in September 2011. He supposedly enrolled 30,000 people, including 870 in the physically-disabled category, after termination in just two months. The physically disabled people did not have hands (no fingerprint) or eyes (no iris), and were not traceable in their declared addresses.

Investigators discovered that after his exit from IL&FS, enrolling agents at the 20 centers in the Old City had been using Mohammed Ali's login and password to carry on enrollments. To upload the Aadhaar card details of an individual, the agent has to log in using a special ID, password and also authorise the details using his thumb impression in the biometric scanner. The probe revealed that the operators at the 20 centers managed to upload details of 30,000 people by authorising them with their own fingerprints. "The system has a flaw. When an agent provides wrong authorisation fingerprint, it rejects on two occasions, but at the third instance it automatically takes the default authorisation print and completes the enrollment process," a civil supplies department (nodal agency for UIDAI) source said.

Probe agencies have realised that some IL&FS officials were in the know of things, but for reasons unknown, allowed the fraudulent enrollments to happen.

Ideally, the enrollment through Ali's ID should not have happened as he was not present at these centres to authenticate details using his fingerprints, but a flaw in the registration mechanism allowed them to carry out the fraud.

29 April 2012 (1)
We all know that VIPs get better security than the commoners in India, and with the craze for 'phoren' foreign dignitaries even more so. But wait a minute. There was an embarrassing security situation when police wireless system failed during the BRICS meeting. This after the 'switch over' was done ahead of the commonwealth games in 2010 itself and in the national capital! Any guesses on how robust the Aadhaar authentication system will be in rural areas?

In March, when the five heads of state (Brazil, Russia, India, China and South Africa) were in Delhi for the BRICS summit, the Delhi Police’s communication system collapsed. The Rs. 100-crore Tetra system was brought in to replace the old wireless sets. Terrestrial Trunked Radio (Tetra) — a professional mobile radio and two-way transceiver — collapsed during a major mock drill in the city on February 15 too, and gave the police problems during the April 15 MCD polls.

28 April 2012
The website of the Afghan Taliban was repeatedly taken down for the third time in less than a year crippled the main website of the Afghan Taliban, with a Taliban spokesman on Friday blaming Western intelligence agencies amid an intensifying cyber war with the insurgents. The unidentified hackers broke into the Taliban's El Emara

Taliban spokesman Zabihullah Mujahid told Reuters that the website was hacked around 12:30 am on Thursday and fixed in three hours, before being breached again at midday and put out of commission again. It was still being repaired on Friday. Unknown hackers brought down the main Taliban website earlier this month, when El Emara's English language page was replaced temporarily with images of Taliban atrocities and photographs of roadside bombs, according to the Long War Journal website, which tracks progress in the war, now dragging into its eleventh year.

Another cyber attack took place on June 20 last year, when false messages were distributed about the death of the Taliban's one-eyed leader, Mullah Mohammad Omar, from both the website and the phones of Taliban spokesman.

23 April 2012
Iran Took Systems Offline After Cyber Attack Hit Oil Industry Multiple targets were hit including the control systems of Kharg Island oil terminal, which handles the majority of Iran's crude oil exports, Iran's Oil Ministry and its national oil company.

Oil Ministry spokesman Ali Reza Nikzad-Rahbar told Mehr News Agency on Monday that the attack had not caused significant damage and the worm had been detected before it could infect systems. Iran disconnected computer systems at a number of its oil facilities in response... but Aadhaar will have that luxury, since authentication will be needed 24x7.

12 April 2012
In a rather bizarre case, but probably true of most of the 'undeliverable' numbers, ‘Coriander’ was issued an Aadhaar number--with the photograph of a mobile phone.

An Aadhaar card with number : 4991 1866 5246 was issued in the name of Mr Kothimeer (Coriander), Son of Mr Palav (Biryani), Mamidikaya Vuru (Village Raw Mango), of Jambuladinne in Anantapur district. As the card displayed the photo of a mobile phone, officials have no clue of the address where the card has to be delivered.

“We have completed all formalities, got ourselves photographed almost an year ago after standing in the long lines for days but haven’t received the card so far. The Kothimeer is lucky,” said an old man at the Jambuladinne Panchayat office.

11 April 2012
‘Anonymous’ Knocks CISPA Supporters Offline.

Anonymous knocked offline the websites of prominent defense contractor, Boeing, and two trade associations, TechAmerica and USTelecom.

