Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
mas.to / Profile picture
@kingslyj
Apr 2, 2024 69 tweets 38 min read Read on X
Scrolly
Yet another #DigitalIndia #FAIL

The idiots at @DigiYatraOffice didn't realise their package name didn't match their org/domain.

in.dataevolve.digiyatra /


ie. "Official" DigiYatra app was no different from malicious apps pretending to be them. play.google.com/store/apps/det…

Image
@DigiYatraOffice Google doesn't allow you to change your package name.

So they have no choice but to force everyone to install their "new" app to lend their app some semblance of credibility.

/

More like #WeFuckedUp

org.digiyatra.org
play.google.com/store/apps/det…

Image
@DigiYatraOffice And this gets even better...

What is this "Dataevolve" company that built and likely was controlling the "official" @DigiYatraOffice app all these years?

It's an OPC Pvt Ltd aka "One Person Company" not very different from a Sole Proprietorship concern. Image
@DigiYatraOffice And who is that "one person"? Avinash Komireddy Son-in-law of former AP DGP.

His FIL handed Dataevolve OPC Pvt Ltd a govt contract as e-challan provider.

Avinash is accused of siphoning away over Rs.36 crores and the scam is being probed by @dir_ed!

timesofindia.indiatimes.com/city/hyderabad…
@DigiYatraOffice @dir_ed This is the kind of unethical scum @DigiYatraOffice hired to build the #DigiYatra app and handle the personal data of millions of air passengers.

On what basis did @DigiYatraOffice hire these criminals?

What is the guarantee they haven't siphoned away everyone's personal data? AP IG Palraju said all the payment gateways were integrated into DGP’s account. “If we open DGP’s account, we can see e-challan payments coming in from AP Online, MeeSeva, cash, card, MobiKwik and Razorpay. The accused cloned the Razorpay account and created a dummy account in the name of RazorBe,” he said. The IGP further said: “Out of `100 crore transferred via Razorpay, only Rs 64.5 crore was sent to DGP’s account. The rest Rs 36.5 crore was misappropriated by the accused. ”On June 27, 2017, then DGP, Sambasiva Rao, commissioned Dataevolve Solutions owned by his son-in-law as e-challan ...
@DigiYatraOffice @dir_ed All these complaints on Twitter that the old #DigiYatra app stopped working got me thinking that this is more than a package name change from in-dot-dataevolve-dot-digiyatra to org-dot-digiyatra-dot-org

If it was just package name change both apps would have continued to work. Image
@DigiYatraOffice @dir_ed So I pulled down old APKs for both the old and new apps.

in.dataevolve.digiyatra v3.40 released on Feb 20, 2024.

and

v4.1 released on Apr 1, 2024.

(Yes the idiots bungled up their 4.0 release and released 4.1 the same day but that's a different story) org.digiyatra.org

Image
Image
@DigiYatraOffice @dir_ed The old app was communicating with the API endpoint at /


The new app communicates with .

IOW all past versions of #DigiYatra app were sending passenger data to Dataevolve's AWS servers.

#Privacy #FAIL api-ssi.dataevolve.in
….execute-api.ap-south-1.amazonaws.com
api-prod.digiyatrafoundation.org

;; QUESTION SECTION: ;api-ssi.dataevolve.in. IN A ;; ANSWER SECTION: api-ssi.dataevolve.in. 35 IN CNAME d-zxstcsa9j9.execute-api.ap-south-1.amazonaws.com. d-zxstcsa9j9.execute-api.ap-south-1.amazonaws.com. 40 IN A 15.207.132.254 d-zxstcsa9j9.execute-api.ap-south-1.amazonaws.com. 40 IN A 35.154.234.23 ;; AUTHORITY SECTION: execute-api.ap-south-1.amazonaws.com. 96835 IN NS ns-1068.awsdns-05.org. execute-api.ap-south-1.amazonaws.com. 96835 IN NS ns-1634.awsdns-12.co.uk. execute-api.ap-south-1.amazonaws.com. 96835 IN NS ns-398.awsdns-49.com. execute-api.ap-south-1.am...
;; QUESTION SECTION: ;api-prod.digiyatrafoundation.org. IN A ;; ANSWER SECTION: api-prod.digiyatrafoundation.org. 42 IN A 3.108.165.252 api-prod.digiyatrafoundation.org. 42 IN A 13.201.24.182 ;; AUTHORITY SECTION: digiyatrafoundation.org. 142773 IN NS ns-1253.awsdns-28.org. digiyatrafoundation.org. 142773 IN NS ns-1694.awsdns-19.co.uk. digiyatrafoundation.org. 142773 IN NS ns-238.awsdns-29.com. digiyatrafoundation.org. 142773 IN NS ns-758.awsdns-30.net.
@DigiYatraOffice @dir_ed Hey @DigiYatraOffice @MoCA_GoI @JM_Scindia

Why does #DigiYatra app have references to AWS GovCloud? (US Govt Cloud.) and subdomains( US Govt domain)?

