Sunday, December 16, 2018

As I complete 27 years in Industry

This is an edit on top of the blog post that I wrote five years ago when I completed 25 years. The original post is here.
Today I complete 27 years in the workforce. I started working for Bharat Electronics exactly 27 years on today's date, i.e. 16-December-1991. It is an important personal landmark so I thought I would summarize the last 27 years of my life through this post.
Joining BEL
I completed my graduation in June-1991 and was asked to join BEL on 16th December 1991 in Bangalore unit. We had three months of training and we were called probationary engineers till our training was completed. Once we completed our training, we were designated Deputy Engineer and posted to our units which in my case was BEL Kotdwara in the foothills of Garhwal mountain ranges.
BEL Kotdwara
I, along with the group of other 5 engineers from the batch, joined BEL Kotdwara on 11th March 1992. I still remember it was one day before the festival of Holi. BEL Kotdwara was fun, regular visits to Siddhabali, Lansdowne. We even drove our bikes to Dehradun, Mussoorie once. On 28th of September, 1994, I left BEL to join Motorola India Electronics Ltd. in Bangalore.
Motorola India Electronics Ltd., Bangalore
I joined MIEL on 3rd of October, 1994 in Bangalore at their office on St. Marks Road. The building was called "The Presidency". Since the building was full, after joining and training I was sent to work at a rented facility at Manipal Center at the junction of Dickenson Road and Cubbon Road. In a few months the new facility of Motorola, called The Senate, was ready at Ulsoor Road. We moved there and I worked out of that facility for next almost 10 years. Eventually, Motorola built another facility in C. V. Raman Nagar in Bagmane Tech Park. We moved to that facility on 27th February 2004. I worked out of that facility till 2010.
Leaving Motorola
In June 2010, Motorola decided to close the group (Enterprise Applications Research Labs, Applied Research Center, Bangalore) in which I was working and I was one of the causalities of that decision. Anyway, it was time to leave the place.
Entrepreneurship
In July 2010, I joined the startup with a few of my friends, to build a product in the telecommunication infrastructure space. We built a prototype, demonstrated to few tier-1 operators across the world and then we were acquired by Movik Networks in October 2010.
Movik Networks
I joined Movik Networks as part of that acquisition, did some interesting work for the next few months and finally left them on 31st March 2011.
In April 2011,   I joined Hewlett-Packard in Bangalore.
Hewlett Packard
I worked at HP in the storage group. We built a scale-out file system for large storage systems. The work in place was reasonably good but the politics of the place just got to me. I left in October 2014 after little more than three years in the place.
Oracle
I joined Oracle's cloud group and worked on Application PaaS. I found the company very suffocating for technical people. Even architecture documents were approved by managers there. So finally left the place after little more than one year.
Hubble Connected India Private Limited
Joined the company because they were running a cloud service that required a refresh and needed to be rearchitected to run at a much higher scale.  We built a brand new service, scaled it from a little over 100,000 subscribers to close to one million subscribers. Finally had a disagreement with the management and left the place.
Tesco
Joined Tesco in January 2018.

To summarize, it has been an interesting ride for the last 27 years. What is the most disappointing is the level of technology ownership in most of the Industry? I had expected that we would see more technology and product ownership with Indian industry, which does not seem to be the case. Hope things would improve in the next few years.

When I started working 27 years ago, I was of the view that I will not work as an employee for more than 25 years. That is one milestone that I have unfortunately missed. I have not been able to transition from a salaried job to either freelance consulting or build a company of my own. That is probably the biggest regret that I have as I complete 27 years.

Monday, March 26, 2018

Fixing Aadhaar

It is an academic discussion whether any country or society needs something like Aadhaar or not. There are pros and cons of having a single identity system. I am not going into merits or demerits of a system like Aadhaar here. What I want to discuss here are the methods to secure a system like Aadhar.

How should we view the Aadhaar number? The closest equivalence that I can see here is a username to any website. Should the username be secure or not? Making username secure does make it harder for somebody to hack into the account. This is one of the reasons why in case of a failed authentication, we want the developers not to disclose what was wrong, was it username that was wrong? or the password that was wrong?

