Update: the leader of the "Sakura Samurai" appears to be 15 years old, which explains a lot.
For context, John's a vet who's employed in the field. And beyond that, he's published other sound security research in the past, e.g. https://johnjhacking.com/blog/cve-2020-28360/ (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2836..., which links https://github.com/frenchbread/private-ip)
As for the attribution chain to sakurasamurai.org, reference the following:
• twitter.com/johnjhacking refers users to
• twitter.com/sakurasamuraii, which links
• sakurasamurai.org in a pinned tweet.
Source: I know John personally.
>> Governments have an obligation to protect the private data of its employees and citizens. In addition, the exposure of proprietary government data can be used for great means of manipulation and for other destructive purposes. While the NCIIPC operates a Responsible Vulnerability Disclosure Program, the recklessness and avoidance of communication represents the complete opposite of a responsible program. <== from https://johnjhacking.com/blog/indian-government-breached-mas...
Enough has been said by people inside and outside of India about UIDAI / Aadhaar and its many horrible side-effects and the risks it creates. This situation was created years ago, after loud warnings from researchers and citizens who have meanwhile been silenced by the Modi government (who are the real culprits here).
India did this to its people years ago, therefore breaches here today are mere symptoms of incompetence (not the cause).
Aadhaar: 'Leak' in world's biggest database worries Indians https://www.bbc.com/news/world-asia-india-42575443
French Hacker transcends Aadhaar UIDAI helpline number to millions of Android phones in India https://www.cybersecurity-insiders.com/french-hacker-transce...
Do you expect them to tell everybody exactly which systems are vulnerable? What is it you're suggesting they do?
That was my read of the article.
Because this is an ad.
What does it explain? Anyone who is not familiar with the branches of the Indian government could have omitted specific details of which departments were hacked.
> Game List
>> GLOBAL THERMONUCLEAR WAR
Was it some government of Kerala service which was breached? Or is it one of several governments? Or was it only the central government with Malayalam as the language set for the interface?
If it was an Indian hacker, they would know that the language would be a big giveaway, so they would have obscured it. (India has about 15 official languages, and probably about 10 scripts, each with 10+ million users.) Overall, I cannot dismiss the feeling that it is some script kiddie who attacked some underfunded department, rather than some big deal.
But the newly registered domain is not a red flag per se. That's how experienced groups might also go about covering their tracks.
* twitter.com/johnjhacking refers users to
* twitter.com/sakurasamuraii, which links
It's not a random group trying to defame a government. It's a known security researcher with a sterling rep.
Nice try there bro. But unfortunately a newly added domain doesn't disprove anything mentioned in the article.
The key problem is that cyber in government is still very nascent, and security is an afterthought even in policy.
> While the NCIIPC operates a Responsible Vulnerability Disclosure Program, the recklessness and avoidance of communication represents the complete opposite of a responsible program. A failure to release notification of breach to affected citizens and to patch highly-critical vulnerabilities in a timely manner reflects poorly on the state of their Information Security posture. The clock to patch vulnerabilities began immediately when the DC3 contacted the NCIIPC via Twitter, as it is a highly visible space - one which threat actors avidly monitor.
Why did they publish anything about the vulnerabilities before they were absolutely sure all of those had been mitigated?
Because various entities tried to exploit that to defer any publication, which led to things never getting fixed.
An entity may not want to fix things, but at some point their users / constituents have a right to know so they can take their own protective measures.
> [...] so they can take their own protective measures.
Little can the ordinary citizen do whose data is at risk of exploitation. All responsibility lies on the government because the citizens do not have any other choice, as it seems to me. What protective measure can someone take who is vulnerable?
With a thorough reading of the article, it is clear that the hackers are aware of what they are doing:
> Once threat actors catch wind of major vulnerabilities against an organization they begin poking on their own, looking for more vectors of attack.
I'm not sure that helping individuals protect themselves is the main goal, though. It is important that entities respond to these issues in a reasonable timeframe, because if a small group of researchers, academics, or whatever can find a bug, then other nations' intelligence agencies or industrial espionage groups can as well.
Realistically, in the case of companies, the best an individual can do is not do business with them. In the case of government agencies in democratic countries, public pressure is probably the way to go.
Like deleting your sensitive documents that you have uploaded already. Removing contact information and other personal details.
In fact, there's more financial incentive to make things leaky, less work needs to be done to peek into your neighbor's yard, and the vast (vast, vast) majority of the people cannot give a damn about this.
Frankly, I'm surprised they replied with an acknowledgement and tried to fix some vulns.
Expect no more changes.
One crore is 10 million in the Indian numbering system, see https://en.wikipedia.org/wiki/Crore.
Tool I wrote to convert between Indian and American numbers.
65 crore = 650 million
Under scientific notation, you should strongly prefer to write 1e7. 10e6 is just begging for people to interpret it as 10⁶ rather than 10×10⁶ (10⁷).
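An added example (not the commenter's tool, which isn't linked here) that converts between the Indian lakh/crore units and Western grouping, and emits the normalised scientific notation argued for above; the unit table is constructed from the standard values.

```python
"""Indian (lakh/crore) <-> Western number handling. Added example, not the
original tool; unit multipliers are the standard, constructed values."""
import re
from decimal import Decimal

UNITS = {"thousand": 10**3, "lakh": 10**5, "crore": 10**7}
WESTERN = {"thousand": 10**3, "million": 10**6, "billion": 10**9}


def parse_amount(text: str) -> int:
    """Parse '65 crore', '1.5 lakh', '650 million' or '12,34,56,789' to an int."""
    text = text.strip().lower()
    m = re.fullmatch(r"([\d,]*\.?\d+)\s*([a-z]+)?", text)
    if not m:
        raise ValueError(f"unparseable amount: {text!r}")
    value = Decimal(m.group(1).replace(",", ""))
    unit = m.group(2)
    if unit:
        mult = UNITS.get(unit) or WESTERN.get(unit)
        if mult is None:
            raise ValueError(f"unknown unit: {unit!r}")
        value *= mult
    if value != value.to_integral_value():
        raise ValueError("amount does not resolve to a whole number")
    return int(value)


def indian_grouping(n: int) -> str:
    """650000000 -> '65,00,00,000': last three digits, then groups of two."""
    s = str(abs(n))
    if len(s) <= 3:
        return ("-" if n < 0 else "") + s
    head, tail = s[:-3], s[-3:]
    pairs = []
    while head:
        pairs.insert(0, head[-2:])
        head = head[:-2]
    return ("-" if n < 0 else "") + ",".join(pairs + [tail])


def western_grouping(n: int) -> str:
    return f"{n:,}"


def to_crore(n: int) -> Decimal:
    return Decimal(n) / UNITS["crore"]


def normalised_sci(n: int) -> str:
    """'6.5e8' rather than the ambiguous '65e7': coefficient lies in [1, 10)."""
    exp = len(str(abs(n))) - 1 if n else 0
    coeff = Decimal(n).scaleb(-exp).normalize()
    return f"{coeff}e{exp}"
```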
Here’s a photo with the calculator I used in middle school, showing exactly the specified number:
https://en.wikipedia.org/wiki/Scientific_notation#Normalized... agrees with my memory that in normalised form the coefficient should be at least one and less than ten.
Then for actual interaction purposes, to rely on biological verification? e.g. widespread retina and fingerprint scanning.
As a side effect this would somewhat limit tax evasion - if all tax returns and income were public, as in countries like Norway.
This previous HN discussion about a "Falsehoods programmers believe about Biometrics" article might be relevant. Careful, here be dragons; edge cases still abound for the unwary implementer.
What is wrong with them?
But it's the fault of the Indian Government too. They hire programmers who are less competent to save budget on salaries. And if someone reports some vulnerability, I bet the government police will come after the reporter. And there are no incentives either.
A couple of months ago the data of all Venezuelan immigrants got breached; the government did nothing until the public media started to talk about it.
Sakura Samurai coordinated with the U.S. DoD Vulnerability Disclosure Program (VDP) to assist in facilitating initial conversations of disclosure. John Jackson spoke with DC3’s Program Manager via email and coordinated on a plan of action.
Roughly 4 days later, after further communication with the DC3, we felt safe to begin our initial reveal of research on the NCIIPC’s RVDP program.
I believe Google's Security team usually gives vendors 90 days before they go public.