If you aren't communicating with US Govt/ US Govt. entities why leave these references in your app? sgov.gov

Image
Image
@DigiYatraOffice @dir_ed @MoCA_GoI @JM_Scindia Who is Ramku? o_0

And why are parts of his Windows Downloads folder being shipped with the #DigiYatra Android app? Image
@DigiYatraOffice @dir_ed @MoCA_GoI @JM_Scindia Yes. I am being super lazy and not actually decompiling the app or its components.

This thread isn't what I set out to do tonight.
@DigiYatraOffice @dir_ed @MoCA_GoI @JM_Scindia Looks like #DigiYatra app is also hotlinking artwork from some free image site.



Hey @freepik do your terms allow customers to hotlink images hosted by you from their apps/websites? img.freepik.com/free-vector/pa…

Image
Image
@DigiYatraOffice @dir_ed @MoCA_GoI @JM_Scindia The latest #DigiYatra app(v4.1) has removed all references to


But they still have a reference to

How long before they push out version 4.2 with this URL removed/replaced? api-ssi.dataevolve.in
verifier.dataevolve.in
Image
@DigiYatraOffice @dir_ed @MoCA_GoI @JM_Scindia Image
@DigiYatraOffice @dir_ed @MoCA_GoI @JM_Scindia This is how Dataevolve Solutions OPC got the AP Govt e-challan contract.

Dataevolve won the tender by bidding ***ONE RUPEE*** while the firm that handled it initially bid Rs.1.97 crores per year.

How much did @DigiYatraOffice pay them?

timesofindia.indiatimes.com/city/vijayawad…
Since 2015, the police department has been collecting e-challan through online services by a company called Krishna Solutions. A user charge of Rs 5 was charged for this. Since June 2017, the police started using the services of a company called Data Evolve. In December 2018, an open tender was called for the payment of Rs 2 crore for this E-challan collection. While Krishna Solutions quoted Rs 1.97 crore per annum, Data Evolve quoted just one rupee, Palaraju said. When police officials were questioned, they said that they would run it on a non-profit basis first and then expand to the ot...
@DigiYatraOffice @dir_ed @MoCA_GoI @JM_Scindia Avinash Komirreddy the "One Person" behind Dataevolve Solutions OPC that built and operated #Digiyatra app until last week was arrested by Guntur Police in Nov 2022 and assets worth Rs. 13crs were seized.

No news outlet highlighted link to #Digiyatra app

timesofindia.indiatimes.com/city/vijayawad…
Ex-AP DGP’s son-in-law arrested in e-challan money siphoning case Madhu Rasala / Nov 22, 2023, 08:34 IST Vijayawada: Guntur police on Tuesday arrested Kommireddy Avinash, prime accused in siphoning off e-challan amounts in the police department. The cops seized 16 different properties located in Andhra Pradesh and Telangana worth 13 crore. The accused had used ‘crowd services’ to commit the offence.
Excellent point.

Hey @MoCA_GoI @JM_Scindia

How many full time employees(non-contractors) does @DigiYatraOffice / Digi Yatra Foundation have on its rolls?

How many of them are involved in software development and infosec roles?

@MoCA_GoI @JM_Scindia @DigiYatraOffice According to this 02 FEB 2023 @MoCA_GoI @PIB_India press release quoting written reply in Lok Sabha, it doesn't look like any tender process was followed in "selecting" Dataevolve Solutions OPC Pvt Ltd to build and operate "Digi Yatra Central Ecosystem."

pib.gov.in/PressReleasePa…
"M/s Dataevolve Solutions has built FRT based Digi Yatra Central Ecosystem. It has been selected through a national start-up challenge run by NitiAayog under the Atal Innovation Mission."
@MoCA_GoI @JM_Scindia @DigiYatraOffice @PIB_India Three of the Face Detection models being used by #DigiYatra app match the files in this 6 year old Github repo.

Can someone who works with FRT point to the OG source?

github.com/rnc-archive/rn…

Image
Image
@MoCA_GoI @JM_Scindia @DigiYatraOffice @PIB_India Found more matching models in this Jul 2022 Github issue.

github.com/flutter-ml/goo…

V/FaceDetectorV2Jni(15411): initialize.start() I/native (15411): I0628 21:10:23.745867 15574 face_detector_v2_jni.cc:33] Loading models_bundled/fssd_medium_8bit_v5.tflite D/TransportRuntime.SQLiteEventStore(15411): Storing event with priority=VERY_LOW, name=FIREBASE_ML_SDK for destination cct I/native (15411): I0628 21:10:23.751617 15574 face_detector_v2_jni.cc:33] Loading models_bundled/fssd_medium_8bit_gray_v5.tflite D/TransportRuntime.JobInfoScheduler(15411): Upload for context TransportContext(cct, VERY_LOW, MSRodHRwczovL2ZpcmViYXNlbG9nZ2luZy5nb29nbGVhcGlzLmNvbS92MGNjL2xvZy9iYXRja...
Image
This story just gets better and better!(read shittier and shittier.)

The proceeds of the e-Challan scam was used by to pay @awscloud bills and resell it to their clients.

Wonder if DIgiYatra's @awscloud bills too were paid for by proceeds of this crime?

