random thoughts

5:55PM - This blog has moved...

This blog is now being updated at my personal website. Please do visit http://www.saravade.in to see the latest entry. See you there!

Posted via LiveJournal.app.

12:37PM - Surveillance Cameras in Police Stations

Ajay Shah has quoted an article in New York Times on the viability of the idea of putting surveillance cameras in police stations to ward off instances of police brutality. I do not think India has political persecution the way the NYT story on Uzbekistan depicts. The stories on police brutality in India are more about third degree methods in crime investigation than political dissidence. Further, surveillance in police stations may merely shift the objectionable activity elsewhere.

Many people subscribe to a school of thought that mere deployment of technology will address many of the ills in the society, but, IMO, the real change will happen through a combination of providing viable alternatives for enhancing effectiveness of crime control and maintenance of public order and 'softer' projects focusing on culture change within police and then holding those who veer off the straight path, accountable with exemplary punishment. Putting surveillance cameras in police station is a sign of mistrust, which is the wrong position to start with.

8:08AM - 'Humans Want to Share Information': Some Musings

'Humans Want to Share Information': This podcast in Scientific American turned up today morning in my daily trawling of Internet through newsletters and alerts. It puts forth an interesting hypothesis. Here it goes.

Shirky [media scholar from New York University] referenced Michael Tomasello of the Max Planck Institute who says that humans share three kinds of commodities: goods, services and information.

Imagine you are walking down the street and you see an elderly woman. She asks you for money. How would you feel? Now imagine that she asks you to help her cross the street. A different feeling. Now imagine she just asks for directions. A different feeling again.

It is this last case, the sharing of information, that humans do freely and actually want to do, according to Shirky.

Speaking about the demise of the music industry, he reminded us that we held on to our compact discs, goods we could touch. But when the music-sharing site Napster launched—and music became a digital file easily copied—sharing took off, and “the music industry freaked out.”

Shirky’s catchphrase serves as a guideline to predict future events: Behavior is motivation filtered through opportunity.

This looked intuitive enough and I started musing about its application to the problem of information security. In an organisatoinal context, this feeling that information ought to be shared freely, especially with co-workers who need it anyway, would held sway. This is where data labelling may be critical to prevent its leakage. If the information security team in an organisation is building a culture of data labelling and then clearly articulating and reinforcing the do's and don'ts, data loss prevention can be that much easier.

Employees also believe that they are producing information as they work and that they have concurrent ownership rights over the intellectual property along with the organisation. That's why when they change jobs, they want to carry along some of it. How to reconcile individual and organisational priorities is another problem.

8:02AM - A Small Tip on Contact Management

A couple of years ago, I went to meet a batchmate of mine, whose moniker in the National Police Academy was Taqat for obvious reasons. He was posted at the police headquarters and was in a high volume job, having to deal with establishment matters. Several people would come to meet him with their grievances every day, expecting and getting a patient hearing. I managed to get his attention in the midst of the bustle and informed him that I have a new job and a new address. I handed over my visiting card to him. Despite being a busy man, he fished out his address book and said,"Wait. Let me write it down. Baad mein card nahee milta."

Coming from Taqat, it was a very pleasant surprise. The time management guru, David Allen, prescribes keeping one Inbox for all one's incoming messages. That makes dealing with them and managing them very easy. Most of us have such information bombardment that it is easy to get overwhelmed. Having some simple rules and following them scrupulously helps. While visiting cards have their value in projecting the organization/person and his station in life, they also have a very short life. Once the information in the card is extracted and fed in a database, the card has served its purpose and has to go. Electronic organisers like Palm PDA/software programs like Outlook are excellent for this job. I am partial to the former category of beasts and over the last five years learnt a few tricks and taught a few. But that's a topic for another post. For the time being, here's a nod to Taqat and his system!

6:04PM - Change Blindness and Impact on Investigations

During an investigation and trial, a great deal of reliance is placed on eye-witnesses. However, modern research suggests that the ability to notice details may vary from person to person. The video at http://www.youtube.com/watch?v=38XO7ac9eSs&feature=player_embedded illustrates the point.

This would indicate that greater weight may need to be attached to scientifically collected circumstantial evidence. Our criminal investigators would need to be equipped accordingly.

