Thursday, June 10, 2010

India Should Not Use SaaS For Crucial Governmental Functions

Software as a Service (SaaS) has been in media reports for a long time. SaaS is a web-based version of proprietary software that performs computing on its servers on behalf of the client. Cloud computing is one of the most famous forms of SaaS. It is projected as a panacea for many infrastructure related problems and as a way of saving costs. While cloud computing has considerable cost benefits, it has drawbacks as well.

Richard Stallman, the founder of the Free Software Foundation, says that on the Internet, proprietary software isn't the only way to lose your freedom. SaaS is another way to let someone else have power over your computing. He totally rejects the idea of cloud computing and opines that the real meaning of “cloud computing” is to suggest a devil-may-care approach towards your computing. It says, “Don't ask questions, just trust every business without hesitation. Don't worry about who controls your computing or who holds your data. Don't check for a hook hidden inside our service before you swallow it.” In other words, cloud computing means think like a moron.

There are many security and regulatory factors that must be complied with by SaaS and cloud computing before their deployment in India. Out of these I would presently like to stress upon three aspects alone. These are Security and Privacy, Compliance, and Legal or Contractual Issues.

As far as Security and Privacy is concerned, India has very weak cyber security and no dedicated privacy law. There is not even a dedicated data protection law in India. The data of end users and governmental agencies is not safe in the absence of these essential regulations that the government of India is willingly not interested in enacting.

As far as the Compliance aspect is concerned, that is an alien concept in India. For instance, the Aadhar project of India/UID project, National Intelligence Grid (NATGRID) project of India, etc. are all running in India even in the absence of any legislation ensuring proper safeguards. When there is no legislation even for the most basic projects like Aadhar and Natgrid, there is no question of compliance in India. Outsourcers and foreign clients, keep this in mind while sending your crucial details and data to India.

Finally, the Legal and Contractual issues also cannot provide much protection against illegal and negligent data sharing and data thefts in India. The sole cyber law of India is enacted in the form of Information Technology Act, 2000 (IT Act 2000). Cyber crimes like cracking, data theft, privacy violation, etc are all bailable leaving much room for commission of these crimes.

India should not use SaaS and Cloud Computing for governmental purposes in the absence of strong cyber law and cyber security. As Stallman says, in the meantime, if a company invites you to use its server to do your own computing tasks, don't yield; don't use SaaS. Use a real computer and keep your data there. Do your work with your own copy of a free program, for your freedom's sake.

Saturday, June 5, 2010

The Extra Steps That TOR Users Must Take

Praveen Dalal

The “Decloaking Engine” invented by HD Moore was one of the most effective ways of showing how exit nodes of the TOR system can sniff the unencrypted, plain text and insecure information and data passing through them. A malicious or e-surveillance capable exit node is the weakest link of the privacy and security chain of a TOR user. However, the problem is not with TOR’s system as this is the way TOR works. The real problem lies with the end user’s perception regarding TOR’s use in general and anonymity and privacy in particular.

There are various media reports that suggest that Wikileaks acquired its whistle blowing ammunition by sniffing or intercepting the traffic flowing through TOR networks. Whether this is true or not is not the real question here. The real question is what TOR is actually offering to the end users?

Interestingly, TOR is very clearly and openly explaining the scope of anonymity and privacy offered by it to the end users. Actually TOR is great for anonymity but average at privacy protection and poor at data security. This is because although the entry node encrypts the data and forwards it to the next node, the exit node sees it in clear text and unencrypted form. This means that although the ultimate site that you wish to access would see the IP address of the exit node and not your original IP address yet the exit node itself is very sure about the data you are sending to the website.

Think about a malicious exit node as a man-in-the-middle (MITM) attacker that can sniff the traffic that you are sending to the ultimate website. It may include confidential information like bank accounts, passwords, governmental secret documents, etc. All of these travel in a plain text form and can be sniffed easily by the exit node. To some extent a malicious exit node is also a form of “Extended MITM” attack as the normal MITM attack occurs either at the local network or local wireless network/access point. But in case of a MITM attack occurring at the exit node of the TOR system, this is happening at a place far beyond your network(s) and jurisdiction. This scary fact must be kept in mind while sending unencrypted and unprotected data across the TOR network.

The real problem is that an average TOR user cannot differentiate between a trusted and untrusted exit node. This differentiation is not within his direct control. But he has something great that can reduce his risks of exit node attacks. The TOR users must use great services like OpenSSH or PuTTY while sending confidential information. They may also use their own preferred end-to-end encryption software and systems but the main idea remains the same. TOR provides the anonymity and a secured connection provides additional privacy and security.
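The point above, as an added illustration that is not part of the original post: a three-hop path is modelled as nested encryption layers (applied by the client, as in Tor's design) and the code records what each relay holds after peeling its own layer, first for a plaintext request and then for one wrapped in an end-to-end session. The SHA-256 keystream XOR is a toy stand-in for the real ciphers, and the keys, host name and password are constructed sample values.

```python
import hashlib

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (encrypt == decrypt). Illustration only, not secure."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

# Constructed per-hop keys; in Tor these are negotiated per circuit.
RELAY_KEYS = {"entry": b"k-entry", "middle": b"k-middle", "exit": b"k-exit"}
PATH = ("entry", "middle", "exit")
# Constructed key standing in for a TLS or SSH session between client and server.
E2E_KEY = b"k-client-server"

SECRET = b"password=hunter2"  # constructed sample credential
REQUEST = b"POST /login HTTP/1.1\r\nHost: bank.example\r\n\r\n" + SECRET

def build_onion(payload: bytes) -> bytes:
    """Wrap the payload in one layer per relay, innermost layer for the exit."""
    cell = payload
    for hop in reversed(PATH):
        cell = xor_stream(RELAY_KEYS[hop], cell)
    return cell

def relay_views(cell: bytes) -> dict:
    """Return what each relay holds after removing its own layer."""
    views = {}
    for hop in PATH:
        cell = xor_stream(RELAY_KEYS[hop], cell)
        views[hop] = cell
    return views

def simulate(request: bytes, end_to_end: bool):
    """Send a request over the path, optionally inside an end-to-end session."""
    payload = xor_stream(E2E_KEY, request) if end_to_end else request
    views = relay_views(build_onion(payload))
    delivered = views["exit"]  # the exit relay forwards exactly what it sees
    server_reads = xor_stream(E2E_KEY, delivered) if end_to_end else delivered
    return views, server_reads

def exposed_hops(views: dict, secret: bytes) -> list:
    """List the relays whose view contains the secret in the clear."""
    return [hop for hop in PATH if secret in views[hop]]

if __name__ == "__main__":
    for label, e2e in (("plaintext over Tor", False), ("end-to-end over Tor", True)):
        views, server_reads = simulate(REQUEST, e2e)
        print(label, "-> secret readable at:", exposed_hops(views, SECRET) or "no relay")
        print("  server received the original request:", server_reads == REQUEST)
```

In both runs the server receives the same request; only the end-to-end session changes what the exit relay can read.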

Using Firefox after disabling Add-ons, ActiveX Controls, JavaScript, Cookies, etc. can also bring additional anonymity and privacy. If you need all these functionalities, you can use two different browsers with different settings, i.e. Firefox for TOR and another browser for your other tasks. These steps may not make you absolutely anonymous but would definitely solve the problem of malicious exit nodes sniffing to a great extent.

Thursday, June 3, 2010

Linux On The Top

Praveen Dalal

Linux is synonymous with the open source and free software movement. The name "Linux" comes from the Linux kernel, originally written in 1991 by Linus Torvalds. Linux being technical in nature, users were shying away from using the same. Proprietary software also played a major role in the limited growth of Linux as such proprietary software is easier to use than command based Linux environments.

Realising this hurdle, many committed Linux enthusiasts dedicated their time and energy to simplifying the usage of Linux distributions. Today Linux is available for a wide range of products. Linux has become increasingly popular in recent years, partly owing to the popular Mandriva Linux, Fedora, Debian or Ubuntu distributions. In fact these distributions now come with a user friendly GUI that gives the look and feel of the other proprietary operating systems that users are currently using.

The user friendly GUI coupled with command based options gives a user the ultimate control over a machine. Realising this aspect many hardware and other information technology service providers are not only switching to Linux but are also pre installing it in their hardware and products. Even the smart phones are using many Linux features and distributions.

However, with the numerous benefits of Linux we also have some cyber security issues as well. It would be wrong to presume that Linux, in itself and without further efforts, is a safe option from cyber security perspective. This is a myth as now the crackers would start exploring the vulnerabilities of Linux instead of other operating systems. The cyber security community of Linux must make some additional efforts to make Linux safer from the increased and unexpected vulnerabilities and cyber attacks.

The cyber security problem is common to both open source and proprietary software and this should not bother the potential and future Linux users from switching from traditional operating systems to the Linux environment.

Tuesday, May 25, 2010

Ubuntu Live CD As A Forensics Tool

Ubuntu is one of the best open source computer operating systems based on the Debian GNU/Linux distribution. Ubuntu provides an up-to-date, stable operating system for the average user, with a strong focus on usability and ease of installation. The Ubiquity installer allows Ubuntu to be installed to the hard disk directly from the Live CD, without requiring the computer to be restarted prior to installation.

Among many benefits and functions of Ubuntu one function has not received much publicity and exposure. This pertains to data recovery using an Ubuntu Live CD. In this great tutorial Lifehacker has shown how to recover deleted files and partitions by using the Live CD.

According to the article, the four tools examined can recover data from the most messed up hard drives, regardless of whether they were formatted for a Windows, Linux, or Mac computer, or even if the partition table is wiped out entirely.

Even otherwise Ubuntu is worth trying especially when it is open source and free of cost.

Thursday, May 20, 2010

Metasploit Version 3.4.0 Released

Penetration testing professionals must rejoice at the latest Metasploit Version 3.4.0 release. This is a wonderful tool that can be downloaded from here. It has many crucial improvements over its predecessor.

Metasploit now has 551 exploit modules and 261 auxiliary modules. It has got brute force support and the release includes several major improvements, especially to Meterpreter, which is one of the available shellcode modules.

Meterpreter is now claimed to be capable of switching seamlessly between 32-bit and 64-bit processes on compromised systems. The Meterpreter is a critical component of Metasploit in that it provides the ability to perform advanced post-exploit automation on a target system. The release has also added new Java and exploit automation technologies.

The version is still freely available though its professional and paid version is also available. Metasploit is used worldwide for security and pen testing purposes. It is also part of many security distros like Backtrack (maybe in modified form).

Sunday, April 4, 2010

Techno-Legal Online Cyber Security Research, Training And Educational Centre of India

Cyber security management is a tough task especially if it is techno-legal in nature. In that case one has to manage not only the technical aspects but also the legal aspects. Perry4Law is the leading Techno-legal ICT law firm of the World. It has many techno-legal segments like Perry4Law Techno-Legal Base (PTLB), Perry4Law Techno-Legal ICT Training Centre (PTLITC), etc. Perry4Law is also running various online techno-legal research, training and educational centres in India. Techno-Legal Cyber Security Research, Training and Educational Centre is one of them.

Cyber security in India is not in a good shape. India is on the verge of a technology revolution and the driving force behind the same is the acceptance and adoption of Information and Communication Technology (ICT) and its benefits. This technology revolution may, however, fail to bring the desired and much needed result if we do not adopt a sound and country oriented e-governance policy. A sound e-governance policy presupposes the existence of a sound and secure e-governance base as well. The security and safety of various ICT platforms and projects in India must be considered on a priority basis before any e-governance base is made fully functional. This presupposes the adoption and use of security measures more particularly empowering judiciary and law enforcement manpower with the knowledge and use of cyber forensics and digital evidencing, says India’s leading techno-legal expert Praveen Dalal.

India cannot achieve a good cyber security till it takes care of both technical as well as legal aspects of cyber security. There is no doubt about the proposition that Indian Parliament is not technology sound and we need to empower it through ICT. At the same time we must also train the governmental officials holding key positions in crucial ministries and departments about basic technology, cyber law and cyber security. These individuals must be trained suitably so that cyber security of crucial systems may not be compromised.

Cyber security is very important to protect businesses, governments and general public at large. The same must be a part of the national policy of a nation. Another crucial aspect related to a secure and strong cyber security in India pertains to critical ICT infrastructure protection in India. Critical infrastructure is becoming increasingly dependent upon ICT these days. If we are unable to secure an ICT system we are also risking critical ICT infrastructure as well.

On the one hand India has a weak and criminal friendly cyber law whereas on the other hand it does not possess tech-savvy law enforcement machinery. Even lawyers and judges are not that much aware about the nitty-gritty of cyber laws. It is high time for India to take some serious steps towards not only making the cyber law of India stronger but also to streamline cyber security of India.



Saturday, March 20, 2010

Online Dispute Resolution In India Strengthened

India is not using ICT for dispute resolution whether it pertains to e-courts or contemporary out of court dispute resolution in the form of online dispute resolution. Fortunately, the first ever Techno-Legal Online Dispute Resolution Centre of India has been launched by Perry4Law that would cater to the dispute resolution, training, educational and many more such crucial requirements in India.

Online dispute resolution (ODR) in India is in its infancy stage and it is gaining prominence day by day. With the enactment of Information Technology Act, 2000 (IT Act 2000) in India, e-commerce and e-governance have been given a formal and legal recognition. Even the traditional arbitration law of India has been reformulated and now India has Arbitration and Conciliation Act, 1996 in place that is satisfying the harmonised standards of UNCITRAL Model. Even the Code of Civil Procedure, 1908 has been amended and section 89 has been introduced to provide methods of alternative dispute resolution (ADR) in India.

However, the fact is that the increasing backlog of cases is posing a big threat to the judicial system of India. The same was even more in the early 90s but, due to the computerisation process in the Supreme Court and other courts, that was reduced to a great extent. However, the backlog is still alarming. This is because mere computerisation of courts or other constitutional offices will not make much difference. What we need is a will and desire to use the same for speedy disposal of various assignments.

There is a lack of training among police, lawyers, judges, etc regarding use of information and communication technology (ICT) for legal, judicial and ADR /ODR purposes. Judges in India need cyber law training, e-courts training, ADR/ODR training, etc that allow them to effectively understand and use ICT for judicial and ADR/ODR purposes.

India has to cover a long gap before the benefits of ICT can be used for effective day to day functioning of its courts. The easy task of computerisation has already been achieved to some extent but the real task is still yet to be achieved. For instance, although computerisation efforts are satisfactory regarding courts in India yet till now India does not have even a single e-court. This is because the difficult part of establishment of e-courts in India is yet to be achieved.

ODR and e-courts may hold the key to growing heaps of backlog of cases in India but the political will is essential to achieve the same. In the absence of political will, we have to be satisfied by half hearted, half baked and failed e-governance projects alone.


Tuesday, March 9, 2010

First E-Judiciary Training And Consultancy Centre Launched In India

India is at the initial stages of establishment of electronic courts (e-courts). Though India has done a good job by computerising the courts at various levels yet it is still far from the establishment of even the first e-court of India. It seems the e-courts project of India needs a techno-legal training boost.

Perry4Law and PTLB have launched the first ever e-courts training and consultancy centre of India and perhaps first of its kind in the World. A “prototype” of the same is available to the public and stakeholders till the final website is out.

Efforts in the direction of establishment of e-courts in India have been in process since 2003 and significant development in the sphere of computerisation has already been achieved. It is at this stage that there seems to be stagnation of e-court project of India and this initiative by Perry4Law would facilitate in the smooth and hassle free migration of e-court project to the next level.

India must understand that e-courts are much more than mere connectivity and computerisation of traditional courts. The moment e-filing, presentation, contest and adjudication of the cases in an online environment would start, India would surely be capable of establishing e-courts.

Monday, February 22, 2010

Techno-Legal Education In India Got A Boost

Legal education in India is in the process of transformation. However, there are urgent educational and legal reforms that must be undertaken by India as soon as possible. One such area that requires urgent attention is the amalgamation of legal education with information and communication technology (ICT). For instance, cyber law is an important facet of such an interaction of technology and law.

Indian educational system is more academic than professional. As a result although India has good population that is academically sound yet when it comes to practical and real life experience and work, they do not perform reasonably well. Various studies and research in India have suggested that out of the educated masses only 15 to 25% are fit for being absorbed at job places.

In short, India is running short of institutions that can impart good techno-legal skill development education, training and coaching. Perry4Law and PTLB have launched the first ever “Techno-Legal Online Coaching, Training and Education Centre” in India that aims at developing the skill and talent of the students and professionals seeking a good career in cyber law and allied fields.

Interested students, teachers and partners wishing to be part of the project as well as future projects and initiatives of Perry4Law must contact it as soon as possible. The contemporary skill requirements are multi disciplinary in nature where a computer science student or professional must also have a basic level of legal knowledge. The proposed initiative keeps this in mind and students and professionals from all the educational streams are encouraged to get themselves enrolled.

The government of India must also come up with a good educational policy as well as sound legal reforms so that legal sector may meet the contemporary international standards and requirements.


Cyber Law Training And Coaching In India Rejuvenated

Cyber law is a subject that is less appreciated and even lesser applied in India. Whether it is the law making in this regard or its execution and enforcement, by and large cyber law scenario in India needs rejuvenation.

The position in this regard cannot be improved till we inculcate appropriate knowledge and skills at the initial stages of education. Cyber law education in India is at its infancy stage and is maturing towards a qualitative one. However, there is a growing need for good “Techno-Legal Institutions” that can manage the growing demand for cyber law coaching, education and training in India.

Fortunately, one such initiative has already been undertaken by Perry4Law and its Techno-Legal Segment known as Perry4Law Techno-Legal Base (PTLB). Perry4Law is the First and Exclusive Techno-Legal ICT Law Firm of India and is World renowned in techno-legal fields like cyber law, cyber forensics, cyber security, etc.

To cater to the growing demands for qualitative techno-legal education in India and abroad, the coaching, training and education segment of PTLB has been launched. Presently, it would be providing “Online Cyber Law Coaching and Internship” to law graduates, law students, graduates and professionals of various disciplines and streams, etc. This is a golden opportunity for those who wish to make a mark in the field of cyber law. Since the seats are “limited” an early enrollment would be beneficial for the serious students.

To facilitate an effective two mode communication between students and teachers on the one hand and Perry4Law on the other, an online “Information Centre” has been established. This information platform would announce and publish all the relevant information regarding the proposed initiative from time to time. Students, teachers and other interested persons are advised to regularly visit this platform. This platform also contains much crucial and important information that must be read before finally applying.

For those who are looking forward to “Domain Specific” and “Highly Skilled Training”, a separate initiative has been launched by another segment of Perry4Law. The same would also be functional very soon.