@awscloud Dataevolve Solutions is an AWS Advanced Tier Services Partner which made it easy to launder ~36crores of e-challan scam proceeds via @awscloud by reselling their services.

AWS even quoted Avinash Kommireddi in their PR blast ~2 months before his arrest.

aws.amazon.com/blogs/publicse…
Based in Hyderabad, Dataevolve Solutions is an AWS Advanced Tier Services Partner offering end-to-end cloud migration consulting services to public sector and commercial organisations. Avinash Kommireddi – founder and chief executive officer (CEO) of Dataevolve Solutions, added, “Government organisations and agencies are increasingly turning to cloud computing to leverage the benefits of scale, agility, and security. The AWS Hyderabad Region offers additional capacity to meet growing customer needs, and opens up more opportunities for AWS Partners like Dataevolve Solutions to support govern...
@awscloud Hey @DigiYatraOffice @MoCA_GoI @JM_Scindia @AAI_Official

Please confirm if Digi Yatra Foundation has been paying @awscloud bills directly to Amazon or was Dataevolve Solutions (OPC) Pvt Ltd paying #DigiYatra bills with proceeds of the AP e-Challan scam?
@awscloud @DigiYatraOffice @MoCA_GoI @JM_Scindia @AAI_Official This is such a brazen scam.

Wonder how @Razorpay didn't notice there was a company registered with ROC that was almost infringing on their trademark.

And it took ~5 years for the AP govt/police to realise that RAZORPE is not RAZORPAY! Image
@awscloud @DigiYatraOffice @MoCA_GoI @JM_Scindia @AAI_Official @Razorpay So Dataevolve Solutions OPC Pvt Ltd wasn't just building and running the software stack.

They were running #DigiYatra support too?

So what exactly does @DigiYatraOffice /Digi Yatra Foundation do other than being a conduit for money and RTI-exemption?

@awscloud @DigiYatraOffice @MoCA_GoI @JM_Scindia @AAI_Official @Razorpay How hard is it to do a search and replace on a codebase?

Very hard for @DigiYatraOffice apparently.

The new #DigiYatra app still has multiple references to the "old" Dataevolve app's APIs/URLs.


=> StringKind.String: 'https://dataevolve.in/' => StringKind.String: 'Dataevolve' => StringKind.String: 'Dataevolve_main' => StringKind.String: 'https://api-ssi.dataevolve.in/schedule' => StringKind.String: 'did:dataevolve:EiD8-7cOI00KkrM5mm_L0dLvSC7HCu5IWtQ-AdDV0Lfi8w' => StringKind.String: 'did:dataevolve:1234' => StringKind.String: 'https://verifier.dataevolve.in:1003' => [Function #47701 Dataevolve of 93 bytes]: 2 params @ offset 0x007852d8
@awscloud @DigiYatraOffice @MoCA_GoI @JM_Scindia @AAI_Official @Razorpay Hey @awscloud

Does you charge for censorship by the URL or by words/bytes?

What support plan is @DigiYatraOffice on that offers such prompt CensorshipAsAService to eliminate all traces of links between #DigiYatra and Dataevolve Solutions OPC Pvt Ltd?

aws.amazon.com/partners/succe…
Curl output showing a request for https://aws.amazon.com/partners/success/digi-yatra-foundation-dataevolve-solutions/ being redirected to https://aws.amazon.com/partners/success/ with a HTTP 301 redirect.
@awscloud @DigiYatraOffice @MoCA_GoI @JM_Scindia @AAI_Official @Razorpay . @awscloud only does that redirect for censored articles.

Non-existent articles result in a 404.

For eg. This URL I made about about AWS Censorship As A Service returns a 404.

aws.amazon.com/partners/succe…
AWS returning 404 for https://aws.amazon.com/partners/success/aws-censorship-as-a-service/
@awscloud @DigiYatraOffice @MoCA_GoI @JM_Scindia @AAI_Official @Razorpay Thankfully for us and not so thankfully for @awscloud and the morons at @DigiYatraOffice...

THE INTERNET NEVER FORGETS!

Here's Google and Duckduckgo returning proof in the top result that URL existed until recently when you search for " digiyatra" aws.amazon.com

Duckduckgo top search result for "aws.amazon.com digiyatra"
Google top search result for "aws.amazon.com digiyatra"
@awscloud @DigiYatraOffice @MoCA_GoI @JM_Scindia @AAI_Official @Razorpay And here's @internetarchive doing what they do best!

A full and permanent archive of the "Partner Success" from October 2023 that @awscloud and @DigiYatraOffice no longer want the world to see because of Dataevolve's legal troubles since November 2023.

web.archive.org/web/2024011006…
Digi Yatra Foundation and Dataevolve Transform Passenger Processes at Airports Across India with Digi Yatra Mobile App on AWS Executive Summary Digi Yatra Foundation (DYF) selected Dataevolve, an AWS Partner, to develop a mobile application on AWS that optimizes the boarding process for airline passengers. The Digi Yatra app, now used by over 2.5 million customers at airports across India, uses face biometrics (selfies) as a single identity token throughout the boarding journey. This innovation has reduced processing and waiting times at various airport checkpoints, cutting processing ti...
@awscloud @DigiYatraOffice @MoCA_GoI @JM_Scindia @AAI_Official @Razorpay @internetarchive Adding this here for completeness/chronology.

