162 comments

[ 2.6 ms ] story [ 207 ms ] thread
Govt should recover $1 Billion from Nilekani
Absolutely. That man should be behind bars for designing this atrocious system.
The current government possesses a type of thinking that considers reporting an embarrassing problem a bigger crime than those responsible for that problem.
I wonder if there is a way to detect/assess fraudulent entries or will this require massive re-enrolement. Total shitstorm, WTF!!!!
He definitely has a very arrogant tone about aadhaar as well as his another body shop company.

This massive massive data leak could cost Indian citizens very dearly. Everything is being forced to link with aadhaar.

If some digital lord in future decides to colonize people in few secs, I believe Indian shores and as well as people sitting in capital might provide a very lucrative proposition!

I just hope it isn't Jio! Jio phone itself has very intrusive OS!

> In 2017, the UIDAI said it had blacklisted 49,000 enrolment centres for various violations, and in February 2018, the UIDAI terminated all contracts with common service centres as well.

Seems like they are well aware of this hack.

Skimming through the article, it seems the attacker can register himself in the system but not read data from the system. Also, there's no mention of 1.2B records being compromised.

Actually, the records are already public, remember the fiasco where Telecom Regulatory Authority of India’s Chairman RS Sharma had posted his Aadhar number online. The whole point of the Aadhar Challenge was to demonstrate leaked database/Aadhar number is not an issue. Apart from the curated datasets that can be bought even on Facebook groups, it is actually very easy to mine large datasets from Google itself.
Any references on this topic?
I don't want to post any direct link to anything but you are google 'Aadhaar data leak through Google search' to vast amounts of links/references. Kinda Meta right, I know. If you want to know more about the incident you can google 'aadhaar challenge'.
¯\_(ツ)_/¯ I wish I could express some kind of outrage, really, I do. This should be awful and undermines what I believe a sincere attempt to make India a better place. But really, what could they or anyone possibly expect?
If I get it:

India has a biometric database with 1B people on it!

... wow ... just wow ...

And adding new people to it is now compromised by a publically available hack, although getting 1B biometrics on board must have had an error rate that would be scary anyway.

The UUID created is needed almost everywhere, like driving license numbers elsewhere.

How much of the scare is "People can be added once but under incorrect names" perhaps wiping out criminal pasts? or "people can be added more than once"

The second is surely a search problem?

Good luck to the government changing everyone's biometrics now. This is why biometrics should never be used for something like this, especially when it requires a centralized entity to store all the biometric data, making it a very appealing target to all the malicious hackers in the world.

At least Apple, etc, keep the a hash of the biometric data in a secure enclave on each device. Storing biometric data in a centralized database is beyond reckless, no matter who does it.

They don't use UUID do they? Just a 12-digit UID.
Maybe I'm in the wrong here, but I imagine most civilised countries have a database with biometrics of all of its citizens, at least fingerprints.
Not a lot: https://en.wikipedia.org/wiki/Countries_applying_biometrics

There are restrictions on how vast this database is allowed to be and what all it can be linked to, in most cases.

I live in Spain and they take your fingerprint when they make your ID card. I'm pretty sure that goes into a database, so they have the fingerprints of all citizens.
Same in Sweden, but in the UK there’s no national database of citizens, and therefore no fingerprints associated.
Biometric collection is always for specific purpose. General purpose, compulsory biometric ids exist only in Malaysia IIRC.
> Biometric collection is always for specific purpose.

But if you add up all the specific purposes, most/all people are included.

In the Anglosphere we've traditionally been quite wary of national ID databases for our own citizens, for better or worse.

Most governments of foreign countries I have visited (US, many parts of Asia) have my fingerprints. The Australian government doesn't (to my knowledge, anyway).

Any Australian with a driver's license or passport most definitely has their facial biometrics stored. Any visitor to the country also is subject to it.

This has been in existence for over a decade and I'm astonished people aren't aware of that.

Right, I do know that (The Capability(tm)!) and for some reason I just mentally exclude facial recognition from the term "biometrics". OP specifically said "at least fingerprints" - it's good to have a reminder that facial biometrics still count as biometrics too, and they're lower on the hierarchy than fingerprints.
From my experience going from clean shaven to a small beard can throw the whole system off and requires manual intervention rather than going through the automatic gates. Fingerprints surely would be more accurate.

Have no idea whether foreigners have to give fingerprint scans at Australian customs, it's common practice throughout Asia.

There is a court case pending judgement in the Supreme Court on the "needed almost everywhere" part. The judgement is expected soon. https://www.bloombergquint.com/aadhaar/2018/03/21/the-key-ar...

The ability to add people is problematic - once you have unverified additions, you can't trust whether even real biometrics were used for it, so it wouldn't even necessarily show up as a duplicate.

Search: Biometrics matching has a lot of failures (5% of 1billion is still a huge number).

without any hack, one person can be enrolled multiple times if it is done from different zones (mandal/district). There are brokers who can arrange this (and ofcourse charge upto 5k INR)

I guess the search is only limited to these zones.

Undeniably bad, but I'm fighting off a slight sense of schadenfreude here, due to their prior claims[1].

[1] https://www.troyhunt.com/is-indias-aadhaar-system-really-hac...

Yes it looks like their security was really amateur hour stuff too, with a lot of the authentication done on the client side. This makes their claims that it was "hack-proof" look particularly embarrassing.
Is this complete incompetence? Why wouldn't they generate these numbers on some centralized secured servers only for the verified individuals? Why give away the software that generates them at all? That's like giving away your signing servers.
That is answered in the article

> B. Regunath, a software architect who led the team at Mindtree that worked on the project, said a web-based enrolment software for Aadhaar was not practical at the time because many parts of the country had very poor Internet connectivity.

Of course, anyone who put id generating software on these laptops with the expectation that it would somehow remain secret was being extremely foolish. The system should have been designed taking that into account.

Even then, they could have batched the requests for IDs on the laptop, and then submitted them daily/weekly by driving the laptop to wherever the internet is.

And of course, each such laptop must have a unique hardware key that would sign these requests, so copying the software wouldn't compromise anything.

