The WannaCry Ransomware attack: CISOs, Action Required: Notify Management of the Risks.

A ransomware attack which crippled many hospitals in the UK is now creating waves of alarm by spreading into other countries. According to one researcher, more than 45,000 attacks had already been flagged in 74 countries, caused by a ransomware known as WannaCry or WCry.

The ransom demand is reported to begin at around $300, to be paid in Bitcoin. In a related development, the Bitcoin exchange rate spiked to US$1,850 on May 12 and is presently hovering around US$1,650. The ransom note says that the amount will double if not paid within 3 days and that the encrypted files will become unrecoverable after a week.

Though no large-scale infection has yet been reported from India, the infection map indicates that India has also been affected. The map shows infected computers that attempted to communicate with the server between 11 a.m. and 6 p.m. Eastern time on Friday, according to the NY Times.

Experts state that the ransomware spreads by exploiting a Windows vulnerability which the National Security Agency (NSA) of the USA had identified and used to infect computers as part of its intelligence activities. In April, a set of such cyber tools used by the NSA was leaked online by a hacker group, and one of them has now been turned against the public.

It appears that the exploit has hurt organisations which had not applied one of the recent Windows patches. Some antivirus companies also claim that their products already detect the malware, so inadequate security measures on the users' side (unpatched systems, SMB services exposed to untrusted networks, outdated or absent endpoint protection) may be one of the main reasons why the attack has succeeded on the current scale.

According to Kaspersky, “It’s important to understand that while unpatched Windows computers exposing their SMB services can be remotely attacked with the “EternalBlue” exploit and infected by the WannaCry ransomware, the lack of existence of this vulnerability doesn’t really prevent the ransomware component from working. Nevertheless, the presence of this vulnerability appears to be the most significant factor that caused the outbreak.”

Naavi.org had warned IT users that ransomware attacks are nothing but “Cyber Terrorism” and that we need to guard against such attacks through various means, including keeping an “off-network backup” (a copy that an infected machine cannot reach and encrypt). Kaspersky advocates use of its “System Watcher” component, and other prominent anti-malware vendors have also suggested additional security features to be subscribed to.

It is essential for all IT users to explore the feasibility of protecting their computers and data through measures suitable to them.

Issues Raised By this Incident

The incident raises at least two main ethical issues that society needs to address. First, if the NSA was aware of this vulnerability for some time, should it not have disclosed it and helped safeguard society rather than keeping it to itself as a tool to watch terrorists? It is like a security agency having intelligence of a bomb attack but keeping the information to itself until citizens suffer from the execution of the attack, while the agency was only trying to gather more information from its informers.

The attacks have now affected hospitals and may well have cost lives. The economic loss is not limited to US$300 per infection (an estimated total of around US$30 million, or Rs 210 crores) plus the follow-up costs.

Should the NSA have prevented this by getting the vulnerability patched? Did it do so selectively for critical sectors? Did it share the information with the security agencies of other countries? These are questions which will never be answered. The NSA may, however, defend its position that in the larger interest of watching terrorist activity, such as what happens in Syria or Pakistan, it is necessary to hold cyber tools as secret weapons to be used by the State alone. Unfortunately the tools were not secured and were therefore used by criminals. This is a scenario like ISIS terrorists getting hold of Pakistani nuclear weapons and causing damage to others.

The second ethical issue is whether victims should pay the ransom, and use Bitcoin to do so, thereby emboldening the attackers further and legitimising Bitcoin as a currency.

It is difficult to preach to a victim who may have only the short-term self-interest of recovering his data for $300 rather than spending more later.

But we understand that some cyber insurance companies are paying claims for such ransom payments, which in our opinion is both unethical and illegal. A cyber insurance claim, even if higher than $300, should be paid for recovery of the data without paying the ransom, and not for paying the ransom.

I urge all cyber insurance companies not to encourage payment of the ransom rather than the higher cost of data recovery, in the long-term interest of society. Of course, they should encourage their insurance customers to adopt better security preparedness, not only by using the available prevention tools but also through an effective disaster recovery mechanism and timely application of patches.

Also, after April 14, 2017, when the hackers are reported to have published a suite of NSA exploits, it is interesting to know whether any cyber insurance company advised its customers about the possible risks ahead. This alert generation is normally the role of a CERT. But I expect cyber insurance companies to act as CERTs in their own interest.

I would also like to know what action CERT-In took after April 14, when the NSA exploits became available, and now after May 12, when the UK attacks became public.

Other regulatory agencies like the RBI should also start sending their own advisories to the stakeholders they supervise.

Action To Be Taken

In the meantime it is the duty of every IT user, big and small, and more importantly of critical sectors like hospitals, banks and government, to review their security measures today.

I expect all listed companies which are stakeholders to report to SEBI if they are holding an emergency Board meeting today to assess their security position. If not, SEBI should itself advise companies to disclose their vulnerabilities and the action taken in the context of the knowledge of this cyber attack now available.

Compliance requirements under different laws require that when knowledge of a risk becomes available, appropriate remedial action needs to be initiated. So all CISOs need to wake up, work overtime this weekend and ensure that the threat perceptions are updated for their management to take immediate action. Even if the management does not ask, CISOs should send an e-mail to the Board members asking them to hear an assessment presentation and take remedial action.

If necessary, simply forward a copy of this article to your CEO, since bringing the risk to their knowledge is part of the “due diligence” of the CISO.

Naavi


Related Articles:

In Naavi.org: Start a War on Ransomware. It is Cyber Terrorism

Hackers Hit Dozens of Countries Exploiting Stolen N.S.A. Tool

Alarm grows over global ransomware attacks

WannaCry ransomware used in widespread attacks all over the world

NHS left reeling by cyber-attack: ‘We are literally unable to do any x-rays’


UPDATE: 13th May 2017: 12.45

In an interesting development, one security researcher has found and triggered a kill switch that appears to have stopped the spread of the WannaCry ransomware. He found hard-coded logic indicating that the ransomware would stop spreading if a particular (apparently random) domain name embedded in the code became live. It is presumed that the code writer wanted to retain the power to stop the ransomware and introduced this kill switch for that purpose. The researcher looked up the domain name, found it was available for registration, registered it, and new infections stopped. Note that this halts further spread only: files on machines already infected remain encrypted, and a host that cannot reach the domain at all (for example, one with no external DNS) never sees it as live and is still infected.
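The mechanism described above, as an added example (not code from the original post, and not the malware's own code): a Python model of the kill-switch decision together with a check over DNS query logs for hosts that performed the lookup. The domain name and the log lines are placeholders constructed for the example; the real sample attempted a web connection to its domain, which this model simplifies to a name lookup. The third scenario shows the caveat: a host that cannot resolve external names never sees the domain as live and is not protected by the registration, while the log check still flags it.

```python
"""Model of a DNS-based kill switch plus a detection check over DNS query logs.
Added example: the domain is a hypothetical stand-in and the log lines are constructed."""
import re
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Hypothetical stand-in for the hard-coded domain (the real one is deliberately not reproduced).
KILL_SWITCH_DOMAIN = "killswitch-placeholder.invalid"

# A resolver maps a hostname to an address, or None when the lookup fails.
Resolver = Callable[[str], Optional[str]]


def live_resolver(name: str) -> Optional[str]:
    """Real lookup through the operating system resolver (needs network access)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def table_resolver(table: Dict[str, str]) -> Resolver:
    """Resolver backed by a fixed table, so the logic can be exercised offline."""
    return lambda name: table.get(name.rstrip(".").lower())


def no_dns_resolver(name: str) -> Optional[str]:
    """A host with no external name resolution (isolated segment, proxy-only egress):
    every lookup fails, which looks exactly like the state before registration."""
    return None


def kill_switch_allows_spread(resolve: Resolver, domain: str = KILL_SWITCH_DOMAIN) -> bool:
    """The decision described in the update: the worm keeps going only while the
    embedded domain does NOT answer. Registering (sinkholing) the domain flips this
    for every host that can actually resolve it."""
    return resolve(domain) is None


# Simplified BIND-style query-log line: "... client 10.0.0.5#51234: query: name IN A + ..."
_QUERY_RE = re.compile(r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<name>\S+) IN ")


def hosts_querying(log_lines: Iterable[str], domain: str = KILL_SWITCH_DOMAIN) -> List[str]:
    """Source IPs that looked up the kill-switch domain, in first-seen order.
    A lookup means the malware's check ran on that host whether or not the worm
    then proceeded, so it is a high-confidence indicator of an infection attempt
    even on hosts the sinkhole protected."""
    seen: List[str] = []
    for line in log_lines:
        m = _QUERY_RE.search(line)
        if m and m.group("name").rstrip(".").lower() == domain and m.group("ip") not in seen:
            seen.append(m.group("ip"))
    return seen


# Constructed sample log lines; not real traffic.
SAMPLE_DNS_LOG = [
    "12-May-2017 13:01:02.101 client 10.0.0.5#51234: query: killswitch-placeholder.invalid IN A + (10.0.0.1)",
    "12-May-2017 13:01:02.240 client 10.0.0.5#51235: query: windowsupdate.microsoft.com IN A + (10.0.0.1)",
    "12-May-2017 13:04:45.019 client 10.0.0.9#40011: query: killswitch-placeholder.invalid. IN A + (10.0.0.1)",
    "12-May-2017 13:04:45.300 client 10.0.0.5#51236: query: KILLSWITCH-PLACEHOLDER.INVALID IN A + (10.0.0.1)",
]


def scenario() -> Dict[str, bool]:
    """Three situations, keyed by label: True means the worm would continue."""
    # 203.0.113.10 is a documentation-range address standing in for the sinkhole.
    registered = table_resolver({KILL_SWITCH_DOMAIN: "203.0.113.10"})
    return {
        "before registration": kill_switch_allows_spread(table_resolver({})),
        "after registration": kill_switch_allows_spread(registered),
        "after registration, host without external DNS": kill_switch_allows_spread(no_dns_resolver),
    }


if __name__ == "__main__":
    for label, spreads in scenario().items():
        print(f"{label}: {'spreads' if spreads else 'stops'}")
    print("hosts that queried the kill-switch domain:", hosts_querying(SAMPLE_DNS_LOG))
```

Running the block prints "stops" only for the second scenario; the first and third both print "spreads", which is why a sinkholed domain is a containment measure, not a cure, and why DNS logs for the domain are worth pulling even after registration. `live_resolver` is included for a real check against the system resolver but is not used by the offline scenarios.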

See the report here: ‘Accidental hero’ finds kill switch to stop spread of ransomware cyber-attack

Wish all cases of malware were solved so quickly. We must however congratulate the person responsible for halting the ransomware… may his tribe increase!


Update: 13th May 2017 : 1452

In a tweet, the person who identified the kill switch says that he was not aware that registering the domain would act as a kill switch. It was therefore an accidental discovery.

This is interesting to note because, with the domain name hard-coded in the malware and found to be registered in the name of the security expert, he could have been linked with the writing of the ransomware code. He had unknowingly created incriminating evidence against himself. It was fortunate that it turned out to be a blessing in disguise.

CERT-In now issues an alert

It appears that CERT-In has now issued an advisory which is a replica of what Kaspersky and others have given. Hopefully next time CERT-In will be quicker. RBI and SEBI also need to issue advisories of their own or link to CERT-In.


Posted in Cyber Law

Bring Your own Virus infected Computer and say all computers can be tampered!

The claim of Saurabh Chaudhary that EVMs can be tampered with, and the demo he ran in the Delhi Assembly, is a fraud on the Indian public.

Mr Chaudhary brought his own EVM lookalike containing code he had introduced himself, which made it behave in a particular way. He used this to demonstrate that EVMs can be tampered with.

If this logic is accepted for any demo, I could bring a mobile or computer with a pre-inserted virus and claim that all computers behave in that manner. If the argument is to be extended, we also need to state how the malicious code can be introduced into computers or EVMs that are not under our control.

We had a similar situation some time back when a technology expert demonstrated that a bank's Internet banking system could be tampered with by a user-side virus which carries out a “Man in the Browser” attack. It came with the disclosure that this is true only if that virus is present on the computer. Since we know there are many ways a member of the public's computer can be infected, the demo was legitimate and urged the banks to introduce countermeasures.

In the EVM issue, the devices are always with the Election Commission and its officers. Changing the motherboards in, say, 10,000 EVMs requires 10,000 fraudulent motherboards to be prepared and installed. It requires compromising human beings more than the machines themselves. Unless all the EC members are cheats, the allegation is an empty one and not a realistic process.

If Mr Chaudhary had shown that an EVM is susceptible to a WiFi signal or some other remote signal which could alter the embedded code or otherwise tamper with the results, there would have been some credibility.

The detractors of EVMs are quoting Mr Subramanya Swamy and GVN Rao, who are BJP sympathisers. They may as well quote me also, since all of us have made statements about the tamperability of EVMs in different contexts. But the EC has taken some counter steps, including the VVPAT, to address the vulnerabilities pointed out.

Now the EC has also given the EVM detractors an opportunity to prove that the machine can be tampered with, through a hackathon invitation. But it is necessary for the detractors to prove that the EVM is hackable while it is in the custody of the EC and not after it is taken over, unless they also prove that a large number of EVMs can be taken over and manipulated.

It is of course possible, as in the days of booth capturing, that EVM booths can be captured and machines tampered with. But today CCTVs watch over such intrusions and representatives of all parties are present in the polling booth. Hence, unless it is a security-compromised area such as parts of Kashmir or Naxal-affected areas, capturing EVM booths and changing the motherboards is not possible.

Comparisons with some foreign systems are also not valid, since the systems used there are different from the stand-alone machines used in India.

Political parties are raising this issue only to defame the Election Commission, which has been hailed the world over. They should stop these short-term publicity stunts in the interest of the country's reputation as a large democracy.

As an information security observer, I would like to add that the EC need not be complacent and should always be alert to the possibility that new technologies can be used to tamper with any electronic device. If so, it would happen at the manufacturing level, and hence proper controls there are required. The EC may continue to review its security measures and take the necessary steps.

I would not like to discuss other speculative vulnerabilities in public, but express the confidence that the EC should have access to proper security advice with which it can take all measures required to keep the possibility of fraud or error within a range of probability within which the risk can be absorbed.

The EC should not agree to the suggestion made by AAP that the voter be asked to testify whether the VVPAT slip shows what he himself voted. AAP is capable of bribing some voters to say that the VVPAT slip is showing something different from what they swear they voted.

Similarly, the EC should not succumb to the pressure and re-introduce paper ballots just to satisfy the critics. They are even more vulnerable to tampering.

I hope that after today's meeting of all political parties with the EC, the controversy is laid to rest.

Naavi

Posted in Cyber Law

Karnan is as much a fugitive as Vijay Mallya

The drama played out by Justice Karnan, having been convicted and sentenced to 6 months' imprisonment with his judicial powers suspended, indicates that he is now standing in the shoes of a convict evading arrest.

The rumours floated by one of his lawyers that he may be in Nepal or Bangladesh, while he is available to his lawyers to sign an affidavit in front of a Notary, make him a self-declared fugitive from the law.

There is a rumour that he may move the International Court of Justice to claim that injustice has been done to him, as in the case of Mr Jadhav before the Pakistani military court.

I do not see much difference between his conduct and that of Mr Vijay Mallya, who is holed up in London. In fact, Mr Vijay Mallya appears by comparison to be the better gentleman, because Mr Mallya is only fighting his financial charges and not denigrating the country and its democratic institutions, which Karnan is trying to do.

What surprises me, however, is that many in the legal community are standing in support of Mr Karnan for their own reasons. Most of these lawyers have a grudge against judges in general and the judges of the Supreme Court in particular, and find in Mr Karnan a hero who has stood up to the mighty.

Their present wrath against the Supreme Court judges may be genuine, because they feel that the Collegium system of appointment is not transparent, that there is nepotism, that there is corruption, etc. Since Mr Karnan's problems originated from his complaints that his brother judges are corrupt, some of the lawyers think he is a crusader like Mr Arvind Kejriwal and deserves to be supported.

However, the statement that the Indian judiciary is corrupt is a generic statement, similar to what we say about all politicians or all bureaucrats being corrupt. Such statements may be fine for a discussion at a party but should not be highlighted in the national and international media to further personal interests.

Besides some bad elements who may be present, or perhaps are definitely present, the Indian judiciary still has many committed and principled judges, and it is uncharitable to extend individual grudges against some in the judiciary to the entire community and dishearten even those who are honest and dedicated.

If the system of appointment of judges is incorrect and not transparent, we have every right to fight it. My lawyer friends should continue to fight for this cause.

But the same lawyers failed to support Modi's Government when there was a difference between the Government and the then CJI, because they had their own prejudices against Mr Modi which were more important to them than judicial reform.

Today their partiality for Karnan is making them take up cudgels for a person who is bent upon destroying the credibility of the Indian judicial system.

This appears to me a hypocritical attitude.

Karnan is not fighting for the restoration of the NJAC or something similar. He is only fighting what he calls the harassment of a “Dalit Judge”. He has in the past also raised the religion card, Hindus vs Muslims and Christians, etc. He basically represents a corrupt mind that is dysfunctional for society and will be detrimental to society in the long run. If left unchecked he will divide the judicial community on religious and caste lines, and he has to be checked before further damage is done.

Mr Karnan has shown scant regard for the higher court by passing his own kangaroo-court order sentencing 7 Supreme Court judges to 5 years' imprisonment without a trial, while his lawyers cry injustice that he was himself sentenced by the Supreme Court without trial.

Besides, he is absconding like a common criminal and not surrendering before the court.

We therefore have no reason to extend our support to Mr Karnan. He needs to be condemned as a person who is trying to denigrate the whole system of the judiciary in India and making our country a laughing stock in the eyes of the world.

The lawyers who have now filed a review petition before the Supreme Court for recall of the order have raised several legal issues, including that the “Constitution” does not provide for the dismissal of a High Court judge except by impeachment, and that the Supreme Court has no powers over High Court judges except to decide appeals from their decisions.

Their argument may indicate a lacuna in our Constitution that needs to be corrected. According to his detractors, which include the Supreme Court judges themselves, Mr Karnan's orders appear to be the decisions of a person who has lost his mental balance and hence do not qualify even as “recognised legal contracts”, let alone “judicial decisions”. Hence to defend them on “constitutional rights” is unjustified.

I do not see that it was the intention of the Constitution that a mentally unsound person could continue to occupy a judicial position and exercise the constitutional privileges meant for the Chair.

If this indiscipline shown by Mr Karnan is not curbed, tomorrow we will have judicial chaos in the country, with different High Court judges passing orders against brother judges and Supreme Court judges, including orders to arrest them. It is better not to discuss the ugly consequences of such a possibility.

Mr Karnan, and now his lawyers, are giving Indian anti-nationals a handle to cock a snook at Indian democracy.

If we dispassionately look at the developments of Mr Karnan vs the Supreme Court, it appears that Mr Karnan is fit to be declared either

a) A person of unsound mind, and hence all his actions are to be ignored, or

b) A person who is anti-national and wants India's democratic reputation to be brought down in the eyes of the world

If the first presumption is taken, the review petition has to be dismissed forthwith.

If the second presumption is taken, the trial should be upgraded to a trial under the other sections of the IPC applicable to anti-nationals and the appropriate punishments considered.

If both the Supreme Court and Mr Karnan's lawyers want a middle ground, the petition may be dismissed on the grounds that Mr Karnan's signature on the affidavit needs to be attested by his personal appearance, since there is a probability that it could be a forgery.

It may be taken up again if Mr Karnan surrenders and appears in person.

In the meantime, the Notary who attested the signature could be summoned to testify whether the signature is genuine and, if so, why the Notary, knowing full well that the person swearing before him was a fugitive from the law, did not voluntarily inform the police.

If the Supreme Court is lenient on Karnan because he was a “Judge”, it would indicate that the Supreme Court discriminates between a common citizen and a former judge. It would then not be able to exercise authority in the case of Mr Vijay Mallya, who may raise the defence that the Court is not consistent.

Naavi


Also Read

Curious case of Justice CS Karnan: How he defied the Supreme Court and created legal history

The Supreme Court Order Sentencing Justice Karnan to Six Months’ Imprisonment Sets A Wrong Precedent

Justice Karnan vs SC: Playing the lead in his own courtroom drama

Where is justice Karnan? Police struggle to arrest judge convicted by SC

CS Karnan vs Supreme Court: Ongoing stand-off a national shame, harms dignity of Indian judiciary

‘Missing’ Justice Karnan files counter appeal in Supreme Court

Justice CS Karnan ‘missing’, police of 3 states can’t find him

15-yr run: From AIADMK booth agent to judge to jail

Why are India’s top judges doubting each others’ sanity?


At Naavi.org 

Justice Karnan escalates fight with the system

A Sad Day for Judiciary.. at Madras High Court



Posted in Cyber Law

Taming the Cyber Insurance Dog… Key lies with IRDA

“Cyber Insurance: a dog that can bite you and itself,” says my friend Mr Dinesh Bareja (information security expert) in an interesting article. Mr Dinesh has brought out well the risk of an insurance company being sued by its client when a claim is rejected. He has also pointed out how many insured parties may find themselves unable to enforce a claim even after incurring the cost. He has rightly concluded that both the insurer and the insured will learn in due course how to keep the cyber insurance dog on a tight leash.

Let me add to the comments of Mr Dinesh….

Cyber insurance is a legitimate tool for an Information Security Manager to “transfer the risk” to an insurer at a cost, after he has taken reasonable steps to avoid and mitigate it. The goal of the Information Security Manager (ISM) is to ensure that the “residual risk” is within the “risk absorption” capacity of the organisation as set by the financial managers.

However, in most practical situations, a cyber insurance contract is not conceived and structured with a good assessment of “total risk” reduced by “avoided risk”, “mitigated risk” and “risk absorption capacity” (all reduced to the common denominator of money).

I am not sure if any ISM has ever made a presentation to the Board to the effect that: “Our cyber risk is estimated to be around Rs 100 crores to the best of our knowledge and ability. By avoiding this process we can reduce it to Rs 80 crores. By our ISM programme we can bring it down to Rs 10 crores. Beyond this the ISM programme cannot mitigate, and the organisation needs to absorb the remainder or cover it through cyber insurance if possible.”

To make an assessment of this kind, we need metrics to evaluate our ISM programme. If we intend to cover the residual risk with insurance, the best option is to work out with the cyber insurance company what they consider adequate “information security” and develop a mutually acceptable information security programme.

If the information security programme of a company is approved by the cyber insurance company, there will be fewer opportunities for rejection of claims and litigation between the insurer and the insured. But the insurance industry is not interested in this approach, for reasons stated below.

We should always remember that the Indian insurance industry works on the principle that all insurance contracts are “Uberrimae Fidei” contracts. Uberrimae Fidei contracts are contracts of “utmost good faith”, where the insured (applicant) has the onus of disclosing all matters that may affect the insurer's (the cyber insurance company's) decision to accept the proposal. The insurer has no obligation to verify and accepts the proposal as declared. But when a claim arises, the insurance company will investigate whether the insured had disclosed all risks known to him on the date of the proposal, and if there is any shortfall, the claim will be rejected. The insured ends up paying the premium without enjoying the benefit of the policy.

This system is to the advantage of the insurance industry, and there is no incentive for it to change, while the user industry has every reason to challenge this proposition.

This nature of the insurance contract as a “contract of utmost good faith”, if accepted, puts the CISO in a spot. If he highlights all the risks, the management may say, “too bad that you are the CISO”. If he does not, he is postponing the day of reckoning to the day an insurance claim arises.

In most companies, the CISO is not even consulted when a cyber insurance deal is negotiated with an insurer. Sometimes cyber insurance is taken because the business manager says that the counterparty to a data processing contract has made it mandatory. It is only the CFO who takes the decision, since he has to write the cheque. He will choose to insure to the extent his budget allows or a business contract mandates. It would be good if he checked with the CISO, but this does not always happen. (This was corroborated in our Cyber Insurance Survey 2015.)

IS specialists know that apart from all the risks they are theoretically expected to assess and mitigate, there are “zero-day risks” that no CISO knows about. Ransomware payments in Bitcoin may involve an illegal acquisition of bitcoins which the insurance company may refuse to fund. There is also difficulty in stating the “value of the insured assets”, since financial valuation of data is hard. Further, most insurance claims are not for pre-determinable costs but for liabilities that arise from third-party claims. Hence to state in good faith that “this is the risk I face, this is the risk I can mitigate and this is the risk I want the insurance company to cover” is near impossible if we want to respect the “Uberrimae Fidei” nature of insurance contracts.

Another risk the CISO faces is that, when not all the risks he has identified are mitigated and/or covered through insurance, the insurance company may, when a claim arises, hold that the company undervalued its assets for insurance and either call it a fraud or at least reduce the payout under the clause that the “insured is considered a co-insurer to the extent of under-insurance”.

It is therefore clear that the deck is stacked against the insurance seeker, and this is one of the reasons that cyber insurance is slow to take off. In turn this also leaves the insurance industry unable to spread its risks and bring down premiums. If the business expands, it is better for both the insured and the insurer. Efforts are therefore required in this direction.

I refer to my earlier article, “If China can have a PRC law, Can we not too have a similar law?.. for Insurance?”.

In that article I had highlighted that in China the insurance law has been modified to make insurance contracts “contracts of honest disclosure” and not “contracts of utmost good faith”.

We in India need to introduce a similar modification to our insurance law if we want the cyber insurance contract to be a useful tool in the hands of the industry.

What this “honest disclosure” could imply is that the insurance company is given the freedom to ask as many questions as it likes about the “cyber insurability” of the proposer, and is even allowed to do its own risk assessment, after which a mutually acceptable premium is fixed for the coverage sought and approved. In such cases the possibility of a claim being rejected, and of bad blood developing between the user industry and the insurance industry, would reduce.

In the coming days, the GDPR will force more and more IT companies to look for cyber insurance, and for the benefit of all, the contracts should be made acceptable to both parties so that there is no misunderstanding.

It is for this reason that any organisation that intends to take cyber insurance needs a suitable consultant to help it understand the limitations of what the insurance company proposes, rather than being surprised later at the time of a claim.

Some insurance buyers, particularly the banks, are used to issuing an RFP and choosing the lowest bidder. This approach is dangerous, since the RFP will become the base on which “utmost good faith” is judged at a later date.

Instead, they should negotiate with a shortlisted group of cyber insurers, discuss what can be insured, and take the insurance contract with full understanding of what is covered and what is not.

This objective of having cyber insurance that is acceptable under a “negotiated risk assessment” between the insurer and the insured can be achieved by IRDA issuing the necessary guidelines, declaring “cyber insurance” a separate category of insurance and instituting the “honest disclosure” element as part of proposal clearance.

So… the power to tame the cyber insurance dog and make it a saviour of the IT industry, without it biting its master, now lies with IRDA.

Naavi

Posted in Cyber Law

Karnan and Kejriwal Show… Can we handle such exceptional constitutional emergencies?

Two events dominated the news rooms yesterday both of which make us sad that the bizarre nature of some individuals are forcing others to consider equally drastic measures to avoid further disasters. Ultimately the society stands divided and bruised.

The first event was the decision of the Supreme Court of India to declare Justice Karnan, a sitting Judge of Kolkata High Court guilty of Contempt sentencing him to six months of imprisonment. Court ordered his immediate arrest.

Kolkata Police ignored the order and did not act in time. This allowed Mr Karnan to leave Kolkata and go to Chennai. Now he is under the Chennai Police jurisdiction and Kolkata police can say that they were not able to execute the order of the Supreme Court. TN Police may find their own excuses not to arrest him and in the end, Supreme Court will be considered as an “Ineffecive Institution” that cannot enforce a simple diktat of causing arrest of its own convict.

The second event was the demo of a self constructed EVM lookalike in the Delhi assembly and showing how it could be manipulated. This was to discredit the Indian election system and undermine the democratic system in India.

The demo was done within the legislative assembly session so that no action can be taken on “Mis-representation” or “Defamation” without the defense of “Privileges of an MLA”. Election Commission will therefore not be able to take any action on Mr Kejriwal or his party for seeding an element of doubt in the minds of people that our election system is rigged.

On a single day therefore the two events have denigrated two apex institutions of our country which should be handy for India-baiters to dub our democracy and judiciary as a farce.

Both Mr Karnan as well as Mr Kejriwal had an agenda of their own, parts of which can be justified. Mr Karnan can say that he was exposing corruption in higher judiciary and he was targetted in counter action. Mr Kejriwal can say that he is trying to rid the election system of a possible vulnerability.

However, the damage that both are doing to the overall system is some thing that needs to be recognized as an “Irreversible Damage”. At the same time, there are enough reasons to believe that both these crusaders have themselves created a situation where there are leaving no choice for others to take drastic decisions.

If others try to follow propriety and honour traditions of decorum, then we may see far worse days ahead. There is therefore a need to cut our losses and take corrective measures before things go more and more out of hand.

In the case of Mr Karnan, who is himself considered a "Constitutional Authority", many legal luminaries consider that the Supreme Court does not have the jurisdiction to order his arrest or curtail his judicial powers. They suggest that the only way his powers can be taken away is through a process of "Impeachment", knowing full well that he would retire much before such action can be taken.

At the same time, supporters of Mr Karnan forget that it was even more unconstitutional for Mr Karnan to don his judicial hat and pass orders of arrest and five-year imprisonment on 7 senior judges of the country, including the Chief Justice of India. These seven judges together have the powers under the Constitution to even amend the Constitution itself. To argue therefore that they do not have the powers to order the disrobement of Mr Karnan is "hair splitting".

Also, in case no restraining action is taken, Mr Karnan could pass other bizarre orders including arrest of the Prime Minister and perhaps even the President of India and claim that he has all the powers to himself. It was therefore inevitable that the Supreme Court had to move and take action which can be called one of the “Rarest of Rare” situations.

Mr Karnan has not only denigrated the superior judiciary but also brought "Caste" into judicial decisions, and for this alone he deserves to be dumped into oblivion for ever. It is, however, impossible to undo the seeds of doubt he has injected in the minds of the citizens of India that judges are always looking at the caste and religion of the litigants and the advocates. This is a great disservice to all the honest judges who have treated the profession as a noble responsibility beyond the normal discussions of caste, religion or politics.

I am aware that many of my friends in the Legal circles would not be happy with this view but the situation is similar to what a doctor faces when a limb has to be amputated to save the body.

Now the Supreme Court has to demonstrate that it can cause the arrest of Mr Karnan even if he has run away to a sanctuary and may go into hiding until the heat subsides. Otherwise, how can the Supreme Court expect persons like Mr Vijay Mallya to respect the Court?

Coming to Mr Kejriwal’s theatrics, he used one of his MLAs to demonstrate that EVMs can be hacked. But what the AAP MLA Mr Saurabh Bharadwaj has done is to construct a device of his own and demonstrate how it can be hacked. This is a complete fraud enacted to fool the public. The objective is to create a fear among the public that our election system is unreliable and is manipulated by persons in power.

Mr Bharadwaj did not use a genuine EVM, but his demonstration was meant to present his device as a genuine machine. There was therefore an attempt to pass off the fake EVM as the real EVM. Using such a fake device, he is demolishing the foundation of democracy in India. The EVM system, which is being hailed as a model by many other nations, is being denigrated so that India could suffer an economic loss and reputation loss in the global market.

All this together should qualify the demo as a punishable offence. It can be debated if his action could even be considered as an act of “Cyber Terrorism” since he used a “Computer Contaminant” to manipulate a “Lookalike EVM” and his intention was to give an impression that he is demonstrating the “Hacking of a genuine EVM”. Though he may be unsuccessful, it is definitely an “Attempt” to create a fear in a section of the society that our democracy has been undermined by the Election Commission at the behest of the ruling party.

However, since the demo was conducted within the precincts of the Assembly session, it may be constitutionally improper to take legal action except with the permission of the Speaker, which of course would not be forthcoming.

This again means that if legislative power is in the hands of people like Mr Kejriwal, they would even commit a murder inside the Assembly and exercise their privilege to bar investigation.

It is therefore necessary for the Election Commission and the Government of India to devise a means by which Mr Saurabh Bharadwaj is brought to book for an “Attempt to Destabilize the Democracy of India” under the appropriate legal provision.

Unfortunately, it may be that neither the Supreme Court is able to cause the arrest of Mr Karnan nor the Election Commission is able to take action on Mr Saurabh Bharadwaj. It is the citizens of India who will be left wondering: when people with power lose their mental balance, they become the greatest risks to the country, and our system is unable to control such mavericks.

I understand that in the US constitution, there is a provision that if the President is suspected to have lost his mental balance, some of his subordinates such as the Secretary of State, the Vice President, the Speaker and the Chief Justice may take a collective decision to remove the Presidential powers.

We need such a power to be exercised now to remove Mr Arvind Kejriwal and Mr Karnan from their respective constitutional positions without the usual procedures such as an “Impeachment” or “No Confidence Motion”.

Maybe it is time to consider suitable constitutional amendments to make emergent decisions possible in emergent situations…. without of course re-concentrating the powers in another single office, including the Prime Minister or the President.

Maybe the President and Prime Minister together with the Defence Minister, Chief of Defence, Chief Election Commissioner, Chief Justice of India, Speaker of the Lok Sabha, the leader of the recognized opposition party, etc. could be declared a collective body to take such decisions which the Constitution currently is inadequate to address.

….A point for debate

Naavi


Update: 11th May 2017

As anticipated, Mr Karnan is playing hide and seek and Police parties are shuttling between Kolkata, Chennai, Tindivanam (TN) and Kalahasti (Andhra) to locate him. In the meantime it is reported that he would be filing a petition challenging the order of the Supreme Court in the Supreme Court itself and has successfully executed an affidavit before a notary in Chennai without the Police being able to locate him.

The game perhaps is to extend this hide and seek, filing a review petition, seeking a stay etc until he retires or until the Supreme Court gets tired. Mr Karnan with all his experience is teaching people like Mr Vijay Mallya some tricks.

We would not be surprised if he turns into a successful practicing advocate after his retirement and replaces the aging Mr Ram Jethmalani in defending Mr Kejriwal pro bono.


Also Read:

Justice Karnan Escalates fight

A Sad day for Indian Judiciary

Cyber Law Compliancy and Electronic Voting

EVM Controversy

Posted in Cyber Law

Google Mobile Ad server has a serious vulnerability. Mobile App owners, please take care

Many app developers build interesting and useful mobile apps which are offered free and supported by ads served through Google.

There is no doubt that the creator of the App is entitled to monetize his creative work, and we also appreciate that Google provides a reasonably good option to monetize it; the system needs to be encouraged.

However, one of the risks that such App owners face when they allow ads to be served from a third party is the possibility of law-infringing advertisements being served by the ad servers.

All Ad service providers therefore need to take care that no advertisements which infringe the laws are served when the App is being used by the users.

I recently (5th March 2017) came across an incident where an app "A2ZKannada", which provides Kannada radio stations on the mobile, displayed an ad on the Android mobile with a link to a pornographic site. I notified the app owner, who replied as follows.

” Yes the app is ours. Thanks for the information regarding the inappropriate advertisement in our app. Actually it's from Google Admob services. We are unaware that Google is approving these ads.

We will investigate this and bring this to attention of Google. If possible please let us know the name of the site that was advertised.  Thanks again.”
However, since I had not recorded the ad, I could not provide full details.

Today, I observed the same ad being displayed on another app.

These ads obviously appear randomly and it is difficult for us to reproduce them. However, I have provided the date and time of the display, and I am sure that Google already has information on who visited the app at that specific time or thereabouts. If Google asks, I am willing to give my mobile information to pinpoint the incident.

I have information that in the previous instance, the Company contacted Google but could not get any response.

I would like to reiterate that displaying links to "hot video" could be considered an offence under Sections 67, 67A and 67B of ITA 2000/8, and the offence would be extended to the CEO and other officers and directors of the company owning the App through the operation of Sections 79 and 85 of the Act. Hence the App owners cannot take this lightly and brush it aside as a technological aberration.

The App owners have an implied contract with Google, which should make Google also an intermediary, responsible and liable for similar punishments.

However, if a complaint is actually made, then the Police are more likely to catch hold of the App owner and leave out Google.

It is therefore essential for all App owners using the Google Ad service to immediately notify their Google Ad contact with a message equivalent to the following.

” We on behalf of ……….., a customer of your Google Ad service with the ID ….. hereby bring to your notice as follows:

We understand (Refer: https://www.naavi.org/wp/google-mobile-ad-server-serious-vulnerability/  ) that there is a possibility that the ads served by your Company may be violative of the laws prevalent in India and may render us liable to penal legal action.

We request you to kindly note that under the Information Technology Act 2000/8, applicable to the publishing of electronic documents, the display of ads that link to pornographic content, as referred to in the said article, is liable to be considered a punishable offence.

We also foresee the possibility of other kinds of offensive ads, including racist or terror-promoting ads, being displayed in similar circumstances, exposing us to grave risk of loss of business, loss of reputation and even imprisonment.

Since we do not have any control over the ads served, the entire responsibility to avoid such ads lies with you, and you are deemed to have indemnified us completely from the legal consequences arising out of such ads.”

Please ensure that the e-mail is digitally signed or use the services of ceac.in which will provide free notification service as a special case with Section 65B certification of the notice having been sent to the given Google Ad contact. The App owners may also use the services of cyber-notice.com which will also be provided free for this incident reporting.

As regards Google Ad managers, I would like to state that

“The incident indicates that there is a vulnerability in your filter mechanism, and this particular ad seems to be getting through whatever filtering mechanism you might have built. I consider this a "Bug" in your system.

I am aware that your system largely is well designed and does prevent such occurrences most of the time.

Probably such ads are also legal in certain countries and the filter might have failed in identifying the country of origin of the visitor.

You are required to investigate these incidents seriously and let me know how you are eliminating the bug.

Now that you are notified publicly, if the bug is not rectified and in the next such occasion some visitor files a criminal complaint against the App owner and Google, your company would be liable for the consequences. Such liabilities include the possible imprisonment of your officers working in India. I therefore expect that Google will not neglect this open complaint and take necessary action.”

If any other App owner or member of the public observes similar ads being displayed in any App or website, kindly let me know.

Naavi

Posted in Cyber Law