The website of TechAmerica remained down Wednesday afternoon. USTelecom confirmed that they had been targeted by Anonymous with denial of service attack on Monday morning. The attack on Boeing occurred around 3 PM EST on April 10.

The attacks were in retaliation for the company’s support of a controversial piece of cybersecurity legislation, the Cyber Intelligence Sharing and Protection Act (CISPA).

7 April 2012 (2)
‘Anonymous’ took down the website of the British Prime Minister.

They launched a cyber attack on the website of 10 Downing Street. Hacktivists took down the website at about 10.30pm on Saturday despite announcing it days in advance, raising questions about the effectiveness of Whitehall internet security. Screenshots showed that the Home Office website was inaccessible from 9pm and service was reportedly patchy until Sunday morning.

The spokesman for the Prime Minister said it only lasted for a “couple of minutes”
[We have included the last comment since the government of India and UIDAI will also be using the same lies]

7 April 2012 (1)
‘Anonymous’ took down the Home Office website of the British government.
The hacking group ‘Anonymous’ appeared to have shut down the Home Office website on Saturday night, in an apparent protest against extraditions of British citizens to the US and so-called “draconian surveillance proposals.”

6 April 2012 (2)
Hackers break down Mac Firewall; over 6 lakh Apple's Mac computers affected.

6 April 2012 (1)
Sky News admits hacking emails in a case of 'responsible' journalism.

5 April 2012
Anonymous hacked and defaced 485 Chinese government, company, and other general websites . Targets hit in the mass defacement included government sites, its official agencies, trade groups and many others. Some sites were just defaced, but others have had administrator accounts, phone numbers, and e-mail addresses leaked.

The announcement about the defacements was made via an Anonymous China account that was established in March. A list of the 485 sites affected was put on the Pastebin website. Separate Pastebin messages posted email addresses and other personal details stolen when sites were penetrated.

China has one of the most comprehensive web surveillance systems in the world, known as the Great Firewall of China, that reinforces its broader social controls.

On defaced pages, the Anonymous attackers also posted links to advice that could help people avoid official scrutiny of what they do and say online. Government officials denied any had taken place, but many of the sites listed are now offline and a few others displayed a hacked page for a long time rather than their own homepage.

The Anonymous hackers reportedly r successfully attacked some sites a second time once the original defacement was cleaned up .

4 April 2012
A 23 year old British hacker steals 8 million identities

A British hacker has been sentenced to 26 months for stealing 200,000 PayPal accounts, 2,701 bank card numbers, as well as 8,110,474 names, dates of birth, and postcodes of U.K. residents between January 1, 2010, and August 30, 2011, from an undisclosed source.

Using the handle G-Zero, he also hacked into the networks of Nokia and AOL, copying the personal details of more than 8,000 staff members. Following his intrusion, Nokia’s internal network was down for two weeks.

30 March 2012
1.5 million VISA and MasterCard data was hacked. On Friday, March 30, VISA and MasterCard alerted banks about a recent major breach at U.S.-based credit card processor Global Payments.

The alerts also said that full Track 1 and Track 2 data was taken—meaning that the information could be used to counterfeit new cards. This latest breach involved at least 1.5 million accounts.

Krebs on Security, a blog that first reported the incident on Friday, said possibly 10 million accounts had been compromised for over a month, between January 21, 2012 and February 25, 2012. As usual, it wasn’t the company but a security blogger named Brian Krebs who broke the news. It follows a pattern common among other data breaches: customers who may have been affected by the data theft are often the last to know, and they find out weeks—sometimes months—after their credit-card information is extracted.

16 March 2012
112 government websites hacked in the last 3 months
“During the period December 2011 to February 2012, a total number of 112 government websites were hacked,” Minister of State for Communications and IT Sachin Pilot told the Lok Sabha.

IIM-C, Finance Ministry, Planning Commission, Health, Human Resource Development ministries and various State government agencies, were hacked or defaced. The State government websites that came under attack were from Andhra Pradesh, Tamil Nadu, Kerala, Odisha, Uttar Pradesh, Sikkim, Manipur, Madhya Pradesh, Rajasthan, Maharashtra and Gujarat. The website of Bharat Sanchar Nigam Ltd was hacked on December 4, 2011 by the ‘H4tr!ck' hacker group.

Last year the Central Bureau of Investigation website was hacked and defaced by programmers, who identified themselves as the “Pakistani Cyber Army.” It took weeks before the website was restored.

As per industry estimates, over 14,000 government and corporate websites were hacked/defaced in 2011.

