Response to security concerns raised by GeekGazette

Some of you may have read the latest GeekGazette issue. It includes an article on “Campus Surveillance”, which errs on the side of being a FUD article. If you haven’t already, you can read the article online. The article says, “Managing personal data gives immense power to the authorities and members of IMG and SDSLabs.” Surely this warrants a response.

CCTV Cameras

As far as I am aware, most of the CCTV cameras installed on the campus are networked. None of these include any form of face recognition. Sure, being tracked by these infringes your privacy, but they are also useful for tracking wrongdoers. Pointing out that our institute has CCTV cameras, and leaping to the conclusion that we are being watched everywhere, NSA style, is just plain rubbish.

Personal Data

The only personal data available to SDSLabs are the email addresses and phone numbers, which are provided by the users themselves upon registration. The institute provides us with no data at all. This means that all data we have is either provided with the user’s consent or publicly available (we use course data from 192.168.121.2/studentlist to help users during their registration). We don’t have anybody’s weight/height/bloodgroup/photographs/passport/driving licence/grades/passwords as mentioned in the article. We assure you that we have no interest in selling the limited amount of personal data we have on file (phone/email) and it is only accessible by limited members of our team. Furthermore, our services are protected by HTTPS security to mitigate sniffing and other nefarious activities.

DC++

As of now, DC++ is being run in an open mode, which means it does not need any form of registration. We personally log very little data (mostly chat) on the DC network. In truth, the actual downloads themselves are P2P (Peer To Peer) and are not trackable. Tracking a user download, while theoretically possible, would a) require huge resources, and b) be caught immediately as a fake peer.

Web Monitoring

As of now, the browsing activities on campus are not monitored by ISC. They can do it in future but don’t do it as of now. Even if they did, it won’t be accessible to students or student groups in any case and will be done just for the sake of security. Currently if someone hacks a government website from inside the institute, the institute has no reliable way to identify the hacker.

In conclusion, this article misrepresents the truth, tries to build fear in the minds of its readers, and builds upon few facts to depict an environment that is completely removed from reality. However, when the article says “Rest assured, everything can be hacked”, we tend to agree with them. As a result, we are now coming up with our “Security Disclosure Policy”, which we hope will help us in the long run. If you like working in security, or want to learn about ethical hacking, feel free to try to hack us. As long as you follow our disclosure policy, that is. And, if anyone else has similar doubts regarding the data we have and how we secure it, you are free to approach us via mail or personally and we will surely sort them out.

– Abhay Rana