The Centre for Internet and Society
http://editors.cis-india.org
Indic Wikisource Community Consultation 2018
http://editors.cis-india.org/indic-wikisource-community-consultation-2018
<b>A group of Indian Wikisource leaders from 12 different language communities gathered in Kolkata to attend the Indic Wikisource Community Consultation 2018</b>
<p>Indic language computing waited a long time for usable <a href="https://en.wikipedia.org/wiki/Optical_character_recognition">Optical Character Recognition (OCR)</a>. No OCR of comparable quality was available for Indic languages before 2015. Most of the Indic Wikisource subdomains were created between 2007 and 2011, but in the absence of OCR the Indic Wikisource communities either typed whole books by hand or imported Unicode text from other, unreliable sources. The release of Google Drive OCR in 2015 freed the Indic communities from the typing era.</p>
<p>Later, <a href="https://github.com/tshrinivasan">Shrinivasan T</a> developed the <a href="https://github.com/tshrinivasan/OCR4wikisource">OCR4wikisource</a> script, which drives Google Drive OCR as a bot. Since OCR became available there has been a lot of progress on Indic Wikisource, but we realised that there should be a common platform where we can share our knowledge. After a month of planning we organised the <a href="https://meta.wikimedia.org/wiki/Indic_Wikisource_Community_Consultation_2018">Indic Wikisource Community Consultation 2018</a> in Kolkata. This was the first such consultation at this scale, convened by the CIS-A2K team.</p>
<p>The meeting had representation from the Assamese, Bangla, English, Gujarati, Hindi, Kannada, Malayalam, Marathi, Odia, Punjabi, Telugu and Sanskrit language Wikisource communities: <a title="User:Ananth subray" href="https://meta.wikimedia.org/wiki/User:Ananth_subray">Ananth Subray</a> (Kannada), <a title="User:Bodhisattwa" href="https://meta.wikimedia.org/wiki/User:Bodhisattwa">Bodhisattwa</a> (Bengali), <a title="User:Hrishikes (page does not exist)" href="https://meta.wikimedia.org/w/index.php?title=User:Hrishikes&action=edit&redlink=1">Hrishikes</a> Sen (English), <a title="User:Gurlal Maan" href="https://meta.wikimedia.org/wiki/User:Gurlal_Maan">Gurlal Maan</a> (Punjabi), <a title="User:Gitartha.bordoloi" href="https://meta.wikimedia.org/wiki/User:Gitartha.bordoloi">Gitartha Bordoloi</a> (Assamese), <a title="User:Pooja Jadhav" href="https://meta.wikimedia.org/wiki/User:Pooja_Jadhav">Pooja Jadhav</a> (Marathi), <a title="User:Pmsarangi" href="https://meta.wikimedia.org/wiki/User:Pmsarangi">Pankajmala Sarangi</a> (Oriya), <a title="User:Shubha" href="https://meta.wikimedia.org/wiki/User:Shubha">Shubha</a> (Sanskrit), <a title="User:Sushant savla" href="https://meta.wikimedia.org/wiki/User:Sushant_savla">Sushant Savla</a> (Gujarati), <a title="User:Ranjithsiji" href="https://meta.wikimedia.org/wiki/User:Ranjithsiji">Ranjith siji</a> (Malayalam), <a title="User:अजीत कुमार तिवारी (page does not exist)" href="https://meta.wikimedia.org/w/index.php?title=User:%E0%A4%85%E0%A4%9C%E0%A5%80%E0%A4%A4_%E0%A4%95%E0%A5%81%E0%A4%AE%E0%A4%BE%E0%A4%B0_%E0%A4%A4%E0%A4%BF%E0%A4%B5%E0%A4%BE%E0%A4%B0%E0%A5%80&action=edit&redlink=1">Ajit Kumar Tiwari</a> (Hindi), <a title="User:Ramesam54 (page does not exist)" href="https://meta.wikimedia.org/w/index.php?title=User:Ramesam54&action=edit&redlink=1">Ramesam54</a> (Telugu), <a title="User:Jayprakash12345" href="https://meta.wikimedia.org/wiki/User:Jayprakash12345">Jayprakash</a> (Indic Tech team) and <a title="User:Chinmayee Mishra" href="https://meta.wikimedia.org/wiki/User:Chinmayee_Mishra">Chinmayee Mishra</a> (Oriya), as well as Tito Dutta, Tanveer Hasan, Subodh Kulkarni and Jayanta Nath, four members of the <a href="https://meta.wikimedia.org/wiki/India_Access_To_Knowledge">Access to Knowledge Programme</a> of the <a href="https://en.wikipedia.org/wiki/Centre_for_Internet_and_Society_%28India%29">Centre for Internet and Society</a> (CIS-A2K).</p>
<p>The <a href="https://meta.wikimedia.org/wiki/Indic_Wikisource_Community_Consultation_2018#Objectives">objectives</a> of the consultation were:</p>
<ol><li>Share views and preferences on the most effective ways to pursue our shared vision of creating and sharing free knowledge in India and in the Indian languages (including English) around the world through the Indic Wikisource Project.</li><li>Attempt to come to an agreement on a roadmap for a future where our resources are better utilized, our volunteers are better served, and progress on our mission is more steadily attained.</li></ol>
<p>We started our discussion on day zero with the main aims of the consultation and what each participant wanted from the programme. The discussion started at 6 PM and ended at 10 PM. Afterwards we summarised the points and set up the two-day agenda, which came from the participants themselves. The CIS-A2K team arranged travel and accommodation for all participants, including the overnight stays from day zero through day two, to ensure that the programme started on time each day.</p>
<p>Day one started with an introduction to Wikisource by me, covering the Wikisource workflow: adding text, finding the source, basic copyright checking, creating Index pages, OCRing the pages, proofreading, layout and typography, validation, transclusion and the finishing touches. Later, <a title="User:Hrishikes (page does not exist)" href="https://meta.wikimedia.org/w/index.php?title=User:Hrishikes&action=edit&redlink=1">Hrishikes</a> Sen demonstrated each segment in detail. <a title="User:Bodhisattwa" href="https://meta.wikimedia.org/wiki/User:Bodhisattwa">Bodhisattwa</a> (Bengali) demonstrated Wikisource tools such as IA-Upload, Vicuna Uploader, URL2Commons and the Fill Index gadget, and all participants tried them hands-on. Bodhisattwa also showed the <a class="external-link" href="https://commons.wikimedia.org/wiki/File:%E0%A6%A6%E0%A7%81%E0%A6%A8%E0%A6%BF%E0%A6%AF%E0%A6%BC%E0%A6%BE_%E0%A6%AF%E0%A6%96%E0%A6%A8_%E0%A6%A6%E0%A7%8B%E0%A6%B0%E0%A6%97%E0%A7%8B%E0%A6%A1%E0%A6%BC%E0%A6%BE%E0%A6%AF%E0%A6%BC.webm">Bengali Wikisource promotional video</a>.</p>
<p>Day two started with a Google Drive OCR solution that works without a bot, developed by <a title="User:Jayprakash12345" href="https://meta.wikimedia.org/wiki/User:Jayprakash12345">Jayprakash</a> (Indic Tech team). It was followed by the OTRS process by Jayanta Nath, the Wikisource roadmap by Tanveer Hasan, institutional partnerships by Subodh Kulkarni and transclusion in Wikisource by Sushant Savla. The biggest achievement of the meeting came on the second day, when <a title="User:Jayprakash12345" href="https://meta.wikimedia.org/wiki/User:Jayprakash12345">Jayprakash</a> and I led the task of clearing the <a href="https://meta.wikimedia.org/wiki/Indic-TechCom/Requests/IWCC2018">Wikisource technical backlog</a>.</p>
<p>Further ideas came up in Tanveer's session, including awareness, outreach, follow-ups and evaluation. A report about this meeting was published in <a href="https://www.cis-india.org/indic-wikisource-community-consultation-2018-report-at-asomiya-pratidin-epaper-highest-circulated-assamese-daily">Asomiya Pratidin</a>. Some feedback from the participants can be found <a class="external-link" href="https://meta.wikimedia.org/wiki/Talk:Indic_Wikisource_Community_Consultation_2018">here</a>.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/indic-wikisource-community-consultation-2018'>http://editors.cis-india.org/indic-wikisource-community-consultation-2018</a>
</p>
Author: jayanta. Published: 2018-12-08. Type: Blog Entry. Tags: CIS-A2K, Odia Wikisource, Access to Knowledge, Commons, Indic Wikisource, Automation, Workshop, archives, Wikisource, Kannada Wikisource, Indic Scripts, Mobile Apps, Marathi Wikisource.

Developer team fixed vulnerabilities in Honorable PM's app and API
http://editors.cis-india.org/internet-governance/blog/major-security-flaw-namo-app
<b>The official app of Narendra Modi, the Indian Prime Minister, was found to contain a security flaw in 2015 that exposed millions of people's personal data. A few days ago a very similar flaw was reported again. This post by Bhavyanshu Parasher, who found the flaw and sought to get it fixed last year, explains the technical details behind the security vulnerability.</b>
<p><strong>This blog post has been authored by Bhavyanshu Parasher</strong>. The original post can be <a class="external-link" href="https://bhavyanshu.me/major-security-flaw-pm-app/09/29/2015">read here</a>.</p>
<hr />
<h2 style="text-align: justify; ">What were the issues?</h2>
<p style="text-align: justify; "><span>The main issue was how the app was communicating with the API served by narendramodi.in.</span></p>
<ol style="text-align: justify; ">
<li>I was able to extract private data, such as email addresses, of every registered user just by iterating over user IDs.</li>
<li>There was no authentication check on the API endpoints. For example, I was able to comment as any user just by hand-crafting the requests.</li>
<li>The API was still being served over HTTP instead of HTTPS.</li>
</ol>
<h3 style="text-align: justify; ">Fixed</h3>
<ol style="text-align: justify; ">
<li>The most important issue of all, unauthorized access to personal information such as email addresses, is fixed. I have tested it and can confirm it.</li>
<li>A check that a valid user is making the request to the API endpoint has been added. I have tested it and can confirm it.</li>
<li>HTTP is blocked; every response is served over HTTPS. People on older versions of the app (which talked to the API over HTTP) now get a message about this. I have tested it: it says something like “Please update to the latest version of the Narendra Modi App to use this feature and access the latest news and exciting new features”. It is good that they have figured out a way to deal with people running older versions of the app; at least now they will update it.</li>
</ol>
<h2 style="text-align: justify; ">Detailed Vulnerability Disclosure</h2>
<p style="text-align: justify; ">I found a major security loophole in how the app accesses the “api.narendramodi.in/api/” API. At the time of disclosure, the API was being served over HTTP as well as HTTPS. People still using the older version of the app were accessing the endpoints over HTTP. This was an issue because data (passwords, email addresses) was being transmitted in plain text. In simple terms, your login credentials could easily be intercepted: a MITM attacker could trivially capture passwords and email addresses. Also, if your ISP keeps logs of traffic, which it probably does, then it might already have your email address, password and so on in plain text. So if you were using this app, <strong>I would suggest you change your password immediately</strong>. The possibility that it has been compromised cannot be ruled out.</p>
<p style="text-align: justify; ">Another major problem was that the token needed to access the API gave the developers a false sense of security. The access token could easily be extracted, and anyone could send hand-crafted HTTP requests to the server and get a valid JSON response without the server ever authenticating the user making the request. This included accessing user data (primarily email addresses, and the Facebook profile pictures of users who registered via Facebook) for any user, and posting comments as any registered user of the app. There was no authentication check on the API endpoint. Let me explain with a demo.</p>
<p style="text-align: justify; ">The API endpoint to fetch user profile information (email address) was getprofile. Before the vulnerability was fixed, the endpoint was accessible via “http://www.narendramodi.in/api/getprofile?userid=useridvalue&token=sometokenvalue”. As you can see, it required only two parameters: userid, which could easily be iterated starting from 1, and token, which was a fixed value shared by every copy of the app. Nothing at the API access layer checked that the caller was logged in, let alone that the caller was entitled to that particular user's record. Hand-crafting such requests returned a valid JSON response that exposed critical data such as the email address of each and every user. I quickly wrote a very simple script to fetch some data as a demonstration. Here is the sample output for xrange(1,10).</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/App.png/@@images/7bec3ca6-0808-4d19-9711-bc084b507f61.png" alt="App" class="image-inline" title="App" /></p>
<p style="text-align: justify; ">Not just email addresses: using the same method you could spam any article while pretending to be any user of the app. There was no authentication check on who was making which request to the API. See:</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/copy_of_App.png/@@images/2e499adb-b621-4bc4-a490-f8957c9ac1d7.png" alt="App" class="image-inline" title="App" /></p>
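<p style="text-align: justify; ">To make the two designs concrete, here is an added example written for this page. It is not the post author's script and not the NaMo app's actual code; every name, the token format, the server key and the sample users are assumptions for illustration. The vulnerable half models what the post describes: one app-wide token baked into every client, a caller-supplied <code>userid</code>, and no binding between the request and a logged-in account, which is exactly why iterating <code>userid</code> from 1 works. The hardened half issues per-user HMAC-signed session tokens at login, makes every endpoint act on the identity inside the token rather than on whatever <code>userid</code> or author the client sends, returns email addresses only to their owner, and turns away old clients that still present the shared token with an “update the app” error, the same shape of response the post says the developers ended up shipping.</p>

```python
"""Added example (not from the original post or the app): a toy model of an
API with one shared app token versus one with per-user session tokens."""
import hashlib
import hmac
import secrets
import time

# Constructed sample data for the demo; not real users.
USERS = {
    1: {"email": "first@example.com", "name": "First User"},
    2: {"email": "second@example.com", "name": "Second User"},
    3: {"email": "third@example.com", "name": "Third User"},
}
COMMENTS = []  # (article_id, author_userid, text)

# ---- Vulnerable design: one fixed token shipped inside every copy of the app ----
APP_TOKEN = "sometokenvalue"  # hypothetical value; anyone with the APK has it


def vulnerable_getprofile(userid, token):
    """The only check is knowledge of the shared token. Nothing ties the
    request to the account whose record is returned (an IDOR)."""
    if token != APP_TOKEN:
        return {"error": "invalid token"}
    user = USERS.get(userid)
    if user is None:
        return {"error": "no such user"}
    return dict(user, userid=userid)  # full record, email included, for anyone


def vulnerable_postcomment(userid, article_id, text, token):
    """Author of the comment is whatever the client claims."""
    if token != APP_TOKEN:
        return {"error": "invalid token"}
    COMMENTS.append((article_id, userid, text))
    return {"ok": True, "userid": userid}


def enumerate_profiles(max_userid):
    """What the post's script did: walk userid 1..N with the fixed token."""
    return [vulnerable_getprofile(u, APP_TOKEN) for u in range(1, max_userid + 1)]


# ---- Hardened design: per-user session tokens, identity comes from the token ----
SERVER_KEY = secrets.token_bytes(32)  # server-side secret, never sent to clients
TOKEN_TTL = 3600  # seconds a session token stays valid


def issue_session_token(userid, now=None):
    """Issued only after a successful login (password check elided here).
    Format: '<userid>.<expiry>.<hmac-sha256 hex>'."""
    ts = int(now if now is not None else time.time())
    payload = f"{userid}.{ts + TOKEN_TTL}"
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def authenticate(token, now=None):
    """Return the userid a valid, unexpired token was issued to, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None  # old clients sending the shared APP_TOKEN land here
    uid, exp, sig = parts
    expected = hmac.new(SERVER_KEY, f"{uid}.{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None  # forged or tampered token
    if int(exp) < int(now if now is not None else time.time()):
        return None  # expired
    return int(uid)


UPDATE_MSG = "Please update to the latest version of the app and log in again"


def hardened_getprofile(token, userid=None):
    """Full profile only for the token's own subject; public fields for others."""
    caller = authenticate(token)
    if caller is None:
        return {"error": UPDATE_MSG}
    target = caller if userid is None else userid
    user = USERS.get(target)
    if user is None:
        return {"error": "no such user"}
    if target == caller:
        return dict(user, userid=target)
    return {"userid": target, "name": user["name"]}  # no email for other users


def hardened_postcomment(token, article_id, text):
    """The author is the authenticated subject, never a field from the body."""
    caller = authenticate(token)
    if caller is None:
        return {"error": UPDATE_MSG}
    COMMENTS.append((article_id, caller, text))
    return {"ok": True, "userid": caller}


if __name__ == "__main__":
    print("vulnerable enumeration:", enumerate_profiles(3))
    tok = issue_session_token(1)
    print("own profile:", hardened_getprofile(tok))
    print("someone else's profile:", hardened_getprofile(tok, 2))
    print("old client:", hardened_getprofile(APP_TOKEN, 2))
```

<p style="text-align: justify; ">The point the example is meant to make is the one the post makes about the later patch: dropping the email field from the JSON is a band-aid, whereas deriving the acting user from a token the server itself signed removes the whole class of “act as anyone” requests, including the comment-spoofing case. The expiry and the constant-time comparison are the usual hygiene for such tokens; the key is kept server-side, which is exactly what the shared app token failed to do.</p>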
<p style="text-align: justify; ">They have fixed all these vulnerabilities. I still believe it would not have taken so long if I had been able to get in touch with the engineering team directly from the beginning. In future, I hope they set up an easier way to communicate. Such issues must be addressed as soon as they are found, but the communication gap cost us a lot of time. The team did a great job fixing the issues, and that is what matters.</p>
<hr style="text-align: justify; " />
<h2 style="text-align: justify; ">Disclosure to officials</h2>
<p style="text-align: justify; ">The email address listed on the Google Play store bounced with “The email account that you tried to reach is over quota”. I had to get in touch with the authorities via Twitter.</p>
<p style="text-align: justify; ">Vulnerability disclosed to the authorities on 30 September 2015 at around 5:30 AM.</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/Tweet1.png" alt="Tweet 1" class="image-inline" title="Tweet 1" /></p>
<p style="text-align: justify; ">About 30 hours after reporting the vulnerability:</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/Tweet2.png" alt="Tweet 2" class="image-inline" title="Tweet 2" /></p>
<h2 style="text-align: justify; ">Proposed Solution</h2>
<p style="text-align: justify; ">I also consulted <a href="https://twitter.com/pranesh_prakash">@pranesh_prakash</a> regarding the issue.</p>
<p style="text-align: justify; "><span><img src="http://editors.cis-india.org/home-images/Tweet3.png" alt="Tweet 3" class="image-inline" title="Tweet 3" /></span></p>
<p style="text-align: justify; ">After this, I mailed them a proposed solution for the issues.</p>
<hr style="text-align: justify; " />
<h2 style="text-align: justify; ">Discussion with developer</h2>
<p style="text-align: justify; ">I received a <strong>phone call</strong> from a developer, and we discussed possible ways to fix it.</p>
<p style="text-align: justify; "><strong>The solution that I proposed could not be implemented</strong>, since the vulnerability stems from a design flaw that should have been addressed right from the beginning, when they started developing the app. It showed how difficult it is to fix such issues in mobile apps. For web apps it is a lot easier, because a mobile app has to consider backward compatibility: if they had applied my proposed solution, the app would have broken for people running older versions. The main problem is that <strong>people don't upgrade to the latest version, leaving themselves vulnerable to security flaws</strong>. I think the approach I proposed is the better way of doing it, but, as the developer said, it would break the app for people using older versions. The developers have, however, come up with a solution that I think fixes most of the issues and can be considered an alternative.</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/Tweet4.png" alt="Tweet 4" class="image-inline" title="Tweet 4" /></p>
<p style="text-align: justify; ">On 3 October I received mail from one of the developers informing me that they had fixed it. I could not check at the time as I was busy, but I checked at around 5 PM. <strong>I can now confirm they have fixed all three issues</strong>.</p>
<hr style="text-align: justify; " />
<h2 style="text-align: justify; ">Update, 2 December 2016</h2>
<p style="text-align: justify; "><a class="external-link" href="http://www.dailyo.in/variety/narendra-modi-namo-app-hacker-security-concerns-javed-khatri-demonetisation-survey-bjp-voter-data/story/1/14347.html">This vulnerability</a> in the NM app is similar to the one I got fixed last year. As I said before, the vulnerability exists because of how the API has been designed. They released the same patch as last time, and removing email addresses from the JSON output is not really a patch. I wonder why they would put personal information back into the JSON output when they knew it was a privacy problem and I had reported it a year earlier. He showed how he was able to follow any user as any other user; similarly, I was able to comment on any post using the account of any user of the app. When I talked to the developer back then, he said it would be difficult to migrate users to a newer, secure version of the app, so they were releasing this patch for the meantime. It was more of a backward-compatibility issue caused by how the API was designed. The only real solution is to rewrite the API from scratch and add standard authentication to it. That should take care of most of the vulnerabilities.</p>
<p style="text-align: justify; ">Also read:</p>
<ul>
<li><a class="external-link" href="http://www.newindianexpress.com/nation/2016/dec/02/narendra-modi-app-hacked-by-youngster-points-out-risk-to-7-million-users-data-1544933--1.html">Narendra Modi app hacked by youngster, points out risk to 7 million users’ data</a> (New Indian Express; December 2, 2016)</li>
<li><a class="external-link" href="http://indiatoday.intoday.in/story/security-22-year-old-hacks-modi-app-private-data-7-million/1/825661.html">Security flaw: 22-year-old hacks Modi app and accesses private data of 7 million people</a> (India Today; December 2, 2016)</li>
<li><a class="external-link" href="http://thewire.in/84148/tech-security-namo-api/">The NaMo App Non-Hack is Small Fry – the Tech Security on Government Apps Is Worse</a> (The Wire; December 3, 2016)</li>
</ul>
Posted by: pranesh. Published: 2016-12-04. Type: Blog Entry. Tags: Privacy, Security, Internet Governance, Data Protection, Cyber Security, Hacking, Mobile Apps, Data Management.

Workshop on Innovation, Economic Development and IP in India and China
http://editors.cis-india.org/a2k/news/workshop-on-innovation-economic-development-and-ip-in-india-and-china
<b>Anubha Sinha and Rohini Lakshané presented at the SMU-JINDAL-RENMIN Workshop on “Innovation, Economic Development, and IP in India and China,” co-organised by the Singapore Management University, O.P. Jindal Global University, and Renmin University of China, in Delhi during September 27-28, 2016. Amitabh Kant, Chief Executive Officer, NITI Aayog, delivered the inaugural address at the workshop.</b>
<p>Workshop Brochure: <a href="http://editors.cis-india.org/a2k/blogs/invitation-workshop-innovation-economic-development-and-ip-in-india-and-china" class="internal-link">Download</a> (PDF)</p>
<hr />
<h4>Anubha Sinha - "Investigating Limits to Innovation and Peer Production in India's Mobile Apps Economy"</h4>
<p>Slides: <a href="http://editors.cis-india.org/a2k/blogs/investigating-limits-to-innovation-and-peer-production-in-indias-mobile-apps-economy" class="internal-link">Download</a> (PDF)</p>
<h4>Rohini Lakshané - "Exploring Open Hardware in Mass Produced Mobile Phones"</h4>
<p>Slides: <a href="http://editors.cis-india.org/a2k/blogs/exploring-open-hardware-in-mass-produced-mobile-phones" class="internal-link">Download</a> (PDF)</p>
Authors: Anubha Sinha and Rohini Lakshané. Published: 2016-10-09. Type: News Item. Tags: Peer Production, Access to Knowledge, Intellectual Property Rights, Open Hardware, Open Innovation, Mobile Apps, Patents.