10 March 2012
Spies used Facebook to steal Nato chiefs' details

NATO'S most senior commander was at the centre of a major security alert when a series of his colleagues fell for a fake Facebook account opened in his name - apparently by Chinese spies.

It is similar to the so-called "Night Dragon" attacks which targeted executives of some of the world biggest oil and gas companies. The attacks infiltrated the energy companies computer system and looked for how the firms operated. The attackers targeted the Western firms' public websites and specific individuals using Facebook and other social networking sites to learn about them first, and then trying to dupe them into revealing their log in names and passwords.

The hackers were traced to China, to Beijing and investigators found the attacks only happened on week days between 9am and 5pm local time suggesting they were working at an office or a government facility. Last year an executive at a key US defence firm, RSA, opened a personal email with the subject line "2011 Recruitment Plan" and clicked on the attached Excel spreadsheet. The attachment contained a virus, apparently engineered by the Chinese, which opened up RSA's system and allowed access to all its secrets, including its work for the White House, the Central Intelligence Agency, the National Security Agency, the Pentagon and the Department of Homeland Security(DHS).

8 March 2012
Anonymous leaks Symantec source code: Updated Retaliates after Lulzsec arrests THE HACKTIVIST Antisec group has published Symantec Norton AntiVirus 2006 All Platforms Source Code on The Pirate Bay.

Anonymous, with which Antisec is related, has long boasted of its ownership of Symantec code, and this is its latest release in an ongoing campaign against the security firm.

6 March 2012 (2)
Returning the favour, antivirus company Panda Security was apparently targeted after a researcher celebrated reports that LulzSec's former leader had become an informant. An online hacker responded to the arrest of six suspected hackers by hacking and defacing a security firm's Web site.

6 March 2012 (1)
Chinese hackers 'had full access' to Nasa lab that commands 23 spacecraft including missions to Jupiter, Mars and Saturn.

The hackers, operating from an internet address in China, gained full system access in November 2011, allowing them to upload hacking tools to steal user IDs and control Nasa systems, as well as copy sensitive files. The hackers were also able to modify system logs to conceal their actions. ‘The intruders had compromised the accounts of the most privileged JPL users, giving the intruders access to most of JPL's networks,’ said National Aeronautics and Space Administration Inspector General Paul Martin.

The cyber attack was one of 'thousands' of computer security lapses at the space agency. National Aeronautics and Space Administration Inspector General Paul Martin testified before Congress on the breaches. In another attack last year, intruders stole credentials for accessing NASA systems from more than 150 employees. Martin said the his office identified thousands of computer security lapses at the agency in 2010 and 2011.

2 March 2012
In response to a congressional directive, the US Department of Defense Inspector General has provided to Congress, “an inventory of all identified unauthorized disclosures of SCI [sensitive compartmented information, or classified intelligence] to the public within DoD from the past three calendar years.” The classified IG report also described the actions taken by DoD in response to the leaks, including referrals to the Department of Justice for criminal investigation.

Not strictly a hack, but a good overview, since it lists the leaks ("unauthorized disclosures of SCI to the public") from the US department of defense between December 23, 2008 and December 23, 2011.

1 March 2012
Nothing like turning one of the 'other' side. New Yorker Hector Xavier Monsegur, 28, was exposed as the person behind Sabu, the colorful leader of Lulz Security, a much-feared and talented offshoot of the cyber-activist group Anonymous. Apparently after the 28-year-old entered a guilty plea on August 15 to 12 counts of computer hacking conspiracies and other crimes, he reportedly became an informant, participating in the group's activities while federal law enforcement officials worked to infiltrate the group.

27 February 2012
WikiLeaks began publishing The Global Intelligence Files more than five million emails from the Texas-headquartered "global intelligence" company Stratfor. The emails date from between July 2004 and late December 2011. They reveal the inner workings of a company that fronts as an intelligence publisher, but provides confidential intelligence services to large corporations, such as Bhopal's Dow Chemical Co., Lockheed Martin, Northrop Grumman, Raytheon and government agencies, including the US Department of Homeland Security, the US Marines and the US Defense Intelligence Agency.

23 February 2012
'Anonymous' hacked into the databases of the Los Angelos County Police and Sheriff and posted contact info and nude pics on the net, including on facebook.

17 February 2012
Anonymous defaced several websites owned and operated by the US government as part of latest protest against online censorship in a massive anti-ACTA attack.