Another way to look at the Aadhaar number would be a credit card number. The credit card number, on its own, is not sufficient to do any transaction but it is a big piece of the credit card transaction puzzle.

As we have observed in past weeks, there is a case to be made that Aadhaar data center is probably secure but for it to be useful, it has to be connected to the internet. It is this part of the puzzle that completely breaks the Aadhaar architecture.

Aadhaar expects its third-party partners to capture the Aadhaar number and OTP and send it over to UIDAI server for identity verification. This leaves them completely open to misuse by third-party partners. Given that UIDAI has not really shown great foresight in security audit of their partners and has no way to make sure that the partner systems are secure, they really can't depend on their partners (government and private) to secure the system. Any system is as secure as the weakest link in the network. So if a state government has a spreadsheet with Aadhaar details in an open directory all the security of UIDAI data center is just useless. Any malicious user is not going to try to breach the strongest parts of any system, they will go after weakest parts of the system.

I don't really know the details of Aadhaar architecture, but my guess is that at top level following things are happening.

The problem lies in the fact that Aadhaar number is captured by the third party and UIDAI depends on them to handle it properly. To get control over this problem, the best way is to move the capturing of Aadhaar number to the UIDAI server. This problem has been solved in FinTec domain by companies like Visa and Master. The secure information is only captured by UIDAI server and the third-party is just informed of success or failure.

This small modification will at least take the burden of securing Aadhaar system from the hands of third-party. They are only concerned with one information whether the person's identity is verified or not. The persistent verification id can solve that problem.
This does not mean that this makes the system completely secure. A large system like Aadhaar should have their complete source code in public domain so that security researchers can review it and notify changes. Source codes don't implement security, security is implemented by certificates and encryption keys.

Wednesday, March 21, 2018

Why it is the time to leave Facebook

I am not one of those naysayers who believe in completely getting out of Social Media. Social media is a double-edged sword, you are letting go of some of your privacy in return for connectivity that you might not achieve otherwise. When I sign up with a Social Media Platform, I expect them to safeguard my data with some seriousness. It is because of that specific concern, I have decided to single out Facebook here. Facebook seems to have following two specific issues.

  1. As a technology platform, it just seems to be badly designed. Something as fundamental as "friends permission" should not be part of any platform which wants to be a serious player in a business that is primarily about access to ones' personal data. For the uninitiated, friends permission was the feature in the Facebook API where Facebook will share your data with a third party even if you have not explicitly given permission to share this data. If any of your friends have given the permission to share data, your data could also be shared. 
  2. As a company, it is clear that Facebook has very little interest in being on the side of its users. If anytime they need to make a call where they have to forego some revenue to safeguard the privacy of a user, they will lean on the side of revenue.
What is Cambridge Analytics issue


Facebook's friends permission concept was allowing data of people to go to third parties who had not authorized third-party themselves and was relying on terms of service and settings that people didn’t read or understand to safeguard themselves against any legal action. Global Science Research was run by Cambridge University psychologist Aleksandr Kogan who built an app for a personality test for Facebook Users. The app automatically downloaded data from friends of people who took the quiz for academic purposes. 
The app had only about a quarter of a million users who took a paid quiz but they were able to download the data for close to 50 million Facebook users by using friends permission feature of the API.
Facebook takes a 30% cut from the revenue of any app in return for allowing access to friends permission.

The I have done nothing wrong argument or I have nothing to hide
This is an argument that I hear from my friends often, why worry if you have done nothing wrong. It automatically means that if you are worried about online privacy, you must have done something wrong. 
Daniel J. Solove stated in an article for The Chronicle of Higher Education that he opposes the argument; he stated that a government can leak information about a person and cause damage to that person, or use information about a person to deny access to services even if a person did not actually engage in wrongdoing, and that a government can cause damage to one's personal life through making errors.
Schneier also argued "Too many wrongly characterize the debate as 'security versus privacy.' The real choice is liberty versus control.
Closer to home, Supreme Court of India recently said:
 Explaining why it is necessary to enshrine right to privacy as a fundamental right as opposed to a statutory right, Justice Rohinton Fali Nariman said, "Statutory law can be made and also unmade by a simple Parliamentary majority. In short, the ruling party can, at will, do away with any or all of the protections contained in the statutes mentioned hereinabove. Fundamental rights, on the other hand, are contained in the Constitution so that there would be rights that the citizens of this country may enjoy despite the governments that they may elect... The recognition of such right in the fundamental rights chapter of the Constitution is only a recognition that such right exists notwithstanding the shifting sands of majority governments." 
If we agree that privacy is a right, then the burden of proving its utility doesn't lie on me but on the person or entity that wants to infringe on it and frankly, Facebook has not made a very good case.