I had no idea that mobile apps these days can ship with the AWS SDK for JavaScript. (Assumed SDKs were for backend/scripts)

Like why ship the S3 SDK instead of using presigned URLs?

@awscloud @DigiYatraOffice @MoCA_GoI @JM_Scindia @AAI_Official @Razorpay @internetarchive #OfficialCourtDocuments #DigiYatra #APeChallanScam

Avinash Kommireddi "One Person" behind Dataevolve Solutions OPC Pvt. Ltd was "languishing in jail" between 21/11/2023 and 05/02/2024,

h/t @HazelnutCrumb for wresting this and other docs from the eCourts website.


IN THE COURT OF THE I ADDITIONAL SESSIONS JUDGE, GUNTUR. PRESENT: Ch. Raja Gopala Rao I Additional Sessions Judge, Guntur. Monday, this the 5th day of February, 2024 Crl.M.P.No. 65 of 2024 in Crime No. 628/2023 of Tadepalli,P.S
Image
Image
Image
@awscloud @DigiYatraOffice @MoCA_GoI @JM_Scindia @AAI_Official @Razorpay @internetarchive @HazelnutCrumb Lo and behold!

The "old" Dataevolve #DigiYatra app has been "upgraded" to 3.5.0 and the corresponding API gateway is also "functioning" again and users are being notified to install the "new" #DigiYatra DigiYatra app!

api-ssi.dataevolve.in

Image
@awscloud @DigiYatraOffice @MoCA_GoI @JM_Scindia @AAI_Official @Razorpay @internetarchive @HazelnutCrumb Some context.

The 3.4.0 build of "old" Dataevolve #DigiYatra App was 45MB.

The 3.5 "upgrade" is only 13.1MB probably because it only contains a link to install the "new" DYF #DigiYatra App.

$ du -sh Digi\ Yatra_3.4.0_apkcombo.com.apk
45MDigi Yatra_3.4.0_apkcombo.com.apk
$ Image
@awscloud @DigiYatraOffice @MoCA_GoI @JM_Scindia @AAI_Official @Razorpay @internetarchive @HazelnutCrumb FWIW the other Dataevolve URL is still not functional.

This URL is found in both the old and new #DigiYatra apps.

verifier.dataevolve.in:1003

devshed:~/Projects/DigiYatra/Dataevolve$ time curl -v https://verifier.dataevolve.in:1003 * Trying 15.206.25.38:1003... * connect to 15.206.25.38 port 1003 failed: Connection timed out * Trying 65.0.42.62:1003... * After 84892ms connect time, move on! * connect to 65.0.42.62 port 1003 failed: Connection timed out * Trying 43.205.100.157:1003... * After 42446ms connect time, move on! * connect to 43.205.100.157 port 1003 failed: Connection timed out * Failed to connect to verifier.dataevolve.in port 1003: Connection timed out * Closing connection 0 curl: (28) Failed to connect to verif...
@awscloud @DigiYatraOffice @MoCA_GoI @JM_Scindia @AAI_Official @Razorpay @internetarchive @HazelnutCrumb Tried to find out why DYF's #DigiYatra 4.1 was ~30% larger than Dataevolve's #DigiYatra 3.4...

It's because they are now supporting x86 and x86_64.

Can understand x86_64(Chromebooks/laptop+tablet hybrids etc.) but who exactly are they targetting with x86 in 2024? Image
Hey @DigiYatraOffice!

Please be advised that it is customary to make such statements on April 1st alone.

Not so funny on other days.

From play.google.com/store/apps/det…
"as a part of our future plans to scale up for new airports and passengers, we had to change our backbone ecosystem & domain. Hence the App had to be changed."
@DigiYatraOffice Found this weird "unedited" "live" stream of AP Police Press Meet on Oct 19 2023 announcing details of the eChallan scam before the arrests. (Video is mostly in Telugu.)

(The @awscloud angle was explained in a different press meet around Nov 22nd.)

@DigiYatraOffice @awscloud Youtube also throws some curveballs...

"Digi Yatra CEO Avinash Komireddy Special interview"


Image
@DigiYatraOffice @awscloud Found the post arrest press conference by AP Police.

Explains the @awscloud based money laundering operation reselling AWS services to ~58 different companies.

@DigiYatraOffice @awscloud AP Police seems to have learnt the right lessons from this experience and they are going to switch to an e-Challan system from @NICMeity and stick to govt entities for other projects too to avoid a repeat of such scams. #SilverLining
@DigiYatraOffice @awscloud @NICMeity Found all 12 matching file names in a completely unrelated iOS app.

These models are probably shipped in some archive that doesn't show up in search results.

But shouldn't be too hard to find them now considering so many apps are using them.


