Your Privacy is an Illusion

What would you do if your laundry-shop published your laundry bills online, along with your name, address and phone number, for the whole world to see?

 

A couple of months ago, while trying to understand Pakistan’s perpetual energy crisis situation, I entered the LESCO website hosted at http://www.lesco.info/. As soon as I clicked the Customer Service link, I was teleported to a consumer privacy and security hell. I closed my browser after going through a few pages, hoping that the website would disappear like a bad dream, and tried to forget about it. Two months later, the website is still online, so I think LESCO doesn’t have any plans to take it offline. Meanwhile, I have gone through the five stages of grief, laced with a few non-standard stages like ‘hilarity’ and ‘helplessness’ that Kubler-Ross probably hadn’t thought of, so now I can write about this joke without affecting my blood-pressure and general sanity.

When you enter the website, you are rewarded with a pre-filled login form. You heard me right – the form is pre-filled with the username “Guest” and password “*******” (hehe) for your convenience. The links at the top are pointing to a certain firm called Clicksoft and are broken, but you can still visit the Clicksoft website to hear their amusing pitch:

ClickSoft is a groundbreaking software development organization providing high-end technical solutions. Our customers benefit from our vast experience of Enterprise Resource Planning (ERP) software solutions for demanding mission critical environments in, retail and wholesale, manufacturing, financial services.

I will not pass any judgement on their claims, but I do wish that their prospective clients do a little research on them before handing them any business.

 

After you “log on” to the LESCO /mc/ website homepage as a “Guest”, you are handed a search form, but not just any form – this one has the special power of letting you search the complete LESCO database! You can search by any field, including customer name, their address and even their neighbor’s bill. By the way, from the search forms, it looks like many people are born with “through”, “Col” and “Officer” in their names.

I am a big proponent of transparency, but LESCO has taken it a bit too far! You can search in Applications and you can search for Consumers and even browse various LESCO locations. The real gem, though, is the Feedback Form. It allows you to “Change Password”! Yes, the same password that was embedded in the login page (*******)… A classic case of WTF!

If you think it ends here, you are wrong; LESCO has one more surprise for you. Visit the Reports section and you will come across URL masterpieces like:

http://www.lesco.info/mc/default.php?action=35&where=%20where%20c.app_date%3C='2008-05-06'%20%20and%20substring(c.loc_code,2,1)='2'&circle=&desc=Demand%20Note%20Paid

All ten-year-old script kiddies and their pet parrots know the kind of malicious things that are possible with a little bit of SQL Injection, so I will not spell them out here, but apparently, the “Regional Training Centre LESCO”, who own the website, are still trying to figure out how to create websites. With employees like these, who needs corporate saboteurs?
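The report URL above carries a raw SQL WHERE clause in its `where` parameter. As an added example (not code from the LESCO site or from this post), here is that pattern beside a hardened form in Python with sqlite3; the table name `applications`, the function names and the sample rows are assumptions, while `app_date` and `loc_code` come from the URL.

```python
import sqlite3
from datetime import date

def make_demo_db():
    """Constructed sample data; the table name and rows are hypothetical."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE applications (app_no INTEGER, app_date TEXT, loc_code TEXT)"
    )
    conn.executemany(
        "INSERT INTO applications VALUES (?, ?, ?)",
        [
            (1, "2008-04-30", "1210"),
            (2, "2008-05-06", "1250"),
            (3, "2008-05-07", "1230"),  # after the cut-off date
            (4, "2008-05-01", "1310"),  # second digit of loc_code is 3
        ],
    )
    return conn

def report_unsafe(conn, where):
    # Pattern suggested by the URL: the client sends the WHERE clause itself,
    # so the client, not the server, decides which rows come back.
    sql = "SELECT c.app_no FROM applications c" + where + " ORDER BY c.app_no"
    return [row[0] for row in conn.execute(sql)]

def report_safe(conn, max_app_date, circle_digit):
    # Accept typed values only: an ISO date and one ASCII digit.
    cutoff = date.fromisoformat(max_app_date)  # ValueError on anything else
    if not (len(circle_digit) == 1 and circle_digit in "0123456789"):
        raise ValueError("circle_digit must be a single digit")
    # The SQL text is fixed on the server; the values travel as bound parameters.
    sql = (
        "SELECT c.app_no FROM applications c "
        "WHERE c.app_date <= ? AND substr(c.loc_code, 2, 1) = ? "
        "ORDER BY c.app_no"
    )
    params = (cutoff.isoformat(), circle_digit)
    return [row[0] for row in conn.execute(sql, params)]

if __name__ == "__main__":
    db = make_demo_db()
    print(report_safe(db, "2008-05-06", "2"))
    print(report_unsafe(db, ""))  # filter omitted by the client: every row
```

The hardened endpoint would take `app_date` and a circle digit as separate URL parameters and never a `where` parameter at all.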

So, coming back to the original question (“What would you do if your laundry-shop published your laundry bill, along with your name, address and phone number online, for the whole world to see?”), if your answer is “Nothing.”, I will understand. The rising oil and food prices have probably pushed things like data privacy towards the bottom of the list of things to worry about. Consider yourself lucky though, if a telemarketer discovers this treasure trove and a vacuum cleaner salesman comes a-knocking at your door two days after you apply for an electricity connection. It would certainly be better than having your identity stolen, and a lot more entertaining if you are like me.

I did some research on consumer privacy and identity protection in Pakistan to see where the consumers (that’s you and me) stand, and discovered that Pakistan is yet to have a consumer rights protection law. Besides Babar Bhatti of telecompk, who writes about the topic frequently, and Dr. Awab, who urged me to write this post, I did not find any Pakistani bloggers who have shown serious concern about consumer data privacy in Pakistan on their blogs (though my Google search session was brief). I did stumble upon websites for entities like Consumer Rights Commission of Pakistan and The Network, but have yet to read what they are all about.

On the bright side, incidents like this make one think that perhaps the lack of ecommerce in Pakistan is actually a blessing in disguise. What do you think?

PS. For those too busy to visit the actual website, I’ll try to upload some screenshots soon.

PPS. No bytes were harmed or abused in the writing of this post.

Arthur C. Clarke, Pakistan, Terror and Science Fiction

I started reading Arthur C. Clarke's novel Time's Eye the day before he died. The novel is set in the NWFP, and it is a world where Lahore has been blown up by a nuclear bomb (ouch!). Here's a page from the novel's beginning that reminded me of the recent US missile strikes inside Pakistan:

He had been just four when he had first encountered the helicopters of the west. They had come at night, a pack of them. They flew very low over your head, black on black, like angry black crows. Their noise hammered at your ears while their wind plucked at you and tore at your clothing. Market stalls were blown over, cattle and goats were terrified, and tin roofs were torn right off the houses. Moallim heard, though he did not see it for himself, that one woman’s infant was torn right out of her arms and sent whirling up into the air, never to come down again.

And then the shooting had started.

Later, more choppers had come, dropping leaflets that explained the “purpose” of the raid: there had been an increase in arms smuggling in the area, there was some suspicion of uranium shipments passing through the village, and so on. The “necessary” strike had been “surgical,” applying “minimum force.” The leaflets had been torn up and used to wipe asses. Everybody hated the helicopters, for their remoteness and arrogance. At four, Moallim did not have a word to describe how he felt.

And still the choppers came. The latest UN helicopters were supposed to be here to enforce peace, but everybody knew that this was somebody else’s peace, and these “surveillance” ships carried plenty of weaponry.

These problems had a single solution, so Moallim had been taught.

The elders had trained Moallim to handle the rocket-propelled grenade launcher. It was always hard to hit a moving target. So the detonators had been replaced with timing devices, so that they would explode in midair. As long as you fired close enough, you didn’t even need a hit to bring down an aircraft-especially a chopper, and especially if you aimed for the tail rotor, which was its most vulnerable element.

Time's Eye – Clarke & Baxter

Science fiction is not always fiction.

A Quote from 100 Years Ago

“…The days when the People could make revolutions are past.”

“I suppose they are,” said Graham. “I suppose they are.” He mused. “This world of yours has been full of surprises to me. In the old days we dreamt of a wonderful democratic life, of a time when all men would be equal and happy.”

Ostrog looked at him steadfastly. “The day of democracy is past,” he said. “Past for ever. That day began with the bowmen of Crecy, it ended when marching infantry, when common men in masses ceased to win the battles of the world, when costly cannon, great ironclads, and strategic railways became the means of power. To-day is the day of wealth. Wealth now is power as it never was power before — it commands earth and sea and sky. All power is for those who can handle wealth…. You must accept facts, and these are facts. The world for the Crowd! The Crowd as Ruler! Even in your days that creed had been tried and condemned. To-day it has only one believer — a multiplex, silly one — the man in the Crowd.”

Graham did not answer immediately. He stood lost in sombre preoccupations.

“No,” said Ostrog. “The day of the common man is past. On the open countryside one man is as good as another, or nearly as good. The earlier aristocracy had a precarious tenure of strength and audacity. They were tempered — tempered. There were insurrections, duels, riots. The first real aristocracy, the first permanent aristocracy, came in with castles and armour, and vanished before the musket and bow. But this is the second aristocracy. The real one. Those days of gunpowder and democracy were only an eddy in the stream. The common man now is a helpless unit. In these days we have this great machine of the city, and an organisation complex beyond his understanding.”

The Sleeper Awakes – H. G. Wells (1910)

Arthur C. Clarke Died Today

Yesterday, I started reading 'Time's Eye' – the first book of the 'A Time Odyssey' series written by Arthur C. Clarke and Stephen Baxter. I went to sleep after reading 22 Chapters, woke up, checked my emails and RSS feeds, and found out that Arthur C. Clarke passed away some time today at his home in Sri Lanka.

Arthur C. Clarke was one of the greatest scifi writers ever; his writing was an inspiration to millions. Besides his Odyssey, I read a lot of his short stories in the 80s. His three laws of prediction are almost as famous as Asimov's three laws of robotics, and the 3rd law is probably quoted the most:

  1. When a distinguished but elderly scientist states that something is possible, he is almost certainly right. When he states that something is impossible, he is very probably wrong.
  2. The only way of discovering the limits of the possible is to venture a little way past them into the impossible.
  3. Any sufficiently advanced technology is indistinguishable from magic.

I think I am jinxed, and should stop reading series that are not finished yet. But for now, I must move on to chapter 23 of Time's Eye.

Ender’s Game to be a … Game

'Ender's Game' is going to become a video game soon. It is probably one of the best sci-fi novels/short story of the last century, and like 'Lord of the Rings', it is bound (no pun intended) to be discovered and re-discovered by each new generation. If you haven't read it, you should download buy a copy and add it to the top of your reading queue (you do have a queue, right?). Here's the news on the Orson Scott Card official website. The game is going to be based around the "war-room" from the novel, so it's probably going to be a lot like a free-form Quake III Arena CTF in zero g. Sounds fun.