In a country of the scale of India, if your security relies on no laptop being compromised, you have no security. One is bound to be lost or stolen (or its user to accept bribes).
You didn't read my comment well. The security in my scenario doesn't rely on the laptop not being stolen. There's a hardware key. If it gets stolen, it gets blacklisted.
It will not work in India. The whole problem is that the govt pissed off the operators and incentivized them to create fake aadhar. He whole investment to setup aadhar enrollment centre was marketed as a good business which will make people decent sum of money. But that was a very optimistic approximate. Reality turned out to be far more different. Almost all operators went into a loss. To recuperate the losses, they started creating fake aadhar. Money earned for genuine aadhar is Rs. 20, vs Rs. 500+ for a fake aadhar. It was stupid for operators to not exploit the opportunity.

In this scenario a hardware key is not going to help. It'll only limit the ubiquity of the hack, but not much else.

You are assuming this is unintentional. Giving bureaucrats and criminals working with them power through incompetence of the central government ... forgive me for doubting that this was a design feature. It redivides the power between individuals and the state, including criminals working with (small parts of) the state. I believe anyone who can get a majority of 1.3 billion people to vote for him did not miss this.

I mean what's with the "Caesar can do no wrong" attitude on this site ?

States are evil. The best possible case is that they might be, at times, the lesser evil.

>States are evil. The best possible case is that they might be, at times, the lesser evil.

Calm down there American.

I am European. Just because it's a less popular opinion, it's not any less true.

I don't even understand the logic itself. States are supposedly not evil, and we need them because ... well because people are more evil. That's the idea.

But states are people. Isn't that by itself a massive contradiction ?

The difference between, say, the Netherlands and Monsanto is the method of incorporation, and the legal authority it therefore has. Not the resulting decisions. That's, of course why the Netherlands got rich by having it's military protect and pay raping pirates, in trade for their loot, including of course, if they had to sell the passengers to prostitution houses and mines, and still does things like extracting money from it's poorest citizens through mental health "care".

Monsanto merely mass-poisons people.

But the big difference is:

1) the dutch state has never apologized

2) has never paid any restitution to anyone

3) never will

You picked one of the countries with the most evil government (historically, I make no claim either way about the current situation) as an example. Of course it's going to look bad in that case.
Okay. Name one that's decent. A single one. And let's look up what they've done ... I mean perhaps the really tiny ones are better, but that's really more for lack of options, not lack of will to commit atrocities.

Recently there was -yet another- mental health (for children no less) scandal in the Netherlands. Yes, the government that supposedly fairly hosts the international court can't even respect basic human rights in it's own country. Which brings the question if either of these things is really their goal (where for instance mental health "care" is often accused to be about locking people out of sight, at any cost (to those mental patients), and the international court is about international politics, not justice (for instance the Jugoslavia tribunal only ever convicted people from one side of the conflict)).

The numbers are not generated on the client side. An enrollment packet is, containing biometrics and demographics, for which a number will be generated using biometric deduplication server-side.

The catch: only residents (not citizens) of India are authorised to have a number. Because one person technically cannot have more than one Aadhaar number (reality: ha!), the theory is that a government subsidy database needs one unique Aadhaar number per beneficiary.

This theory breaks down when you enroll an individual who does not need an Aadhaar number because they are not a resident. That number can be misused by another resident to get a second entry into the database, and it's a perfectly legitimate number linked to an Indian phone number that can receive an OTP and behave indistinguishably from a resident.

Fake enrolments are the equivalent of a hack of the US SSN system that would allow anyone anywhere in the world to make an SSN for themselves. What could they possibly do with that?

Apparently the breach is now being proxied by the fired private operators through government offices. Can this cashless money flow be traced? Even burner mobile phone numbers are linked to the same compromised national identity database.

Who could benefit indirectly from the breach? Could the Indian government turn to Facebook and WhatsApp for help with identity profiling? Is Facebook Indian data held in Indian data centers?

This story will find its way into future documentaries on the history of "Papers Please".

> in February 2018, the UIDAI terminated all contracts with common service centres as well .. Henceforth, only banks and government institutions like the postal service can enrol Aadhaar users. As a consequence, tens of thousands of young men, with rudimentary education but great familiarity with the Aadhaar system, were put out of work.

> In interviews, out-of-work operators claim they can still use the hacked enrolment software to generate enrolment ids (the first step in the Aadhaar registration process) and have tied up with sources working in authorised centres who complete the registration process for a fee.

> ... creates a whole new set of problems and could defeat many of Aadhaar's purported aims, such as reducing corruption, tracking black money, eliminating fraud and identity theft. It also means that the Aadhaar database is vulnerable to the same problems of ghost entries as any other government database

> the Indian government has sought to make Aadhaar numbers the gold standard for citizen identification, and mandatory for everything from using a mobile phone to accessing a bank account.

> Sourcing the patch is as easy as gaining access to one of thousands of WhatsApp groups where the patch, and the usernames and passwords required to login to the UIDAI's enrolment gateway, are sold for as little as Rs 2,500. Payments are made through mobile wallets linked to phone numbers that quickly go dead after the transactions are complete.

>>> Who could benefit indirectly from the breach?

This and who will buy those data ?

Everybody scream about the hack but I've never found a comprehensive study over how these personal data are sold, abused. Maybe to break gazillions of FaceBook/github/you-name-it accounts ? Then what, who will use those data ? Thieves ? Criminals ? If it's just that well, that's a minor inconvenience.

If it's secret services of adversary powers, well, that's a whole lot different.

Anybody has facts on that ?

I don't have facts/pointers but just an educated guess.

The most probable beneficiaries are food/gas etc., distributors. Pre Adhaar days they used to create fake ration/gas cards and sell food at un-subsidised prices in black market.

A prime (purported) driver for Adhaar to stop creation of these ghost people. Now that ghost Adhaar accounts can be created (per the report) these distributors will get back to their old ways of making money.

India has lot of poor people so the threat vector isn't yet FB/github :-).

> Then what, who will use those data ? Thieves ? Criminals ? If it's just that well, that's a minor inconvenience.

It's only a minor inconvenience if you can sit in a comfortable place and pontificate on Hacker News about these things. Seems like you're not even aware that people have already lost their pension money or bank account balances or didn't get food that they were entitled to and died in the process — everything related to the coercion in the Aadhaar system and how it can be misused by others for fraudulent purposes.

Perhaps your privilege in life is standing in the way of understanding how bad things are with the Aadhaar system. Please search for #AadhaarFail on Twitter, look for articles on scroll.in and thewire.in (two sites that some people do hate) and rethinkaadhaar.in.