At least half a dozen federal websites belonging to the United States government were disrupted in the latest Anonymous-led assault this week including the US Federal Trade Commission, National Consumer Protection Week, the Consumer Protection Agency, the Federal Trade Commission and others.

15 February 2012
The website of Trinamool congress was hacked. It was restored only a day after it was hacked reportedly by a Bangladesh-based group. The party's website was remodelled before the last assembly election by Hotmail founder Sabeer Bhatia (no stranger to web security). A hacker's group, 'Bangladesh Black Hat Hackers', has on their Facebook page written that the state Chief Minister Mamata Banerjee had reneged on her promise on sharing of Teesta river water with the country.

14 February 2012 (2)
Anonymous defaced and then wiped out the website of Weapons Maker Combined Systems on the one-year anniversary of the uprising in Bahrain in retaliation for sales by the company of chemical weapons. They claimed to have stolen employee names, e-mails, addresses, passwords and client lists, and threatened the site’s administrators that if they helped Combined Systems rebuild its Web site, they would expose those companies’ client lists and e-mails as well. The data uploaded contained several employee user credentials as well as emails and account information of customers.

The Anonymous hackers claimed to have been inside the company’s network for some time but said they were forced to take down the site after Google alerted the company that a hacker had broken into its Web hosts. The hackers posted some of the stolen e-mails on the online bulletin board site Pastebin, including one e-mail, dated Feb. 10, from a Combined Systems Web developer who wrote, “Looks like our Web hosts got hacked.”

14 February 2012 (1)
A valentine's day gift from the Climate Change Deniers. The website of Heartland Institute a conservative public policy think tank was hacked. Published information include original documents containing the institute's budget, Climate Strategy for 2012, many details of the group’s operations, including salaries, recent personnel actions and fund-raising plans, donors and setbacks.

13 February 2012
The Microsoft India Store was hacked and usernames and passwords leaked . The usernames and passwords were kept in plain text.

Following the hack, the members of Evil Shadow Team, posted a message on the Microsoft website saying "unsafe system will be baptized". The story was first reported by www.wpsauce.com.

The Microsoft India Store was hacked and usernames and passwords leaked . The usernames and passwords were kept in plain text.

10 February 2012
Anonymous Takes Down CIA Web Site

"CIA Tango down," a member of Anonymous said on @YourAnonNews, a Twitter feed used by the group. "Tango down" is an expression used by the US Special Forces when they have eliminated an enemy.

9 February 2012
Nine official Web sites , including that of the Power Ministry, Maharashtra, Kerala and Uttarakhand Governments, were defaced in the recent past, forcing the authorities to strengthen cyber-security safeguards. The National Informatics Centre (NIC) under the Ministry of Communications and Information Technology said in an RTI reply that
“A number of hacking attempts are made on daily basis on Governments' Web sites hosted on NICNET servers. It is not possible to accurately quantify these. The attempts are usually effectively blocked by security controls put in place,” it said.

The Ministry was asked to give details of hacking attempts being made on the Governments' Web sites in the last ten years (2001-11) along with the names of uniform resource locater (URL) of the portals and source of such attacks.
The Web sites are:

8 February 2012
Hackers from Anonymous post classified German files online, revealing details of the country's military operations in Afghanistan.

Anonymous said it obtained the data from a server at the Bundestag or German parliament. The military documents were collected for an inquiry, now finished, into a September 2009 airstrike by US jets under German orders that killed more than 140 Taliban fighters and Afghan civilians. The inquiry criticized the 2009 airstrike.

7 February 2012
Anonymous Hacks Syrian President's Emails
The hacker collective reportedly released emails from the office of Syrian President Bashar Assad that focus on preparation for his recent interview with Barbara Walters. According to Israeli newspaper Haaretz, hackers compromised the Syrian Ministry of Presidential Affairs' server on Sunday night, and accessed the inboxes of 78 staffers. It apparently wasn't too difficult; many people used "12345" as their password.

Anonymous, meanwhile, initially targeted a few Syrian government Web sites with distributed denial of service attacks, but later changed its tune. Crippling the Internet in the region could have adverse effects on those trying to get the word out, Anonymous said. "Taking a site down momentarily in an already oppressive regime = unhelpful," Anonymous said.

