I could send any text message from Indian government IDs

kmskrishna.me

136 points by winchester6788 5 years ago · 45 comments

bellyfullofbac 5 years ago

I like that in the middle of that, a wild "block-chain" appeared. Congrats to whichever consulting company managed to sell that bullshit to the government.

the-dude 5 years ago

I think the author went way over the line here and should probably retract ASAP for his own well being.

  • pfortuny 5 years ago

    You are totally right. Hope he gets this thread and removes that page for ever (at least the details), he runs a serious risk.

megous 5 years ago

> You would likely believe it, given the sender ID, wouldn’t you?

No. I absolutely don't believe anyone unknown calling me, no matter who he claims to be, or what the CLIP says, unless I can call back to a public number of the institution he claims to represent. CLIP just isn't secure.

I choose to risk believing for non-essential things, because security is just not convenient. But banks, government, anything where there's well reported fraud going on regularly,... no way.

Calling back is also good, because outgoing calls are automatically recorded by my operator and sent to my email, so if I'm to enter into any agreement, it's better to do it on an outgoing call.

  • eta-meson 5 years ago

    I absolutely agree with you. I would also do the same. Here I think the author meant not-so-tech-savvy normal people.

woliveirajr 5 years ago

> Essentially, anyone can’t send arbitrary messages using the above-mentioned loophole anymore. TRAI’s new system fixed that loophole.
>
> One can still send any message that fits in the template. But this largely restricts the possibilities of scams and misuse.

Seems to be fixed and that it was fixed during the time he did _nothing_ and just waited. Perhaps there was a responsible disclosure but he didn't say how he did it.

fareesh 5 years ago

Brave post - the government has jailed people for far less

  • tinus_hn 5 years ago

    Brave? Or dumb? Using someone else’s credentials is against the law in most jurisdictions.

    • ceejayoz 5 years ago

      Intent tends to matter.

      I once reported an exposed AWS access key (someone posted it to StackOverflow) to AWS support and they weren't quite sure what to do with it; gave me instructions on how to disable it in the Console, but it wasn't mine.

      I gave up after a couple rounds and just committed it to Github; their credential monitoring bot disabled it within seconds.

yeshok 5 years ago

It appears that he got the credentials from github, and this was critical for his exploit to work.

  • Aeolun 5 years ago

    If he could find 30+ instances before he just gave up I’m not sure if we can count that as a significant barrier.

  • jeswin 5 years ago

    And I hope he disclosed it responsibly.

    • anthropodie 5 years ago

      I don't think he disclosed this. There's no mention of it in the post.

      • ummonk 5 years ago

        The fact that he sat on it for months before going back and trying suggests that he didn't disclose the GitHub leaks to the government.

mschuster91 5 years ago

The Indian Government should have asked Github for their "Secret Scanning" service (https://docs.github.com/en/code-security/secret-security/abo...).

That would have prevented the author just randomly stumbling on the credentials.

garaetjjte 5 years ago

> These Sender IDs are reserved by companies and government organisations. Receiving a message from these Sender IDs is meant to be authentic.

No, it's not. Caller ID is not authenticated and shouldn't be depended on for anything sensitive.

jaytaylor 5 years ago

Archive link, in case there is a takedown: https://archive.is/iKzjh

swiley 5 years ago

Shared secret authentication is pretty much always a bad idea. I'm continually shocked people still use it.

privacyking 5 years ago

You don't need to hack their website to do this. SMS spoofing has been possible for decades and still is.

  • zenexer 5 years ago

    SMS works a little differently in India; it’s more difficult to spoof the IDs the author is discussing.

belatw 5 years ago

He should use this to tell everybody in India to stay home, wear masks and stop going to mass worship ceremonies that are causing this devastating covid spike.

  • BiteCode_dev 5 years ago

    See also: mega churches in the US.

    • tzs 5 years ago

      Do people come from all over to attend megachurches?

      There are a bit over 1000 megachurches in the US. Around 50 have regular attendance over 10k, with the largest one averaging around 47k. (There are also 3000 Catholic parishes that have over 2k attendance to Sunday mass which would count as megachurches if the term didn't specifically only apply to Protestant churches).

      The impression I've generally gotten is that most people attending a megachurch are from the general area that church is in. Close enough to drive to it every week. And that those who do travel a great distance to visit one do it independently and irregularly.

      Compare to Kumbh Mela in India. That's held every 12 years and lasts about a month. Attendees travel from all over India to be there, with attendance of over 100 million over the month, and up to 40 million on the busiest day.

      That should be a much more effective COVID spreader than all the US megachurches (and large Catholic parishes) combined, because so many people travel from all over the country to attend.

    • belatw 5 years ago

      Sure, but I’m not sure Indian government officials spamming evangelical Christians will have much effect? Can this system even mass spam non-Indian cell subscribers?

    • Cthulhu_ 5 years ago

      See also: street parties in NL.

2Gkashmiri 5 years ago

Meh. I tried to use it, I got the credentials alright but seems my POST skills with jsfiddle are ancient now, couldn't get it up and running.