Now I'm reading my comment again, I see how I offensed some people here. My idea was more like "globally thinking", like in "geopolitics", in that case, even a few deaths is not much (it's like people who allocate money for cancer research : they have to make sure the population is globally better; it doesn't mean every one should get out alive). And my wording was rather poor. Sorry it was absolutely not the idea I wanted to convey. Mea culpa.
Unfortunately our government doesn't accept the truth. If someone tries to educate people about the vulnerability, they are labelled anti-national.
Ironic, considering the fact that protecting the privacy of citizens is in a nation's interest.
I need you to show your work on that one, guy.
It is hard to believe by relying on just one source. I just checked other news sources in India, and no one has any news about any recent Aadhaar breach.
Do You think Times group, India Today and others will report this? They don't have backbone to do that. Maybe You should read the article first, before commenting.
Kindly understand this article seems to come out of investigative journalism where the author seemed to have gotten hold of the patch presumably by paying 2500 and then did in-person research to create the article. Once published, other newsrooms usually do their own pieces if they find it relevant. Since this article has just been published (only 2 hours ago at the time of writing this comment), I wouldn't refute the article just on the basis of this criteria. I would usually wait for 1-2 days before using the above criterion to evaluate the article.
You've actually reworded what I have already said. Since there is no official statement from UIDAI or multiple private news sources reporting the same incidence; this article/blog is not worth believing yet.
On the contrary. This was _investigated_ by a reporter(s) from the mentioned source and published. Other news publications need to verify it independently before publishing it themselves.

And on the "official statements" part, it's kind of naive to expect that they (UIDAI) would put out any statement given that in the past they have

- Not acknowledged security issues or made any efforts to do their own investigation in spite of the numerous reports

- Turned hostile towards entities who have exposed or reported weaknesses instead of rewarding them and plugging the loopholes

(comment deleted)
Did you read the article? It's not about a "Aadhar breach" in the sense of data being stolen. The news is about a software hack that has been doing the rounds among operators that allows them to compromise the aadhar database by introducing duplicate or weaker biometric information.

"The patch lets a user bypass critical security features such as biometric authentication of enrolment operators to generate unauthorised Aadhaar numbers.

The patch disables the enrolment software's in-built GPS security feature (used to identify the physical location of every enrolment centre), which means anyone anywhere in the world — say, Beijing, Karachi or Kabul — can use the software to enrol users.

The patch reduces the sensitivity of the enrolment software's iris-recognition system, making it easier to spoof the software with a photograph of a registered operator, rather than requiring the operator to be present in person."

Time and Time again Aadhar's privacy data have been compromised and Yet, Officials have strongly denied all those claims - only possible because still people believe all the false claims by those officials and government in terms of Aadhar. Even to the level that a guy once wrote a scraper (opensourced on github) that can fetch Aadhar info online.

It's no doubt that Aadhar was a blatant copy of bringing an SSN-type ID in India but failed terribly as the Government was more interested using Aadhar to show their domination rather than put it for actual purpose. Eg: Govt made Aadhar mandatory for Tax filing, India's Top Supreme Court denied. The same thing happened in many instances.

This is a nice lesson, why simply coping a solution from the US can't be made to work in a developing nation because the system and officials are so fragile that they need to be first fixed than the solution itself!

Aadhar is nothing like SSN. I wish it was. SSN doesn’t require biometrics — Aadhar takes fingerprints and iris scans. School kids don’t need SSNs to sit for their school boards. You can sit for university exams without SSNs. You can shop at Amazon without giving them your SSN[1].

[1] https://news.ycombinator.com/item?id=15796242

In fact SSN use has become more restricted over time, thanks to various pieces of privacy legislation. Meanwhile in India they still don’t have any privacy legislation last I checked, so it’s open season on your data.

Aadhar is ambitious all right — an attempt to assign every every Indian resident a number and use that number as a unique key for almost everything (public or private). The surveillance opportunities this presents is breathtaking.

Of course the good folk at India Stack love this because it enables them to build better apps. Move fast and break things, indeed.

> Time and Time again Aadhar's privacy data have been compromised.

I hate the implementation of Aadhar as much as any person, and believe the architecture is terrible that a patch can allow authentication to be bypassed. And that there could be more vulnerabilities. However, at least in this instance, existing data has not been compromised.

Off topic: I simply can't find how to opt out of tracking on HuffPost. I get a GDPR popup and the opting out path leads endless cycles (with occasional captcha solving).
I just keep using browser extensions like uBlock and Ghostery (caveat: it seems they also have a "we sell your data" opt-out) and every GDPR pop-up I just click "OK", knowing the extensions will block them. (Honestly, more believing than knowing, so maybe I'm not the best person to talk to about protecting data...)
HuffPost works without javascript. Use Quick Javascript Switcher or similar extension and disable js for the whole site.
Well if we needed one more datapoint on why government shouldn’t get involved in computer security then here we have it. Politicians don’t get technology - they believe they can order any design they can imagine and that it’ll just work.

Secondly, I’ve worked with hundreds of Indian IT engineers. I’ve yet to meet one who didnt subscribe to the view that ‘the solution to all problems can be coded in software’ - maybe it’s just how they are educated at uni.

However, put them next to politicians and you get a real recipe for disaster.

So what next? Those who claimed they could make this system secure should pay a HEAVY price. There really isn’t a humane punishment strong enough - I’d go as far as firing them; stripping them of any retirement benefits and banning them from any paid position in the public sector.

I have to admire the courage of the people who have investigated and reported this, given that the entire leadership of UIDAI and its backers in the central government are intolerant of any criticism and have been known to file police complaints[1] against journalists, critics and whistleblowers. Even its visionary and leading cheerleader from the private sector preferred to imagine conspiracies rather than acknowledging its weaknesses [2].

[1]: https://thewire.in/tech/uidai-files-fir-tribune-reporter-aad...

[2]: https://timesofindia.indiatimes.com/india/theres-an-orchestr...