3 February 2012 (2)
The internet certificate provider VeriSign Hacked, Successfully and Repeatedly, in 2010.
Reuters discovered the information in a quarterly U.S. Securities and Exchange Commission filing in October that followed new guidelines on reporting security breaches to investors. The company, unsurprisingly, is saying nothing. The problem for all of us, naturally, is if the certificate system was hacked, allowing the bad guys to forge certificates. (This has, of course, happened before.)
Are we finally ready to accept that the certificate system is completely broken? (Bruce Schneier)

[If you read only one blog on security, read Bruce Schneider. There is also a free monthly newsletter that comes like clockwork every 15th of the month]
3 February 2012 (1)
Hackers attacked Greek government (Justice Ministry) website to protest the government’s signing of a global copyright treaty and its handling of the financial crisis. The ministry was forced to take down its site after a video by activists claiming to be Greek and Cypriot members of the international “Anonymous” group was displayed for at least two hours.

25 January 2012
The computer security firm Symantec customers to disable pcAnywhere software saying it is at increased risk of getting hacked after blueprints of that software were stolen.

The company last week warned customers of the 2006 theft of the source code, or blueprints, to pcAnywhere and several other titles: Norton Antivirus Corporate Edition, Norton Internet Security, Norton Utilities and Norton GoBack.

"The code that has been exposed is so old that current out-of-the-box security settings will suffice against any possible threats that might materialize as a result of this incident," it said on its website. (bit.ly/wqtxTI) But it did not mention what it did in the intervening 6 years.

24 January 2012
If there can be fake ration cards canfake UIDs be far behind. A generous New Delhi MPs staff signed off address verification for virtually anyone on his behalf--when he was not even in the place!

19 January 2012
In swift retaliation for shutting down Megaupload Anonymous Hits DOJ, Universal Sites

Anonymous was quick to target the Justice Department, Universal Music, the RIAA, and MPAA in the wake of this afternoon's Megaupload announcement, with the Web sites for all four organizations succumbing to distributed denial of service (DDoS) attacks.

Justice.gov and universalmusic.com went offline around 430pm Eastern and have been largely unresponsive for the past 1.5 hours. RIAA.com and MPAA.org are also unresponsive.

"Recording Industry Association of America—Department of Justice—Universal Music—all TT, all TANGO DOWN," Anonymous tweeted this evening with the #OpMegaUpload hashtag.

"The Department of Justice web server hosting justice.gov is currently experiencing a significant increase in activity, resulting in a degradation in service," the DOJ said in a statement. "The Department is working to ensure the website is available while we investigate the origins of this activity, which is being treated as a malicious act until we can fully identify the root cause of the disruption."

17 January 2012
The US Federal Bureau of Investigation (FBI) suffered a major embarrassment when online hacker group Anonymous intercepted a telephone call between FBI agents and U.K. authorities involving a joint investigation of the group.

Members of the hacker-activist group obtained details on a Jan. 17 conference call, including dial-in information, and posted a recording of it on Google Inc.’s YouTube website and other Internet sites, according to messages posted on Twitter accounts associated with Anonymous members.

The phone recording suggests a significant security breach of Federal Bureau of Investigation protocols, according to E.J. Hilbert, a former agent in the bureau’s cyber security division. Anonymous reportedly accessed the call because a foreign police official who received the conference call invite forwarded it to a personal account, where it was intercepted by Anonymous.

Barrett Brown, an informal spokesman for Anonymous, said that in an unrelated attack a team of hackers had also stolen more than two years’ worth of e-mails and attachments relating to the 2005 Haditha massacre, in which 24 Iraqi civilians died from the computer servers of Puckett & Faraj, the law firm that represented Staff Sergeant Frank Wuterich, one of the marines accused in actions related to the deaths of Iraqi civilians. A person who answered the phone at Puckett & Faraj’s offices in Alexandria, Virginia, said the firm had no comment beyond confirming that its website was down. The e-mails, which go back as far as 2009, may contain evidence and undisclosed details about the Haditha incident, as well as other cases the firm has worked on.

The e-mails would be posted shortly on a file-sharing site accessible by the public.

12 January 2012
Anonymous targets Israel by publishing SCADA log-in details

Hacktivist group Anonymous has released what it claims to be a series of log-in details for Israeli SCADA systems. The new @FuryOrAnon account, which has been vouched for by one of the group's most prominent Tweeters, @AnonymouSabu, posted a link to the Pastebin page on Twitter on Wednesday. The Pastebin page in question contains what it claims to be a list of ten IP addresses for Israeli SCADA systems as well as log-in details.

