Naavi.org

Since 1971 when the first concept of a “Malware” surfaced we have been fighting the menace of Virus, Trojan, worm etc which are all “Malicious” programs that automatically spread into the user’s computer. The initial purpose of the viruses was to disrupt the operations of the user for fun or revenge. Gradually it was identified as an attempt to sell an “Anti Virus Software”. But the “Virus Eco System” turned greedy in financial terms and in later years it has become a “Criminal Extortion Tool” in the form of “Ransomware”.

India introduced ITA 2000 as a legislation which identified introduction of Computer virus or any computer contaminant as an offence punishable with 3 years imprisonment. After 2008, the amendments gave CERT In the powers under the statute to regulate the cyber security measures implemented in the industry. CERT In has been issuing many guidelines as well as advisories including the advisory on how to handle ransomware attacks. (September 27, 2022 advisory)

Indian companies are however oblivious to the existence of ITA 2000 and a regulatory agency like CERT IN. They are more enamoured by the ISO 27001 type of business driven audits and remain complacent.

With the advent of Artificial Intelligence, while responsible security professionals speak of using of AI for Cyber Security, the criminals have already started using AI for sending phishing mails and launching malware attacks. Hence even the ransomware attacks will increase.

We therefore urge organizations to take suitable steps to protect their organizations against AI supported cyber attacks.

Despite ChatGPT claiming that it does not support criminals, Cyber Security professionals have pointed out how ChatGPT can be misused. Just like a criminal lies when asked directly if he is a criminal, ChatGPT also denies its involvement in creating malware.

There have been earlier ransomware attacks where amateurs had used an e-mail contact for ransom discussion through “Crimeware assisting services ” like Proton mail. Now professional ransomware attackers are using ToxID to discuss ransom demand. (See here for information on Tox).

Tox which began in the light of the Snowden leaks, started with the idea of creating an instant messaging application that ran without requiring the use of central servers. The system would be distributed, peer-to-peer, and end-to-end encrypted, with no way to disable any of the encryption features; at the same time, the application would be easily usable by the layperson with no practical knowledge of cryptography or distributed systems.

During the Summer of 2013 a small group of developers from all around the globe formed and began working on a library implementing the Tox protocol. The library provides all of the messaging and encryption facilities, and is completely decoupled from any user-interface; for an end-user to make use of Tox, they need a Tox client.

Tox is a FOSS (Free and Open Source) project. All Tox code is open source and all development occurs in the open. Tox is developed by volunteer developers who spend their free time on it, believing in the idea of the project. Tox is not a company or any other legal organization.

Now there exist several independent Tox client projects, and has thousands of users, hundreds of contributors, most of whom are criminals engaged in cyber crime and ransomware attacks.

Tox proudly says that it does not accept any donations probably because all the ransomware attackers pay their own contribution to this “Voluntary Criminals who developed Tox”.

It is unfortunate that law enforcement and law makers donot take sufficient steps to control these malware services and allow them to continue to be in business.

I request CERT In to take steps to ensure that Tox service does not enter the Indian cyber space. I am sure that some experts say this is impossible. But I donot believe that anything is impossible if there is a will. Where there is a will there is a way.

Tox is an intermediary which assists ransomware attackers and hence is ultra-vires the Indian law. Powers are already available within ITA 2000 to take action to declare Tox service as illegal in India. Hope CERT In has the will to use the power available to them under law.

Naavi

The saga of India passing a new data protection law to replace ITA 2000/8 has still not reached the final chapter. There are completely contradictory statements coming from the Government and the Opposition. We are aware that the opposition political parties in India are determined not to allow any significant legislation to pass through the Parliament and the Data Protection law is one such law considered politically significant.

Some time back the minister of IT Sri Ashwini Vaishnaw stated (according to press reports which many times are false and unreliable) that the Standing committee has passed the draft. Now some members of the opposition say that they have suggested 40 amendments to the Bill and they will discuss this further in the next meeting. Mr Rajeev Chandrashekar had suggested regarding the cross border transfer of data that India would opt for a “Positive list” based on mutual agreements with some countries. Of late he has changed his version (again according to press reports which many times are false and unreliable) and is now indicating that there will be a negative list of countries to which data transfer would be regulated and all other countries would be in the “Adequacy and Allowed” list.

There is a slew of articles published from Dr Amar Patnaik in some part of the media suggesting a complete revision of the approach to the law itself. (Refer here).

Mr Karti Chidambaram as a member of the IT Standing committee has indicated (As per the George Soros supported “Wire”) has said that 40 amendments have been proposed by the committee.

Some of the concerns expressed by the committee are said to be

These are the laundry list of objections that have been raised in every draft presented earlier. He has also pointed out that since the Bill was never introduced in Parliament, it was never referred to the standing committee for discussion and whatever discussions happened were preliminary in nature and happened when the bill was put out for public consultation. He has also said that it does not address the concerns of the Supreme Court on Privacy.

