Indian government signals changes to infosec rules after industry consultation

Indian media is reporting that the government has consulted with industry about its controversial infosec reporting rules, possibly resulting in concessions that slightly ease requirements for some businesses. The rules, introduced on April 29 with no warning and a sixty-day compliance deadline, require organizations operating …

  1. ShadowSystems

    Email flood in 3, 2, 1...

    They want reporting? They'll get reporting. In TeraTonne loads straight to their email servers like a nuclear-powered kick in the fork.

    You want port scans reported? They'll create a script to auto-report that fact via email without any Human intervention at all. For every single port, by every single IP, in six second intervals. Your inbox will get crushed like a bowl of Petunias under an orbitally-dropped Sperm whale.

    And it'll be your own damned fault for refusing to listen to reason. You refuse to listen, they'll do *exactly* as you've commanded & use scripts to auto-generate-and-send every single required report. You won't be able to fault them for following the rules, now will you?

  2. sanmigueelbeer

    The Internet Society warned that insistence on using Indian NTP servers would create an unhelpful reliance on that infrastructure.

    Unless the businesses themselves have their own stratum 1 NTP servers (for example, a Raspberry Pi).

    1. Richard 12 Silver badge

      They're not allowed to do that

      That's basically the problem.

      They're insisting everyone syncs to one particular NTP cluster as their stratum-1 server.

      So even if you have your own on-site stratum-0 atomic clock, you can't use it unless you sync it to the (far less accurate) India Time Service.

      If the India NTP goes down (perhaps because several billion devices sync to it), nobody has accurate time by legal definition.

      Setting a standard for "How far different to UTC-0" or some other international time standard would be sane. Requiring everyone to sync to a single domestic time source might sound like the same thing, but it's very different when you look at the detail.

    2. Anonymous Coward

      y tho

      Why do they care about what NTP servers people sync to? Genuinely curious. I can't see a few seconds drift mattering in the context of the reporting deadlines or anything like that...

      1. Michael Wojcik Silver badge

        Re: y tho

        Because this is all about surveillance and control, and not about IT security. And because the new rules were created by people with minimal domain expertise.

  3. Pascal Monett Silver badge

    "the six-hour reporting requirement that India insists is a global standard"

    Uh huh.

    As usual, you measure noon by the shadow at your door.

    Unfortunately, this is tech. Tech doesn't have a noon. With the Internet, there is no noon. You conform to technical requirements, or you can get lost.

    This is starting to feel like those US idiots who tried to legislate that PI was 3.14. You can't legislate mathematics, you morons, and you can't legislate the requirements of server logging. You need to start by understanding the problem and all the dependencies - something a minister and his cabinet are going to have a heck of a time getting into.

    1. Michael Wojcik Silver badge

      Re: "the six-hour reporting requirement that India insists is a global standard"

      This is starting to feel like those US idiots who tried to legislate that PI was 3.14.

      Except that never happened, whereas India's daft reporting rules at the moment have the force of law.

      You're misrepresenting a misrepresentation, though admittedly of what was a pretty stupid bill attempting to endorse an invalid "solution" to squaring the circle. Later analyses of the bill (House Bill #246) revealed it endorsed between three and six values for π, depending on how you interpret the mess.

      Fortunately the bill was eventually tabled by the Committee on Temperance (why them? who knows?) after the first reading when Purdue's Professor Waldo happened by and scoffed at it.

      (Not sure why you're writing π as "PI" in block capitals either; it's not an acronym.)