This can't be upvoted enough. The organization which outsources critical authentication to CIA-MI6 linked companies, and yet find the courage to indulge in the Orwellian-doublespeak of 'nationalism' is something that needs grave attention.
(comment deleted)
This is one of the main reasons that this report doesn’t touch upon read access of the database. Rachna Khaira, one of the reporters already has a police case against her for her previois reporting on Aadhar database compromise. Getting even one user record would have landed all three journalists behind bars. It is left for the reader to conclude, and validated by various experts, that whole database is hacked. If a $5 tool can give you write access to a database, it is obvious whole database can be accessed too.
I mean, you need a client to access it, and presumably having a patch for such means you have the client too...
aadhar card operators get paid 30ruppees an hour. i'm sure you can get access to a client pretty easily
It’s actually even better. There is no server side authentication on the application. And this keygen type of crack removes the client side authentication too. Full firehose access.
you link anything to `thewire.in`, I would call it propaganda. The other commenter on the thread asked a question about why can't the said journalist back up the claims about a $10 app.

Hate the govt all you want, but the Aadhar as you know is started by previous govt. It is if designed properly a good way to eradicate corruption for welfare schemes, so any ideas on how to do that are more appreciated than playing blame game on HN.

> you link anything to `thewire.in`, I would call it propaganda.

So you would colour everything by a certain journal with the same brush, without even looking into the reported claims? In the cited case, the content in the link (and the claim for which they were cited) is easily verified from multiple sources: [1], [2], and [3]. Even when The Daily Mail reports something outrageous and easily verified I verify it, and The Daily Mail is a tabloid.

> Hate the govt all you want, but the Aadhar as you know is started by previous govt.

This is neither here nor there. The "previous govt." was four years ago. In these four years, the current govt. — who used to claim to be staunchly against Aadhaar back then — have turned tail and zealously forced people into registering for Aadhaar and linking it with their phones, bank accounts, and even made it mandatory for kids to attend school. "But four years ago, someone else started it!" is a pointless argument when the current party has far more than enough time to fix it, or even just acknowledge the flaws.

> so any ideas on how to do that are more appreciated than playing blame game on HN.

Criticism is not a "blame game", unless the criticised turns it around and blames someone without accepting or refuting the criticism. Entertaining and listening to criticism IS a good way to improve one's product, not stuffing one's fingers into one's ears and claiming your product is the best ever and "unhackable" and filing police complaints against your critics to silence them.

----

1: https://www.livemint.com/Politics/hZGXG4q43ZeeTp2HH5QlaK/Aad...

2: https://www.tribuneindia.com/news/nation/uidai-responds-afte...

3: https://www.firstpost.com/india/uidai-files-fir-against-the-...

> you link anything to `thewire.in`, I would call it propaganda.

Care to provide any reasoning why you call it a propaganda ?

its kind of weird that they call the vulnerability itself "a patch"

I can be pedantic too and can see how there isn't really a distinction between an exploit and a patch as they both modify the software, but thats a weird colloquialism right?

It sounds to me like a game crack which are basically patches since they make the software concerned more user friendly.
Indian government site asking for aadhar data in Bihar:

http://210.212.23.57/online/OnlineApply/Notice.aspx

They just made aadhar mandatory for every school kid in Mumbai Maharashtra. Good luck to anyone who has to share share their childrens details on an insecure platform.

According to the article the database has not been compromised. It's a compromise of the client which can be used to add new Aadhar entries.
Yeah, that means a lot of false data has been added into the system given how widely this patched client has been circulated. I don't know what about this tells you that the database hasn't been compromised?
The first thing that came to my mind when I read the title was that all the biometrics and all were out. Which would have been much worse and which is not the case.
This is equally bad, maybe even more so given there is a good chance that a substantial number of aadhaar accounts are fake. There is, quite simply, no reasonable defense for this state of affairs.
A compromise in this case being that illegitimate entries are being added when they should not be able to. You don’t need write to consider this specific case broken.
Sorry, I meant to say "You don't need read to consider this specific case invalid." Didn't have my coffee yet!
The database has also been compromised in the read direction. In fact, one of the authors of this article, Rachna Khaira, got in hot water with the police earlier this year for reporting on that breach.

That's probably why this article doesn't mention it.

I don't know how many times this will have to be repeated. Aadhar, GST, all implemented by the worst possible companies in terms of talent. WTF is wrong here, there are plenty of talented people around. Or just crowdsource it or give it to the universities to build or something.
I want to say that maybe the really talented people / good companies have no interest in building a central database with such dystopian potential. But then again... fb, twitter, ...
Erm, Google, Microsoft, ... most of SV ?
like I said, I really want to say that. Sadly that wouldn't make it true...
Is there any success story about crowdsource in India?
I expected better discussion on HN (apart from sensationalist articles), the article does a poor job intentionally though.

Summary

1. Existing data is not compromised

2. Duplicate data can't be entered or overwritten

3. BUT, ghost accounts can be created easily.

Aadhar was introduced to fight ghost accounts who siphon off subsidies provided for poor. This hack/patch defeats that purpose.

I still think this is not a big problem as it looks on surface, if Enrollment software is hacked to accept iris data from photograph,

Can't the Aadhar DB (post enrollment) be scanned for all enrolled iris data with poor quality iris data and they be monitored and deleted ?

Another problem is still there, what if the operators enroll citizens from a different country as indians, essentially creating ghost accounts (from citizens of different country). i dont know how to stop such a situation.

Biometrics is never a good model for authentication, i dont know what these people were think when they designed it.

It _is_ a big problem, because apart from the ones you mentioned above, it is unclear how many more vulnerabilities are possible.
Isnt that true for every system?
When a system is shown to have fundamental security flaws — this one uses client-side validation to authenticate biometric operators — it is natural one's trust in the system's robustness would drop low.

Like when Intel's chips were shown to completely disregard security when speculatively executing instructions, it wasn't just a new vulnerability; it was a whole class of vulnerabilities that was now open

Aadhar is not a client side authentication, what is client side even mean in this context ?
Please read TFA: "The patch lets a user bypass critical security features such as biometric authentication of enrolment operators to generate unauthorised Aadhaar numbers."

The client here is the enrollment software, not "Aadhar" (whatever you meant by that). The Aadhar service should haven been authenticating enrollment operators on the server side, instead of relying on the enrollment software to verify identity (that too by via biometrics, which is NOT authentication).