8:56AM - Our Attitude to Violence

Ajay Shah writes about the consequences of exposure to violence. This is an interesting post. While there has been no violence caused by external aggression, there is no dearth of internal violence in India. Domestic violence seems rampant. So is the tendency to be lawless (just watch the traffic behaviour in all metros/cities/towns, with or without traffic lights and the traffic cop) and Left Wing Extremism has only grown, accounting for half the country's districts now. This latent violence feeds upon itself. The wherewithal of the law enforcement to extend and maintain the writ of law (which includes the ability to enforce traffic rules uniformly and consistently, investigate cases against the high and mighty fearlessly and deter the marginalised and the desperate from articulating their grievances through the barrel of the gun) has consistently dwindled due to increasing politicisation and shrinking resources. Unfortunately, this is not a topic which catches attention of the intelligentsia, the media or the ruling class. The other day, there was a new report about the large losses caused by the 26/11 attack. On reading the news article, one senior police officer bitterly recounted to me how his proposal for equipping the Anti Terrorist Squad of Maharashtra involving an outlay of Rs 20 crore was laughed away a couple of years ago by the mandarins of Home Department as a fanciful plan.

10:12PM - Human aspects of security

During a recent visit to UK, I had the occasion to listen to Alex Conran at Experian's Identity and Fraud Forum 2009. He spoke about social engineering techniques in duping people and why people get cheated. Conran runs a show on BBC called the Real Hustle (http://en.wikipedia.org/wiki/The_Real_Hustle). It was easily the most entertaining talk I have ever heard on the subject of crime by deception.

Based on the various episodes of the show, a paper has now been put together by a couple of researchers at the Cambridge University, which has an illuminating discussion of the principles of the human aspects of security. Titled 'Seven Principles of Systems Security', it is a recommended read for all practitioners of security. It can be downloaded from http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-754.pdf.

8:30AM - Reputation Management for Police

Recently, a young IPS officer went to meet a well-known social worker, who advised him to focus on 'reputation management' of police. This is a new, interesting thought. Increasingly, organisations, especially those which are in the service sector, are realising that their intangible assets, such as the human capital, the intellectual property, the information resources they possess and most importantly, the trust of their customers, are more important than their physical assets. So much so, that the Basel-II norms (http://en.wikipedia.org/wiki/Basel_II_Accord) of capital management of banks contain reputation risk management as a separate risk to contain.

It would be good to get the IPS leadership thinking about reputation management - to build, protect and maintain the image of police as slayers of evil and defenders of the righteous. This can be done without feeling manipulative, by keeping in mind what Abraham Lincoln said about reputation: “Character is like a tree and reputation like a shadow. The shadow is what we think of it; the tree is the real thing.”

3:53PM - De-duping of the UID database

There have been several suggestions to the newly set up Unique ID Authority of India (UIDAI) about how to achieve quick results. One of these relates to using the mobile phone as the surrogate for identification of the users (http://blog.taragana.com/n/mobile-phone-to-authenticate-your-identity-nilekani-179579/).

With my limited knowledge of the mobile phone technology involved, it appears that the device ID (IMEI number) and the SIM ID (IMSI number) combination, which will be stable in bulk of the population, is likely to be used. However, the process for issuing mobile connection is not consistent across the operators/circles and the integrity of the database may not be up to the mark, as can be seen from a recent news item in ToI (http://infotech.indiatimes.com/articleshow/msid-4989944,prtpage-1.cms).

The enrollment process for this route of populating the UID database needs to be designed well and sound anti-fraud measures (systems and processes) need to be baked in at the beginning. Banks do a lot this kind of stuff in identifying dodgy applicants and the learnings would be relevant. The user behaviour profiling would also be an important input for eliminating identity frauds. Question is: "Do the mobile phone companies capture and store the additional data beyond billing requirements?"

4:02PM - TopCops and Teachable Moments

A couple of high profile stories: FBI director almost got phished (http://www.computerworld.com/s/article/9139106/Citing_cybercrime_FBI_director_doesn_t_bank_online?source=rss_security) and the wife of the future chief of MI6 posts sensitive family details on Facebook (http://www.guardian.co.uk/politics/2009/jul/05/mi6-facebook-sawers-wife-miliband).

Interestingly, the FBI Director's speech (http://www.fbi.gov/pressrel/speeches/mueller100709.htm) mentions that he got to know the seriousness of the cyber threats, when he read the book 'The Cuckoo's Egg', something I have been planning to do for a long time, but haven't found time to do yet! It also shows no chinks in his thinking, despite his candid admission that he almost got phished. Indeed, there are interesting insights into the FBI's approach to cyber crime and cyber security.

8:32AM - What's different about this India?

