Has the CIA already stolen India's Aadhaar database?

Project Dharma

meh
Senior Member
Joined
Oct 4, 2016
Messages
4,836
Likes
10,862
So what?

The advantages of Aadhaar outweigh the disadvantages by a factor of unimaginable proportions.

Open your damn minds n do your own homework rather than coming under someone else's propaganda.

If you are incapable of that sort of thinking then I recommend you show a little faith in PM Modi, he is here to fix this mess of a country and bring us back to our glorious days.

What has happened to us (Indians), we used to be leaders; guiding the world in ways unimaginable to others. People from different continents used to come visit us just to learn our ways.

Now we have turned ourselves into followers aka slaves, do things only if it is approved by Uncle Sam. Shame!!!
I honestly don't understand the outrage in your post. :confused1: Yes, there are advantages of the government having a way to identify its citizens. Uncle Sam itself has such a database.

That doesn't mean that the implementation can be insecure so that private details are leaked to a third country. You personally might be alright with it but it is presumptuous to tell the person who is not to "deal with it coz Modi".
 

Akshay Fenix

Regular Member
Joined
Jun 17, 2017
Messages
739
Likes
3,076
I honestly don't understand the outrage in your post. :confused1: Yes, there are advantages of the government having a way to identify its citizens. Uncle Sam itself has such a database.

That doesn't mean that the implementation can be insecure so that private details are leaked to a third country. You personally might be alright with it but it is presumptuous to tell the person who is not to "deal with it coz Modi".
Google, Facebook, Skype; aka Internet Apple, Android, Windows; aka devices.

If you have used even 1 of these services or devices then sorry to say Your Identity has been Compromised.

People aka Indians do not bat an eye when these foreign companies ask for your name, addr, mobile number, your profile pic. But when Indian government asks for it then What if this, what if that, why, what use, all these questions people start to ask.

The same people then write big speeches about how IA n IAF are sell outs when they don't buy indi products.

Long live this nation made up of hypocritical people.
:india:
 

Project Dharma

Lol we haven't even gone there whether this program should exist or not. We're discussing whether the implementation was secure and the implications of the leak if it happened.

Relax bud, we get it. You've drank the koolaid. Some of us haven't.

Google, Facebook, Skype; aka Internet Apple, Android, Windows; aka devices.

If you have used even 1 of these services or devices then sorry to say Your Identity has been Compromised.

People aka Indians do not bat an eye when these foreign companies ask for your name, addr, mobile number, your profile pic. But when Indian government asks for it then What if this, what if that, why, what use, all these questions people start to ask.

The same people then write big speeches about how IA n IAF are sell outs when they don't buy indi products.

Long live this nation made up of hypocritical people.
:india:
 

Akshay Fenix

Lol we haven't even gone there whether this program should exist or not. We're discussing whether the implementation was secure and the implications of the leak if it happened.

Relax bud, we get it. You've drank the koolaid. Some of us haven't.
Agreed, I did drink the koolaid but at least it's not getting shoved up my ass without me knowing it.

Like I said nothing is secure. 1 billion records will not be stored in a single location they will be spread out between every state.

Suppose if someone does decide to hack then at most he will have access to only a lakh records or even less depending on how it is set up.

The government can even set up fake records to lure these hackers, intentionally let them in n then game over.

Possibilities r endless.
 

charlie

New Member
Joined
Jul 1, 2010
Messages
1,151
Likes
1,245
Aadhaar card information was hacked by an M.Tech student of IIT Kharagpur.

If he can do this then CIA can also do this.

http://indianexpress.com/article/india/iit-grad-his-firm-booked-for-hacking-aadhaar-data-4772220/
That's a clear case of a leak of credentials, and anyway companies are allowed to authenticate the info of an individual; all he did was build an app that accesses that data with the sold-out credentials. I can call that stealing, not hacking.

Neither CIA nor NIA (which is much ahead of CIA in case of resources for these kinds of things) can hack into the central database, which has more than 128-bit (forget about 256) encryption, period.

Now there might be loopholes at which parts things start getting encrypted; for that you have to see Nandan Nilekani videos. I guess in one of his videos he reveals the info at what level things start getting encrypted.
 

charlie

He hacked and exposed DARPA's files and uncovered it. He became a criminal for USA. Now he is in Russia. Heck, he asked for shifting his asylum to Bharat.
He was a less than average system admin who stole the data. This is the perfect example of biting off more than he could chew.

Most of the data he stole, I assume he could even understand what he stole. Some of the data is available online; check what he stole.

The Russians evaluated him and knew he was worthless; that's why he stayed in the airport for a while instead of them granting him permission right away. If he was really sharp you could have seen a completely different reaction from the Russians.
 

Project Dharma

That's a clear case of a leak of credentials, and anyway companies are allowed to authenticate the info of an individual; all he did was build an app that accesses that data with the sold-out credentials. I can call that stealing, not hacking.

Neither CIA nor NIA (which is much ahead of CIA in case of resources for these kinds of things) can hack into the central database, which has more than 128-bit (forget about 256) encryption, period.

Now there might be loopholes at which parts things start getting encrypted; for that you have to see Nandan Nilekani videos. I guess in one of his videos he reveals the info at what level things start getting encrypted.

There are rumors that the NSA has developed specialized hardware to break AES encryption. Of course they deny everything. Also depends on the vendor of the encryption. If it is Oracle or some other proprietary company, you can bet that there will be a backdoor for the NSA. Even if it is open source, these guys have the best minds to study vulnerabilities.

If we wrote our own, hopefully we know what we are doing.

:laugh: Agree about Snowden being an unsophisticated sysadmin.
 

Project Dharma

Agreed, I did drink the koolaid but at least it's not getting shoved up my ass without me knowing it.

Like I said nothing is secure. 1 billion records will not be stored in a single location they will be spread out between every state.

Suppose if someone does decide to hack then at most he will have access to only a lakh records or even less depending on how it is set up.

The government can even set up fake records to lure these hackers, intentionally let them in n then game over.

Possibilities r endless.
You do know the origin of "drinking the koolaid"? It refers to slowly poisoning yourself.

https://en.wikipedia.org/wiki/Drinking_the_Kool-Aid

The fact that it is being shoved up our ass is precisely the reason we want to make sure the information is secure. Facebook, Google etc do not have our bank account, tax information and health records.
 

Abhijat

Regular Member
Joined
Apr 17, 2014
Messages
656
Likes
851
^ Bhai, have you even read the article posted on the first page?

It's not that the stored database is compromised, but even before that, a company which takes on the enrollment task at the first stage is compromised. So your biometric detail is going to CIA before it even reaches GoI.

Also, the internet and associated services you mentioned don't ask for your biometric detail and as such are not a reliable instrument to assure one's identity. But Aadhaar is.

Let me give you an example of what this can mean: hopefully not, but if by some blunder Pappu and his courtiers came into power again, and by their true nature started pushing the 'Hindu terrorist' narrative again. So as a proud Hindu Internet Warrior you take up the task of lambasting such a narrative to the ground on Facebook or such. So you start visiting the comment sections of news portals on Facebook and going all Rambo there, of course with a fake profile. And you turn out to be good at that, with a number of followers behind your back, a rising proud Internet Warrior indeed.

But here comes the twist. What if the Congi cyber cell decided to suppress your views and take down the above movement, which in future can result in political upheaval for them? So how are they going to do it? One, they can do it via Facebook itself, i.e. report your profile to Facebook's technical section and block it. But it won't be fruitful, as you already know.

OTOH, they can target you in real life; how is the question. You are using a fake profile, so not much can be done about that. Internet social service providers like Facebook etc. can only help by giving GoI the information which you yourself presented at the time of creating the profile, which of course I assume is fake. But there are other ways to get the IP address of a user. So now we have information about your IP. Now the cyber cell can approach the internet service provider and ask them for the user who was using such an IP at such a time. But here also, your information may be fake. But with Aadhaar compulsory for availing any SIM card, it can't. So I got your identity associated with your Facebook profile, and when you next time use your digital wallet, your transaction details, your family history.

Now the question is what anyone can do with such details. Answer: "PROFILING".

But I will admit the above scenario is good for tracing real terrorists, as they can't hide behind an "Anonymous" IP address as such.

But Pappu can also use this to suppress dissenting views. What is needed is a strong institutional mechanism so that at every stage of the above scenario there are laid-down rules and regulations, backed by the institutional integrity of those who follow them religiously, and prevent misuse of them. This is what I like about Modiji: he is trying to rebuild institutions with clearly laid-out policy, so that even after his tenure a strong mechanism remains in place to follow such regulation.

 

Project Dharma

^ Bhai, have you even read the article posted on the first page?

It's not that the stored database is compromised, but even before that, a company which takes on the enrollment task at the first stage is compromised. So your biometric detail is going to CIA before it even reaches GoI.
Were you referring to me? Asking because we posted at the same time almost. I did read the article eventually. And I wasn't saying that the stored db is compromised, was just discussing encryption in general terms.
 

charlie

There are rumors that the NSA has developed specialized hardware to break AES encryption. Of course they deny everything. Also depends on the vendor of the encryption. If it is Oracle or some other proprietary company, you can bet that there will be a backdoor for the NSA. Even if it is open source, these guys have the best minds to study vulnerabilities.

If we wrote our own, hopefully we know what we are doing.

:laugh: Agree about Snowden being an unsophisticated sysadmin.
Don't believe everything you read on the internet; there is no hardware that can break DES encryption, forget about AES.

We just sold the Brazilian army a system with DES encryption; do you think they would buy it if they thought it's hackable?

I worked for a company which works really closely with NSA on encryption and of course provides communication. The highest level of recommended encryption for all federal-level agencies whose data is really important comes under NSA level 2 (just a bit above 256) encryption, I assume; they make sure that it should be double the level of something they can hack.

CIA used an old system called alpha 9, now just upgraded by a company I used to work for.
 

Project Dharma

Well they cannot. I worked for a company which works really closely with NSA on encryption and of course provides communication. The highest level of recommended encryption for all federal-level agencies whose data is really important comes under NSA level 2 (just a bit above 256) encryption, I assume; they make sure that it should be double the level of something they can hack.

CIA used an old system called alpha 9, now just upgraded by a company I used to work for.
I will defer to your wisdom then. I am just an old neckbeard who follows security closely.

Do you know if this is true for GPG as well as AES?
 

Project Dharma

^ Bhai, have you even read the article posted on the first page?

It's not that the stored database is compromised, but even before that, a company which takes on the enrollment task at the first stage is compromised. So your biometric detail is going to CIA before it even reaches GoI.

Also, the internet and associated services you mentioned don't ask for your biometric detail and as such are not a reliable instrument to assure one's identity. But Aadhaar is.

Let me give you an example of what this can mean: hopefully not, but if by some blunder Pappu and his courtiers came into power again, and by their true nature started pushing the 'Hindu terrorist' narrative again. So as a proud Hindu Internet Warrior you take up the task of lambasting such a narrative to the ground on Facebook or such. So you start visiting the comment sections of news portals on Facebook and going all Rambo there, of course with a fake profile. And you turn out to be good at that, with a number of followers behind your back, a rising proud Internet Warrior indeed.

But here comes the twist. What if the Congi cyber cell decided to suppress your views and take down the above movement, which in future can result in political upheaval for them? So how are they going to do it? One, they can do it via Facebook itself, i.e. report your profile to Facebook's technical section and block it. But it won't be fruitful, as you already know.

OTOH, they can target you in real life; how is the question. You are using a fake profile, so not much can be done about that. Internet social service providers like Facebook etc. can only help by giving GoI the information which you yourself presented at the time of creating the profile, which of course I assume is fake. But there are other ways to get the IP address of a user. So now we have information about your IP. Now the cyber cell can approach the internet service provider and ask them for the user who was using such an IP at such a time. But here also, your information may be fake. But with Aadhaar compulsory for availing any SIM card, it can't. So I got your identity associated with your Facebook profile, and when you next time use your digital wallet, your transaction details, your family history.

Now the question is what anyone can do with such details. Answer: "PROFILING".

But I will admit the above scenario is good for tracing real terrorists, as they can't hide behind an "Anonymous" IP address as such.

But Pappu can also use this to suppress dissenting views. What is needed is a strong institutional mechanism so that at every stage of the above scenario there are laid-down rules and regulations, backed by the institutional integrity of those who follow them religiously, and prevent misuse of them. This is what I like about Modiji: he is trying to rebuild institutions with clearly laid-out policy, so that even after his tenure a strong mechanism remains in place to follow such regulation.

To expound on your example of profiling, what if said person wants to go underground because of persecution by the government? They can stop using Facebook, WhatsApp etc. But then they go to the bank, scan their Aadhaar Card and bingo. Pappu has a location as well.
 

Project Dharma

Don't believe everything you read on the internet; there is no hardware that can break DES encryption, forget about AES.
Eh? You edited your post after I responded. DES was cracked by the EFF; that is the reason it was deprecated and is no longer used by Murica. It is susceptible to brute force attacks.

In cryptography, the EFF DES cracker (nicknamed "Deep Crack") is a machine built by the Electronic Frontier Foundation (EFF) in 1998, to perform a brute force search of the Data Encryption Standard (DES) cipher's key space – that is, to decrypt an encrypted message by trying every possible key. The aim in doing this was to prove that the key size of DES was not sufficient to be secure.

https://en.wikipedia.org/wiki/EFF_DES_cracker
 

charlie

I will defer to your wisdom then. I am just an old neckbeard who follows security closely.

Do you know if this is true for GPG as well as AES?
I never heard of GPG encryption, so don't have a clue.
I only know about AES and DES encryption which I use. But I can say even DES encryption is not hackable with the current computing capabilities.

Do a search if you have time to see what encryption new comms are coming in our army.
 

charlie

Eh? You edited your post after I responded. DES was cracked by the EFF; that is the reason it was deprecated and is no longer used by Murica. It is susceptible to brute force attacks.

In cryptography, the EFF DES cracker (nicknamed "Deep Crack") is a machine built by the Electronic Frontier Foundation (EFF) in 1998, to perform a brute force search of the Data Encryption Standard (DES) cipher's key space – that is, to decrypt an encrypted message by trying every possible key. The aim in doing this was to prove that the key size of DES was not sufficient to be secure.

https://en.wikipedia.org/wiki/EFF_DES_cracker
"DES key in 22 hours and 15 minutes (see chronology). There are also some analytical results which demonstrate theoretical weaknesses in the cipher, although they are infeasible to mount in practice."

Let me give you an example: with today's computing power you crack one packet in, let's say, 2 hours; do you know how many packets are generated in a min?

It's theoretically possible but practically not; just trust me on this one, world armies don't buy billion-dollar stuff if they think just any Tom can hack it. Again, reading the internet too much.

will continue the conversation tomorrow.
 

Project Dharma

"DES key in 22 hours and 15 minutes (see chronology). There are also some analytical results which demonstrate theoretical weaknesses in the cipher, although they are infeasible to mount in practice."

Let me give you an example: with today's computing power you crack one packet in, let's say, 2 hours; do you know how many packets are generated in a min?

It's theoretically possible but practically not; just trust me on this one, world armies don't buy billion-dollar stuff if they think just any Tom can hack it. Again, reading the internet too much.
:confused1: Once you have the key you have everything since it is a symmetric key algorithm. Doesn't matter how many "packets" are being generated. If you are implying that each packet is encrypted using a new key, then why not use a more secure encryption system since you have all that memory for multiple keys in the first place?

Theoretically, you could rotate the keys every x seconds or something. But evidently, it can now be broken in near realtime. Why use an obsolete encryption method when newer ones are available?

A chosen-plaintext attack utilizing a rainbow table can recover the DES key for the specific plaintext 1122334455667788 in 25 seconds. This allows DES-based challenge-response authentication systems, such as MSCHAPv1, to be broken in real time.[21][22]

As for why the Brazilian Army bought a billion dollar system with DES, I don't know. They are stupid? Corrupt? Poor and can't afford newer hardware? They are using it for applications that are not security sensitive? I don't have inside knowledge so I can't presume to know.

As for "reading too much internet", it is my business as a developer to read the internet. Please don't be presumptuous.
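
The point made in the post above, that a recovered symmetric key exposes every packet encrypted under it regardless of traffic volume, as an added example that is not part of the thread. It assumes a constructed toy cipher with a 16-bit key (chosen so the search finishes instantly; it is not DES), and `years_to_exhaust` scales the 22 hours 15 minutes figure quoted in the thread to other key sizes on the assumption that this time covers the full 2^56 key space.

```python
import hashlib

TOY_KEY_BITS = 16            # assumption: tiny key space so the demo runs instantly
SECRET_KEY = 0xBEEF          # constructed sample key
SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Assumption: treat the quoted 22 h 15 min as the time to sweep all 2^56 DES keys.
QUOTED_RATE = 2 ** 56 / (22 * 3600 + 15 * 60)   # keys per second


def keystream(key: int, nonce: int, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter). Illustration only."""
    out, counter = b"", 0
    while len(out) < length:
        block = key.to_bytes(2, "big") + nonce.to_bytes(4, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


def crypt(key: int, nonce: int, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def recover_key(nonce: int, ciphertext: bytes, known_plaintext: bytes):
    """Exhaustive search over the toy key space using one known-plaintext packet."""
    prefix = ciphertext[: len(known_plaintext)]
    for candidate in range(2 ** TOY_KEY_BITS):
        if crypt(candidate, nonce, prefix) == known_plaintext:
            return candidate
    return None


def demo(packet_count: int = 500):
    """One key search, then every captured packet decrypts with the same key."""
    packets = [f"packet {i}: position report".encode() for i in range(packet_count)]
    captured = [(n, crypt(SECRET_KEY, n, p)) for n, p in enumerate(packets)]
    nonce0, ct0 = captured[0]
    found = recover_key(nonce0, ct0, b"packet 0:")
    decrypted = [crypt(found, n, c) for n, c in captured]
    return found, decrypted == packets


def years_to_exhaust(key_bits: int, keys_per_second: float) -> float:
    """Worst-case time to sweep a key space of the given size at a fixed rate."""
    return 2 ** key_bits / keys_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    found, all_ok = demo()
    print(f"recovered key {found:#06x}; all packets decrypted: {all_ok}")
    for bits in (56, 128, 256):
        print(f"{bits}-bit key at the quoted rate: {years_to_exhaust(bits, QUOTED_RATE):.3g} years")
```

The search cost depends only on the key size, not on how many packets were sent, which is why the defensive answer is a larger key rather than more traffic.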
 