Then why does the article claim that aadhar is hacked. why not just call it as aadhar enrollment hacked (which is more appropriate title).
While more specific titles are better for descriptive purposes, the title as it is is not wrong. The name "Aadhaar" does not unequivocally mean "The Aadhaar service backend".
Isnt that true for every thing around you? just because your bank is not hacked, does not mean it will not be in future.

this is an attitude a system designer should have, allways be on lookout of vulnerabilities.

if media starts writing articles on would be vulnerabilities, then it is just fear mongering.

>> Isnt that true for every thing around you? just because your bank is not hacked, does not mean it will not be in future.

But if my bank is widely reported to be hacked, my trust in it would degrade. And I would probably not trust it with any more of my money. A lot also rides on how the bank responds to this in public.

>> this is an attitude a system designer should have, allways be on lookout of vulnerabilities.

Agree, but that is besides the point here.

>>if media starts writing articles on would be vulnerabilities, then it is just fear mongering.

This is something which has occurred, it's not "would be".

> Can't the Aadhar DB (post enrollment) be scanned for all enrolled iris data with poor quality iris data and they be monitored and deleted ?

Not so easy. Every effort that's made to reduce fraud (false positives), might affect genuine beneficiaries who depend on the system for food, healthcare and education - by increasing exclusion (false negatives). A probabilistic auth platform with a really wide scope is a recipe for failure.

well, i am neither an expert in analyzing bio metric data, but i know that current government is hell bent on ploughing through our lives. i dont know what will be a better future.
> I expected better discussion on HN (apart from sensationalist articles)

There are three people across three different parts of the world who corroborate the report - CTO of a global technology group, a security based analyst and a professor of Computer Science. I wonder how this is "sensationalist".

> "Having looked at the patch code and the report presented by Anand, I feel pretty comfortable saying that the report is correct, and it could allow someone to circumvent security measures in the Aadhaar software, and create new entries. This is pretty feasible, and looks like something that would be possible to engineer," Wallach said.

> There are three people across three different parts of the world who corroborate the report - CTO of a global technology group, a security based analyst and a professor of Computer Science. I wonder how this is "sensationalist".

OP is not negating the problem. However, the title implies that the existing database has been breached, which is not true. Author could have given a better title which implies that ghost entries could be added and existing data has not been compromised.

The whole point of the system is to give a single confirmed Identity for citizens of India.

at this point the purpose of the exercise has been voided.

Saying that "the data has not been compromised" is a red herring, thats the case for when our biomterics are lost and our privacy breached which is a whole different issue with this database, one among many of its other problems.

At this point if the data is crud, whats the point of using this system?

Actually, having an Aadhar number does not imply that the person is a citizen - this is one of the statements present in the application form itself. So, it is possible for non-citizens to have an Aadhar number.
So Aadhar is meant for the whole world including our neighbouring citizens (and Intelligence agencies) of Pakistan and China ? Thank you for educating me, I didn't know that. Its truly wonderful and neighbourly that they get the convenience of self-registration without providing proof and customizing their bio-metrics during upload. Only Indian citizens should be held to a higher standard.
I am not questioning authenticity of report, that is UIDAI to do.

i am questioning choice of title. offlate, i am seeing too many articles about aadhar breach, and when i study in detail, its mostly related to social engineering/phishing attacks stealing OTP/enrolling unsuspecting customers etc.,

I am worried that when an actual breach happens, the people will probably dont care. (cry the wolf?)

> There are three people across three different parts of the world who corroborate the report - CTO of a global technology group, a security based analyst and a professor of Computer Science. I wonder how this is "sensationalist".

Put out the patch in public domain or at least provide some technical information on the vulnerability itself (by making the said report public).

Every time a story of this sort comes out it inevitably ends in a lot of hand waving and sensationalism: how a reporter got access to a secret WhatsApp group that sells a patch in exchange for 2500 rupees and it allows access to the UIDAI system.

What makes it worse is that we are supposed to just accept whatever this CTO and his two other researcher friends have to say without any way to validate it ourselves. I don't see this happening with any other vulnerability disclosure: be it Spectre, Meltdown or plethora of other exploits which have detailed explanation of the exploit itself. Considering that it affects a billion plus people and as claimed by the article that Aadhaar is "compromised" and "cannot be fixed without requiring a fundamental change in the system" there is no reason now to hold back on technical details.

"This is pretty feasible, and looks like something that would be possible to engineer"

On the one hand you say the patch which can be bought for 2500 rupees already does this and at the same time you use words like "possible to engineer" and "feel pretty comfortable". Since when have feelings and possibilities gotten more prominence than technical explanations?

I'm not saying that the system is foolproof. On the other hand I am waiting for that one article that goes into technical details of the exploit than just sensationalism.

There's a professor in there too who verified it. Putting the patch out is going to see reporters being jailed and the story being buried. Especially when with the patch we will see 4chan like flaming and the database being filled up with bogus entries from all around the world.
Professor means nothing. I know a lot of professors who have plagiarised to obtain PhDs. So I would never accept a professor's word to technical details.

> Putting the patch out is going to see reporters being jailed and the story being buried

That's a ridiculous assertion. Wasn't a reporter from Tribune already booked for spreading the same nonsense a while back? Why so? Because she was unable to provide any evidence for the said software that could gain access to UIDAI database.

If you are going to be worried about being arrested then don't get into journalism. Journalism is all about taking risks. By putting out the patch in public domain the reporters are actually going to get immunity from arrests as everyone will know the facts and any arrest by the government would be seen in a negative light. Right now, the reporters have a higher probability of being arrested for indulging in spreading false information, to their own detriment.

> Especially when with the patch we will see 4chan like flaming and the database being filled up with bogus entries from all around the world.

What better proof of breach than having the entire database filled with bogus entries? That should make it amply clear to everyone involved including the public that the system is not secure. What is surprising is that reporters use the garb of national security when it pleases them. You can't have it both ways. If you truly believe in national security and that the entire database is compromised and that there is no way to fix the problem without fundamental change to the system then release the patch. Withholding the patch is detrimental to national security as you are deliberately allowing nefarious activities to take place unchecked and unhindered.

Two points:-

1. Surprise, there's a separate $10 application which can access all the Aadhar database entries. Exposed by one of the journalists of this story, for which she got a police case filed against her. [a]

2. Aadhar has no way to verify double entries, one whistleblower to Supreme Court said the database has 40% bogus entries, i.e. 450 Million fake IDs. Yes, no verification backup documents, no signup forms exist for 40% entries in the database, and authority has no way to audit them. [b]

a. https://www.tribuneindia.com/news/nation/rs-500-10-minutes-a...

b. https://ia802809.us.archive.org/26/items/Aadhaar_Whistleblow...

