In 2009, I became extremely concerned with the concept of Unique Identity for various reasons. Connected with many like minded highly educated people who were all concerned.
On 18th May 2010, I started this Blog to capture anything and everything I came across on the topic. This blog with its million hits is a testament to my concerns about loss of privacy and fear of the ID being misused and possible Criminal activities it could lead to.
In 2017 the Supreme Court of India gave its verdict after one of the longest hearings on any issue. I did my bit and appealed to the Supreme Court Judges too through an On Line Petition.
In 2019 the Aadhaar Legislation has been revised and passed by the two houses of the Parliament of India making it Legal. I am no Legal Eagle so my Opinion carries no weight except with people opposed to the very concept.
In 2019, this Blog now just captures on a Daily Basis list of Articles Published on anything to do with Aadhaar as obtained from Daily Google Searches and nothing more. Cannot burn the midnight candle any longer.
"In Matters of Conscience, the Law of Majority has no place"- Mahatma Gandhi
Ram Krishnaswamy
Sydney, Australia.

Aadhaar

The UIDAI has taken two successive governments in India and the entire world for a ride. It identifies nothing. It is not unique. The entire UID data has never been verified and audited. The UID cannot be used for governance, financial databases or anything. Its use is the biggest threat to national security since independence. – Anupam Saraph 2018

When I opposed Aadhaar in 2010, I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one? - Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win.-Mahatma Gandhi

In matters of conscience, the law of the majority has no place. - Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty - Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.”-A three judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholar Usha Ramanathan describes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens are with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of internet and today’s technology and all the new privacy challenges that have arisen as a consequence.

Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant. - Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Sabha April 2017.

August 24, 2017: The nine-judge Constitution Bench rules that right to privacy is “intrinsic to life and liberty” and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution

"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” -Edward Snowden

In the Supreme Court, Meenakshi Arora, one of the senior counsel in the case, compared it to living under a general, perpetual, nation-wide criminal warrant.

Had never thought of it that way, but living in the Aadhaar universe is like living in a prison. All of us are treated like criminals with barely any rights or recourse and gatekeepers have absolute power on you and your life.

Announcing the launch of the #BreakAadhaarChains campaign, culminating with events in multiple cities on 12th Jan. This is the last opportunity to make your voice heard before the Supreme Court hearings start on 17th Jan 2018. In collaboration with @no2uid and @rozi_roti.

UIDAI's security seems to be founded on four time tested pillars of security idiocy

1) Denial

2) Issue fiats and point finger

3) Shoot messenger

4) Bury head in sand.

God Save India

Tuesday, January 25, 2011

1065 - The Stuxnet connection: Will the UID be its next target? - Money Life

January 24, 2011 04:50 PM
 Moneylife Digital Team

Whether the super-worm was created in the US, Israel or China, we will never know. Nevertheless, India is still collaborating with companies from these countries without any background checks. Take, for example, L-1 Identity Solutions, UIDAI’s partner for the Aadhaar project.

Last week, the New York Times published an article that claimed that Stuxnet, an Internet worm, which infects the Windows operating system (OS), was a joint project of the US and Israel and its testing was done on nuclear centrifuges identical to those used by Iran at its Natanz nuke facility.

Ever since Stuxnet made its appearance, it has been alleged that the worm is mainly responsible for hampering Iran's nuke project. Some even claimed that the same worm was responsible for the launch failure of India's Geosynchronous Satellite Launch Vehicle (GSLV) rockets. However, the Indian Space Research Organisation (ISRO) has denied this claim.

Stuxnet was first discovered in July, but is confirmed to have existed at least one year prior and likely even before. The majority of infections were found in Iran. According to security company Symantec, Stuxnet represents the first of many milestones in malicious code history: it is the first to exploit four zero-day vulnerabilities, compromise two digital certificates, and inject code into industrial control systems and hide the code from the operator. The worm hit primarily inside Iran, Symantec reported, but in time also appeared in India, Indonesia and other countries.

"Stuxnet is of such great complexity - requiring significant resources to develop - that few attackers will be capable of producing a similar threat, to such an extent that we would not expect masses of threats of similar in sophistication to suddenly appear. However, Stuxnet has highlighted (that) direct-attack attempts on critical infrastructure are possible and not just (in) theory or movie plotlines," Symantec said in its latest report titled "W32.Stuxnet Dossier".

Last year in November, Iran's president, Mahmoud Ahmadinejad, broke the country's silence about the worm's impact on its enrichment program, saying that a cyber attack had caused "minor problems with some of its centrifuges and fortunately their experts discovered it."