All these philosophical arguments aside,  in this busy life, one has to look at return on investment on time spend on any activity. When it comes to Facebook, there are absolutely zero returns on time spent on it. It looks more and more likely that my life will be better without Facebook in it.

Wednesday, January 10, 2018

My problems with Aadhar and how to fix them

When I first heard of Aadhar, I was excited. It sounded like a good technical solution to the problem of many people without identification in this country. Back in 2009 when it started enumerating individuals, it felt like a great thing. It was supposed to be the following.
  1. Many people in this country are not able to get an identification and it provided a mechanism for them to get an identification. If you did not have any address proof or such thing, you could still get an Aadhar.
  2. It was supposed to be a system which will make sure an individual could not get two Aadhar number and thus would uniquely verify the identity of an individual.
  3. Biometrics was only supposed to be used for de-duplication.
Fast forward to 2017-18, we learned few things about Aadhar.
  1. There was very few instance where people could get an Aadhar number without any supporting proof. So the promise that people without any other identity could get Aadhar was either not needed or could not materialize.
  2. Because of very heavy reliance on fingerprints, many people who have a valid Aadhar number can't be authenticated anymore. These individuals fall into all categories, manual labors, top executives of companies, retired individuals. Once biometrics stops working, there is no recourse for these people.
I was all right with Aadhar, but very soon the worst of my fears came true. The system that was supposed to provide identity to individuals who did not have it because a system to track individuals. I have friends and family who work in government and private institutions who were supposed to handle Aadhar and knowing them I knew very soon it will turn into a large-scale data harvesting system.
Aadhar was supposed to be nothing more than an identity service. The problem with Aadhar are many but in my eyes, the biggest problems are as below.
  1. Because of its hard linkage to Biometrics, it is not like a password that can be changed. If there is a compromise, the only thing one can do is to die.
  2. Every entity that needs to use Aadhar has to have your Aadhar number. It is like that cousin that keeps on asking your Play Store or App Store password whenever (s)he wants to download that next big game. Just think of an OAuth system where the OAuth client needs to have access to your password to authenticate you.
  3. The system itself was extremely poorly designed and the partners on which it depended really were not making any money so they decided to monetize in multiple different ways by asking bribes during enumeration and selling whichever data they could get hold of. 
  4. Anybody who gets access to Aadhar database has just too much information about an individual, his name, email address, physical address, mobile number, his PAN number, all his bank accounts, his vehicles, his driving license. This is almost like putting all your assets in a room and putting a signage on top that says "Come and steal it".
As things stand today, I seriously believe that some political grouping should just run on the promise of abolishing aadhar, but I think that is wishful thinking on my part so I am trying to just think of a way that would reduce the risk.
  1. The complete software of Aadhar needs to be open sourced. (I think that is also true for EVM firmware). 
  2. Aadhar needs to be taken back to what it was envisaged to be. The "Targeted Delivery of Financial and other Subsidies, benefits and services Act" needs to be repealed and a new Law created for "Resident Identity Privacy Control Act". 
  3. The need to share the Aadhar number needs to be done away with. Whichever entity needs to authenticate my identity can send me a signed URL to UIDAI portal that I will click on and enter my aadhar credentials. This should return a signed response that the service provider can hold on to as a proof of authorization. Nobody needs to know my aadhar number.
  4. Complete Aadhar data needs to encrypted both in flight and at rest.
  5. It should be made completely voluntary. Anybody who is willing to prove his identity the good old fashioned way should be allowed to do so.
Not that anybody cares, but I thought I would just get this off my chest.