Bonus: Aadhar database was at one time hosted in US with FTP password being Admin$12. This is the state of this sham project. https://imgur.com/a/2sppFrm

> 1. Surprise, there's a separate $10 application which can access all the Aadhar database entries. Exposed by one of the journalists of this story. [a]

Can the said journalist just release the application in public domain? If not, why not?

> 2. Aadhar has no way to verify double entries, one whistleblower to Supreme Court said the database has 40% bogus entries, i.e. 450 Million fake IDs. Yes, no verification backup documents, no signup forms exist for 40% entries in the database, and authority has no way to audit them. [b]

If authority has no way to audit them then how did the whistleblower arrive at this magical "40%" figure.

What's worse than the 40% figure is the way the entire letter is written. No way a professional would write a letter with all caps, typographical errors, paragraphs upon paragraphs of sensationalism with little to show for "proof". Even the table which shows the details of "AadhaarCount v/s Aadhaar Records" is not something available in public domain so it cannot be validated as authentic.

> Bonus: Aadhar database was at one time hosted in US with FTP password being Admin$12. This is the state of this sham project. https://imgur.com/a/2sppFrm

I have seen this crop up in every discussion but no where in the screenshot does it say that the data hosted in US was the "Aadhaar database". All this screenshot details is some files were hosted by the UIDAI team on a US based server to share among themselves. The files could be anything. In fact, the email itself says the files are flat files with names:

1. Bill_Desk

2. Total_EXP

How did you arrive at the fact that this is the Aadhaar database itself? I can easily assume that "Total_EXP" can mean total expenses and "Bill_Desk" to do something with bill desk. No where does it say "Aadhaar_DB" or something along those lines. This is laughable!

Also, this same screenshot exists in the so called "whistleblower's letter" to Supreme Court judges as well. There is no confirmation of any such correspondence by the Supreme Court judges about being in receipt of any such letter.

Sorry to say but the way the entire letter is written screams of fake news you typically forward through WhatsApp only to realise later that the entire story was fraudulent to begin with.

>Can the said journalist just release the application in public domain? If not, why not?

Pretty simple. Do you want everyone in the world to have access to the database? Now at least it is hidden through obscurity. This is exactly why in this report the said journalist got it verified by three external experts, one of them a professor.

>If authority has no way to audit them then how did the whistleblower arrive at this magical "40%" figure.

Authority has no way to audit the fake accounts, authority does know for which entries backup documentation exists or not. In fact, he attaches official documentation later on as an evidence.

Forget the grammar, typos it doesn't matter. Ignore the whole of his letter except the official correspondence that is attached and does in fact validate his/her point.

I meant to write Aadhar data. So you are totally over loooking the fact that some of the Aadhar related data was on US servers, and more importantly the password is being relayed over E-mail? Also, no secure way to host the government data, except HP servers?

Government has been so opaque regarding this project that we have to rely on journalists, researchers and whistleblowers to help us with any sliver of info.

Do you have a conflict on interest with this project? I see on your Twitter that you have retweeted some posts from Ministry overlooking this project. Not casting doubt, just needing a clarification due to the tone of your posts in this thread. Sounds very government'ish.

> Pretty simple. Do you want everyone in the world to have access to the database? Now at least it is hidden through obscurity. This is exactly why in this report the said journalist got it verified by three external experts, one of them a professor.

Don't you think this is pretty convenient an excuse? The report is also not in public domain nor is the exploit. We have to just rely on a journalist, a CTO, a professor and another person as "proof". Meltdown and Spectre are way more serious exploits as it affects pretty much the entire World and it was disclosed but this exploit is supposedly so much more heinous that it cannot be disclosed.

> Do you have a conflict on interest with this project? I see on your Twitter that you have retweeted some posts from Ministry overlooking this project. Not casting doubt, just needing a clarification due to the tone of your posts in this thread. Sounds very government'ish.

It always sounds government'ish to people who rely on conspiracy theories. I am an open supporter of the Government in many policies. As far as conflict of interest with this project I am no way connected to the UIDAI project. So don't try to find connections where there are none.

> I see on your Twitter that you have retweeted some posts from Ministry overlooking this project.

I haven't retweeted anything to do with Aadhaar. The retweets are GST related and another one to do with AI. It's ridiculous to assert that just because I support the government and I retweet some of the policy decisions I end up becoming a supporter of Aadhaar. Don't forget that Aadhaar was formulated and ratified by the previous government. Also, I dislike Nandan Nilekani for how he handled implementation of GST and Aadhaar itself. If at all there is something Aadhaar seriously lacks: it is proper communication with the people about how data is stored and stupid decisions by the UIDAI to link Aadhaar for anything and everything (including the recent one with requiring Aadhaar for sending posts overseas). I don't support such ridiculous decisions.

> Forget the grammar, typos it doesn't matter. Ignore the whole of his letter except the official correspondence that is attached and does in fact validate his/her point.

I am rational in my thinking and approach. When I see fake news I call it out. You relied on it not me.

> Authority has no way to audit the fake accounts, authority does know for which entries backup documentation exists or not. In fact, he attaches official documentation later on as an evidence.

Which official document? There is nothing in the letter that is "official document". Even the table that he mentions is not available in public domain to authenticate. I can create a table myself and call it "official document". Would that be sufficient evidence in the court of law?

Also, if such a letter was indeed written, why haven't any Supreme Court judge confirmed receipt of such a letter?

> I meant to write Aadhar data. So you are totally over loooking the fact that some of the Aadhar related data was on US servers, and more importantly the password is being relayed over E-mail? Also, no secure way to host the government data, except HP servers?

You are assuming a lot here. There is no indication that the data on the US servers was Aadhaar related.

> Government has been so opaque regarding this project that we have to rely on journalists, researchers and whistleblowers to help us with any sliver of info.

No it's the other way around. The journalists, researchers and whistleblowers are the ones who are being opaque with their findings. At the end of the day, if you find a loophole, it's your responsibility to make it known to the public if the Government refuses to acknowledge it. Media is the fourth arm of democracy for a reason. If you know that the Government is deliberately trying to hide details of exploits from the public, it automatically becomes your responsibility to disclose the...