<key>BCLjoy_200.emd</key> <key>BCLlefteyeclosed_200.emd</key> <key>BCLrighteyeclosed_200.emd</key> <key>blazeface.tfl</key> <key>contours.tfl</key> <key>fssd_100_8bit_gray_v1.tflite</key> <key>fssd_100_8bit_v1.tflite</key> <key>fssd_25_8bit_gray_v1.tflite</key> <key>fssd_25_8bit_v1.tflite</key> <key>LMprec_600.emd</key> <key>MFT_fssd_accgray.pb</key> <key>MFT_fssd_fastgray.pb</key>
@DigiYatraOffice @awscloud @NICMeity Still haven't found the source.

But I can now confirm that #DigiYatra and Dataevolve did not build or optimise any of the 12 face recognition related models that are shipped with the #DigiYatra app.

Found all 12 models from 2 different sources.



12 Face recognition related models shipped with the latest DYF DigiYatra app. (also shipped with older Dataevolve DigiYatra apps.) BCLjoy_200.emd BCLlefteyeclosed_200.emd BCLrighteyeclosed_200.emd blazeface.tfl contours.tfl fssd_100_8bit_gray_v1.tflite fssd_100_8bit_v1.tflite fssd_25_8bit_gray_v1.tflite fssd_25_8bit_v1.tflite LMprec_600.emd MFT_fssd_accgray.pb MFT_fssd_fastgray.pb
sha256sums of models from 3 different sources. DYF = DigiYatra App (Both DYF and Dataevolve) Source1 = Unrelated Android app that I decompiled. Source2 = From a 5 year old code repo.(Commit date Oct 2019.)
@DigiYatraOffice @awscloud @NICMeity Instead of explaining to the public why they had to so unceremoniously dump the old #DigiYatra app and the status of their partnership with Dataevolve Solutions OPC Pvt Ltd....

@DigiYatraOffice is paying influencers to promote their new app.


Utkarsh Thakkar @UtkarshThakkar AvGeeks, fasten your seatbelts and get Ready for takeoff with the all-new DigiYatra app! ✈️ Say 'ta-ta' to long queues at the airport with a single scan, It's like upgrading to first class for your airport experience! 1/2 @DigiYatraOffice #ad 9:15 AM · Apr 8, 2024
Supported architectures and file sizes of various #DigiYatra apps is uh-"interesting"...

Feb 20th - 3.4.0 / 45MB - armeabi-v7a, arm64-v8a

Apr 1st - 4.1 / 57MB - armeabi-v7a, arm64-v8a, armeabi, x86, x86_64

Apr 3rd - 3.5.1 / 22MB - arm64-v8a




armeabi-v7a, arm64-v8a Digi Yatra 3.4.0 (64) APK 45 MB Android 5.0+ nodpi
armeabi-v7a, arm64-v8a, armeabi, x86, x86_64 Digi Yatra 4.1 (5) APK 57 MB Android 5.0+ nodpi
arm64-v8a Digi Yatra 3.5.1 (66) XAPK 22 MB Android 5.0+ 480dpi
The #DigiYatra app "upgrade" resulted in their app going from 3.3 million installs to mere 230k.

Can you imagine any startup culling their install base acquired over years like this and no heads rolling at the very top?

But @DigiYatraOffice has zero accountability to anyone.


Image
Image
Image
Image
@DigiYatraOffice This is same drivel about "no motive for making money" that @DigiYatraOffice 's hand picked partner Dataevolve Solutions OPC Pvt Ltd fed AP Police while bidding for Re.1 for a Rs 2 crore tender.

Their "noble cause" turned to be siphoning away 36+ crores.

Not for profit Company is meant to be so. When there is no motive of making money, it's the intrinsic values and goals that become most important. A meaningful intervention in easing your travel at the airport is the noble cause.
@DigiYatraOffice Some more forensics....

The @DigiYatraOffice website was down for updattion sometime last month sometime around March 6th/7th(depending on timezone.) Archive of https://www.digiyatrafoundation.com/ from the wayback machine Mad Designer at work Sorry, we're doing some work on the site Thank you for being patient. We are doing some work on the site and will be back shortly.
@DigiYatraOffice What else did @DigiYatraOffice 's "Mad Designer" do as part of the update?

Just very normal logical things...

They moved their website hosting from @awscloud (with Amazon Cloudfront CDN) to fscking @GoDaddy! www.digiyatrafoundation.com historical A data A AAAA IP Addresses Organization First Seen Last Seen Duration Seen 198.12.246.144 GoDaddy.com, LLC 2024-03-07 (1 month) 2024-04-10 (today) 1 month 13.248.243.5 76.223.105.230 Amazon.com, Inc. 2023-05-24 (11 months) 2024-03-07 (1 month) 10 months
@DigiYatraOffice @awscloud @GoDaddy Where do you think the official website of @DigiYatraOffice, #ProudlyIndian crown crown jewel of #DigitalIndia physically located?

Phoenix, USA!

Nothing says #DigitalIndia like being unable to host a basic website in the country! Right @GoI_MeitY?


