cleartext passwords and transparency

I had originally thought of talking about the recent autonomous car project which killed a homeless lady in Tempe, but I guess that will have to wait for another day. I saw Lars Wirzenius’s blog post, which led me to change direction a bit.

So let me just jump in with Lars’s blog post, where he talks about cleartext passwords. While he has summarised and shared what a security problem they are, the pity is that we come to know of this only because the people in question tacitly admitted to bad practices. God only knows how many more such bad actors there are, developers storing user credentials in cleartext. There was even an April Fool’s joke in 2014 which explained why storing passwords in cleartext is bad.

This is one lesson which web developers are neither taught nor learn. Most web development courses in India may talk about web frameworks, CSS, front-end and back-end development, and may even talk about UX, but security is something which is supposed to be magically acquired while you do the above. Please note I said most, not all, but yes, a whole lot of awakening is needed in terms of safe web development practices; that is a tale for another day. Casual interactions with course publishers suggest that most students are looking for buzzwords, and that employers do not look for ‘security’ as a strong point either.

There have even been casual studies which suggest that only 0.01 of financial crimes are reported in India. I myself am guilty of this: when a bank misappropriates money or does something stupid, my only concern is to get the transaction rectified rather than worry about whether some small, medium or large-scale conspiracy is happening in the bank. But that malaise has too many factors to cover in this small blog post.

A few years back the EFF did a tremendous job of pursuing everyday users and vendors like Mozilla and Chromium and getting them to adopt HTTPS globally, but to my knowledge many Indian websites, including some of the biggest behemoths in India with whom we have day-to-day dealings, keep all their user passwords in cleartext. What may or may not be a shocker to many people is that many ATMs, at least in India, don’t work over HTTPS even today. Is it any wonder that skimmers are still able to cheat honest people and taxpayers?

The reasons for all of the above could range from sheer incompetence to laziness to not being regulated at all. I could share anecdotes from developers who, in casual conversation, have admitted that they do neither one-way hashing nor salting nor any other method of securing passwords, either because the financial companies they work for don’t demand it or don’t know about it, even though they should know better. But I don’t have INR 100 crore (INR 1 billion) to spare (that statement will become clear in a while), so I will refrain.
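To make concrete what “one-way hashing” and “salting” mean in the paragraph above, here is an added example in Python. It is not code from the original post or from any of the companies mentioned; the user table, usernames and passwords are constructed for illustration. The first function is the cleartext pattern being criticised; the rest is the hardened form, using PBKDF2-HMAC-SHA256 from the standard library with a per-user random salt and a constant-time comparison.

```python
import hashlib
import hmac
import os

# Constructed example of the bad practice: a user table that stores the
# password itself. Anyone who reads the table (DB dump, backup, log of the
# query, insider) has every password immediately.
CLEARTEXT_USERS = {"alice": "correct horse battery staple"}


def cleartext_login(db: dict, username: str, password: str) -> bool:
    """Vulnerable: compares the submitted password against a stored cleartext copy."""
    return db.get(username) == password


# Hardened form: store only a salted, iterated one-way hash.
ALGO = "pbkdf2_sha256"
PBKDF2_ITERATIONS = 600_000  # OWASP (2023) recommendation for PBKDF2-HMAC-SHA256
SALT_BYTES = 16              # 128-bit random salt, unique per stored password


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex.

    The salt is fresh per call, so two users with the same password get
    different records and a precomputed (rainbow) table is useless.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, password: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time.

    A malformed or empty record fails closed (returns False) instead of raising.
    """
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return False
    _, iters, salt_hex, digest_hex = parts
    try:
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True if the record uses fewer iterations than current policy (upgrade on next login)."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != ALGO or int(parts[1]) < iterations


def hardened_login(db: dict, username: str, password: str) -> bool:
    """Login against a table that holds only hashed records."""
    record = db.get(username)
    return record is not None and verify_password(record, password)


def build_hashed_table(cleartext_db: dict) -> dict:
    """Migrate a cleartext table into a hashed one (what should have been done from day one)."""
    return {user: hash_password(pw) for user, pw in cleartext_db.items()}


if __name__ == "__main__":
    hashed = build_hashed_table(CLEARTEXT_USERS)
    print("stored record:", hashed["alice"])          # no password visible in the record
    print("good login:", hardened_login(hashed, "alice", "correct horse battery staple"))
    print("bad login: ", hardened_login(hashed, "alice", "wrong"))
    print("needs rehash:", needs_rehash(hashed["alice"]))
```

The record format carries its own parameters, so the iteration count can be raised later and old records upgraded transparently at the user’s next successful login via `needs_rehash`. A dedicated password hash such as Argon2id or bcrypt (via a third-party package) is preferable to PBKDF2 where available; the structure of the check stays the same.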

I can, however, share an anecdote which resulted in a lawsuit that a media house won some time back. It isn’t so much about unsafe web practices as about companies’ lack of morals in pursuit of financial gain, and our (the commons’) own lack of understanding of such matters.

I had to search on my blog before sharing and turns out I didn’t share this anecdote before, surprise, surprise.

Since 2008 I have known of a media house called Moneylife, which is run by a beautiful, very intelligent woman called Sucheta Dalal and her husband Debasis. I believe Debasis is more into the admin side of things while Sucheta bears both the investigative and editorial responsibilities on her shoulders. While I have never met her whole team, to have the breadth and depth of news you often find on moneylife.in you do need a strong and competent team, which I guess she has.

Sucheta Dalal with the compensation cheque

Copyright – Moneylife.in

I have met her twice, and have been a fan of her work since she started reporting the frauds which were happening in SEBI in the Indian Express, from where she was subsequently fired as she had too many ethics. I have been blessed to meet her a couple of times but each time was dumbfounded, as you are when you meet someone whom you admire so much. I might have been flustered and said thank you for the work you do, but couldn’t ever muster the courage to say anything more than that to her face-to-face.

Anyway, fast forward to a couple of years back: Sucheta wrote a column in Moneylife that unauthorised algorithmic trading was happening on the National Stock Exchange and some traders were profiting from it. The tip apparently came from a whistle-blower (a Singapore-based trader and hedge fund owner), and Sucheta and her team confirmed it and then printed the story. Interestingly, SEBI, which regulates how finance intermediaries (brokers, stock analysts, stock exchanges and companies) share their expansion plans or any news, didn’t say anything and chose to keep mum, although this was happening right under their noses. Please keep in mind that this happened under the present government dispensation, whose mottos were ‘being the most transparent’ and ‘we will not eat and will not let corrupt people eat’, to paraphrase their election sloganeering.

Before starting with the story, it would also be interesting to say a bit about NSE. IIRC, BSE was for a long time a monopoly for share trading; there was the Kolkata Stock Exchange as well, but due to political winds in Kolkata and many other factors it couldn’t keep up with changes in technology and faded from the national scene over the years.

Due to BSE’s bullish ways, or its being the only action in town, quite a few private and public institutions came together and formed NSE. The Harshad Mehta stock manipulation scandal probably also accelerated the formation of the institution. The goals at formation were laudable, but as happens in institutions which value money over everything else, it can be corroded, as will be seen shortly.

NSE is in many ways a strange beast, having investors from public and private companies, and it supposedly comes under the finance ministry and SEBI (as most of its investors are government institutions, including the finance ministry). There were also talks of listing NSE as a public company, but I don’t know what happened about that.

What has never been made public is whether NSE filed the suit on its own behalf or was persuaded to do so, either by the finance ministry, SEBI or the traders who were doing the illegal trading; I guess this is something we will never know. The significance of this ‘why’ will become clear at the end of the blog post. AFAIK these algo traders control 40-50% of the daily trading, so they have a huge grip on the market.

I believe NSE filed the first case in the Bombay small causes court, which Moneylife won, and subsequently they even tried in the Bombay High Court.

Unfortunately for them, Sucheta and her team were no cub reporters; she had years of experience working first with the Times of India and then the Indian Express, hence she had hard documentary proof which she was able to show in court, to which, as far as I know, the prosecutor had no answers.

To cut a long story short, NSE had to withdraw their suit and even pay damages of INR 50 lakh (INR 5 million).

There are many things which I have not covered about the case, some of which can be understood from Shri Lokeshwarri SK’s excellent article, which was posted in the Hindu Business Line years ago. He has framed many questions which are still open even today.

The reason I shared this story is pretty simple: only a very small fraction of people invest in the share market, I would say 1-2% of the population. Almost all of these people are highly literate and somewhat financially literate as well. If they didn’t know such things were happening, then how can a common person on the road question or know whether his data is being kept safe or not? All the contracts and terms and conditions, especially those concerning population data or finance, or actually anything at all, can be placed under ‘National Security’.

The best part, the irony, is that algorithmic trading in India is now a legal activity and apparently was also legal in 2015 when the suit was filed. AFAIK, that change could only be made by SEBI. The whole affair has also been framed in an article on Indian Legal Live which raises a whole host of disquieting questions. There seems to be a lot of back-dating happening, but as mere spectators we can’t even talk about that.

Even the judgement focused narrowly on only some of the questions raised, as can be inferred from the article, but under the present dispensation judicial activism is on the wane.

While I can’t help with the above, I can share details of a Tor meetup which may help in some direct or indirect way.

I do hope to go there, to gain as well as to share whatever little I can.
