V. Anand | வெ. ஆனந்த்
Co Founder: @DeepStrat_LLP Mastodon: anand_venkatanarayanan@infosec.exchange
Sep 15, 2018 4 tweets 3 min read
FIR Series #2: The first report in 2017, which blew open the ECMP hack.
1. Authorized operator login/passcodes hacked.
2. Their biometrics were cloned.
3. ECMP was compromised.
4. All of (1), (2) and (3) were sold as a package for 5000 rupees.

indiatoday.in/mail-today/sto… The most interesting part is the quotes from the @UIDAI official that "It has jeopardized the project. So they knew". And the deactivation of 81L identities for various reasons means the deduplication engine was defeated as early as 2017. The @HuffPost report was on ECMP only.
Sep 14, 2018 4 tweets 2 min read
OK. @HuffPostIndia has published more code analysis, done by an Israeli security researcher, that verifies the extent of the hack. The code-level changes are close to 26, whereas the ones I found were about 20, and the list matches.

huffingtonpost.in/2018/09/14/uid… Here is a public challenge to the @UIDAI and its @ceo_uidai. Do you really want me to put out the source code of the patch and your original ECMP client in the public domain, so that every Java developer in this country can verify by themselves whether the hack is real?
Sep 11, 2018 9 tweets 3 min read
As we eagerly await the SC judgement on #Aadhaar, a short thread about the "Crisis management cell" in @UIDAI and how it operates.

1. It knows that the systems that are required to make Aadhaar work have failed and are continuously failing.
2. Every day the data stares at it.
3. It can't, however, even attempt to fix these failings because of the implications. For instance, why is the enrollment software still not fixed? Because fixing it means pausing enrollments, and that is a catastrophic admission of defeat.
4. Same with biometric quality captures.
Sep 10, 2018 7 tweets 3 min read
There is a video interview of a dealer doing the rounds, @rohanduaTOI. I think you have seen it. But let me explain the modus operandi. Maybe it will help others to understand it.

Our first Q:
1. How does Aadhaar authentication in PDS work? A PDS DB is a (Ration Card, Aadhaar number, Ration Eligibility) record. So when you give your ration card and ask for your rations, the PDS system sends (Aadhaar, Fingerprint) to @UIDAI. If it says Yes, you get your ration. @UIDAI has no control over the PDS DB. It is with the PDS department.
Sep 7, 2018 15 tweets 7 min read
Time to do a @ZetaIndia thread, because it is a text book case of not getting caught out in the public domain. Let us begin.

1. First the @RBI notifications. It is true that they had put a Master KYC document that mandated Aadhaar.
Link: rbi.org.in/ScriptS/BS_Vie… 2. There is a glorious S-15 regarding identity information mandating Aadhaar biometric OTP, but a subsequent Gazette notification kept it in abeyance.

Link: egazette.nic.in/WriteReadData/…

(Our context is still existing accounts)
Aug 27, 2018 9 tweets 3 min read
So @HuffPostIndia thinks that the SC could halt the rollout of Aadhaar, but that is only half accurate. I will explain why.

Link: huffingtonpost.in/entry/india-aa… 1. Any court in India has no real power. The real power lies with the executive/state. A court order only works if the executive pushes it with the power of the state. Sure, there are contempt proceedings. But that also depends on the court and the executive.
Aug 26, 2018 11 tweets 7 min read
The TOI article by @rohanduaTOI needs its own thread. What made it possible to change people's #Aadhaar number linked with ration cards again and again and again? The answer to that simple question will establish how @UIDAI is part of the problem. Let us begin. 👇 First Question:
1. If any database needs to be seeded with #Aadhaar number, does it require the holder's consent? Here is Sri A B Pandey @ceo_uidai saying explicitly "Consent is not required".

Link: rediff.com/money/intervie…
Jul 24, 2018 4 tweets 3 min read
Move Over China. @NCBN with his IT Advisor Satya narayana, has built India's first Real Time Governance system (aka) Surveillance State using #Aadhaar. CC @virsanghvi

A perfectly ordered Society can only result from Perfect Surveillance System

huffingtonpost.in/2018/07/23/how… What is that "VID" thing again @matthan Sir? Can you explain again?

You can't use a law, to prevent what technology can build, particularly by a state that ignores "Rule of Law" in every stage of the project.

Got it?
Jul 21, 2018 6 tweets 3 min read
Well, @virsanghvi. I am not sure if you know this. But in 2012 @NandanNilekani said this:

If you do not have the Aadhaar card, you will not get the right to rights.

Link:
thehindu.com/opinion/lead/c… And then there is this:

"Nothing wrong in making Aadhaar Mandatory"

Link: hindustantimes.com/india-news/not…
Jul 9, 2018 5 tweets 2 min read
Aha, the @UIDAI has admitted that it does not have the documents used for POI/POA. eKYC start-ups, banks, wallets, SIM card providers, passport offices: you can forget about the authenticity of the Aadhaar eKYC. So good that it lasted this long.

Digital != Real. Reconstruction orders for the Tech center here. Very similar to the Excel sheet sent by the whistle blower.

