Tag Archive for: Calling

Supermicro CEO Joins Cook in Calling for Bloomberg to Retract Supply Chain Hack Story

Last week, Apple CEO Tim Cook called on Bloomberg to retract a highly controversial story suggesting Chinese spies planted microchips in the Supermicro server motherboards used in Apple’s data facilit…

Software Patch Claimed To Allow Aadhaar’s Security To Be Bypassed, Calling Into Question Biometric Database’s Integrity

Earlier this year, we wrote about what seemed to be a fairly serious breach of security at the world’s largest biometric database, India’s Aadhaar. The Indian edition of Huffington Post now reports on what looks like an even more grave problem:

The authenticity of the data stored in India’s controversial Aadhaar identity database, which contains the biometrics and personal information of over 1 billion Indians, has been compromised by a software patch that disables critical security features of the software used to enrol new Aadhaar users, a three month-long investigation by HuffPost India reveals.

According to the article, the patch can be bought for just Rs 2,500 (around $35). The easy-to-install software removes three critical security features of Aadhaar:

The patch lets a user bypass critical security features such as biometric authentication of enrolment operators to generate unauthorised Aadhaar numbers.

The patch disables the enrolment software’s in-built GPS security feature (used to identify the physical location of every enrolment centre), which means anyone anywhere in the world — say, Beijing, Karachi or Kabul — can use the software to enrol users.

The patch reduces the sensitivity of the enrolment software’s iris-recognition system, making it easier to spoof the software with a photograph of a registered operator, rather than requiring the operator to be present in person.

As the Huffington Post article explains, creating a patch that is able to circumvent the main security features in this way was possible thanks to design choices made early on in the project. The unprecedented scale of the Aadhaar enrollment process — so far around 1.2 billion people have been given an Aadhaar number and added to the database — meant that a large number of private agencies and village-level computer kiosks were used for registration. Since connectivity was often poor, the main software was installed on local computers, rather than being run in the cloud. The patch can be used by anyone with local access to the computer system, and simply involves replacing a folder of Java libraries with versions lacking the security checks.
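The mechanism described above, a client whose security checks live in a folder of Java libraries that anyone with local access can swap out, is a textbook case of trusting code on a machine the adversary controls. The following is an added example, not code from the Aadhaar enrolment software or from the Techdirt or HuffPost articles, showing the minimal check a practitioner would want: every library in the client's folder is hashed, the hash list is authenticated with a server-held key, and a swapped or stripped library (or a forged manifest that tries to bless the swapped file) is rejected before enrolment proceeds. The library names, the folder contents and the key are all constructed for the demonstration.

```python
"""Added example: detecting a swapped library folder with a signed manifest.
Not the Aadhaar enrolment client's own code; file names and contents are constructed."""
import hashlib
import hmac
import json
import os
import tempfile

# Hypothetical secret that only the server (not the enrolment kiosk) would hold.
MANIFEST_KEY = b"assumed-server-side-manifest-key"


def sha256_file(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(lib_dir):
    """Hash every .jar in lib_dir and authenticate the list with MANIFEST_KEY."""
    hashes = {name: sha256_file(os.path.join(lib_dir, name))
              for name in sorted(os.listdir(lib_dir)) if name.endswith(".jar")}
    body = json.dumps(hashes, sort_keys=True).encode()
    tag = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    return {"hashes": hashes, "tag": tag}


def verify_libs(lib_dir, manifest):
    """Return (ok, problems). Rejects a bad tag, then any changed, missing or extra jar."""
    body = json.dumps(manifest["hashes"], sort_keys=True).encode()
    expected_tag = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, manifest["tag"]):
        return False, ["manifest signature invalid"]
    problems = []
    present = {n for n in os.listdir(lib_dir) if n.endswith(".jar")}
    for name, digest in manifest["hashes"].items():
        if name not in present:
            problems.append(f"missing: {name}")
        elif sha256_file(os.path.join(lib_dir, name)) != digest:
            problems.append(f"modified: {name}")
    for name in sorted(present - set(manifest["hashes"])):
        problems.append(f"unexpected: {name}")
    return not problems, problems


def demo():
    """Constructed scenario: a clean folder, then the 'patch' (a stripped checks jar),
    then an attacker-forged manifest that lists the stripped jar's hash."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "enrol-core.jar"), "wb") as f:
            f.write(b"constructed: core enrolment library")
        with open(os.path.join(d, "enrol-security.jar"), "wb") as f:
            f.write(b"constructed: operator biometric check + GPS check")
        manifest = build_manifest(d)
        clean_ok, _ = verify_libs(d, manifest)

        # Simulate the patch: replace the checks library with one lacking the checks.
        with open(os.path.join(d, "enrol-security.jar"), "wb") as f:
            f.write(b"constructed: checks removed")
        patched_ok, problems = verify_libs(d, manifest)

        # Attacker rewrites the hash list to match the stripped jar but cannot
        # recompute the tag without MANIFEST_KEY.
        forged = {"hashes": dict(manifest["hashes"]), "tag": manifest["tag"]}
        forged["hashes"]["enrol-security.jar"] = sha256_file(
            os.path.join(d, "enrol-security.jar"))
        forged_ok, _ = verify_libs(d, forged)

        return {"clean": clean_ok, "patched": patched_ok,
                "patched_problems": problems, "forged_manifest": forged_ok}


if __name__ == "__main__":
    print(demo())
```

The caveat is the point of the Aadhaar story: if this check runs on the kiosk itself, the same person who replaced the library folder can replace or skip the checker, so it only raises the bar. To actually close the hole, the hashes have to be attested to the server from something the operator cannot edit (a signed client binary, platform attestation, or the checks moved server-side), and the server must refuse enrolment requests from clients that do not present a valid manifest.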

The Unique Identification Authority of India (UIDAI), the government body responsible for the Aadhaar project, has responded to the Huffington Post article, but in a rather odd way: as a Donald Trump-like stream of tweets. The Huffington Post points out: “[the UIDAI] has simply stated that its systems are completely secure without any supporting evidence.” One of the Aadhaar tweets is as follows:

It is because of this stringent and robust system that as on date more than 50,000 operators have been blacklisted, UIDAI added.

The need to throw 50,000 operators off the system hardly inspires confidence in its overall security. What makes things worse is that the Indian government seems determined to make Aadhaar indispensable for Indian citizens who want to deal with it in any way, and to encourage business to do the same. Given the continuing questions about Aadhaar’s overall security and integrity, that seems unwise, to say the least.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+


Techdirt.

San Diego Comic-Con Petitions Judge To Have Salt Lake Comic Con Pay Its Attorney’s Fees, Bar It From Calling Itself A ‘Comic Convention’

Perhaps you thought that the legal drama between the famous San Diego Comic-Con and the Salt Lake Comic Con was over. Our ongoing coverage of this trademark dispute, stemming from SDCC somehow having a valid trademark on "comic-con", a shortened descriptor phrase for a comic convention, largely concluded when SDCC "won" in court, being awarded $20,000 after initially asking for $12 million in damages. With the focus now turning to the roughly gazillion other comic conventions that exist using the "comic-con" phrase in their names and marketing materials, this particular dispute seemed to have come to a close.

But not so much, actually. In post-trial motions, SDCC petitioned Judge Battaglia to consider the case "exceptional" so that SDCC can recover attorney's fees from SLCC. The argument for SDCC appears to mostly be that they spent a shit-ton of money on attorneys for the case.

U.S. District Judge Anthony Battaglia heard a host of posttrial motions Thursday, including San Diego Comic-Con's request for over $4.5 million in attorney fees which have already been paid in full. San Diego Comic-Con attorney Callie Bjurstrom with Pillsbury Law told Battaglia Thursday he should find the case is "exceptional" so that attorney fees and costs can be awarded.

“This was a very expensive case; the reason this case was so expensive was because of defendants and their counsel and the way they litigated this case,” Bjurstrom said.

It will be interesting to see how Judge Battaglia rules on the assertion that SLCC's defense of itself warrants its paying SDCC's attorney's fees. What exactly was SLCC supposed to do, not try to defend itself in the best way possible? One also wonders if SDCC would be petitioning for attorney's fees had the jury found that SLCC's infringement was not willful, resulting in the paltry $20k award. Perhaps, perhaps not. What this sure looks like is the SDCC realizing that this "win" came at the cost of a hilariously large amount of money and it is attempting to mitigate that loss.

SDCC also petitioned the court to bar SLCC from using its trademarks. That sort of thing would be par for the course except for two things. First, again, this trademark is ridiculous. It’s purely descriptive. Second, hammering home that fact, SDCC doesn’t want SLCC to even be able to properly describe the type of event it is.

But San Diego Comic-Con’s request went a step further than simply asking Battaglia to enjoin the Salt Lake convention operators from infringing its trademarks: it asked the judge to bar the Salt Lake convention from using the words “comic convention” or phonetic equivalents to “Comic Con” or “comic convention.”

That request should lay plain how dumb this all is. If a comic convention cannot refer to itself as such because that is too close to the trademark “comic-con”, then it should be plain as day that “comic-con” is purely descriptive and, therefore, invalid as a trademark. I wouldn’t be surprised to see this petition to the court turn up at the USPTO in a bid to cancel SDCC’s trademark entirely. That’s certainly what I would be doing if I were heading up any of the hundreds of comic cons out there.


Techdirt.

Stop calling it ‘the cloud’, start selling t-shirts…

A couple of years ago, I said something to the press that became a minor meme.

My suggestion was that people should "stop calling it 'the cloud'" and start referring to it as "somebody else's computer" instead.

After all, as soon as you start using language like that, your brain makes an important shift when it comes to thinking about privacy and security considerations.

Security Memetics refined things further, suggesting “There is no cloud, just other people’s computers”.

Lo and behold, today you can purchase any number of t-shirts and stickers bearing the message, many using an image designed by Chris Watterston.

Don't believe me? Check out "The many faces of There is no cloud".

I wish I had been so entrepreneurial. I haven’t made a single cent out of it!

Graham Cluley