Wednesday, March 09, 2005

Computer Security: A Dangerous Illusion

Any power user will tell you that computer security is just an illusion. The only safety most people have is that there aren't nearly enough people out there with malevolent intent who have significant computer knowledge. Plus, most hackers are benevolent and the real cyber criminals aren't interested in small game anyway. That said, the little security that digital security techniques such as SSL and PGP key encryption offer goes a long way in ensuring that you don't make it easy for the casual hacker to snoop on your data.

I say all this because today I realised once again how naive people can be. You see, in India, most of the so-called "cable internet" is actually a euphemism for a local area network hooked up and administered by a cable operator. So, not surprisingly, there are no cable modems involved in a cable internet set up, just a lot of Ethernet cards. What the cable operators and the users don't realise however is that they are setting up a large broadcast network (Ethernet) on which everybody has access to each other's data packets. While it is true that most people won't see each other's packets because they get filtered by the operating system's TCP/IP stack, that won't stop a determined hacker from having a looksy.

That, in a nutshell, is exactly what I decided to do today. I was getting bored so I decided to find out exactly how bad the situation is. I have had Ethereal (a network protocol analyzer) set up on my Windows machine for a while now. All I had to do was to fire it up and set it up so that it would capture all packets going past my network card. I did that and stored all the frames (network packets) in a log file. I did this for an hour and then ran a simple search filter on the file to bring up all HTTP packets with the request method set to POST. Doing this got me access to six username/password combinations, all for different users.

I didn't verify any of the credentials because it wasn't my intent to impinge on anybody's privacy. But I'd willingly bet all my knowledge on the fact that each and every one of these credentials works. Because I limited my search to just the most obvious way of submitting credentials on web sites (the POST request method), it is also quite possible that this is just a small subset of all the credentials contained within the raw data that I gathered. The worst part is that this network isn't just used by individuals. I know of actual companies that use my cable operator to provide for their connectivity needs. Having seen the general level of awareness of system admins in this country, I'm pretty sure a lot of them have no idea that it is so easy for anyone to steal data that is potentially valuable to their company or its clients. On top of that, I am sure that 90% of these companies have never bothered/will bother to get a third party security audit done.

So what I'm saying is:

  • Use PGP or any other good free encryption tool to encrypt all important email.
  • If you use a web mail provider, make sure they have a secure (possibly SSL) login mode. Otherwise, close that account.
  • If you use an online banking provider, make sure their login is secure. This is the case 90% of the time, so I wouldn't worry about it too much.
  • Firewalls and Anti-virus scanners won't help in this situation because they only protect your computer and the data that resides on it from outsiders. They DO NOT protect your data in transit, only encryption can do that.

Right now, I don't see much evidence of the data I found being misused. But I am quite sure that it probably won't last for long. Imagine two companies on the same cable provider operated network sending out tenders to the same client. How hard would it be for someone with a little knowledge working in company A to grab company B's mail off the broadcast network? And this is just one of the potential scenarios. The problem becomes even more complex when we consider wireless (802.11 based) networks. My company just put up a wireless network in the office, and although I don't use it (still tied to a LAN cabled desktop) I am quite sure that it is very insecure. While someone would need to hook up their workstation to an Ethernet cable coming from the office to listen in on the packets earlier, now all it would take is an 802.11 wireless card. I'm pretty sure my network admin has never heard of the term war driving, but if he's not careful he's going to hear it pretty soon, and not in a good way. Same goes for you! Don't think 24-hour connectivity comes without a price.

This post was syndicated from the Blog of Arunjeet Singh who loves technology and can kill for his PlayStation 2 Gaming Console. He also happens to own an N-Gage QD and wants a Windows Powered Mobile Device. Reason being, he lives a .net powered life.

Indian ISP Market

I see many blogs on Broadband India and India Telecom Market. Before we can talk about the private players in the market, I would like to first define the golden word "Customer service". Sadly, most of the private players in the field think it is "Customer RACKING". I wonder what is the instrument of the private operators to give us such a bad service?

I can think of only the following reasons for giving such a service.

1. They want to make quick money. - (don't they know that such games will not last long before the game ends? All private companies hire top MBA graduates from the best institutes and I think any marketing book, business book, quality policies would explain and stress upon "CUSTOMER IS THE KING and KEY TO SUCCESS", if they satisfy five customers, they would in turn get another 35 people who would be potential buyers!)

2. CUSTOMERS IN INDIA HAVE VERY LITTLE SAY - For example, I had a problem with TATA Indicom billing, I spoke to every possible rut in the planet that were concerned with TATA that I could get to answer! They understand it is a problem but they don't want to work on it... instead they invited me to disconnect and I was so furious that I had to wait in a long queue to file a complaint because there were so many people who wanted to do the same (I had to wait close to 2 hours every time I wanted to speak to them) END RESULT - WHAT CAN I DO MAXIMUM but to throw the rubbish phone on them though I may have to forgo 6000 bucks.

I came out of the customer center with little to say or do. Whereas in the US, the customers have lots to say and do. They can get a refund immediately, they can even sue the company because they have a good consumer court! The scare keeps them at the top.

That is service!

I can talk about the pathetic customer service of SIFY, TATA INDICOM, AIRTEL, and BSNL and so on. I think most of us have experienced the same things but this is just falling on the deaf ears of private players!

If TDSAT, TRAI or any governing bodies want INDIA to be a super power, TELE DENSITY to increase... It is not going to be companies spending hefty amounts to market but it should be companies trying to retain customers. COMPANIES need to remember only when they retain customers with joy will they see more and more people signing up for the same. Customer’s experience will be a key and will reduce advertisement budget.

Let me again stress that once a customer has a bad experience you can rest assured that the customer is never going to sign up again in his lifetime.

This message is for the governing bodies "PLEASE GIVE THE CUSTOMER A FAIR TEETH TO FIGHT FOR THE SERVICE THAT WE PAY FOR"

What do I mean teeth?
1. Give us easy and customer friendly ways to file in consumer courts
2. Customer should not be asked to come 100 times to the court. Instead, they should be given the power to fight through a consortium, which could be a discussion board like this.
3. FINISH THE CASE FAST (max 15 days). If you do not have the people to do this, charge all customers a cess of 0.5% for this cause. I am sure everyone will be ready to part with this money!
4. Finally the defaulting company needs to pay a very hefty fine (I know what you are thinking! The private operator will pass the fine on to us...Mr. FM will have a way to track this...suggestion: cut the final profit amount in the balance sheet and see to it that the next year's profit is less than the current year. This will bring tremors that would only make INDIA a place to live with better service).

This is the only way that I can think of that will bring down unhappy customers.

This post was syndicated from the India Broadband Forum