This was the smoking gun I was looking for to confirm the whistle blower account.
Jul 7, 2018 9 tweets 5 min read
Every successful Aadhaar enrollment must have a list of supporting documents. The number of Aadhaar numbers with no supporting documents: 40% as of Nov 2016. Remember this meeting, @ceo_uidai? Oh, and it was sent to the Supreme Court by an internal @UIDAI whistle blower in Nov 2017. So I don't have privileged access to your email systems or any such thing.

I must say that the email trail is indeed interesting. More analysis, once I understand the trail in depth.
Jun 15, 2018 12 tweets 3 min read
1. @ceo_uidai claimed in the SC, that auth. failures happen because of Vested Interests.

The implication is that there are people out there to make Aadhaar fail, but the reality is @UIDAI's enrollment software is the *reason* for failures. Explanation follows:
2. Authentication is basically a comparison b/w two templates. So quality of the capture is *very* important for biometric authentication success. Higher quality capture > 90% is how you get 98%+ success rates in the lab. So if you lower quality of capture, you get auth failures.
Jun 6, 2018 8 tweets 3 min read
Looks like #mAadhaar is back in the news again because of @fs0c131y. For those who are wondering what the problem is with the OTP code of mAadhaar, a short primer follows: 👇
1. Clients need secrets to talk with servers. Usually clients need to authenticate themselves. (Password).
2. In this case, the password is the OTP. Unlike a password, which is in *your head*, the OTP is a dynamic password sent to the phone via SMS. So if OTP is revealed?
May 30, 2018 11 tweets 5 min read
Thread on Public risk and private profit.

First: Even people's basic life needs are conditional even with Aadhaar because of fingerprint gods, link failures and what not.

Link: thenewsminute.com/article/mercy-… Second: Private entities argued in the SC that
"They are entitled to use it".

May 28, 2018 10 tweets 4 min read
Catching up on the @cobrapost expose on @Paytm. Long ago, I learnt that when others see features, security professionals see vulnerabilities. The govt. is a big vulnerability for all regulated businesses. And most requests in India are verbal. It is a fact of life. /1
So if we expect businesses to only give up user data on court orders, then I guess we have not run a regulated business. It is easy to outrage about the video, but can you actually deny the verbal request and survive as a business? 100%, the answer is no. Why is it so? /2
Mar 30, 2018 7 tweets 3 min read
is not going to like this Twitter thread, but here it goes, about the really rubbish Android app that @TRAI puts out for "Spam" detection. For context, look at this report from Reuters.

Link: in.reuters.com/article/apple-…

All code is obtained via dex2jar. 👇
1. Who in this world uses HTTP? Only TRAI. 🤦‍♂️ This is the registration API, which needs all kinds of stuff and sends it unencrypted. I know that govt. agencies don't like encryption, but this is too much...
Mar 29, 2018 12 tweets 5 min read
So everyone is citing Authentication failures on @ceo_uidai's authentication history, but I can understand quite a bit about his life with just that. Let us begin. 👇 He has a Vodafone phone and did not link it until last week for the court demo (OR) He just bought a new one. Given his position and status, this is most likely a Post Paid connection.
Feb 6, 2018 9 tweets 5 min read
Question to Journalists: @nit_set @AnujSrivas @IndianExpress @the_hindu @thetribunechd

Why did @UIDAI not file an FIR on Airtel after they admitted "routing" 190 Crores, but filed it on @rachnakhaira?

Want to know the answers? The real one?

Wait till tomorrow. 😯 Answers:
1. @UIDAI still keeps a lot of its data in the Airtel data centre in Whitefield.
2. That makes the relationship b/w UIDAI and Airtel one of tenant and landlord.
3. So Airtel's data center is crucial for UIDAI's continuing operations.
4. Hence no FIR.
Jan 15, 2018 9 tweets 3 min read
A story that I worked for 4 months is out today.

thewire.in/213761/uidai-a… It is a weird story that is in the realm of the bizarre.
1. A Pakistani Spy Mohammad Akthar gets an Aadhaar using fake feeder documents (PoI and PoA)
2. Gets caught and ejected as persona non grata.
3. For *One year*, @UIDAI did not cancel his Aadhaar, till I reported it.
Jan 8, 2018 6 tweets 2 min read
Today in Kārana:

Aadhaar enrolment costs. Even w/o all the budget masking GOI did to hide the *true cost* of enrolment by pushing out costs to others (including citizens), it is much higher than @UIDAI's budgeted cost.

medium.com/karana/aadhaar… Why is this important? Because of the following:
1. Aadhaar is *not* free for residents.
2. Everyone bears the cost including operators, enrolment agencies.
3. This unaccounted cost is pushed to residents as bribery, time wasted on Qs etc.
Jan 5, 2018 12 tweets 6 min read
Long thread on the @thetribunechd story by @rachnakhaira. First of all, good reporting, but I must say it is not "excellent" and could have been excellent. Here is why.
1. The report explicitly did not call out that portal.uidai.gov.in/cas/login was the one that was compromised first.
2. It did not actually connect the dots on "How". For instance, @buzzfeed reported that the person from whom she got the login details is a stupid guy who knew nothing.
Link: buzzfeed.com/pranavdixit/in…
3. So the seller is not the king pin, but a cut-out.