These days I don't follow cricket with the religiosity of olden days. Still, when I got up yesterday to the sounds of the unmistakable shouts of cricket buffs in the building, I realised that the India-New Zealand match was on and hurried to settle down before the TV. It was a wise decision as the Sachin-Yuvaraj partnership was just beginning to take off and I was treated to some extraordinary exhibition of batting. Obviously, the morning plans got rearranged and I managed to watch the match till the end. The true bonus was the century from Sachin (who being from our generation - kind of - is still the primary idol).

Two moments stuck in my mind after the euphoria had ebbed and replaced by a happy glow. The first one was the end point of the easy nonchalance of Yuvaraj's innings. He was going great guns, overshadowing Sachin and nothing seemed impossible. Then he got out caught behind, and walked without as much as a single glance towards anyone. The wicket keeper was standing up and the umpire could have had his doubts. But such was the flow of Yuvaraj that he had no hesitation in doing the right thing. That is the essence of a man in 'the zone.' Reminded me of the Kipling poem, 'If''.

The second moment came when Dhoni was batting. His energy, enthusiasm and the busy manner immediately changed the mood of batting from languid grace to frenetic urgency. At one point, he played a great shot where the ball went sailing over the mid-wicket in to the stands. It's my guess that the coaches in cricket stress the importance of a proper follow through (as we were taught while learning firearms handling and marksmanship in our basic police training). However, here was a picture of Dhoni frozen, looking at the place where the bat had met the ball and happy at the flawless process than looking up at the ball's trajectory and worrying about the result.

To me, these two moments are what is so special about today's Indian team and the young India as well. We can look forward to great things if we enhance and maintain our process focus.

On another note on the new India, Vir Sanghvi's article in the Hindustan Times, titled 'The Same People? Surely Not' was a refreshing perspective on the divergent paths taken by India and Pakistan after 1947. The older people are always prone to the secret hope of returning to 'the good old days'. It never happens and is a dangerous pitfall in the thought process. The past can be a good guide to understand the changes around us, but not as a model for shaping the future.

8:57AM - Credit Card Fraud and an Unusual New Year Gift

Recently, I received a new year greeting mail from Hemant Rath. With my memory being what it is, the name failed to ring a bell and I had to search through my mail archives to find out more. I also clicked on the links in the mail and landed up at Hemant's blog. The latest entry in the blog 'Credit Card Fraud and an Unusual New Year Gift' explained a lot.

So, I promptly decided to copy the title of his blog post for mine. It is gratifying when whatever good deeds you do come back to visit you in an unexpected fashion. Thanks for the joy, Hemant.

However, Hemant's experience with the police (as narrated by him) is not very enthusing and that's where the need for police reforms (a theme I keep harping on) comes in. After the recent Mumbai terror attacks, there is a greater interest and awareness about police working among citizens. This is a very welcome sign and if sustained, will lead to the pressure of public expectation on the vested interests in government and police to be open for the much-needed change.

9:49PM - SIM Card Cloning and Cops in India

Bruce Schneier blogs about the discovery of cloned SIM cards in Assam and attributes the surprise and the lack of expertise on the part of the police to his favourite theme of the 'Ill Effects of Banning Security Research.' Apparently, an expert from IIT Guwahati said that no one has actually done any research on SIM card cloning because the activity is illegal in the country. The assumption about the lack of expertise is simply not true: one can find a detailed, one-year old post online about cloning cards of the various Indian telecom operators. Indian Express wrote about cloning in February 2005.

In 2005-06, when I used to work in NASSCOM, we did several training programmes for police officers which started with the demonstration of SIM cloning. The idea was to catch their attention and then talk of the various kinds of cyber crimes. It used to work well, but applications of such cloning were difficult to cite. Finally, a real life situation turns up where a terrorism suspect has used cloned cards. It would be interesting to find out what advantages he saw in doing so.

11:14PM - Political aspirations

We were watching the Obama - McCain debate the other day on TV. As McCain held forth on what he was going to do on becoming the President of USA, I asked my son, who is in fifth standard: "Would you want to join politics when you grow up?"

His emphatic and immediate "NO!", with a rueful shake of head, surprised me. "Why not", I asked him. "I will have to learn so many speeches", he said!

10:24PM - Global Innovation Outlook - Security and Society

Since 2004, IBM has been periodically hosting a very interesting brainstorming exercise, called Global Innovation Outlook (GIO) on various themes. I was invited by them to participate in a 'Deep Dive' session of GIO 3.0, with the theme of 'Security and Society'. This was held in Taipei on 20-21 May 2008. Similar sessions were held at Moscow, Berlin, Tokyo, Chicago and Vancouver. The GIO blog gives more details of the individual sessions.

