random thoughts

This blog is now being updated at my personal website. Please do visit http://www.saravade.in to see the latest entry. See you there!

Posted via LiveJournal.app.

Ajay Shah has quoted an article in New York Times on the viability of the idea of putting surveillance cameras in police stations to ward off instances of police brutality. I do not think India has political persecution the way the NYT story on Uzbekistan depicts. The stories on police brutality in India are more about third degree methods in crime investigation than political dissidence. Further, surveillance in police stations may merely shift the objectionable activity elsewhere.

Many people subscribe to a school of thought that mere deployment of technology will address many of the ills in the society, but, IMO, the real change will happen through a combination of providing viable alternatives for enhancing effectiveness of crime control and maintenance of public order and 'softer' projects focusing on culture change within police and then holding those who veer off the straight path, accountable with exemplary punishment. Putting surveillance cameras in police station is a sign of mistrust, which is the wrong position to start with.

'Humans Want to Share Information': This podcast in Scientific American turned up today morning in my daily trawling of Internet through newsletters and alerts. It puts forth an interesting hypothesis. Here it goes.

Shirky [media scholar from New York University] referenced Michael Tomasello of the Max Planck Institute who says that humans share three kinds of commodities: goods, services and information.

Imagine you are walking down the street and you see an elderly woman. She asks you for money. How would you feel? Now imagine that she asks you to help her cross the street. A different feeling. Now imagine she just asks for directions. A different feeling again.

It is this last case, the sharing of information, that humans do freely and actually want to do, according to Shirky.

Speaking about the demise of the music industry, he reminded us that we held on to our compact discs, goods we could touch. But when the music-sharing site Napster launched—and music became a digital file easily copied—sharing took off, and “the music industry freaked out.”

Shirky’s catchphrase serves as a guideline to predict future events: Behavior is motivation filtered through opportunity.

This looked intuitive enough and I started musing about its application to the problem of information security. In an organisatoinal context, this feeling that information ought to be shared freely, especially with co-workers who need it anyway, would held sway. This is where data labelling may be critical to prevent its leakage. If the information security team in an organisation is building a culture of data labelling and then clearly articulating and reinforcing the do's and don'ts, data loss prevention can be that much easier.

Employees also believe that they are producing information as they work and that they have concurrent ownership rights over the intellectual property along with the organisation. That's why when they change jobs, they want to carry along some of it. How to reconcile individual and organisational priorities is another problem.

A couple of years ago, I went to meet a batchmate of mine, whose moniker in the National Police Academy was Taqat for obvious reasons. He was posted at the police headquarters and was in a high volume job, having to deal with establishment matters. Several people would come to meet him with their grievances every day, expecting and getting a patient hearing. I managed to get his attention in the midst of the bustle and informed him that I have a new job and a new address. I handed over my visiting card to him. Despite being a busy man, he fished out his address book and said,"Wait. Let me write it down. Baad mein card nahee milta."

Coming from Taqat, it was a very pleasant surprise. The time management guru, David Allen, prescribes keeping one Inbox for all one's incoming messages. That makes dealing with them and managing them very easy. Most of us have such information bombardment that it is easy to get overwhelmed. Having some simple rules and following them scrupulously helps. While visiting cards have their value in projecting the organization/person and his station in life, they also have a very short life. Once the information in the card is extracted and fed in a database, the card has served its purpose and has to go. Electronic organisers like Palm PDA/software programs like Outlook are excellent for this job. I am partial to the former category of beasts and over the last five years learnt a few tricks and taught a few. But that's a topic for another post. For the time being, here's a nod to Taqat and his system!

During an investigation and trial, a great deal of reliance is placed on eye-witnesses. However, modern research suggests that the ability to notice details may vary from person to person. The video at http://www.youtube.com/watch?v=38XO7ac9eSs&feature=player_embedded illustrates the point.

This would indicate that greater weight may need to be attached to scientifically collected circumstantial evidence. Our criminal investigators would need to be equipped accordingly.

