by tchalla 2840 days ago
> I expected better discussion on HN (apart from sensationalist articles)

There are three people across three different parts of the world who corroborate the report: the CTO of a global technology group, a security-based analyst and a professor of Computer Science. I wonder how this is "sensationalist".

> "Having looked at the patch code and the report presented by Anand, I feel pretty comfortable saying that the report is correct, and it could allow someone to circumvent security measures in the Aadhaar software, and create new entries. This is pretty feasible, and looks like something that would be possible to engineer," Wallach said.

3 comments

> There are three people across three different parts of the world who corroborate the report - CTO of a global technology group, a security based analyst and a professor of Computer Science. I wonder how this is "sensationalist".

OP is not negating the problem. However, the title implies that the existing database has been breached, which is not true. The author could have given a better title, one implying that ghost entries could be added and that existing data has not been compromised.

The whole point of the system is to give a single confirmed Identity for citizens of India.

At this point the purpose of the exercise has been voided.

Saying that "the data has not been compromised" is a red herring; that's the case for when our biometrics are lost and our privacy breached, which is a whole different issue with this database, one among many of its other problems.

At this point, if the data is crud, what's the point of using this system?

Actually, having an Aadhar number does not imply that the person is a citizen; this is one of the statements present in the application form itself. So, it is possible for non-citizens to have an Aadhar number.

So Aadhar is meant for the whole world, including our neighbouring citizens (and intelligence agencies) of Pakistan and China? Thank you for educating me, I didn't know that. It's truly wonderful and neighbourly that they get the convenience of self-registration without providing proof and customizing their biometrics during upload. Only Indian citizens should be held to a higher standard.
I am not questioning the authenticity of the report; that is for UIDAI to do.

I am questioning the choice of title. Of late, I am seeing too many articles about Aadhar breaches, and when I study them in detail, it's mostly related to social engineering/phishing attacks stealing OTPs, enrolling unsuspecting customers, etc.

I am worried that when an actual breach happens, people probably won't care. (Crying wolf?)

> There are three people across three different parts of the world who corroborate the report - CTO of a global technology group, a security based analyst and a professor of Computer Science. I wonder how this is "sensationalist".

Put the patch out in the public domain, or at least provide some technical information on the vulnerability itself (by making the said report public).

Every time a story of this sort comes out, it inevitably ends in a lot of hand-waving and sensationalism: how a reporter got access to a secret WhatsApp group that sells a patch in exchange for 2500 rupees, and it allows access to the UIDAI system.

What makes it worse is that we are supposed to just accept whatever this CTO and his two other researcher friends have to say, without any way to validate it ourselves. I don't see this happening with any other vulnerability disclosure: be it Spectre, Meltdown or a plethora of other exploits, which have detailed explanations of the exploit itself. Considering that it affects a billion plus people, and that the article claims Aadhaar is "compromised" and "cannot be fixed without requiring a fundamental change in the system", there is no reason now to hold back on technical details.

"This is pretty feasible, and looks like something that would be possible to engineer"

On the one hand you say the patch, which can be bought for 2500 rupees, already does this, and at the same time you use words like "possible to engineer" and "feel pretty comfortable". Since when have feelings and possibilities gotten more prominence than technical explanations?

I'm not saying that the system is foolproof. On the other hand, I am waiting for that one article that goes into the technical details of the exploit rather than just sensationalism.

There's a professor in there too who verified it. Putting the patch out is going to see reporters being jailed and the story being buried. Especially when, with the patch, we will see 4chan-like flaming and the database being filled up with bogus entries from all around the world.