The idea of the brainstorming exercise was simple and well-executed. A lot of bright and accomplished thinkers on the subject of security were put together and asked to express their thoughts on the emerging aspects of security. The IBM co-ordinating team laid down the protocol of engagement and guided the discussions in the productive direction. Personally, I enjoyed meeting people from different nationalities and getting to know their assessment of the problem.

IBM has recently put out the report of the Deep Dive on Security on Society. Though a largish file (6 MB), it is worth a good look for some unusual perspectives from a diverse group of people, capable of stimulating some novel thoughts.

8:12AM - Blast in Kabul

Terrorism continues to target the Indian nation within the country and outside. The latest in this series is yesterday's blast in the Indian embassy in Kabul which killed 41 people. The risk of such incidents is higher in 'frontier' places like Kabul and one only hopes the lessons from this incident are not lost. One name in the list of embassy officials killed caught my eye. V. Venkateshwara Rao, an IFS officer of 1990 batch is the first IFS officers to be martyred. [C.Raja Mohan has paid a tribute to Venkat (http://www.indianexpress.com/story/332701.html) in the Indian Express].

I had met Venkat during my first visit to US at a dinner at the residence of Dr V.S. Seshadri, then Minister in the Indian embassy in Washington DC. My colleague in NASSCOM, Sunil Mehta, who is also no more, was with me and, I remember, the evening was spent in some small talk, but mostly in a deep discussion about the Indian IT industry. I was impressed with the Venkat's easy-going nature and his keenness to absorb information about the issues important for the IT industry. During my next visit, I enquired about him and was told about his moving out of the US assignment.

I always assumed that our paths will cross sooner or later. Obviously, one can't make too many things for granted...

7:24AM - The Fringe Benefits of Failure, and the Importance of Imagination

J.K. Rowling is an iconic figure in today's age when there are not too many believers. Needless to say, our family is a member of the fan club and went through the breathless experience of buying and reading the Harry Potter series, as soon as the books were released for publication.

Rowling gave a commencement speech at Harvard recently. It is wonderful and deeply moving, like much of her writing. The closing part of the speech:

Unlike any other creature on this planet, humans can learn and understand, without having experienced. They can think themselves into other people's minds, imagine themselves into other people's places.Of course, this is a power, like my brand of fictional magic, that is morally neutral. One might use such an ability to manipulate, or control, just as much as to understand or sympathise.

And many prefer not to exercise their imaginations at all. They choose to remain comfortably within the bounds of their own experience, never troubling to wonder how it would feel to have been born other than they are. They can refuse to hear screams or to peer inside cages; they can close their minds and hearts to any suffering that does not touch them personally; they can refuse to know.

I might be tempted to envy people who can live that way, except that I do not think they have any fewer nightmares than I do. Choosing to live in narrow spaces can lead to a form of mental agoraphobia, and that brings its own terrors. I think the wilfully unimaginative see more monsters. They are often more afraid.

What is more, those who choose not to empathise may enable real monsters. For without ever committing an act of outright evil ourselves, we collude with it, through our own apathy.

One of the many things I learned at the end of that Classics corridor down which I ventured at the age of 18, in search of something I could not then define, was this, written by the Greek author Plutarch: What we achieve inwardly will change outer reality.

That is an astonishing statement and yet proven a thousand times every day of our lives. It expresses, in part, our inescapable connection with the outside world, the fact that we touch other people's lives simply by existing.

But how much more are you, Harvard graduates of 2008, likely to touch other people's lives? Your intelligence, your capacity for hard work, the education you have earned and received, give you unique status, and unique responsibilities. Even your nationality sets you apart. The great majority of you belong to the world's only remaining superpower. The way you vote, the way you live, the way you protest, the pressure you bring to bear on your government, has an impact way beyond your borders. That is your privilege, and your burden.

If you choose to use your status and influence to raise your voice on behalf of those who have no voice; if you choose to identify not only with the powerful, but with the powerless; if you retain the ability to imagine yourself into the lives of those who do not have your advantages, then it will not only be your proud families who celebrate your existence, but thousands and millions of people whose reality you have helped transform for the better. We do not need magic to change the world, we carry all the power we need inside ourselves already: we have the power to imagine better.

I am nearly finished. I have one last hope for you, which is something that I already had at 21. The friends with whom I sat on graduation day have been my friends for life. They are my children's godparents, the people to whom I've been able to turn in times of trouble, friends who have been kind enough not to sue me when I've used their names for Death Eaters. At our graduation we were bound by enormous affection, by our shared experience of a time that could never come again, and, of course, by the knowledge that we held certain photographic evidence that would be exceptionally valuable if any of us ran for Prime Minister.