Ajay Shah writes about the consequences of exposure to violence. This is an interesting post. While there has been no violence caused by external aggression, there is no dearth of internal violence in India. Domestic violence seems rampant. So is the tendency to be lawless (just watch the traffic behaviour in all metros/cities/towns, with or without traffic lights and the traffic cop) and Left Wing Extremism has only grown, accounting for half the country's districts now. This latent violence feeds upon itself. The wherewithal of the law enforcement to extend and maintain the writ of law (which includes the ability to enforce traffic rules uniformly and consistently, investigate cases against the high and mighty fearlessly and deter the marginalised and the desperate from articulating their grievances through the barrel of the gun) has consistently dwindled due to increasing politicisation and shrinking resources. Unfortunately, this is not a topic which catches attention of the intelligentsia, the media or the ruling class. The other day, there was a new report about the large losses caused by the 26/11 attack. On reading the news article, one senior police officer bitterly recounted to me how his proposal for equipping the Anti Terrorist Squad of Maharashtra involving an outlay of Rs 20 crore was laughed away a couple of years ago by the mandarins of Home Department as a fanciful plan.

During a recent visit to UK, I had the occasion to listen to Alex Conran at Experian's Identity and Fraud Forum 2009. He spoke about social engineering techniques in duping people and why people get cheated. Conran runs a show on BBC called the Real Hustle (http://en.wikipedia.org/wiki/The_Real_Hustle). It was easily the most entertaining talk I have ever heard on the subject of crime by deception.

Based on the various episodes of the show, a paper has now been put together by a couple of researchers at the Cambridge University, which has an illuminating discussion of the principles of the human aspects of security. Titled 'Seven Principles of Systems Security', it is a recommended read for all practitioners of security. It can be downloaded from http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-754.pdf.

Recently, a young IPS officer went to meet a well-known social worker, who advised him to focus on 'reputation management' of police. This is a new, interesting thought. Increasingly, organisations, especially those which are in the service sector, are realising that their intangible assets, such as the human capital, the intellectual property, the information resources they possess and most importantly, the trust of their customers, are more important than their physical assets. So much so, that the Basel-II norms (http://en.wikipedia.org/wiki/Basel_II_Accord) of capital management of banks contain reputation risk management as a separate risk to contain.

It would be good to get the IPS leadership thinking about reputation management - to build, protect and maintain the image of police as slayers of evil and defenders of the righteous. This can be done without feeling manipulative, by keeping in mind what Abraham Lincoln said about reputation: “Character is like a tree and reputation like a shadow. The shadow is what we think of it; the tree is the real thing.”

There have been several suggestions to the newly set up Unique ID Authority of India (UIDAI) about how to achieve quick results. One of these relates to using the mobile phone as the surrogate for identification of the users (http://blog.taragana.com/n/mobile-phone-to-authenticate-your-identity-nilekani-179579/).

With my limited knowledge of the mobile phone technology involved, it appears that the device ID (IMEI number) and the SIM ID (IMSI number) combination, which will be stable in bulk of the population, is likely to be used. However, the process for issuing mobile connection is not consistent across the operators/circles and the integrity of the database may not be up to the mark, as can be seen from a recent news item in ToI (http://infotech.indiatimes.com/articleshow/msid-4989944,prtpage-1.cms).

The enrollment process for this route of populating the UID database needs to be designed well and sound anti-fraud measures (systems and processes) need to be baked in at the beginning. Banks do a lot this kind of stuff in identifying dodgy applicants and the learnings would be relevant. The user behaviour profiling would also be an important input for eliminating identity frauds. Question is: "Do the mobile phone companies capture and store the additional data beyond billing requirements?"

A couple of high profile stories: FBI director almost got phished (http://www.computerworld.com/s/article/9139106/Citing_cybercrime_FBI_director_doesn_t_bank_online?source=rss_security) and the wife of the future chief of MI6 posts sensitive family details on Facebook (http://www.guardian.co.uk/politics/2009/jul/05/mi6-facebook-sawers-wife-miliband).

Interestingly, the FBI Director's speech (http://www.fbi.gov/pressrel/speeches/mueller100709.htm) mentions that he got to know the seriousness of the cyber threats, when he read the book 'The Cuckoo's Egg', something I have been planning to do for a long time, but haven't found time to do yet! It also shows no chinks in his thinking, despite his candid admission that he almost got phished. Indeed, there are interesting insights into the FBI's approach to cyber crime and cyber security.