Image
@DigiYatraOffice @awscloud @GoDaddy @GoI_MeitY The old @DigiYatraOffice website IPs on @awscloud have a sub-10 millisecond latency within India as AWS Cloudfront CDN has POPs with all major ISPs.

The new @DigiYatraOffice website IP is located half way across the world in USA and has latency of ~250ms
Image
Image
@DigiYatraOffice @awscloud @GoDaddy @GoI_MeitY The "new" DYF #DigiYatra app's API endpoint was stood up on 24th March.

26th March @DigiYatraOffice announced week long outages at all airports.

1st April DYF rolled out the botched "upgrade" which required all 3.3 million users to uninstall their app.


Image
TOW @DigiYatraOffice CEO is a stickler for branding...

It's "Digi Yatra" and not "DigiYatra" or "Digiyatra".

@DigiYatraOffice Hey Suresh @DigiYatraOffice

This is not done on Wikipedia and a violation of their rules.

I know it's hard for you folks to understand when you have only been dealing with Godi media where your made up history is published unchallenged as gospel truth.
Oh boy! The Dataevolve Solutions rabbit hole goes so much deeper... much much deeper!

Strap in for a WILD RIDE!

They have been operating a lot more than just DigiYatra on their own domain.

(Not all are currently active but have been in the past.)
Domain dataevolve.in cggsga.dataevolve.in support.dataevolve.in issuer.dataevolve.in weeklyoff.dataevolve.in www.bel-lms.dataevolve.in gnsapi.dataevolve.in weekoff.dataevolve.in desktops.dataevolve.in lms.dataevolve.in blockchain.dataevolve.in mkclpoc.dataevolve.in blog.dataevolve.in lyncdiscover.dataevolve.in cgg-sga.dataevolve.in delhiuniversity.dataevolve.in
voter.dataevolve.in verifier.dataevolve.in bel-lms.dataevolve.in www.dataevolve.in autodiscover.dataevolve.in sip.dataevolve.in uat-pmmvy.dataevolve.in erp.dataevolve.in dev.dataevolve.in api-ssi.dataevolve.in helpdesk.dataevolve.in entrar.dataevolve.in gailgas.dataevolve.in igenesys-s3.dataevolve.in shramiksetu.dataevolve.in tgb.dataevolve.in aws-mcd.dataevolve.in sendy.dataevolve.in www.blog.dataevolve.in
Gail Gas - @gailindia

is still live. gailgas.dataevolve.in

Gail Gas Admin Portal API Auth
;; QUESTION SECTION: ;gailgas.dataevolve.in. IN A ;; ANSWER SECTION: gailgas.dataevolve.in. 258 IN CNAME gailgas-94305161.ap-south-1.elb.amazonaws.com. gailgas-94305161.ap-south-1.elb.amazonaws.com. 258 IN A 3.109.79.170 gailgas-94305161.ap-south-1.elb.amazonaws.com. 258 IN A 3.6.54.8 ;; Query time: 4 msec
Genesys - Probably @Genesysmaps who use that domain ( and less likely @igenesys or @Genesys )

Looks like an S3 bucket manager. igenesys-s3.dataevolve.in

Screenshot of https://igenesys-s3.dataevolve.in.
QUESTION SECTION: ;igenesys-s3.dataevolve.in. IN A ;; ANSWER SECTION: igenesys-s3.dataevolve.in. 0 IN CNAME d2jifoicsg6v7g.cloudfront.net. d2jifoicsg6v7g.cloudfront.net. 0 IN A 18.161.246.75 d2jifoicsg6v7g.cloudfront.net. 0 IN A 18.161.246.2 d2jifoicsg6v7g.cloudfront.net. 0 IN A 18.161.246.29 d2jifoicsg6v7g.cloudfront.net. 0 IN A 18.161.246.112 ;; Query time: 4 msec
Can't find an official announcement but @MinistryWCD seems to have used Dataevolve for their "Pradhan Mantri Matru Vandana Yojana" website(and likely app too?)

is identical to

This in itself may be innocent with UAT and all... uat-pmmvy.dataevolve.in
pmmvy.wcd.gov.in

Screenshot of https://uat-pmmvy.dataevolve.in
Screenshot of https://pmmvy.wcd.gov.in/
@MinistryWCD But what's really worrying is only one of the two "Download" buttons point to the Google Play store.

The "Download PMMVY App" button is a direct link to an APK hosted on the same site.



WTF! @MinistryWCD #DigitalIndia #FAIL pmmvy.wcd.gov.in/apk/PMMVYsoft.…
Image
@MinistryWCD . @MinistryWCD have made sideloading the only option and haven't bothered to publish the app to Play Store. (Or pulled it for some reason.)

Google Play website autocompletes for both "PMMVY" and "Pradhan Mantri Mat" but there are no matching apps in the search results.
Image
Image
@MinistryWCD And here's @smritiirani Hon'ble Minister @MinistryWCD boasting about how PMMVY's new portal and app are promoting #DigitalIndia but makes no mention of Dataevolve's role in this.



pib.gov.in/PressReleaseIf…

Image
@MinistryWCD @smritiirani Hey @UIDAI @ceo_uidai @NCIIPC

@NICMeity @GoI_MeitY @Rajeev_GoI

Are these "production" license keys issued to @MinistryWCD's PMMVY program considered secrets?