In what indicates an indefinite delay, he has suggested “In a letter to Union IT minister Ashwini Vaishnaw on Monday, Mr Karti Chidambaram has sought to widen the scope of consultation for the Bill as well as the Digital India Bill, and hold stakeholder consultations across states, and ensure that the discussion is also held in regional languages.”

There was one report that the Bill now be presented in the Monsoon session but it is yet to be confirmed.

For those who are aware of the Indian political scenario, the situation is very clear. Whatever be the proposition from the Government, it will not be accepted by the opposition. Hence there is no way the legislation can be passed by consensus. The Minister also should be aware of this.

If despite this, Ministers are making statements that the bill will be presented, passed etc., they are to be treated nothing more than political statements.

The current version of DPDPB 2022 is one of the most industry friendly provisions suggested by the Government and if the opposition stalls the Bill then there is no option for the Government to continue to use the current law namely ITA 2000 with Section 43A, Intermediary guidelines etc as the Data Protection regulation of India. The Adjudicators and CERT need to become more active and provide the “Regulatory oversight in the absence of the Data Protection Board” for which the law as is present now can be sufficient.

The objections raised by the IT Standing committee are related to the Regulatory authority, Government powers and the Cross border transfer. Other than this the Bill should be considered as “Acceptable”. Out of these two categories of objections, Regulatory authority and Government powers are not affecting the “Compliance” in the industry. Whoever is the regulator and whatever are the exemptions granted, industry level compliance is not directly affected. The Cross border related issues and the exemptions to the industry are being covered by the ITA 2000-Section 43A rules which will continue to apply as “Due Diligence” under ITA 2000.

What is required is for some Adjudicating officer taking up a data breach issue and imposing a fine of Rs 500 crores to stamp the authority of ITA 2000 and CERT In to initiate a prosecution. Then the industry will realize that there is already a law in India and what DPDPB 2022 is likely to do is only to replace it with an improved version. Politicians will also realize that what they are stalling is not the law itself but an improvement of the existing law.

Hence irrespective of the statements of the politicians, industry needs to go ahead and continue its Privacy and Data Protection implementation from the current “Best Practices Perspective”.

But what is disappointing is that the Government has shown no commitment to pass the law and is happy to play along with the opposition to postpone the passing of the law.

Naavi

I would recall my several writings on naavi.org regarding how to handle fake news on the internet.

Today, read an article about Wikipedia inventor who had a noble objective in giving away knowledge free. But when I reflect back on the developments of Internet, I have realized that Wikipedia is not longer a source of information relied upon on many aspects of our society . In aspects related to information which is Political and Social, Wikipedia has been poisoned and often needs to be read with circumspection. This is a tragedy.

Similarly the P2P media like Twitter or FaceBook has become totally unreliable except as a propaganda vehicle for vested interests.

Further, I also saw a video where AI was used to create a fake video by just taking a few mobile pictures and inserting it into a video in an app. This appears to be the final straw that breaks the back of the camel. We will see rogue techies creating fake videos of all politicians to ensure that Internet as a news purveying media becomes completely worthless since it will be filled with false information alround.

We are aware that the last USA election was defrauded with manipulation of postal ballots. We can expect that the next elections both in USA and India will be full of fake videos of all political figures including Joe Biden, Donald Trump, Narendra Modi and Rahul Gandhi created by AI. Hence any video or any article that appears on the Internet need to be fact-checked and the entity doing the fact-check itself need to be fact-checked.

We have also discussed the solution for countering the misuse of Internet for spread of fake news. The first suggestion was way back in December 2000 when I wrote “How to Respond to Rogue web Sites” which was further referred to in the latest article in March 2023.

In terms of solutions, I had discussed the “Mandatory Counter Views link display”, “Mandatory Identification of content contributors” through verification of IDs including Aadhaar type of reliable verification methods, “Intermediary Liabilities with self regulation in the form of Uniform Intermediary Dispute Resolution” on the lines of UDRP.

Out of this, Mandatory verification of contributors to Twitter kind of platforms have been introduced int he form of “Verified” status and Indian Data Protection laws are expected to carry it through. The Intermediary guidelines are being introduced through ITA 2000/8 and the Grievance Redressal Committee set up by the Government (instead of a self regulatory set up which was suggested by the Government but not accepted by the industry).

Now we are learning that Mr Adani the person who is being used by the opposition to defame Mr Modi has been moving in to introduce the other strategy of taking over some of the rogue media houses. Accordingly after NDTV, we understand that substantial interests have been bought in “Quint”. With such moves, there is a competition being created to George Soros who was holding the control on one sided narrative through paid journalists.