So today, I can wish you nothing better than similar friendships. And tomorrow, I hope that even if you remember not a single word of mine, you remember those of Seneca, another of those old Romans I met when I fled down the Classics corridor, in retreat from career ladders, in search of ancient wisdom:

As is a tale, so is life: not how long it is, but how good it is, is what matters.

I wish you all very good lives.

Thank you very much. 

 

8:40AM - The next level of detail

Yesterday, on way to Taipei, where I will be attending the Deep Dive session on Society and Security of the IBM Global Innovation Outlook, I passed through the Hong Kong airport. In the transfer area, there was the usual queue for security. When I neared the security portal (a.k.a. Door Frame Metal Detector or DFMD), I noticed that the trays being given to the passenger to put their laptops, phones, coins and watches were coming back to the originating point thorugh a nicely designed pair of guide rails and there was no unnecessary shuffling and bustle for the security people who were focusing on their assigned parts of the task. What is more, each tray had two A-5 size laminated and serially-numbered paper tokens, one stuck to the tray itself and the other given to the traveller to help him collect his stuff on the other side. Now, I found this to be a nice touch of thoughtfulness. A person is on tenterhooks when passing through security. At that point, when he is asked to give up his precious possessions even for a few moments, this assurance of comfort through providing the token is indeed welcome.

This was in contrast to the near-chaos at Mumbai airport security, where there were multiple queues for the same gate and no queue management in sight. The failure of the Indian planners to provide us with world class of airport is all the more galling when one sees the excellence elsewhere.

6:21PM - Slicing and dicing

Jairam Ramesh, Union Minister of State for Commerce for  recently shared his thoughts on the IT industry with the Executive Council of NASSCOM.  The entire speech is available here.

I found the speech refreshing for the way it presented data about the Indian IT industry.  To illustrate, an extract is given below.

A couple of months back, the securities firm CLSA came out with detailed analysis of the Indian IT industry which revealed that:
• 20-25% of India’s GDP expansion over the next 3-4 years will come from IT;
• India’s IT exports will cross India’s oil imports from 2007/08 onwards assuming that oil prices are at around $ 65 a barrel;
• The IT industry –directly and indirectly—will pick up a third of the addition to the urban labour force over the next three-four years.
• Over the next three-four years, the IT industry will pick up around 80-85% of India’s employable engineers.
• One in seven income tax payers in the country will be a IT professional by 2010 up from the current one in ten.

There is more insightful analysis in the speech.  It is this kind of approach to present statistics which make them meaningful and relatable.

9:12PM - ITU Regional Workshop on Cyber Security

I just returned after spending a week in Hanoi, Vietnam, where a regional workshop, involving the countries of Asia Pacific region, on evolving a framework for ensuring cyber security, was held.  This workshop (http://www.itu.int/ITU-D/cyb/events/2007/hanoi/) was hosted by the International Telecom Union, which is trying to bring uniformity of approach among all countries which are grappling with the issue of how to promote the safe use of information technology.  I had attended the Council of Europe Convention on Cybercrime Conference recently.  The ITU approach goes beyond the Council of Europe approach, which seeks to put in place a comprehensive legal framework, harmonisation of laws, capacity building in enforcement of laws in cyber space and international co-operation in criminal investigation. The ITU approach includes this as one element among other equally important elements.  The remaining four are as follows.

• a national strategy
• incident management
• government-private sector collaboration
• development of a culture of cybersecurity

The conference schedule can be seen at http://www.itu.int/ITU-D/cyb/events/2007/hanoi/agenda.html and the presentations can be downloaded from http://www.itu.int/ITU-D/cyb/events/2007/hanoi/presentations.html.

I observed that there were no police officers among the participants of the workshop and most of the attendees came from the technical side of security, namely the CERTs (Computer Emergency Response Teams) of various countries.  Cyber security is an evolving area where there are very few experts.  The technical experts tend to move in to occupy the vacuum, but in the ultimate analysis, security is a human problem and there are few groups who understand human psychology like police officers do.  The technical experts can diagnose the problem, but the response in many situations has to come from the law enforcement.  They can help with monitoring, preventing and mitigating the large scale attacks on the Internet and should work more closely with law enforcement in protecting the ordinary users from fraud and harm. 

The ITU approach seeks to bring all the major stakeholders together and deserves a serious look by the policy makers everywhere.