In this blog we will explore the emerging disruptive technologies that are changing the world & the way we do business. For technology consultation you can contact me at ajay.barve@gmail.com. Please share your suggestions and feedback with me at projectincharge@yahoo.com, or write to me if you want to discuss any of the posts.
Thursday, January 11
Monday, January 8
What is wrong with Aadhar Software System? (Part-1)
I can't say I was shocked to hear about The Tribune (link) report on how their reporter purchased Aadhar data for 500 INR and for another 300 INR purchased software that could print an Aadhar Card (India's Social Security Number card), but I was surprised at the poor design and operating model of the system. I expected the system to be much smarter, more secure and more foolproof than it seems to be now. UIDAI has denied the data leak but The Tribune seems to have material evidence, and they have published a response to the UIDAI statement today (link).
This kind of data leak does not happen because of a single point of failure. There has to be an issue with the:
1) Solution architecture (architectural description of a specific solution)
2) Application architecture (describes the behavior of applications),
3) Security architecture (unified security design that addresses the necessities & potential risks),
4) Operation architecture (defines control of operational procedure & execution of operational tasks)
5) Finally the Software testing plan seems to have failed to detect the flaws in the software.
As long as there is valuable data, hackers will try to attack the system, but fortunately this was not a hack, or else hackers would have wiped the data and held the Indian government for ransom. Politicians who are enforcing Aadhar just don't seem to understand that badly designed software can play havoc and that a delayed software system is better than a faulty software system. I don't think we need any more proof to call for an immediate software audit conducted by 2 independent reputed agencies. If we are so sure that the system has no flaw, then a software audit will help regain the confidence of a billion Indians. Every big software system is audited periodically, so why not audit the Aadhar System, which is a critical system for the government as well as a billion Indians? I don't understand why the government has not initiated a software audit after multiple 'reported' incidents of data lapses over the last 2 years. If the audit highlights any issue then the Aadhar software architects are to be blamed and not the government. The other issue could be the change in vision: possibly the Aadhar system is being made to do what it was not designed to do. A software audit will only validate that you have a well designed, robust and secure software system and that its operations are being managed well by the team.
When there are multiple issues in a software system they can only be addressed by conducting a detailed software audit followed by fixing the issues identified in the audit. (Do read my earlier post, Why you should be concerned about #Aadhar being made mandatory for citizen of India?) Having worked as a firefighter solving complex issues on many complex software systems for Fortune 100 companies, I must say I have not encountered such a large software system that seems to have been put in production without due diligence. I have seen projects where leads & managers have been removed on the spot for much smaller issues than what was reported by The Tribune. Software systems are custom made to solve a particular business challenge, and if there is a failure in the basic operation of the software then it is because the project leadership was incompetent to handle the project right from the solution design stage to the development stage and on to the operations stage.
Here is a simple picture that will give you an idea of what all could have gone wrong with the Aadhar System. I am not privy to the Aadhar architecture, so the picture highlights the potential issues in the software based on what we know from reports on data leaks. I am concerned that a software system has become a prestige issue and UIDAI is defending against reports rather than publishing a whitepaper on the health of the Aadhar System so Indians don't worry about the most critical software that is going to affect every Indian. I want to find out: what is wrong with the Aadhar system? What needs to be fixed to avoid the known issues in future?
My understanding of Aadhar System

So what are the key takeaways from this data leak incident?

1) Critical software systems like Aadhar are used for verification of an Aadhar user's identity: when user input is passed to the system, the system responds with verification success or failure. The system should not allow users to download Aadhar numbers or details of Aadhar users. This is a grave software design flaw and there is no doubt about it, whatever UIDAI might claim.
2) The data access should have been restricted at the application service layer, the data service layer as well as the database level for additional security, and I think all 3 layers have design flaws.
3) The system should have different levels of user authorization that limit user access to certain services, and this authorization framework seems to be flawed or else missing from the system.
4) Creation of a new user is an activity that should be restricted to a limited set of super users, & if we go by the news report then it seems that a user who is not an administrator has the right to create new users without approval of any superior authority. This is poor design and a big security risk. A new user creation process is typically performed by the administrator, and for critical systems like Aadhar there should be an 'approval workflow for user creation' where clearance is taken from an 'access control board' or at least a super admin before creating new users. An ordinary system user who accesses the system for routine transactions should not be allowed to create new users at will. This flaw allows the system to be misused, as seems to have happened in this case.
5) Authorities have responded that system activities are monitored, so it is surprising that when users were being created at will without approval no one noticed it, when the system was being accessed by unknown new users no one noticed it, when user data was being downloaded no one noticed it, and even the network administrator did not notice unusual activity on the network when a billion records were being accessed/downloaded.
6) In an ideal system that has Business Activity Monitoring, rules are defined on what services need to be monitored, what alert should be sent by email or by SMS in case of some user accessing a set of services, and what action should be taken by the team who is responsible for monitoring the software. None of these things seem to be in place, or else UIDAI would have nabbed the culprits before the whistleblower initially complained to authorities and long before the reporter investigated the story.

As I mentioned earlier, this looks like a case of multi-point failure, and even if one of the checks had failed, the monitoring system should still have automatically notified the authorities about the suspicious activities within minutes if not seconds of the suspicious event. My guess is that a good Business Activity Monitoring tool, which is a must for any critical enterprise system, is either not implemented or the implementation is flawed.
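The monitoring rules the takeaways call for (user creation without approval, activity by accounts that were never approved, bulk record access) can be written as checks over an audit log. This is an added example, not part of the original post and not UIDAI's code; the log format, field names, roles and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# All names and limits below are assumptions made for this illustration.
ADMIN_ROLES = {"super_admin"}        # only these roles may create users
PROVISIONED = {"admin_1"}            # accounts that exist before the log starts
WINDOW = timedelta(minutes=5)        # sliding window for the volume rule
MAX_RECORDS_PER_WINDOW = 50          # per-account record budget inside the window

# Constructed sample audit events (not real logs).
SAMPLE_LOG = """\
2018-01-03T09:00:00 actor=admin_1 role=super_admin action=create_user target=op_17 approved_by=board_2
2018-01-03T09:05:00 actor=op_17 role=operator action=lookup records=1
2018-01-03T09:10:00 actor=op_17 role=operator action=create_user target=op_901 approved_by=-
2018-01-03T09:11:00 actor=op_901 role=operator action=lookup records=30
2018-01-03T09:12:30 actor=op_901 role=operator action=lookup records=30
2018-01-03T09:30:00 actor=op_17 role=operator action=lookup records=2
"""


def parse_line(line):
    """Turn 'timestamp key=value ...' into a dict with typed ts/records."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    event["records"] = int(event.get("records", 0))
    return event


def detect(log_text):
    """Return a list of (rule, actor, timestamp) alerts, in log order."""
    approved = set(PROVISIONED)      # accounts created through an approved workflow
    already_flagged = set()          # unapproved accounts we have alerted on once
    recent = defaultdict(deque)      # actor -> deque of (ts, records) inside WINDOW
    alerts = []

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        actor, ts = ev["actor"], ev["ts"]

        # Rule: any activity by an account that never passed the approval workflow.
        if actor not in approved and actor not in already_flagged:
            already_flagged.add(actor)
            alerts.append(("unapproved_account_active", actor, ts.isoformat()))

        if ev["action"] == "create_user":
            approver = ev.get("approved_by", "-")
            # Rule: creation needs an admin role, an approved creator, and a
            # second person as approver (no missing or self approval).
            allowed = (
                ev["role"] in ADMIN_ROLES
                and actor in approved
                and approver not in ("-", actor)
            )
            if allowed:
                approved.add(ev["target"])
            else:
                alerts.append(("unauthorized_user_creation", actor, ts.isoformat()))

        if ev["action"] == "lookup":
            # Rule: too many records touched by one account inside the window.
            window = recent[actor]
            window.append((ts, ev["records"]))
            while ts - window[0][0] > WINDOW:
                window.popleft()
            if sum(count for _, count in window) > MAX_RECORDS_PER_WINDOW:
                alerts.append(("bulk_record_access", actor, ts.isoformat()))

    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

In a deployment each alert would feed the email/SMS notification and the response procedure the post describes; here the function only returns them.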
Obviously there could be other issues in the Aadhar system that we are not aware of, for example scalability, availability and performance issues, and I have reason to believe that, the way it is being implemented today, the Aadhar system is going to face major performance issues one day. The 1 lakh plus municipal employees in Mumbai are using Aadhar biometrics to sign in & sign out at work. (I have got proof that municipal employees get emails twice a day from the Aadhar system when they scan their fingerprints.) Which means the Aadhar system is being accessed for employee attendance 2 lakh times every day by Mumbai municipality alone! There are around 4000 cities in India, which makes 4000 x 2 lakh = 800,000,000 hits to the Aadhar server every day by municipal employees alone! I assume if the municipality is using Aadhar for attendance then other government employees will also be using Aadhar verification for attendance, and a conservative guess would be 1 lakh government employees across 4000+ cities in India (I am not considering the employees working in smaller towns & remote areas). This means there will be 1.6 billion hits to the Aadhar server every day just for verification of attendance of government & municipal employees! At 9 am when all employees reach office there will be at least 80,000 hits to the server every 3 seconds (assuming 4000 cities, 10 offices in each city, 2 biometric scanners in each office). Did UIDAI plan for this? Is the Aadhar architecture built to take this kind of peak load? Why the heck should we use a national biometrics server to verify that an employee in each city has reached office! Did we create Aadhar for such stupid mundane tasks? Which other SMART DIGITAL COUNTRY in the world has implemented this kind of verification system for government employees? Which software architect gave this idea to the government to use Aadhar for employee attendance verification, and what are the other redundant uses that Aadhar is going to be used for?
It is absurdly, insanely, mind-bogglingly crazy to implement Aadhar based attendance! Imagine when Hospitals, Railways, Airlines, Jios & every other company start using Aadhar for verification: we will need a new Aadhar Hardware City to host the servers required to cater to such a large population! (Ok! Ok! I exaggerated it! We won't need a new city but a huge number of computing nodes on a Cloud, since it is quite likely that the Aadhar system is hosted on a Cloud.)
In my next post I will explain the potential missing blocks that could lead to such system failure in a software system (again I am assuming The Tribune report is reliable and they have indeed purchased a billion records for 500 INR. Dammit!)
My next post will be about What needs to be fixed in Aadhar Software System? (Part-2), & after that the 3rd post will be on How blockchain or similar trust framework could have prevented the Aadhar Data leaks in Aadhar System? (Part-3)
Saturday, January 6
Is blockchain viable for a Business Process Management solution?
When we talk to people about Blockchain we realize people seem to have various perceptions that are formed in the context of cryptographic currency, and since the technology is in incubation I guess each perception has to be respected. After 19 years in the industry working for Fortune 100 clients I have acquired the habit of doing a postmortem of each new technology and trying to predict the acceptance of the technology. I have been proven right on many occasions and not so right on a few occasions.
I agree with people who look at Blockchain as an interesting technology advance that may solve some challenges (and create new challenges), but I don't agree that blockchain is the biggest thing since the Internet as some people claim; in fact it is far from maturity and at the most it is a good prototype according to me. Taking a step back.
What is blockchain?
A block is the ‘Current’ part of a blockchain which records all of the recent transactions, and once completed goes into the 'Chain of blocks' as permanent data record. Each time a block gets completed, a new block is generated. There is a countless number of such blocks in the blockchain. The blocks are linked to each other like a chain in proper linear, chronological order with every block containing a hash of the previous block.
And what is blockchain in Bitcoin context?
A blockchain is a public ledger of all Bitcoin transactions that have ever been executed. It is constantly growing as ‘completed’ blocks are added to it with a new set of recordings. The blocks are added to the blockchain in a linear, chronological order. Each node (computer connected to the Bitcoin network using a client that performs the task of validating and relaying transactions) gets a copy of the blockchain, which gets downloaded automatically upon joining the Bitcoin network. The blockchain has complete information about the addresses and their balances right from the genesis block to the most recently completed block.
So what's great about Blockchain in the BPM context?
Have you implemented a workflow solution where a work-item has to pass through different people who work on it in a sequence before the work-item is processed and the work is flagged as complete? Or maybe implemented a BPM solution where a business process has multiple tasks and interfaces with multiple internal systems for validation and reference data, which makes the process slow and consumes resources? What if each work-item in a business process was a 'Smart Work Item' and could carry all the data references required to process the work item so that network IO was minimal? The processing would be faster, we would eliminate wait times and dependency on related tasks, and the business would run with optimum efficiency. I am assuming you are familiar with BPM so I won't give examples to explain the above statements. This can be achieved by a distributed ledger (as in the Bitcoin Blockchain) or a Smart Business Object (as I like to call it) that is accessible only to the authorized parties across the internal or external network. The Smart Business Objects (SBO) are encrypted data objects with a private and public key; they can be viewed and updated by the authorized parties but they cannot be deleted by anyone, and at the end of the business process flow/s, when the life of the SBO is over, the object would still be available on the internal network in view-only mode.
We implemented something called a BPM Workflow Reference Database for one of our clients (I concede that we were not smart enough to think of a distributed ledger). Adding a new database that kept track of the state of the work-item by referencing it with a workitem-key helped reduce the network calls from the business process to a maximum of one call to get the state of the input reference data at each step of the process. This optimized our solution by a huge margin, but we had to create some database triggers and batch processes to keep the Reference Data updated.
What do enterprises achieve by implementing business process management?
- Operational Efficiency – Streamlined business processes lead to streamlined operations, with greater visibility and control. The automation of repetitive, low value tasks can also lead to cost savings.
- Compliance – All business processes are carried out in-line with a company’s procedures and process documentation can be generated for demonstrating compliance in an audit.
- Competitive Advantage – A BPM solution ensures that processes drive operational efficiency, business visibility and can quickly adapt to customer requirements, which helps to provide a strong edge over the competition and shorter time to market.
- Scalability – Automated processes scale much better than manual processes – ideal if an organisation is expanding.
- Agility – A BPM solution will enable a company to quickly update its processes in response to developments in its operational environment.
Great! So we have implemented BPM for years and clients have benefited immensely, but there are some challenges that create bottlenecks in BPM solutions and blockchain can solve them. But how about using a traditional centralized database to perform like a distributed ledger? I am not suggesting we deploy a database at each node; rather we add an independent database that acts as a Ledger Database & can be accessed by all trusted systems over the network. The Ledger Database should have the add-on features of blockchain, namely immutability, no central authority & global availability of the asset over the network. Unlike crypto-currencies, a BPM solution does not have unknown participants, so I think it should work well.
Disadvantages of using a Blockchain / Distributed Ledger -
The blockchain as a database is not so great, measured by traditional database standards: throughput is just a few transactions per second, latency before a single confirmed write is 10 minutes, and capacity is a few dozen GB. Furthermore, adding nodes causes more problems: with a doubling of nodes, network traffic quadruples with no improvement in throughput, latency, or capacity. Worst of all, the blockchain essentially has no querying abilities.
Advantages of using a Ledger Database-
- Globally accessible database to store data & documents
- High capacity and throughput for millions of records and documents
- Interchangeability to store large files and media
- Data immutability that brings trust and audit-ability to the records
- Query technology that enables quick retrieval of records and documents
- Reduced security and liability in managing data
There is a need to prototype and compare the 2 solutions, one with a blockchain ledger and another with a database ledger. I seriously doubt if the investment in Blockchain is really worth it for enterprise computing, which usually takes place between known & trusted partners. The Ledger Database that I have mentioned here has been implemented successfully in the past by and it is only a design pattern. A database can be designed to act more like a blockchain without the surprises that under-construction blockchain technology has to offer. Bitcoin has been successfully running on blockchain with few exceptions, where the system was hacked. Databases are not hack proof either, but creating a new database to work as a Ledger Database comes very close to achieving the benefits that Blockchain offers without fully sacrificing control of your database, which is important for enterprise computing. Let's keep discussing, build some prototypes for comparison and find a new cost-effective design pattern using proven technologies.
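One way to prototype the Ledger Database pattern discussed above, combining database-level append-only enforcement with the previous-block hash link described under "What is blockchain?". This is an added example, not the author's implementation; the table layout, workitem keys and function names are hypothetical, and it uses an in-memory SQLite database.

```python
import hashlib
import json
import sqlite3

GENESIS = "0" * 64  # prev_hash used by the first entry (assumption)

# Triggers reject UPDATE and DELETE, so ordinary clients can only append.
SCHEMA = """
CREATE TABLE ledger (
    seq        INTEGER PRIMARY KEY,
    workitem   TEXT NOT NULL,
    state      TEXT NOT NULL,
    prev_hash  TEXT NOT NULL,
    entry_hash TEXT NOT NULL
);
CREATE TRIGGER ledger_no_update BEFORE UPDATE ON ledger
BEGIN SELECT RAISE(ABORT, 'ledger is append-only'); END;
CREATE TRIGGER ledger_no_delete BEFORE DELETE ON ledger
BEGIN SELECT RAISE(ABORT, 'ledger is append-only'); END;
"""


def entry_hash(seq, workitem, state, prev_hash):
    """SHA-256 over a canonical encoding of the entry and its predecessor's hash."""
    payload = json.dumps([seq, workitem, state, prev_hash], separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def open_ledger(path=":memory:"):
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    return db


def append(db, workitem, state):
    """Append one state change, chaining it to the current last entry."""
    with db:  # commit on success, roll back on error
        row = db.execute(
            "SELECT seq, entry_hash FROM ledger ORDER BY seq DESC LIMIT 1"
        ).fetchone()
        seq, prev = (row[0] + 1, row[1]) if row else (1, GENESIS)
        digest = entry_hash(seq, workitem, state, prev)
        db.execute(
            "INSERT INTO ledger VALUES (?, ?, ?, ?, ?)",
            (seq, workitem, state, prev, digest),
        )
    return digest


def verify(db):
    """Return the seq of the first entry that breaks the chain, or None if intact."""
    prev, expected_seq = GENESIS, 1
    rows = db.execute(
        "SELECT seq, workitem, state, prev_hash, entry_hash FROM ledger ORDER BY seq"
    )
    for seq, workitem, state, prev_hash, digest in rows:
        if (
            seq != expected_seq
            or prev_hash != prev
            or digest != entry_hash(seq, workitem, state, prev_hash)
        ):
            return seq
        prev, expected_seq = digest, expected_seq + 1
    return None


def demo():
    """Show both protections: the trigger blocks edits, the chain exposes them."""
    db = open_ledger()
    for workitem, state in [("WI-1", "submitted"), ("WI-1", "approved"), ("WI-2", "submitted")]:
        append(db, workitem, state)
    intact = verify(db)
    try:
        db.execute("UPDATE ledger SET state = 'rejected' WHERE seq = 2")
        blocked = False
    except sqlite3.DatabaseError:
        blocked = True
    # Whoever controls the database can drop the trigger, which is the
    # "central authority" caveat; the hash chain still reveals the edit.
    db.execute("DROP TRIGGER ledger_no_update")
    db.execute("UPDATE ledger SET state = 'rejected' WHERE seq = 2")
    return intact, blocked, verify(db)


if __name__ == "__main__":
    print(demo())
```

The chain only proves tampering to someone who holds a trusted copy of the latest hash, so in practice that value is shared with the other trusted systems on the network.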
Friday, January 5
What is wrong with Aadhar Software System? (Part-1)
You can read this post, What is wrong with Aadhar Software System? (Part-1), on this link:
https://digitaltechnologyarchitecture.blogspot.in/2018/01/whats-is-wrong-with-aadhar-software.html
https://digitaltechnologyarchitecture.blogspot.in/2018/01/whats-is-wrong-with-aadhar-software.html
I can't say I was shocked to hear about The Tribune (link) report
on how their reporter purchased Aadhar data for 500 INR and for another
300 INR purchased a software that could print Aadhar Card ( India's
Social Security Number card) but I was surprised at the poor design and
operating model of the system. I expected the system to be much more
smarter, secure and foolproof than it seems to be now. UIDAI has denied
the data leak but Tribune seems to have material evidence and they have
published a response to UIDAI statement today (link).
This kind of data leak does not happen because of a single point of failure. There has to be issue with the
1) Solution architecture (architectural description of a specific solution)
2) Application architecture (describes the behavior of applications),
3) Security architecture (unified security design that addresses the necessities & potential risks),
4) Operation architecture (defines control of operational procedure & execution of operational tasks)
5) Finally the Software testing plan seems to have failed to detect the flaws in the software.
As long as there is valuable data, hackers will try to attack the system but fortunately this was not a hack or else hackers would have wiped the data and held Indian government for ransom. Politicians who are enforcing Aadhar just don't seem to understand a badly designed software can play havoc and that delayed software system is better than a faulty software system. I don't think we need any more proof to call for an immediate software audit conducted by 2 independent reputed agencies. If we are so sure that system has no flaw then software audit will help regain the confidence of billion Indians. Every big software is audited periodically so why not audit Aadhar System which is a critical system for the government as well as billion Indians. I don't understand why government has not initiated a software audit after multiple 'reported' incidents of data lapses over last 2 years. If the audit highlights any issue then the Aadhar software architects are to be blamed and not the government. The other issue could be the change in Vision, possibly Aadhar system is made to do what it was not designed to do when it designed.. A software audit will only validate that you have a well designed, robust and secure software system and its operations are being managed well by the team.
When there are multiple issues in a software system they can only be addressed by conducting a detailed software audit followed by fixing the issues identified in the audit. ( Do read my earlier post Why you should be concerned about #Aadhar being made mandatory for citizen of India? ) Having worked as a fire fighter on solving complex issues on many complex software systems for fortune 100 companies I must say I have not encountered such a large software system that seems to have been put in production without due diligence. I have seen projects where leads & managers have been removed on the spot for much smaller issues than what was reported by The Tribune. Software systems are custom made to solve a particular business challenge and if there is a failure in basic operation of the software then it is because the project leadership was incompetent to handle the project right from the solution design stage to development stage and onto the operations stage.
Here is a simple picture that will give you an idea of what all could have gone wrong with Aadhar System, I am not privy to the Aadhar architecture so the picture highlights the potential issues in the software based on what we know from reports on data leaks. I am concerned that a software system has become a prestige issue and UIDAI is defending reports rather than publishing a whitepaper on health of the Aadhar System so Indians don't worry about the most critical software that is going to affect every Indian. I want to find out , what is wrong with Aadhar system? What needs to be fixed to avoid the known issues in future?
Figure: My understanding of Aadhar System
So what are the key takeaways from this data leak incident?
1) A critical software system like Aadhar is used for verification of an Aadhar user's identity: when user input is passed to the system, the system responds with verification success or failure. The system should not allow users to download the Aadhar number or details of Aadhar users. This is a grave software design flaw and there is no doubt about it, whatever UIDAI might claim.
2) Data access should have been restricted at the application service layer, the data service layer as well as the database level for additional security, and I think all 3 layers have design flaws.
3) The system should have different levels of user authorization that limit user access to certain services, and this authorization framework seems to be flawed or else missing from the system.
4) Creation of a new user is an activity that should be restricted to a limited set of super users, and if we go by the news report then it seems that a user who is not an administrator has the right to create new users without approval of any superior authority. This is poor design and a big security risk. A new user creation process is typically performed by the administrator, and for critical systems like Aadhar there should be an 'approval workflow for user creation' where clearance is taken from an 'access control board' or at least a super admin before creating new users. An ordinary system user who accesses the system for routine transactions should not be allowed to create new users at will. This flaw allows the system to be misused, as seems to have happened in this case.
5) Authorities have responded that system activities are monitored, so it is surprising that when users were being created at will without approval no one noticed it, when the system was being accessed by unknown new users no one noticed it, when user data was being downloaded no one noticed it, and even the network administrator did not notice unusual activity on the network when billion records were being accessed/downloaded.
6) In an ideal system that has Business Activity Monitoring, rules are defined on what services need to be monitored, what alert should be sent by email or by SMS in case of some user accessing a set of services, and what action should be taken by the team who is responsible for monitoring the software. None of these things seem to be in place or else UIDAI would have nabbed the culprits before the whistle blower initially complained to authorities and long before the reporter investigated the story.
As I mentioned earlier, this looks like a case of multi-point failure, and even if one of the checks had failed, the monitoring system should still have automatically notified the authorities about the suspicious activities within minutes if not seconds of the suspicious event. My guess is that a good Business Activity Monitoring tool, which is a must for any critical enterprise system, is either not implemented or the implementation is flawed.
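The monitoring rules argued for above (user creation by a non-administrator or without approval, activity from an account that was never approved, and bulk record access) can be written as a small rule engine over audit events. This is an added example, not code from the Aadhar system or from this blog; every role, threshold, event field and account name in it is an assumption, and the events are constructed.

```python
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed values for illustration only; they do not describe the real system.
ADMIN_ROLES = {"super_admin"}      # roles allowed to create users
READ_LIMIT = 5                     # record reads allowed per actor per window
WINDOW = timedelta(seconds=60)
CHANNEL = {                        # which rule pages by SMS and which by email
    "USER_CREATED_BY_NON_ADMIN": "sms",
    "USER_CREATED_WITHOUT_APPROVAL": "sms",
    "UNAPPROVED_ACCOUNT_ACTIVE": "sms",
    "BULK_RECORD_ACCESS": "email",
}


@dataclass(frozen=True)
class Alert:
    ts: datetime
    rule: str
    actor: str
    channel: str


class ActivityMonitor:
    """Evaluates audit events one at a time and returns the alerts they raise."""

    def __init__(self, approved_accounts):
        self.approved = set(approved_accounts)  # accounts with an approval record
        self.reported = set()                   # unapproved accounts already alerted
        self.reads = defaultdict(deque)         # actor -> timestamps of recent reads
        self.over_limit = set()                 # actors currently above READ_LIMIT

    def process(self, event) -> list[Alert]:
        ts = datetime.fromisoformat(event["ts"])
        actor, action = event["actor"], event["action"]
        rules = []

        # Any activity from an account that never went through approval.
        if actor not in self.approved and actor not in self.reported:
            self.reported.add(actor)
            rules.append("UNAPPROVED_ACCOUNT_ACTIVE")

        if action == "create_user":
            is_admin = event["role"] in ADMIN_ROLES
            has_approval = bool(event.get("approved_by"))
            if not is_admin:
                rules.append("USER_CREATED_BY_NON_ADMIN")
            if not has_approval:
                rules.append("USER_CREATED_WITHOUT_APPROVAL")
            if is_admin and has_approval:
                self.approved.add(event["target"])

        elif action == "read_record":
            recent = self.reads[actor]
            recent.append(ts)
            while ts - recent[0] > WINDOW:        # drop reads older than the window
                recent.popleft()
            if len(recent) > READ_LIMIT:
                if actor not in self.over_limit:  # alert once per burst, not per read
                    self.over_limit.add(actor)
                    rules.append("BULK_RECORD_ACCESS")
            else:
                self.over_limit.discard(actor)

        return [Alert(ts, rule, actor, CHANNEL[rule]) for rule in rules]


def constructed_events():
    """Constructed audit trail: one approved creation, one rogue creation, one bulk read."""
    events = [
        {"ts": "2018-01-03T09:00:00", "actor": "admin01", "role": "super_admin",
         "action": "create_user", "target": "op17", "approved_by": "board-ticket-001"},
        {"ts": "2018-01-03T09:05:00", "actor": "op17", "role": "operator",
         "action": "verify_identity"},
        {"ts": "2018-01-03T09:10:00", "actor": "op17", "role": "operator",
         "action": "create_user", "target": "op99", "approved_by": None},
    ]
    start = datetime(2018, 1, 3, 9, 11, 0)
    for i in range(8):                            # op99 reads 8 records in 14 seconds
        events.append({"ts": (start + timedelta(seconds=2 * i)).isoformat(),
                       "actor": "op99", "role": "operator",
                       "action": "read_record", "target": f"record-{i}"})
    return events


def run_monitor(events, approved_accounts=("admin01",)):
    monitor = ActivityMonitor(approved_accounts)
    alerts = []
    for event in events:
        alerts.extend(monitor.process(event))
    return alerts


if __name__ == "__main__":
    for alert in run_monitor(constructed_events()):
        print(alert.ts.isoformat(), alert.channel.upper(), alert.rule, alert.actor)
```

On the constructed trail the rogue account creation is flagged at the moment it happens, ten minutes before the first record is read, which is the "minutes if not seconds" window the paragraph above asks for.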
Obviously there could be other issues in the Aadhar system that we are not aware of, for example scalability, availability and performance issues, and I have reason to believe that the way it is being implemented today the Aadhar system is going to face major performance issues one day. The 1 lakh plus municipal employees in Mumbai are using Aadhar biometrics to sign in & sign out at work. (I have got proof that municipal employees get emails twice a day from the Aadhar system when they scan their fingerprints.) This means the Aadhar system is being accessed for employee attendance 2 lakh times every day by Mumbai municipality alone! There are around 4000 cities in India, which makes 4000 x 2 lakh = 800,000,000 hits to the Aadhar server every day by municipal employees alone! I assume if the municipality is using Aadhar for attendance then other government employees will also be using Aadhar verification for attendance, and a conservative guess would be 1 lakh government employees across 4000+ cities in India (I am not considering the employees working in smaller towns & remote areas). This means there will be 1.6 billion hits to the Aadhar server every day just for verification of attendance of government & municipal employees! At 9 am when all employees reach office there will be at least 80,000 hits to the server every 3 seconds (assuming 4000 cities, 10 offices in each city, 2 biometric scanners in each office). Did UIDAI plan for this? Is the Aadhar architecture built to take this kind of peak load? Why the heck should we use a national biometrics server to verify that an employee in each city has reached office! Did we create Aadhar for such stupid mundane tasks? Which other SMART DIGITAL COUNTRY in the world has implemented this kind of verification system for government employees? Which software architect gave this idea to the government to use Aadhar for employee attendance verification, and what are the other redundant uses that Aadhar is going to be used for?
It is absurdly, insanely, mind-bogglingly crazy to implement Aadhar based attendance! Imagine when Hospitals, Railways, Airlines, Jios & every other company start using Aadhar for verification: we will need a new Aadhar Hardware City to host the servers required to cater to such a large population! (Ok! Ok! I exaggerated it! Won't need a new city but a huge number of computing nodes on a Cloud, since it is quite likely that the Aadhar system is hosted on a Cloud.)
In my next post I will explain the potential missing blocks that could lead to such system failure in a software system (again I am assuming The Tribune report is reliable and they have indeed purchased billion records for 500 INR. Dammit!)
My next post will be about What needs to be fixed in Aadhar Software System? (Part-2) & after that the 3rd post will be on How blockchain or a similar trust framework could have prevented the Aadhar data leaks in the Aadhar System? (Part-3)
Tuesday, January 2
Tech Tip - Microsoft has a utility to fix issues with installation / uninstall of programs on Windows
Fix problems that block programs from being installed or removed
Link https://support.microsoft.com/en-in/help/17588/fix-problems-that-block-programs-from-being-installed-or-removed
Microsoft has released another Fix-It tool to "diagnose and fix program installing and uninstalling problems automatically". A Fix-It is a small portable program that Windows users can run to resolve and repair issues on their operating system semi-automatically.
The Microsoft Support page, which is also the page where the Fix-It can be downloaded, lists the following issues that are repaired by the application:
- Removes bad registry key on 64 bit operating systems.
- Windows registry keys that control the upgrade (patching) data that become corrupted.
- Resolves problems that prevent new programs from being installed.
- Resolves problems that prevent programs from being completely uninstalled and blocking new installations and updates.
- Use this troubleshooter for an uninstall only if the program fails to uninstall using the windows add/remove programs feature.
Wednesday, December 27
Tech Tips - Is your personal computer optimized? How to keep your PC optimized for best performance?
Another tech-tip to keep your personal computer healthy and fit. We keep installing applications, creating/deleting folders and each time an entry is made in the registry. When we remove the application & do not do a clean uninstall or cut-paste some folders it leaves junk data in your hard-disk & registry and your computer is no longer working optimally.
Here are a few things you can do to keep your computer healthy, fit & optimized:
- Don't install software that you don't need. Once every 3 months do a quick check of the installed software and remove the applications that are not used frequently.
- If you use some software just a couple of times a year, I suggest you download a portable version of the software, keep it on your pen-drive and save your computer from unnecessary clutter. Portable.com is my favorite site to find reliable and malware-free portable apps. They even provide a portable app manager that (When you download a software do donate a dollar to help the guys maintain their good work)
- Use a free tool to clear junk files from the computer and defragment the hard disk. I use CCleaner freeware to clean junk files and optimize the hard disk once a week.
- Use a good registry cleaner tool to keep your registry healthy. Make sure you create restore-point before you clean the registry and do not keep more than 4 restore points on your computer as they occupy real estate. I use a wonderful tool called Wise Registry Cleaner to maintain my registry (wisecleaner.com). The tool is smart and reliable and you can take my word that it will not mess the registry.
- Backup your assets to a portable hard-disk and only keep the data that you access frequently. I use DSynchronize portable application (installed on portable drive) to take backup of my downloads and I always maintain enough free space on my hard-disk ( more than 50% of the HDD capacity)
Tuesday, December 19
The New BPM - The Real Time Business Process Management
Enterprises have embraced BPM and have optimized their business processes making their enterprise efficient, agile & adaptive. Business users have most intimate knowledge about the business operations and understand the process improvements required. Business-driven process management lets them manage the design, execution and improvement of business processes. The targets for BPM are the processes that are most important to creating value, those that will yield tremendous benefits if optimized, those that most need to rapidly change and evolve to keep pace with competitive markets. So for large enterprises moving to service based design and degree of process automation of high value processes will provide high business value.
New BPM - Business and IT collaboration and business empowerment are necessary so that business applications can keep pace with a fast-changing world. Today nobody talks about Service Oriented Architecture & Service Oriented Design because they are now an integral part of the IT standard guidelines and critical for the success of any enterprise application. The new entrant, Blockchain Distributed Ledgers, on the other hand creates a business network which can span across enterprises, introducing disintermediation, distributed ownership and the risks while enabling near-real-time exchange of data that can help enterprises in making faster informed decisions. The value add of blockchain is that it would provide a means to prevent erroneous or outdated data within the business process. Blockchain adoption will impact existing business processes and they will have to be re-engineered to use Blockchain, but it will have a positive impact by further improving quality, agility, trust and networking across business entities.
Figure: The New BPM
Saturday, December 9
Tech Tips - Securing personal computer with Microsoft Safety Scanner, Defender, Avast & Malwarebytes
There are times when Windows OS on your computer misbehaves and you are not sure if it is because of some malware or a Windows issue. I started getting a message that said "Interactive Service Detection - A program running on this computer is trying to display a message".
I had never seen such a message in Windows and I suspected a virus or malware had affected my laptop. I checked the Microsoft website and found that this error could also be because of some Windows issue. But when you are not sure you should DO A COMPLETE SCAN FOR MALWARE. I found the Microsoft Safety Scanner tool (freeware) from Microsoft, which can detect & remove malware from a laptop. Safety Scanner gave a clean chit to my laptop, which meant the issue was because of some corrupt files. Next I ran the Windows System File Checker tool (it is part of Windows OS) and repaired a few corrupted files. A clean shutdown and start confirmed that the issue was resolved. I assume that, like me, not many people would be aware of Microsoft Safety Scanner so I am sharing the link on my blog. This tool works for 10 days after download (Microsoft keeps updating the tool's virus database) so if you have to execute it again on the 11th day you will have to download a fresh copy.
By the way I have the free version of Avast Antivirus & Malwarebytes freeware protecting my laptop & I also have Windows Defender installed (only one of the antivirus products will be actively monitoring Windows). There is another good tool called Sourceforge HJT that I use to do random scans for Adware/Malware. Every time I feel the computer is acting a bit funny or is getting slow I run these tools to check for malware & unwanted software.
Other useful links -
1) https://www.avast.com/
2) https://www.malwarebytes.com/
3) https://sourceforge.net/projects/hjt/
4) Repairing a corrupted file in Windows using sfc command
a) Using Deployment Image Servicing and Management (DISM) tool for Windows 8, 8.1 & 10
b) Use the system file checker tool to repair missing or corrupted Windows system files
About Microsoft Safety Scanner (text from Microsoft website)
Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. Simply download it and run a scan to find malware and try to reverse changes made by identified threats. Safety Scanner only scans when manually triggered and is available for use 10 days after being downloaded. We recommend that you always download the latest version of this tool before each scan.
NOTE: This tool does not replace your antimalware product. For real-time protection with automatic updates, use Windows Defender Antivirus on Windows 10 and Windows 8 or Microsoft Security Essentials on Windows 7. These anti-malware products also provide powerful malware removal capabilities. If you are having difficulties removing malware with these products, you can refer to our help on removing difficult threats.
Click on this link to download Microsoft Safety Scanner
Tuesday, December 5
Linking Aadhar to Bank is a redundant exercise & bad software design
Today PAN & Aadhar are linked (31st Dec 2017 was the last date to link PAN with Aadhar) and this is already approved by the Supreme Court. Now the Govt is trying to explain to the court why linking of Bank account to Aadhar is necessary. I am surprised that the Indian government's IT experts have not realized that this is such a REDUNDANT exercise, because once the government links PAN with the Aadhar number, and since it is mandatory to provide PAN for a bank account, the bank account automatically gets linked to Aadhar (as the bank account is already linked to the PAN number). So there is no need for citizens to provide Aadhar details to the bank (by virtue of PAN-Aadhar data linkage) and banks can STOP sending threatening mails to the customers!
Wish the Finance Ministry & UIDAI would hire a few experienced data architects & software engineers who could explain to the government 'how data association works' and stop the bank & government from wasting tax payers' money in a redundant effort to link Aadhar to Bank account!
So the bank has practically no need to ask customers to give their Aadhar number. Even for new bank customers there is no need to provide the Aadhar number, because once they provide the PAN number the bank automatically comes to know if the person has linked Aadhar with PAN, and only then would they enable his new bank account. It is critical that the government does not go on distributing Aadhar access to private entities that can achieve the purpose of authenticating a customer without knowing their Aadhar number and by just knowing their PAN number.
The following picture explains it. The Income Tax department has PAN-Aadhar linked for each PAN card holder. The bank account is already linked to PAN. The way data association works, if someone has not provided Aadhar to the income tax department his PAN will automatically be deactivated and the bank will come to know about the customer's PAN deactivation.
Obviously the government has not thought about this because their IT experts have not educated them on how data linkage works. I put the blame for this useless exercise on the IT experts who are being consulted by the government of India. Indian IT engineers from the private sector are designing state of the art software for Fortune 100 companies and it is a pity that our government is not consulting these Indian IT experts.
Monday, December 4
Linking Aadhar to Bank is such a Dumb Idea & waste of tax payers money!
Govt of India has asked citizens to link PAN-Aadhar and this is already approved by the Supreme Court. Now the Govt is trying to explain to the court why linking of Bank account to Aadhar is necessary! It is such a foolish thing to do, because once you associate PAN with Aadhar the bank account automatically gets linked to Aadhar, without the citizen providing Aadhar details to the bank, by virtue of PAN-Aadhar linkage!
Wish the Finance Ministry & UIDAI would hire a few experienced data architects & software engineers who could explain to the government 'how data association works' and stop the bank & government from wasting millions of tax payers' money in an effort to link Aadhar to Bank account! Why ask citizens to provide the Aadhar data to the bank when the bank account is already linked to the PAN, which in turn is getting linked to the Aadhar number?
Thursday, November 30
When will government start using Artificial Intelligence (AI) ?
AI is making an impact across industry verticals, and AI can make an even bigger impact when the Indian governments start using AI, because governments touch more people's lives than any other organization. Often agencies are understaffed or overworked and people have to wait in queue for ages. AI can't replace humans but it can reduce the work load of humans. These are some areas where government should start implementing AI.
1. Process Automation
Throughout the government departments, there are backlogs of many types: cases, requests, applications, etc. AI enabled software could speed through these backlogs, prioritize critical tasks and even find solutions to some basic Yes/No tasks, thus reducing long pending tasks. AI could reduce the size of the backlogs, let humans focus on the challenging requests and speed up the processing.
2. Recruiting Automation
The Indian government is one of the largest employers, with a huge backlog of vacancies from teachers to officers, and the biggest challenge among all organizations is hiring adequate talent. One way the government could take advantage of AI is to adopt recruiting automation technology to streamline candidate sourcing, automate interview scheduling
3. Disaster Management
Artificial intelligence is a set of powerful technologies that can derive insights from tons of data to keep us safe, from predicting earthquakes and aiding in rescue efforts to warning us of external threats and even automating high-risk tasks that are done by government every day. By enabling these technologies to help keep us safe, governmental bodies can do their part to make India a safer place.
4. Cybersecurity
Cybersecurity is a growing concern for both government and financial institutions. Adversaries are leveraging AI in their tools, techniques and processes. Governments should leverage AI for vulnerability, threat and risk management. AI can help in forecasting, preventing and mitigating risk by using AI enabled self learning & self defending software.
5. Taxation
One way that government could take the most out of AI is by coordinating the financial analysis from multiple transaction mediums for taxation purposes. No more tax evasion and no more double taxation and faster tax refunds using AI.
7. Irregular Financial Activities
Applying artificial intelligence in the government can make services faster and more tailored. One way that the government can use AI to its advantage is by detecting irregular financial activities like money laundering, terrorist financing and fraud.
8. Health Care Services
Our barely-existent health care systems and pension systems are a major strain on the central and state budget. Governments are trying to improve these systems, and with AI and distance medicine the costs can be reduced. AI can also automate government grants and health insurance claims, identify fraudulent claims and fill in for the lack of resources and long queues. For minor illnesses an automated medical system can provide medical advice to those in remote corners of India till they can reach a doctor.
9. Security Agencies
AI is the process of simulating computers to have the capability of imitating intelligent human behaviors. AI can be used in various ways in immigration services, for crime prevention and for solving criminal cases using a centralized AI intelligence.
10. Auditing Efficiency
Using AI, the most likely candidates for audit could be quickly brought to the top for human inspection. It's important to keep the human element, but for quick evaluation AI can have a much better return on investment, particularly in prioritizing audit tasks.
11. Judiciary / Courts
One of the longest backlogs of any agency is probably in the legal system. The nature of the work is such that the petitioners themselves delay the cases till they get a satisfactory solution, but the legal system wants to deliver a well informed and just verdict and AI can help the judiciary deliver it. One cannot even imagine the new judiciary and the way it will transform justice delivery by using AI & ML to deliver critical inputs to the judges and also to dismiss trivial cases.
Monday, November 27
BPM & Blockchain
Business Process Modelling is a digital automation framework that helps organizations improve overall efficiency and the ability to execute consistently by decoupling the business process logic from the code or service layer. This streamlines business processes within an organization where participants normally trust each other. Innovations in areas such as case management, event processing, business rules, and integration mechanisms help organizations address strategic goals by implementing new and continuously improving existing business processes. Business processes rely on data from information systems outside their control, even data from other enterprises. This data must move between organizations, or even between enterprises, which is not only complex and expensive but often results in stale and inconsistent data. Lack of transparency and trust is the consequence.
Blockchain
Blockchain helps solve trust and transparency issues in business networks that span organizations for the following reasons:
- Participants in the network use a shared ledger to perform transactions on assets.
- Transactions are validated by participants through a consensus protocol.
- Smart contracts control transactions between participants, which therefore do not need to trust each other. Smart contracts ensure that contractual conditions are met and obligations are enforced.
- Permissioned blockchains ensure that all information and transactions on the blockchain are available only to network members with the right permission.
BPM and Blockchain
In a combined BPM-Blockchain solution, the shared ledger provides the interface for business processes — a process queries asset information and performs transactions directly on the ledger. Stale or inconsistent data is no longer an issue. In addition, business events on the blockchain initiate or trigger business processes, ensuring that the right organizations are involved and react to events in a timely manner. The integration of both business process management and blockchain helps you to reach the next level of real time integration and automation of business processes that can help significantly improve your business processes.
Monday, November 20
Don't you Blockchain yet?
Blockchain is a distributed digital ledger that enables and records the secure transfer of data and documents through a public or private peer-to-peer network. Blockchain allows secure management of a shared ledger, & transactions are verified & stored on a network without any governing authority. Blockchain configuration can be on a public open-source network or a private Blockchain network that requires explicit permissions to read/write.
The best applied example I have read is from the automotive industry. A car has a manufacturing defect that results in a part being replaced. The typical communication chain could follow this pattern:
- The car owner brings the car to the dealer to diagnose a problem
- Car dealer inspects the car and notifies the manufacturer about the faulty part
- Manufacturer works with the part supplier to determine where the fault lies
- Part supplier and manufacturer agree that the part is faulty, then notify the dealer
- Car dealer notifies the customer
- Car owner brings the car back to the car dealer for part replacement
In this scenario, communication among the customer, car dealer, manufacturer, and part supplier is delayed by incomplete information, so full and accurate responses along the chain are impossible. Second, all communication goes through email, telephone, or postal mail, and the customer has to visit the car dealership multiple times to have the part replaced, possibly being unable to use the vehicle until the car is repaired. This is a very shabby customer experience.
Now let’s look at the customer experience when blockchain & a technology platform are combined. In the same scenario, the communication chain will be as follows:
- The IoT sensor automatically notifies the manufacturer, car dealer, and car owner about the defective part
- Car dealer contacts the car owner and sets a service appointment for an inspection
- Car owner brings car to the dealer for inspection, which confirms the faulty part
- By now the information about the faulty part is already on the blockchain, which has notified all the parties – manufacturer, insurer, part supplier, car dealer, and owner
- Manufacturer, dealer, and part supplier collaborate to analyze the car’s IoT sensors and dealer inspection report to identify where the fault lies
- Manufacturer gives an instant approval for part replacement on blockchain, which automatically notifies all parties
- Car dealer replaces the part and delivers the car back to the owner
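
The shared-ledger flow above, as an added sketch that is not from the original post: each event is chained to the previous one by a SHA-256 hash, and a contract-style rule (an assumption made here) accepts the manufacturer's approval only after the sensor report and dealer inspection for the same part are recorded. The party names, event names and part id are hypothetical, and this is a single-copy chain with no consensus protocol; in a real network every participant would hold a copy and run the same check.

```python
import hashlib
import json

# Assumed contract rule: events that must already exist for a part before approval.
REQUIRED_BEFORE_APPROVAL = ("sensor_fault", "inspection_confirmed")
GENESIS = "0" * 64


def entry_hash(body: dict) -> str:
    """SHA-256 over a canonical JSON encoding of the entry body."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class Ledger:
    def __init__(self):
        self.entries = []

    def append(self, party: str, event: str, part: str) -> dict:
        if event == "replacement_approved":
            seen = {e["event"] for e in self.entries if e["part"] == part}
            missing = [r for r in REQUIRED_BEFORE_APPROVAL if r not in seen]
            if missing:
                raise ValueError(f"approval rejected, missing: {missing}")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"index": len(self.entries), "party": party,
                "event": event, "part": part, "prev": prev}
        entry = dict(body, hash=entry_hash(body))
        self.entries.append(entry)
        return entry


def verify(entries: list) -> int:
    """Return -1 if the chain is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["prev"] != prev or e["index"] != i or entry_hash(body) != e["hash"]:
            return i
        prev = e["hash"]
    return -1


def build_demo() -> Ledger:
    """Constructed run of the scenario for one hypothetical part."""
    ledger = Ledger()
    ledger.append("iot_sensor", "sensor_fault", "part-A")
    ledger.append("dealer", "inspection_confirmed", "part-A")
    ledger.append("manufacturer", "replacement_approved", "part-A")
    ledger.append("dealer", "part_replaced", "part-A")
    return ledger


if __name__ == "__main__":
    ledger = build_demo()
    print("intact chain:", verify(ledger.entries))
    edited = [dict(e) for e in ledger.entries]
    edited[1]["party"] = "part_supplier"  # someone rewrites who did the inspection
    print("first bad entry after edit:", verify(edited))
```

Rewriting an old entry changes its hash, so every participant who re-runs `verify` on their copy sees exactly where the history stops matching.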
Sunday, November 19
Be careful of what you share on Facebook, Google & Internet
Data privacy is important & critical for our own security & safety. We tell our kids not to talk to strangers & not to share family details with unknown people, but what about the data you are 'willingly but unknowingly' sharing on the internet every day? Let me tell you about a real life incident. A few years back an American company mailed a baby product catalog to a couple, and they were surprised because they had recently planned to have a baby but the wife was not pregnant. The net savvy couple did some research and found out that the shops and websites were selling their credit-card purchase history to marketeers, and from the history the marketeers were able to predict that the couple were planning to have a baby and sent the baby product catalogs even before the lady was pregnant!
You think it is impossible? I can prove to you that it is very easy to predict such things using Data Analytics if you have a person's credit history, in other words the 'Person's Personal Spend Data'. How could a company share/sell your credit card history with some other company? Well, when you took the credit card you never told the company not to use your purchase history for future marketing (did you even ask them what they do with your data?), so if you decide to sue the company then it will be a long court fight, & few people have sued companies for breach of privacy (or whatever legal term is used now) and managed to get compensated for misuse of complete or partial personal data.
Have you ever wondered why websites start displaying ads about a product that you have viewed on Facebook, or a product relevant to a post that you recently viewed on Facebook? For example, I viewed the 'Eurovigil Eureka Forbes Page' on Facebook, and within seconds when I went to the IRCTC website it showed me Eurovigil ads (I disable cookies on my laptop so it was not because of cookie tracking!). One of my friends who is not from the software industry was excited that the websites were getting smarter and showing relevant ads! But how does a website get smarter? No magic here: the smartness comes from your personal information/data that you willingly share/upload or, worse, data that is getting tracked without your knowledge.
To give you some smart personal advice: why does a website have to know your personal data - Age, M/F, City, Single/Married, Kids, Kids' age, your company name, buying pattern, dressing style, electronics you use, financial status, whether you use a 95K iPhone or are a cheapo who uses a 1.5k phone? No offense, but that's how marketeers profile us and then sell the information to other marketeers. So if a website smartly suggests a product or service, you should know it has access to some information you directly/indirectly shared somewhere on the internet, or else that your credit card provider has shared with some company.
Those of you who are not from IT would be surprised to know that new age companies keep a watch on your social-media posts and use this data to understand customer sentiments; this science is called Sentiment Analytics & Predictive Analytics. Let me tell you that not all companies use this data to spy on you, some companies use this data to prevent crime. For example, credit card companies 'ALSO' use huge computers to collect social media posts (Facebook, Google, Twitter..) to prevent fraud, and telecom companies use this data to prevent SIM fraud and also to decide the costing of their mobile plans, but the point is 'companies are all reading your posts every day and they perhaps know more about you than your close friends!'
Software companies internationally have been fined billions of dollars for collecting, storing and misusing personal data of users without taking the users' consent. Facebook, Google and other companies can afford to run lakhs of servers and thousands of employees to manage the servers across the world & still not charge you a penny because they earn much more by SELLING PERSONAL DETAILS OF USERS. FB account holders like me who are aware usually provide minimal information on their Facebook account, & in spite of the precaution FB is still profiling me from every FB post I read, every ad I click on FB and every comment I make on FB, and then Facebook is tracking what you do. Facebook is ... (even Google does it)
- Storing the data (because we gave FB permission to store data when we created an account and accepted the agreement without reading it). Tomorrow if you want to wipe off your personal data from FB you would be able to delete your account, but you will never be able to remove the personal data which is already part of the FB database and the personal data that FB shared with other marketeers.
- FB is using your data to create a virtual profile of you
- Using your data to push relevant ads to you
- Sharing/selling the virtual profile data to other websites (that's how IRCTC website's 'Advertisement Service' knows I am interested in Eurovigil)
- FB and similar websites know about you; through your posts and friends they know 'names of each of your relatives and even have photos of your relatives and friends'
- Data is everything. We can create a virtual person, apply for credit cards and open bank account online without visiting the bank if we have the personal data of a person.
We are caught in the 'Internet Of Things Data Mess' and marketeers & companies that sell personal data are the big winners. As long as you use the internet, someone will soon get your personal details and your activities (that's right, not just Facebook & Google, almost all websites collect personal data including location data). Your husband or wife may not know that you ordered the grocery while you were enjoying a Cafe Latte at Coffee Day, but "The Internet Companies Know It & Will Use The Information", and there goes your right to privacy. What you can do is be careful while registering on websites and using social media, and not volunteer personal details that you feel should not be made public. For you to enjoy social media or get discounts from a website you don't have to share details like whether you are single/married, who your relations are, your detailed address, your company name etc. These details could be sold to some company and then to another company & so on till every marketeer knows about you.
How Facebook collects data about users & non-users:
Facebook collects data from non-registered users in two main ways: From their browsing history and from their friends.
- Websites that use Facebook’s advertising pixel (Like/Share button) – send data about those site visits back to Facebook (browsing history, IP…).
- “If those Like/Share buttons are on the page, regardless of whether you touch them or not, Facebook is collecting data,”
- So 'if you’re logged into Facebook with the same browser you use to surf the web, the company knows exactly who you are and the vast majority of the websites you visit'. If you’re not logged in, the company can still associate the data with your IP address and all the websites you’ve been to that contain Facebook code.
- The other main way Facebook gets info: its contact upload feature => to link different accounts having the same contact email or phone numbers. I would never advise you to share your primary email or phone number with Facebook or social websites.
Solution to avoid/reduce tracking:
There are some tricks to avoid getting tracked by internet service providers:
- Using different email addresses for different services, and even different browsers, can help enhance your privacy, according to privacy experts we consulted. You can use your primary email address for communication & create a 2nd email address (provide minimal or pseudo personal details) to register for various sites
- Using privacy browsers: Tor, Brave etc
- Using script blocking: by using browser addons like uBlock Origin, NoScript, Privacy Badger
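
What the embedded Like/Share code described above lets its host reconstruct, and what script blocking changes, as an added example that is not from the original post. The widget host name, the other sites, the cookie value and the IP address (from a documentation range) are all constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlparse

WIDGET_HOST = "widgets.social.example"  # hypothetical third-party widget host

# Constructed browsing session: (page URL, third-party hosts embedded in that page)
VISITS = [
    ("https://news.example/politics/story-1", ["widgets.social.example", "cdn.example"]),
    ("https://shop.example/water-purifier", ["widgets.social.example"]),
    ("https://rail.example/booking", ["ads.example"]),
    ("https://health.example/pregnancy-faq", ["widgets.social.example"]),
]


def third_party_requests(visits, ip, cookies, blocked_hosts=()):
    """Requests a browser sends to embedded hosts while loading each page.

    No click is needed: loading the embed is enough. The browser attaches the
    embedding page as Referer and any cookie it holds for the embedded host.
    """
    sent = []
    for page, embeds in visits:
        for host in embeds:
            if host in blocked_hosts:
                continue  # a script/content blocker drops the request entirely
            sent.append({"host": host, "ip": ip, "referer": page,
                         "cookie": cookies.get(host)})
    return sent


def tracker_view(requests, host=WIDGET_HOST):
    """Sites the widget host can tie to one identity from its own access log."""
    seen = defaultdict(list)
    for r in requests:
        if r["host"] != host:
            continue
        # Logged in: the session cookie names the account. Otherwise: the IP.
        key = f"account:{r['cookie']}" if r["cookie"] else f"ip:{r['ip']}"
        seen[key].append(urlparse(r["referer"]).netloc)
    return dict(seen)


if __name__ == "__main__":
    ip = "203.0.113.7"
    print(tracker_view(third_party_requests(VISITS, ip, {WIDGET_HOST: "user-42"})))
    print(tracker_view(third_party_requests(VISITS, ip, {})))
    print(tracker_view(third_party_requests(VISITS, ip, {WIDGET_HOST: "user-42"},
                                            blocked_hosts={WIDGET_HOST})))
```

The page without the widget never reaches the widget host, and with the host blocked its log for this browser is empty, which is the effect the blocking addons listed above aim for.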
Friday, November 17
Real Time Tracking of Highway Development & Maintenance
The national highways network of India is a network of trunk roads that is managed and maintained by agencies of the Government of India. India has 100,087 km (62,191 mi) of national highways (NH) connecting all the major cities and state capitals as of June 2016. National highways comprise 1.7% of India's total road network, but carry about 40% of road traffic.
The current government has ambitious plans for increasing highway coverage & improving the quality of highways. As Digital India spends more on infrastructure maintenance & new highway construction, it is important to use Affordable & Available Technology to monitor the development and reduce pilferage of funds. By affordable & available technology I mean use of Mobile Sensors, GPS, Big Data Analytics & Predictive Data Analytics. Managing & monitoring highway development projects can help government monitor work in 'REAL TIME' (daily progress, as the work gets completed), bring transparency, and implement Dynamic Investment by diverting money to projects that are financially more viable as compared to projects that are getting delayed due to unavoidable circumstances like unavailability of work force etc.
A sound IT solution should help government improve
1) Ensure Consistent Quality of highway construction across India (and also Water Ways which is another project initiated by the government)
2) Real Time Status of work- by collecting daily progress data using mobile phones and GPS sensors in mobiles
3) Avoid & restrict delays by leveraging the daily progress data feeds
4) Perform smarter fund allocation based on trust worthy data collected via GPS sensors and camera
5) Big Data processing can be used to process this huge amount of data and produce meaningful reports that present all development activities on a single screen, also called a Dashboard
6) Predictive analysis as the name suggests uses all past data to predict what can happen in future. For example which projects will complete work before time & which project will make loss and why. How much work will get completed by the year end? Which projects are making optimum use of construction material and which projects are wasting funds?
The following graphic illustrates how we can implement a simple solution to monitor road development with mobile devices.
Digital is not limited to a bottom-up or top-down approach, digital is everywhere. Today everyone uses a smartphone and we promote use of smartphones to collect data in real time. Real time monitoring will help monitor progress, detect issues faster and avoid pilfering of public funds. Hope Govt of India builds a similar simple solution to monitor the Highway Development.