With these moves, “Information Warfare” is being commercialized. This development may not be desirable but it is inevitable to atleast correct the skewed behaviour of Internet and the possibility of further damage through biased AI algorithms.

When Adani was attacked for political reasons by Hindenberg report the loss of market capitalization was depicted by media as “Adani’s loss”. But the real loss was actually that of investors who had no stake in the political narrative. Even Mr Modi would be only marginally affected and perhaps will come out strongly after the fake narrative dies down. Adani also will come back albeit with some delays in some projects. But common investors who have lost their hard earned savings will never pardon Indian politicians who tried to use the bear operators of the stock market for their political propaganda.

The latest fake news corroborating the conspiracy of the Soros media was the article in Economic times calling Adani groups statement of premature repayment of debts as unsubstantiated and causing a 5% loss to investors in Stock markets yesterday. With such articles, Economic Times has once again showed its bias and why it is losing credibility.

We therefore welcome Adani’s move of taking over Quint. His control of NDTV and Quint may not fully match the combined weight of George Soros supported media but could at least create a counter weight. We hope that some “Journalists” who are caught in the Soros network by fate would consider defecting to create a better balance in the use of Internet as a news media.

If this does not happen, then the trust of Internet as an “Information Super Highway” would be further eroded.

As Data Security professionals, the preservation of “Integrity” of information does not end with the binary data but also extends to the preservation of integrity of the data as interpreted by the users of the binary data. Under the Theory of Data, I have stated Data is created by technology but interpreted by humans. Hence if the integrity of interpretation is corrupted, it is a “Data Security” issue.

Just has “Privacy Protection” has expanded the domain of Information Security in to the domain of human rights, it is time to recognize that “Prevention of Information warfare” is an extension of the “Prevention of Cyber Crimes” and hence the Information and Privacy protection domain may need to extend itself into preservation of “Information Integrity” .

Naavi

I refer to the article “Punjab and Haryana High Court uses ChatGPT in bail order” which indicates that Justie Anoop Chitkara used ChatGPT while deciding a bail case.

The Judge appears to have added a disclaimer that

“Any reference to ChatGPT and any observation made hereinabove is neither an expression of opinion on the merits of the case nor shall the trial Court advert to these comments. This reference is only intended to present a broader picture on bail jurisprudence, where cruelty is a factor,“.

The use of ChatGPT and making a reference to it in the judgement reflects how the Courts are mis-informed about the natural Language Models like ChatGPT which are prone to bias and hallucination. Also ChatGPT was trained mostly on US data before 2021 and is expected to give wrong answers. It may be good for all of us to use to help our children do their homework but certainly not for other serious work. It is just another tool like the Google Search and needs to be completely supervised by a human being who takes responsibility.

If Courts start referring to ChatGPT, tomorrow petitioners will start quoting ChatGPT as evidence and some judges may be inclined to consider ChatGPT output as gospel truth.

I wish the CJI puts an immediate stop to such use of ChatGPT in arriving at judgements even for reference. The judge is free to use it privately if he wants but should not quote it as one of his aides. This will make ChatGPT output as “Orbiter Dicta” over a time.

Naavi

Blockchain Banking or Crypto Banking has been one of the applications of the Blockchain technology which is being discussed in some security circles. It is being hailed as “Secure”, “Transparent”,” resistant to fraud” and eliminates the need for third party intermediary and therefore is faster than conventional Banking, reduces transaction costs and increases financial inclusion.

This thought process needs to be moderated with the possibility of  destruction of the conventional financial system which would be detrimental to the society.

When Banking system adopted technology, there was a claim that the costs would reduce since back end processing was automated and became more efficient and error free. However this promise did not materialize. Banking became costlier for the customer and more frauds surfaced.

Similarly, the Crypto Banking having all the virtues is also a myth that would destroy the current system and introduce a more risky system in the coming days.

Essence of Block chain technology is that a transaction record is kept in a public ledger and all the “Node Owners” will have copies of all the transaction blocks. The transactions would however be encrypted. Hence the system would multiply the data storage several folds. Since the transactions are encrypted, the node owner may only view a transaction as from X to Y of a certain value and type and not knowing who is X or Y. Hence the claim of “Transparency” is not correct. In fact If X or Y is a fraudster and imposter, the person authorizing the transaction wo views only a hash value representation has no idea of the fraud.

Secondly, if the node owners are members of public there would be no liability attached to their authorization and hence fraud victims cannot hold them responsible. In a Banking environment or a private block chain where the block chain is owned by the Bank itself with its own officers being the nodal controllers, the responsibility can be fixed on the Bank. But this would not eliminate the need for the intermediary. What would change is that the transactions would be stored in terms of encrypted blocks instead of the central server (which also can be encrypted).