>I am rational in my thinking and approach.

Your post on this topic, two notches down questioning a Rice University professor: "I know a lot of professors who have plagiarised to obtain PhDs. So I would never accept a professor's word to technical details."

I will safely ignore your frivolous replies. You are anything but rational.

I'm not talking specifically about this professor. I'm stating that in my experience of seeing various professors plagiarizing their qualifications I inherently don't trust their word. I instead trust technical details. That is rational.

Irrational is when you trust someone's word as the holy grail.

By the way, just so you know why I have this notion. The college I graduated from the Director was exposed for plagiarizing his PhD thesis which resulted in his transfer: http://nanopolitan.blogspot.com/2009/09/plagiarism-charges-a...

I have seen my fair share of such instances that warrants my apprehensions. Any rational person would ask for technical details not just me.

> I will safely ignore your frivolous replies

You can "safely" ignore my "frivolous" replies considering that you rely on conspiracy theories rather than actual facts. Like I said in the post below, I do not claim the system to be perfect but I would rather see someone come out with a technical rebuttal than sensationalise. If that part of what I said is lost on you then I can do nothing about it. There is no stronger an attack on the government than going technical which is what is lacking in all these articles. By sensationalising and spreading fake letters all you are doing is strengthen the government's position.

Has there been any allegation against Rice University professor? So you are willing to undermine every professor out there due to one encounter of yours, but you are willing to trust the government all too quickly. On top, you dole out 'fake news' moniker generously too. Pretty rational.

Also, the plagiarism example: Guy had already obtained his Ph.D from a UK university, and the said Ph.D. was not obtained on basis of that plagiarised paper. Pretty big allegations you have been levelling on basis of something that you are not even comprehending correctly.

> Has there been any allegation against Rice University professor? So you are willing to undermine every professor out there due to one encounter of yours, but you are willing to trust the government all too quickly

All I am stating is that I trust technical details not the person. It can be the CTO, CEO, Professor or any Tom, Dick or Harry including the Government of India. I don't care about anyone's "words" but the fine print. As far as Professors are concerned, it is my experience and hence also adds to my reasoning. You can't stop me from deducing based on my reasoning can you?

As far as Government goes, I don't say I "trust" the Government. I support the policy decisions of the Government because it aligns with my wishes too. If it wavers or does something contrary to my wishes I'll stop supporting it. It's as simple as that. There is no need to conflate this any further than what it actually is. If tomorrow, the Government is indeed found to be complicit in handling of Aadhaar biometrics you can safely assume that i'll actively stop supporting it.

> On top, you dole out 'fake news' moniker generously too

Okay let's forget the contents of the letter. Can you at least show me one piece of article or something that confirms that the Supreme Court judges are in receipt of this letter? It's not just written to the CJI but also to 10 other Judges of the Supreme Court including one who recently came out stating he is not in favour of the Government: Justice J Chelameswar. At least one of them can confirm receipt of this letter. Right?

As far as official documents are concerned, they always have a seal accompanying them with an official signature. Which document in that letter has this basic requirement? The only document that looks official is a screenshot of email communication between the UIDAI team. That email communication also has nothing incriminating.

> Also, the plagiarism example: Guy had already obtained his Ph.D from a UK university, and the said Ph.D. was not obtained on basis of that plagiarised paper. Pretty big allegations you have been levelling on basis of something that you are not even comprehending correctly.

No his Ph.D thesis was also found to be plagiarised. In fact, that was what resulted in his transfer (and I came to know just now that he was also removed from holding any Governmental positions. That is why he is now appointed as a Vice Chancellor of a private university). I just took a look at the article again and the links that lead to the newspaper article which mentioned that are unfortunately dead. If I find a copy of that i'll surely put up the link to it. It still doesn't take away from my fact that a professor, a Director of a premier institute no less, plagiarised papers. This coupled with many other instances I have experienced force me to not trust their words. A lot of prominent professors in Academia always publish their papers. No one says "take me for my word". If the "words" of professors were all that was necessary you wouldn't need publishing and peer reviews.

>> Do you have a conflict on interest with this project?

It's weird that you wrote a detailed point-by-point response to the parent post but dropped this one question.

Re-read my post again. I have clearly mentioned I don't have a conflict of interest. It's ridiculous that I even need to mention this explicitly once. And now have to reassert myself twice. I never knew having a contrary opinion automatically makes you an agent of the government. So much for "inclusiveness".

For your convenience I'll quote what I wrote in my previous comment: "It always sounds government'ish to people who rely on conspiracy theories. I am an open supporter of the Government in many policies. As far as conflict of interest with this project I am no way connected to the UIDAI project. So don't try to find connections where there are none."

Is this clear enough or you want some other proof?

Now I see why you might have had that doubt. My reply was flagged for no apparent reason.
As an Indian developer, I cringe every time the government claims a system is un-hackable. Especially when contracts are handed to one of the big Indian IT companies. Having started my career in one of those companies, I saw firsthand how most of the development process was just filling in gaps. Security through obscurity was thought to be “highly secure” and security experts were non existent.

No surprises that the database was compromised. Aadhar is a fundamentally flawed system and nothing will ever be done about it.

This happens in every country, not just India. And the database has not been compromised.
> And the database has not been compromised.

The database is not known to be compromised.

No amount of 'security' will help here. That's because every one including the people don't give a dime about 'security' in India.

In Aadhar enrollment centers, passwords are shared. You might like to introduce an OTP like concept, but phones are shared too. 2FA? nice try, but then people also share answers to security questions. Next what? DNA authentication? Biometrics? guess what none of those are any where near reliable and they are mostly identity related things and not authentication related things.

There is also government policy. Which is lapse. Mostly run by civil servants who understand nothing about technology. IAS is largely a trivia testing exam with focus on things like meeting and group discussion skills. The head of UIDAI recently claimed that data could not have been possible stolen as the data was still in their database :)

This is a phenomenal lapse at every level.

Software is one thing, but if your people have decided to work around it, its basically all over.

Apparently, the bill passed in the Indian Parliament does not limit the right of the state apparatus to 'bio-authenticate' you. A scientist at CSIR apparently blurted out earlier that DNA authentication was under consideration. The amount of money spent on this BS project is absurd.
+1.

We also need to consider the motivations for working around 2FA or any such authentication systems. One is convenience as you've pointed out.