The most detailed portrait on the damage caused by Stuxnet came from the Institute for Science and International Security, a private group in Washington. In December, the group issued a lengthy report on Stuxnet, which said that Iran's P-1 machines at Natanz suffered a series of failures in 2009 that culminated in technicians taking 984 machines out of action.

The history of the P-1 machine is quite interesting and appears to be lifted directly from a James Bond movie. Early in 1970, the Netherlands designed a tall and thin machine for enriching uranium. A Pakistani metallurgist, Abdul Qadeer Khan, was working for the Dutch at that time. Later he stole the machine design and in 1976 fled to his homeland. There he built the machine, known as P-1 for Pakistan's first-generation centrifuge, which helped that country to make the bomb. Dr Khan, believed to have established an atomic black market, illegally sold the machine to Iran, Libya and North Korea.

Although Dr AQ Khan, often labelled the "Father of Pakistan's atomic program", is not a spy, there are others who, after their first innings as superspies, are turning entrepreneurs and selling machines and services to other countries. For example, our own Unique Identification Authority of India (UIDAI), the 'de facto' agency assigned to tag all residents, has partnered with a company that is full of such 'retired' secret agents.

L-1 Identity Solutions, chosen by UIDAI to implement the core biometric identification system for the Aadhaar programme, has names associated with the Central Intelligence Agency (CIA) and other American defence organisations in its top management or as directors.

In 2004, George Tenet, ex-director of CIA, joined L-1 Identity Solutions as director on the board. L-1's chief executive Bob LaPenta, in 2006, had said, "You know, we're interested in the CIA, and we have George Tenet." Mr Tenet is also accused of being one of those who deliberately furnished false evidence to US diplomats in order to garner support for the US 'intervention' in Iraq, post 2001.

Over the years, particularly after taking some top-notch 'retired' intelligence and defence officials on board, L-1 Solutions has made rapid progress. According to an IT expert, L-1 and NADRA, the Pakistan unique identity agency, appear to have been created on the same business model.

"Staffed strongly by persons with intelligence (quasi-military) links, the major goals of both agencies are to do business with their respective governments, and they succeed to the extent that they have virtually no competition. And this is the company UIDAI has welcomed into India," said the expert.

You may ask, what does L-1 or UID have to do with Stuxnet? Read again: L-1 Identity Solutions has been chosen by UIDAI to implement the core biometric identification system for the Aadhaar programme. What if someone wants to implant a backdoor in the machines used for storing UID data? This kind of backdoor engineering would prove to be a disaster in waiting.

This ambitious and expensive project uses biometric information like fingerprints, IRIS scans and face photos to create a UID number. The authority has already started roping in fat-profit organisations as its partners, which will very likely result in the database being used for targeted marketing. (Read: Fat profit institutions continue to board UID bandwagon)

Last year, India's Department of Telecom (DoT) asked all telecom operators to get clearance from the government before importing telecom equipment due to security reasons. Later, the government allowed private telecom companies to import equipment from Chinese vendors only after meeting certain criteria with regard to national security.

The major concern for the Indian government was that telecom equipment from certain countries, including China, could contain spyware that would give intelligence agencies access to our country's telecom networks. This type of spyware, installed in a chip of the equipment, is called a remote access Trojan or backdoor software.

The appearance of Stuxnet and the reported sabotage it has carried out in Iran is one of the best examples of spyware being used to usher in the new age war. Whether Stuxnet was created by the US or Israel or by China, we will never know for sure. However, what is important is we are blindly welcoming everyone into our homes and sharing all personal information without a simple background check.

Normally this should have rung an alarm bell. But it seems there has been no reaction, let alone any action from UIDAI or the government. So, what is the control over these databases and what is there to prevent any unauthorised use of this data?

A few days ago, Moneylife emailed a couple of questions to internationally renowned security technologist and author Bruce Schneier, asking whether there is any way or method to detect a backdoor in telecom equipment and whether the Indian authorities would be able to address privacy and security concerns related to the UID project. Mr Schneier's answer was in the negative. On detecting the backdoor, Mr Schneier, who is also the chief security technology officer of BT, said, "Study the source code and chip layouts and hope for the best. So no, there is no guaranteed way to detect it."

No doubt, the UIDAI and its key officials, including Nandan Nilekani, are experts in IT, but we do not know if they possess any capabilities to check for spyware installed in machines or to do reverse engineering. This leaves an open question: what if something like Stuxnet hits the UIDAI's ambitious project?

According to Symantec, the real-world implications of Stuxnet are beyond any threat it has seen in the past. "Despite the exciting challenge in reverse engineering Stuxnet and understanding its purpose, Stuxnet is the type of threat we hope to never see again," it concludes.