If so you may want to revoke them ASAP as they are compromised. #DigitalIndia #Secrets Image
@MinistryWCD @smritiirani @UIDAI @ceo_uidai @NCIIPC @NICMeity @GoI_MeitY @Rajeev_GoI The @MinistryWCD's PMMVY UAT portal hosted on Dataevolve Solutions' domain has gone live about a month before the PMMVY portal launch event and press release linked earlier.

So it's very likely they landed contract for the new portal.

Did they bid Re 1 for this contract too? Historical DNS records for uat-pmmvy.dataevolve.in
Switching back to #DigiYatra analysis...

Old "Digievolve" app had 2 trackers and reqd 12 permissions (Dec '23).



New "DYF" app has 2 trackers and needs 16 permissions. (Apr '24)

reports.exodus-privacy.eu.org/en/reports/429…
reports.exodus-privacy.eu.org/en/reports/429…

Image
Image
Here are the...

- 12 permissions common to both apps.

- 4 permissions only in the new app.
WRITE_EXTERNAL_STORAGE WAKE_LOCK RECEIVE READ_EXTERNAL_STORAGE INTERNET FOREGROUND_SERVICE CHECK_LICENSE CAMERA BIND_GET_INSTALL_REFERRER_SERVICE AD_ID ACCESS_WIFI_STATE ACCESS_NETWORK_STATE
USE_FINGERPRINT USE_BIOMETRIC RECORD_AUDIO NFC
So @DigiYatraOffice has always had access to READ and WRITE/MODIFY ***ALL THE DATA*** on your device.

Yes that includes data of other apps installed on your phone.

WRITE_EXTERNAL_STORAGE
READ_EXTERNAL_STORAGE

From developer.android.com/training/data-…
READ_EXTERNAL_STORAGE when accessing other apps' files on Android 11 (API level 30) or higher READ_EXTERNAL_STORAGE or WRITE_EXTERNAL_STORAGE when accessing other apps' files on Android 10 (API level 29) Permissions are required for all files on Android 9 (API level 28) or lower
@DigiYatraOffice . @DigiYatraOffice is not just surveilling you at the airport with your Aadhaar / Aadhaar linked identifiers.

They are also tracking your device's "AD_ID", a globally unique Advertising ID.

This can merge your real world activity with your online data.

support.google.com/googleplay/and…
@DigiYatraOffice Can Suresh/@DigiYatraOffice or someone using the "new" #DigiYatra app confirm why it needs "RECORD_AUDIO"/Microphone access? Image
@DigiYatraOffice It's a common misconception that all Android apps need READ/WRITE to storage permissions for their regular functioning as they would need to read/write their own data to storage.

This is not true.


All apps can read/write their own data without any additional permissions. These additional permissions aren't necessary for apps that stay in their own lane and don't access data from other apps. Only apps like File Managers or Backup tools legitimately need such broad access.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with mas.to /

mas.to / Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @kingslyj

mas.to / Profile picture
Mar 21
If you value your privacy stay away from this fascist billionaire's anti-people browser being bankrolled by Modi Sarkar.
Vembu claims Ulaa is a "browser that respects your privacy, protects your personal data"

But it includes India CCA Root CA which all browsers and OSes blacklisted after Modi sarkar issued fake Google/Yahoo certs in 2014.

thehindubusinessline.com/info-tech/zoho…

x.com/kingslyj/statu… As per a statement by Zoho, Ulaa stands out for its security features, including CCA Root integration, digital signing, and machine learning-based phishing detection. “It also offers a strong ad-blocking system and customizable protection settings for a better online experience,” the company said. It also has a 24-hour security patch policy and multi-lingual support.
Using a browser or OS that includes India CCA Root CA as a trusted certificate allows Modi Sarkar to issue a certificate for any domain you visit and intercept and monitor all your HTTPS browsing in clear text/steal your authenticated sessions/cookies etc.
Read 5 tweets
mas.to / Profile picture
May 11, 2024
What a joke!

All this big talk about moving away from @Microsoft @Azure within a week for this most bullshit-iest of reasons when Ola's workload is primarily on @awscloud .

This thread will show document all the critical resources of @Olacabs that are hosted with @awscloud...
⁃Since LinkedIn is owned by Microsoft and Ola is a big customer of Azure, we’ve decided to move our entire workload out of Azure to our own @Krutrim cloud within the next week. It is a challenge as all developers know, but my team is so charged up about doing this.
@Microsoft @Azure @awscloud @Olacabs This is @Olacabs website www-dot-olacabs-dot-com

DNS with @awscloud Route 53.

