I don’t like to visit government offices but was forced to do so recently. The primary motivation was the constant hassle of proving my identity and address. I have quite a few documents, but some offices will accept only a passport or ration card (don’t be surprised: the Indian government still issues ration cards to distribute whatever grain doesn’t get rotten after rains). So I started on a crusade to get my address changed in my passport. Unfortunately my earlier passport was from Kolkata, so I had to go through the entire process of a new passport in Mumbai. Here are details of the process for those who might need the info in future.
The first thing I did instinctively was to google for any info that might be available on the net. I found a few nice blogs and also the “online passport website” of the government of India. Obviously I was pleasantly surprised to find the Indian government online! I immediately checked the website and found that online application is possible only for issue of a new passport / reissue. Idiots like me who wanted to get foolish things like an address updated must go and burn in the Agni of the great Indian bureaucracy. Motivated by the possibility of avoiding babus and chaparasis, I decided to wait till I was eligible to apply for reissue of my passport (that’s one year before your passport expires; I just happened to be lucky that my passport was expiring soon). On the exact date when I became eligible, I applied online for reissue of my passport. When I finally finished the online application I almost cried with joy. Not only was I given very clear instructions on which documents to bring, but I was also given an appointment time at the passport office so that I wouldn’t have to wait in those long queues. I reported cheerfully with my documents to the Worli passport office at the given time. But alas! That was the territory of babus! I was flatly told that the appointment time given in the acknowledgement from the website was only for decorative purposes and I would have to join the long queue like everyone else. Since I know better than to argue with government chaps, I joined the queue and waited for two hours before the great moment of appearance before the passport clerk came. Next was another well-known trouble with government clerks: the lady there told me that no matter what was written on her ministry’s website, I must bring two of the documents mentioned in the list instead of one to prove my address. I have many bank accounts and I produced account statements from 3-4 banks. But she told me only State Bank account statements are considered a valid address proof!
Luckily I had one State Bank of Travancore account from my college days. She didn’t notice Travancore and was impressed by the State Bank logo. But I still had to submit another proof as per her rules. When I told her to give in writing that the website rules don’t apply, she simply managed to find some stupid typo in my application and rejected my application on that basis. Having wasted my 5 hours and wiser by years, I headed back to the office.
Better informed now, I again applied online for a fresh appointment and ensured no typos this time. I also arranged to get leave on that date so I could devote the entire day to the serious business at hand. This time I was certainly better prepared. I packed a huge folder with every possible document with my address on it. In addition, I packed myself well for the battle ahead: a few Horlicks bars, water bottles, an umbrella, all sorts of stationery (blank papers, photographs, scissors, glue etc.), and finally a few nice thick novels. I started early in the morning only to find myself after 100-odd people in the queue. Somehow, I was called before I ran out of my stock of water and food. I presented my case to the clerk and started throwing various address proofs one by one at him. But this clerk found it amusing and told me that all those documents were not needed and whatever I had given in the beginning was perfectly fine! Maybe the speed with which I started throwing documents had a shock effect :) Anyway, this chap turned out to be extremely professional and quickly finished the scrutiny. Then I was directed to join another queue where fees were to be deposited. Unluckily for me, the ancient computer at the counter breathed its last just when I was to submit my fees. That accounted for another 30 minutes of misery, but finally I emerged victorious from the battle. War, as they say, was a different story.
Out of the passport office, I proudly took out my fees receipt (making it a point that the unfortunate ones still waiting outside in the queue see it and burn with envy). Surprise again: helpline numbers of both the passport office and Mumbai police are printed on the receipt to check the status of police verification and passport issue. That’s some mix of professionalism and babuiri! Anyway, after a few days I checked online and got to know that my file had gone for police verification. So I called the Mumbai police helpline from the receipt. A few hiccups, and finally the lady there managed to figure out that my file had gone to Andheri police station for verification. Since the file had already been rotting there for 10 days, the next day I visited the police station for enquiry. The chap in charge there turned out to be quite nice and told me that he would send someone that day itself. And sure enough, shortly a havaldar came to my home and made serious inquiries indeed. He even asked neighbors and the security guard if I stayed there. Satisfied that I had little probability of links with terrorists, he issued a challan to me. The challan instructed me to come to the police station with documents within three days. Next evening I visited the station as per the time mentioned in the challan. There I noticed a huge board telling everyone to visit only between 10:30-1:30 in the morning. So, next day I took passport leave number two and presented myself to the in-charge there. He was very amused that I had submitted only two documents at the passport office. Not satisfied by my argument that no document was needed for re-issue, he told me to bring a telephone/electricity bill. Since I had already taken leave for the day to take care of such contingencies, I had no difficulty in satisfying his requirements. Once he was happy with my telephone bills he finally approved my file and told me to appear for an “interview with bada sahab” next day evening. Luckily for me, the time he gave was 8:30 so I could manage without leave.
Next day, I found a motley bunch of people waiting for the mysterious interview with bada sahab. Soon my turn came and I had to go and tell bada saab my name, date of birth and address. Satisfied, he put some ticks on the file and signed it, and I returned home happily. I think once the passport office gets police verification they will issue me a passport. But you never know how the Indian government can surprise you. So I am keeping my fingers crossed and praying to Hanumanji every morning for now.
Friday, August 27, 2010
Monday, August 16, 2010
The senseless BlackBerry controversy
The eternal debate between privacy and security has suddenly found itself in focus after some governments seem to have found a new security threat: the humble BlackBerry. Of course, the public is wholeheartedly supporting the governments. The word “security” has magical effects.
I personally think this latest controversy is essentially a hoax. Governments are simply misusing people’s lack of understanding of how encryption works to stoke public outrage. What essentially is encryption? Any information is a number for computers. Everything is saved as a sequence of 0s and 1s. Now when you encrypt something you provide the data and a password to the encryption software. The software simply performs complex mathematical operations on these two “numbers”. For simplicity’s sake, let’s say the original data is 10 and you provide the password 8. Let’s take a very simple encryption. Say we raise 10 to the power of 8 and store the result, 100,000,000 (in binary). Now, this stored number is utterly useless unless you know the password and the mathematical operation that was performed on the data. If you know that, then you simply take the 8th root of 100,000,000 and get the original data as 10. If you don’t know the password, knowledge of the encryption algorithm alone is useless. In simple terms, x^y = z, where x is the data, y is the password and z is the encrypted data. If you have only the encrypted data z, then there is no way to know the original data x without knowing the password y. Of course, modern encryption algorithms are much more complex than this simple example. That rules out any way to mathematically solve the equation to get possible pairs of x and y.
When you send sensitive information over the internet / mobile network, the data is routinely and automatically encrypted (without any password from you). This is to protect against hacking attacks that steal data before it reaches the intended recipient (notice https instead of http in secure web pages?). Once your data reaches the target server, it is decrypted again and stored securely. If BlackBerry is forced to share its encryption logic, the security agency can intercept and read data sent by users. Or maybe BlackBerry can give access to decrypted mails on its server. I am not sure of the technical details of how BlackBerry stores data. But in essence what security agencies are trying to intercept is the communication that has been sent in good faith by the user without any encryption by the user himself.
Surprisingly, to circumvent security agencies armed with BlackBerry encryption codes is hilariously simple. Those who don’t want their communications to be sniffed will surely not rely on routine automatic encryption. They can simply encrypt the data using their own password before sending it. There is plenty of software freely available to do this (TrueCrypt is a good one. You can Google it). What is happening is that you are sending encrypted data z (100,000,000 instead of 10) to begin with. BlackBerry will encrypt it again to, say, q, and security agencies can again “decrypt” it back to z. But that doesn’t help if z itself is encrypted and is useless without the password. Is there any way security agencies can still sniff out the original data x (10) from the encrypted data z (100,000,000)? NO. Without knowing the password there is no way. The only possible way is what is called a brute force attack: trying to guess the password by trying out all possible combinations of keys. But with a strong password that method will take years (maybe decades for 256-bit encryption) even for supercomputers to crack. And then certain types of encryption, by their mathematical properties, are immune to even this attack (http://en.wikipedia.org/wiki/Brute_force_attack ). Not surprisingly, security agencies (not only our technologically challenged police, but also the FBI) have failed time and again to crack encrypted data. (Not convinced? Here are the examples: http://g1.globo.com/English/noticia/2010/06/not-even-fbi-can-de-crypt-files-daniel-dantas.html, and http://www.infoworld.com/d/security-central/red-brigades-pda-highlights-encryption-controversy-298?page=0,0 )
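The toy scheme above, written out as an added example (it is not code from the original post, and the function names are made up for illustration). It also lists every whole-number pair (x, y) that produces a given z, which is the kind of solving the last sentence says real algorithms are built to rule out.

```python
def integer_root(z, y):
    """Return the whole number x with x**y == z, or None if there is none."""
    lo, hi = 1, z
    while lo <= hi:
        mid = (lo + hi) // 2
        power = mid ** y          # exact integer arithmetic, no float rounding
        if power == z:
            return mid
        if power < z:
            lo = mid + 1
        else:
            hi = mid - 1
    return None


def toy_encrypt(x, y):
    """The post's toy cipher: data x raised to the password y."""
    return x ** y


def toy_decrypt(z, y):
    """Undo toy_encrypt by taking the y-th root of z."""
    x = integer_root(z, y)
    if x is None:
        raise ValueError("z is not a perfect power for this password")
    return x


def candidates(z):
    """Every (x, y) with x >= 2, y >= 1 and x**y == z."""
    found = []
    y = 1
    while 2 ** y <= z:            # beyond this even x = 2 overshoots z
        x = integer_root(z, y)
        if x is not None:
            found.append((x, y))
        y += 1
    return found


if __name__ == "__main__":
    z = toy_encrypt(10, 8)
    print(z, toy_decrypt(z, 8))
    print(candidates(z))
```

For z = 100,000,000 the toy leaves only four candidate pairs, so it illustrates the idea of a keyed operation and nothing more.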
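The layering described above (x to z with the user's password, z to q with the carrier's key), as an added example that is not part of the original post. The cipher is a small teaching construction built from Python's standard library, not BlackBerry's or TrueCrypt's scheme; all names, keys and messages are constructed.

```python
import hashlib
import hmac
import os


def _subkeys(key):
    # Separate keys for encryption and for the integrity tag.
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _xor_stream(enc_key, nonce, data):
    # SHA-256 in counter mode as a keystream (teaching construction only).
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += hashlib.sha256(enc_key + nonce + counter.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key, plaintext):
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    body = _xor_stream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified data")
    return _xor_stream(enc_key, nonce, body)


def key_from_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def layered_demo():
    salt = b"constructed-salt"                   # constructed sample values
    user_key = key_from_password("long user passphrase", salt)
    carrier_key = os.urandom(32)                 # the key shared with the agency
    x = b"original data"
    z = seal(user_key, x)                        # user's own encryption
    q = seal(carrier_key, z)                     # carrier's automatic encryption
    seen = unseal(carrier_key, q)                # outer layer removed
    try:
        unseal(key_from_password("wrong guess", salt), seen)
        guess_worked = True
    except ValueError:
        guess_worked = False
    return {"agency_gets_z": seen == z, "agency_gets_x": seen == x,
            "guess_worked": guess_worked, "recipient_gets_x": unseal(user_key, seen) == x}
```

Real software should use a vetted authenticated cipher such as AES-GCM rather than this hand-built one; the layering behaves the same way.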
So what’s all this hue and cry about? I think it’s simply a backdoor entry for governments to private communications of unsuspecting users. Those who don’t want their communications to be intercepted (terrorists/ criminals) will be encrypting their data before sending anyway. Only loser is innocent end user. If any techie can give more insight on it please comment.