The other, much bigger motivation IMO, is opportunity to make money. As the article points out once enrolment was outsourced (Rs30/enrolment) it was immediately seen a money making venture so a whole bunch of these centres with dubious credentials surfaced. They were entrusted with document verification too so they would happily accept just about any piece of paper as proof of address. Then there was a business of charging desperate people money to create Adhaar account without which they wouldn't get subsidies.

And then they shut down (50,000 or so) these enrolment centres. Did they expect that all those employed at those centres who lost their jobs to not do anything about it!? Of course they would figure out ways to enrol people!!

(comment deleted)
You mean security experts were found all around, but patted themselves on the back after preventing a single SQL injection attack.
A single SQL Injection has pretty huge potential, specially if its in an application that deals with sensitive data. I would not downplay it.
I completely agree. But it is the absolute basic level at which you start to secure your application.

I’d expect security experts working on a government ID program to be a bit more distinguished.

(comment deleted)
One of the reasons why India needs some kind of people authentication is rampant corruption! Corruption at a scale that most of people in Europe or US cant even imagine. Add to it the culture which celebrates corruption and eulogizes people who find loopholes in system. As soon as a policy or rule is implement, someone gets to work to find a loophole and profit. Schemes and subsidies for poor get siphoned by rich and powerful by creating fake people, less than 2% of citizen's pay taxes by just disappearing in records, billions of dollars of unnamed properties exist because owners are fake people on record, someone else appears for exam on a student.

While I still dislike citizen's database, I can also see why some kind of person authenticator is needed for country like India. I sat through UIDAI architects presentations, and from what I could tell that substantial thought was given to design. So while I maintain skepticism for such database, I also believe India needs some way authenticate various transactions (monetary or otherwise). SSN is a joke, at least Aadhaar was given substantial thought.

You seem to have sat through a presentation on Aadhaar. Have you sat through any presentations on corruption? On what basis are you making comparisons with other parts of the world?
someone gets to work to find a loophole and profit

Please - this is pretty much how it works everywhere, nothing unique to India.

Why do you think lawyers, accountants etc in the corporate world get paid so much? Do you remember the U.S president saying avoiding federal taxes makes him smart?

the culture which celebrates corruption

What are you basing this on? There is no question there is rampant corruption, but saying the culture celebrates it is taking it a bit far

> avoiding federal taxes makes him smart?

I avoid taxes. I contribute to my IRA, donate to charities and deduct my home office space. What I don’t do is evade taxes by not declaring income.

While this is true, the primary engine of corruption is the government and its agencies. Officials soliciting bribes to move paperwork forward, kickbacks to land projects etc.

An honest assault on corruption should target the government and parties rather than individual citizens. The work in that department seems to be going the other way though. e.g. https://www.thehindu.com/opinion/op-ed/the-danger-of-elector...

Giving something substantial thought does not necessarily guarantee that the thought was any good though.
If your solution for corruption at higher levels is to make a billion (or hundreds of million, since we now know that there are ghost entries in the Aadhaar database too) people suffer, not have access to food, die of starvation, not get their pensions, etc., then it's a useless solution that has no place anywhere in the world, more so in a democracy!
May I know why this comment is flagged?
[Note: I'm anti-Aadhaar, as documented in my profile. My comments below may sound harsh because of that. Also please note that Aadhaar is a resident number, and has nothing to do with citizenship.]

Fantastic work! One of the authors of this investigative piece, Rachna Khaira, was key in exposing a major issue with the "last mile" software and how cheaply (just Rs.500/about USD 7) and easily someone could get the Aadhaar and demographic details of almost any resident in the country who's enrolled in the system. [1] UIDAI's response for her investigation was to file an FIR (First Information Report/police complaint) against her in an attempt to put her behind bars. [2]

Activists have always argued that the lack of transparency and information could mean that there are many "ghosts" (or bogus enrollments) in the Aadhaar system (which claims that it cannot have "ghosts", ignoring technological as well as biometric limitations). Now there's no saying how many of the 1.1 billion entries in the Aadhaar system are bogus. As the article states, private agencies were used to handle the enrollment and capture of biometrics and recording of demographic information. All these agencies were paid on a per-enrollment basis. Guess what incentives they would have in a country with high levels of corruption at many levels? I'm certain that a bulk of the enrollments that have been issued Aadhaar numbers are bogus.

While activists may feel vindicated that more and more holes are being exposed in the Aadhaar system (while UIDAI continues to always remain in denial mode), it's sad that hundreds of millions of people have been left vulnerable by this poorly designed and poorly implemented system.

> B. Regunath, a software architect who led the team at Mindtree that worked on the project, said a web-based enrolment software for Aadhaar was not practical at the time because many parts of the country had very poor Internet connectivity.

> "People were cranking up generators just to light up power and do the enrolment. How can they do an online upload of those packets?" asked Regunath, who has since moved to a senior technical position at Flipkart.

What utter nonsense!!! I can't imagine someone calling themselves a software architect being so gullible and ignorant. The entire Aadhaar system is dependent on Internet access and connectivity. Post issuance, the authentication of anyone through biometrics needs real time Internet connectivity. There's no way around that (even where an OTP is generated, the initiation of the OTP sent over SMS by UIDAI has to happen by connecting to UIDAI's web based APIs). Even as recent as last year, people in some places were forced to climb trees because they couldn't get a good cellular signal and Internet connectivity. They were forced to do this because the central government pushed this system as a prerequisites for getting subsidized food (through what's called PDS or Public Distribution System). [3] UIDAI also had Windows XP as a recommended OS for these enrollment agencies. [4]

> In 2017, the UIDAI said it had blacklisted 49,000 enrolment centres for various violations.

The sheer hypocrisy and audacity of UIDAI here is that it has blacklisted all these agencies for violations without any legal action. From the time Aadhaar started in 2009/2010, this number averaged to about two agencies blacklisted every hour! But point out some security issue or a gap? You'll be facing a court case!

_____

This whole system has been patchworks of patchworks of patchworks, continuously in denial mode when experts ask questions on security, audit, privacy, etc. I would prefer that it be completely thrown out, like how UK did with its national ID program several years ago. India doesn't need such enemies from within that/who make it easier for hostile entities/groups to disrupt or decimate the country! UIDAI needs to be shutdown as well, since nobody in-charge of ...