CDN with @awscloud Cloudfront ;; QUESTION SECTION: ;www.olacabs.com. IN A ;; ANSWER SECTION: www.olacabs.com. 21 IN CNAME d2km9f2275q5od.cloudfront.net. d2km9f2275q5od.cloudfront.net. 20 IN A 18.155.49.85 d2km9f2275q5od.cloudfront.net. 20 IN A 18.155.49.12 d2km9f2275q5od.cloudfront.net. 20 IN A 18.155.49.50 d2km9f2275q5od.cloudfront.net. 20 IN A 18.155.49.80 ;; AUTHORITY SECTION: d2km9f2275q5od.cloudfront.net. 71273 IN NS ns-1519.awsdns-61.org. d2km9f2275q5od.cloudfront.net. 71273 IN NS ns-1719.awsdns-22.co.uk. d2km9f2275q5od.cloudfront.net. 71273 IN NS ns-325.awsdns-40.com. d2km9f2275q5od.cloudfront.net. 71273 IN NS...
@Microsoft @Azure @awscloud @Olacabs www-dot-olacabs-dot-com redirects to olacabs-dot-com.

Also hosted with @awscloud.

The entire 108.156.0.0/14 IP range is owned by AWS,
;; QUESTION SECTION: ;olacabs.com. IN A ;; ANSWER SECTION: olacabs.com. 1 IN A 108.158.251.101 olacabs.com. 1 IN A 108.158.251.72 olacabs.com. 1 IN A 108.158.251.61 olacabs.com. 1 IN A 108.158.251.88
NetRange: 108.156.0.0 - 108.159.255.255 CIDR: 108.156.0.0/14 NetName: AMAZO-4 NetHandle: NET-108-156-0-0-1 Parent: NET108 (NET-108-0-0-0-0) NetType: Direct Allocation OriginAS: Organization: Amazon.com, Inc. (AMAZO-4) RegDate: 2020-12-11 Updated: 2020-12-11 Ref: https://rdap.arin.net/registry/ip/108.156.0.0 OrgName: Amazon.com, Inc. OrgId: AMAZO-4 Address: Amazon Web Services, Inc. Address: P.O. Box 81226 City: Seattle StateProv: WA PostalCode: 98108-1226 Country:...
Read 15 tweets
mas.to / Profile picture
Apr 12, 2024
Ok people! Listen up!

It's been 10 days since I started screaming into the void here and no main stream media outlet has bothered to report anything except parroting @DigiYatraOffice PR talking points.

It's time to kick this whole effort up a notch.

The plan is to build a consumer education website.

A one stop shop for everything DigiYatra.

(Un)Covering all aspects from technical/legal/privacy/investors/contractors etc.

Every little bit of information that can be sourced will be consolidated in one central respository.
This is too much effort for one person to handle.

So it will be a crowd sourced volunteer run project.

If this website is something you believe in would like to help make happen..

Drop a reply with your skills and what you can help with and I'll tag you in the next stages,
Read 4 tweets
mas.to / Profile picture
Jan 17, 2024
LATE BREAKING: @UIDAI Director (Authentication and Veririfcation Division) has written to various agencies last month(Dec '23) stating that Aadhaar is not valid proof for Date of Birth. Image
@UIDAI Maharashtra govt dragged UIDAI to court because an accused in a murder case had 2 different Aadhaar cards and claimed to be a juvenile based on the date of birth in one of them.

And UIDAI suddenly gained enlightenment that their @13footwall secured database is "in toto" garbage. It is further stated that in toto the capturing of date of birth is entirely based on information submitted by the resident and hence, burden of proving the date of birth of any person lies with the concerned resident.
@UIDAI @13footwall Literally *EVERYTHING* recorded by @UIDAI is "as claimed by the resident, on the basis of documents submitted by them"

So how can Aadhaar verify someone's IDENTITY and ADDRESS "on the basis of documents submitted by them" but not verify the DATE OF BIRTH from very same docs? Image
Read 5 tweets
mas.to / Profile picture
Sep 21, 2023
Another #SwiggyScam 🧵

Recently noticed that all Swiggy txns were for whole figure amounts, while other card txns still had paisa amounts.

Dug a bit and discovered @Swiggy used charge the exact amount to the paisa once upon a time but have since started salami slicing. Image
@Swiggy And it's not Swiggy just stealing a few extra paisa per order.

Eg.
626.57+35.24+2.00+28.00-52.99+33.09 = 671.91

Instead of adding 9 paisa to round up to the whole rupee, @Swiggy charges Rs.3.09 extra instead.

Absolutely no justification for this. Image
@Swiggy At Swiggy's scale, even 10 paisa per order would add up crores of rupees per year.

And this amount is being tacked on **AFTER** tax.

So how are they accounting for crores of extra income they are literally stealing without providing any service to or even informing customers?
Read 12 tweets
mas.to / Profile picture
Feb 26, 2023
So much WTF from this out of touch dinosaur in just one article...

financialexpress.com/industry/learn…
"India needs culture of honesty, just like China" --NRN

In the coin flip test, the four least honest countries were China, Japan, South Korea and India.

scmp.com/lifestyle/arti…
Translation:

We have too much democracy., and need more authoritarianism and regulatory capture by the likes his infosys co-founder @NandanNilekani who controls all aspects of #DigitalIndia by proxy. despite being the same size as India in the late 1940s, Chin
Read 11 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(