If the Banking ledger is kept as a “Public Block Chain” then we will be converting the money of the customers into a virtual data chain which if unauthorizedly modified, is no body’s responsibility.

In the legacy Banking system, the depositor lends his money to the Bank with a contractual guarantee of the same being returned with interest. The Bank is expected to invest the money received in loans and earn an income besides contributing to the development of the business and creation of further assets through a multiplier system.

The block chain banking would block the multiplier system that works in the legacy banking system creating money for development. It would be like every depositor keeping his money in his house and is unproductive.

All other arguments that block chain banking system will reduce inflation etc are also unlikely to materialize. If money supply is withdrawn from the system, then to some extent money available for purchase of goods and services would reduce and this leads to deflation and reversing the progress of the economy. In the long run all persons who have held their Bank deposits in the form of Block-Chain-Bank accounts managed by private Block-chain-syndicates would be at the mercy of a coterie that would take over the majority of nodes and play with the money of the public. These owners would convert the Block chain holdings into real cash through fraudulent transactions and enjoy their dollar wealth where as genuine depositors would live in a false sense that they have a “Crypto Wealth”.

I therefore consider that this would be highly harmful and create a large scale bankruptcy.

Invite counter views.

Naavi

Also refer: A Secure Blockchain-Banking Is What The World Needs?

One of the challenges that the Cyber World is facing is in maintaining the trust worthiness of the Internet content. In the coming days there will be increased use of ChatGPT tools by consumers and it is essential to retain the integrity of these applications to the extent possible by adopting appropriate regulatory oversight.

We have already discussed the need for “Accountability and Transparency” of AI algorithms which include a declaration of the owner of the algorithm in all the outputs. The main responsibility for this has to be taken up by the AI based service providers since the algorithm developers would be hiding behind and cannot be easily located. Hence AI based service providers would be held liable for any bias that may be inherent in the algorithm and it would be their responsibility to demand accountability from the AI developers.

Similarly, the Digital Media of the day which create the Internet content and is used as a training base by ChatGPT/Bard etc., needs to also show some accountability. It is well understood that “Hallucination Error” of AI is the responsibility of the Code developer but the “Bias” is created by the training data input. This is easily manipulated by creating an eco system of motivated news spread through the Internet either in the form of Digital Media, or Individual Blogs.

We are aware that Bitcoin authentication frauds can be committed by fraud syndicates taking over of majority of nodes. Similarly by controlling narrative in more than 50% of Internet content on a specific topic, it is possible to inject bias in the AI algorithms that pick up training data from Internet for reinforced learning. While it may be difficult or impossible to poison 50% of the web content, it is possible to create such biased mass of content in respect of a specific issue.

For example, it is possible to create a mass of content on “Adani” or “Khalistan” or “Islamic obligations” etc where more than 50% content may argue that “Adani” is a stock market manipulator, Khalistan is a popular freedom movement or etc. by pumping in articles of a specific nature in the training data/Internet data.

In all such cases, motivated actions of the interested groups cannot be countered by sufficient number of counter views. Hence it is inevitable that the output of AI algorithms like ChatGPT will eventually get corrupted. The corrupted outputs will in due course become the most accepted world view.

If ChatGPT was relied upon when Socrates said Earth is round while everybody else (other than ancient Indians) believed it to be flat, then science would have to struggle harder than it did to establish its credibility.

Currently, a large part of Digital Media is supported by motivated persons like George Soros who invest large sums of money to maintain a hoard of organizations and journalists to spread a prejudiced view have the capability of introducing bias into the ChatGPT4/5 or Bard.

I therefore advocate that as a part of the Intermediary responsibility in India, all Digital Media should be made to declare through a disclaimer the association with a funding agency whether it is George Soros or others.

Naavi had suggested in 2001, the service called “Lookalikes disclosure” (Visit lookalikes.in for more details) to meet the Domain Name disputes arising out of clash of domain names. Similarly a time has come to suggest that every website provide a disclosure “I am not associated with George Soros” or more generically “This website provides independent views and is not funded by vested interests” (Or some thing similar).

Such disclaimers should be considered as “Due Diligence”. Ideally every website expressing “Opinions” should declare its ownership and alignment if any to specific national, political, religious or racial interests.

Just as products are certified for country of origin, Vegetarian or not, etc, websites, blogs, Youtube channels etc can carry Trust Seals indicating their affiliation or neutrality which will be subject to review by the public.

Hope Meity considers this suggestion to be suitable included in the due diligence requirements of Digital Media.

Naavi

Refer:

George Soros vows to fight PM Modi and Nationalists: Here are some Indian ‘intellectuals’ and NGOs connected to him

Is George Soros trying to influence Karnataka elections through his proxies? Here is what a report says

How George Soros’ Propaganda Machine Has Corrupted The Media