SCADA, or supervisory control and data acquisition systems are a vital part of the industrial control systems found in manufacturing, power generation and other facilities. They were targeted famously by the Stuxnet worm which is alleged to have been created by Israel and the US in a bid to disrupt Iran's nuclear programme.

11 January 2012

Turning tables, India hacked into emails of an official American commission that monitors economic and security relations between the US and China, including cyber- security issues.

Hackers posted on the Internet what purports to be an Indian military intelligence document on cyber-spying, which discusses plans to target the US-China Economic and Security Review Commission (USCC) - apparently using technical knowhow provided by western mobile phone manufacturers.

Stewart Baker, a cyber-security policy expert, said the commission "would be a high-priority target for China, since USCC has been one of the most vocal US agencies in warning against Chinese hacking... If it's genuine, it should cause red faces
all around. At USCC for apparently getting hacked by Indian intelligence, and even more so at Indian intelligence for getting hacked by what may be a bunch of amateurs."

5 January 2012
Worm steals 45,000 Facebook passwords
A computer worm stole 45,000 login credentials from Facebook. The culprit is a well-known piece of malware - dubbed Ramnit - which has been around since April 2010 and has previously stolen banking details.

2 January 2012
To no ones surprise, even terrorists manage to get Aadhaar numbers. A suspected Hizbul terrorist, despite being on the most wanted list , obtained a voter ID card, ration card and even an Aadhaar card using fake documents with a fake name, fake father's name with an address in Ghousenagar in Bandlaguda of Chandrayanagutta, Hyderabad. Cyberabad anyone? Happy new year!

Top ten reasons you should get your UID ‘Aadhaar’ immediately

Top ten reasons you should get your UID ‘Aadhaar’ immediately

1. You want to give all your personal information to the Americans (L1, the subcontractors, have many ex-CIA spies on their staff and board. Another contractor is Accenture which, being an American company, has to give all the data in its possession to the American government under the USA PATRIOT Act ).

They are contractors 23 and 24 of UIDAI for Implementation of Biometric Solution for UIDAI.

2. You want to give all your personal information to the Chinese. You like to live dangerously and/or want your personal details (and your children’s) to be flashed over the internet. (In 8 months, the Chinese hacked into the Indian Embassy in Afghanistan, and the Prime Minister’s Office—twice. The government did not even know, it is a study by a foreign university that brought it to light.).

3. You want to change your finger-prints regularly. When (not if) the database is hacked the biometrics you provided will no longer be usable. You will need another set of ‘unique’ finger prints. Guess who will have to pay for the surgery involved. It is either that or upgrade the whole system to a DNA bank… and when that gets hacked…

4. You like spam and pesky SMS from companies. You think that in a country where MPs ask questions in parliament for Rs 15,000 and arrest warrants for the President and two Judges, including the Chief Justice of the Supreme Court are issued for even less (Rs 40,000 for all three), your data will not be sold to the marketing companies and anyone who can pay for it.

5. You think the government—with about 25% of the MPs involved in crimes such as rape and murder—will not misuse the data. The government will not lie to you.

5. You like having more ID proofs… after a passport, driving licence, ration card. You can also get multiple UID cards... which, if you noticed, is also the reason there are two items at number five on this list.

6. You want to make it easier for hackers to empty out your bank accounts. UIDAI is now working with banks to make it compulsory to have Aadhaar for opening accounts. But stored identification (like passwords for instance) are so insecure that banks now use one time passwords, valid for as little as 5 minutes, to be used from the same computer it was requested.

7. You believe that there will be 100% availability of electricity and a working broadband connexion within walking distance anywhere in this country at all times. There will be no ‘equipment failure’ called ‘human error’ and ‘genuine mistakes’ (as in the case of the terror list given to Pakistan).

8. You think that privacy is a western concept. Like Union Carbide (of Bhopal disaster "plenty good for an Indian" fame) you know that Indians are lesser human beings and do not deserve fundamental freedoms essential to human dignity.

9. You believe that Nandan Nilenkani will personally enter the data and verify it each time. It will not be sub-contracted out to the lowest bidder and entered/verified by a barely literate person. It will not be possible to give a man a UID with the photo of a woman.

10. You believe that Anna Hazare’s campaign against corruption is ill conceived and that the problem with the PDS is technology not human nature of excessive power of the government machinery. You do not believe that power corrupts and absolute power corrupts absolutely but rather that all the officials, including those controlling the data (including your fingerprints) are angels.

For more go to: http://openspace.org.in/UIDaadhaar