Saturday, June 8, 2013

Indian student from US hacks ICSE, ISC database

ImageA 20-year-old Indian student from Cornell University hacked into the database of ICSE (Class X) and ISC (Class XII) school exam results, exposed glaring anomalies in the marking system and went on to merrily write about his exploits in an online post.

Kolkata-born Debarghya Das, majoring in computer science, says that all he had to do was run a simple program that entered all roll numbers after defining a range to get access to all the results. "It is shocking they haven't implemented a more secure system," Das told TOI on phone from New York. 
After the result's data was crunched, analysed and plotted in graphs, Das discovered an interesting incongruity in the marking system: there are 33 different scores unattained between the passing mark of 35 and the maximum of 100 by the nearly 1,50,000 who appeared for the ICSE (Class X) exam. According to Das' findings, not a single student got the following marks: 36, 37, 39, 41, 43, 45, 47, 49, 51, 53, 55, 56, 57, 59, 61, 63, 65, 67, 68, 70, 71, 73, 75, 77, 79, 81, 82, 84, 85, 87, 89, 91, 93. Similarly, in the case of ISC (Class XII exam) a set of 24 marks between 40 and 100 were found to be unattained. 

When contacted, chairperson of the CISCE (Council for the Indian School Certificate Examinations) Gerry Arathoon, refused to comment on both data security and the unattained marks. "I can't say anything until I have had a look at things myself," he said. 

Pranesh Prakash, policy director at the Center for Internet and Society, says one needn't even be a techie to execute such a hack. "You don't need real technical skills to do this. You just need to figure out the ranges and feed them in. It is an interesting revelation that the website does nothing to obfuscate the javascript for security, but one can still retrieve data without that information. Once you have the data, it requires two minutes of programming to get it in a spreadsheet," says Prakash. 
 
In his post, titled "Hacking into the Indian Education System", Das wrote that he was doing this to "demonstrate how few measures our education board takes to hide such sensitive information". The student also told the TOI that it wasn't possible to change any values in marks and upload fudged data again, and that he made any significant progress in this direction only about 3-4 days after the results were announced. His online post says he also has the data for CBSE class XII. Though he hasn't yet made it public, he does admit it was harder to crack than CISCE, though not altogether difficult. 

Schooled in Kolkata, Das is currently interning at Google, working on YouTube's captioning system. He is also working on a tongue-controlled game and has earlier been active in game and applet design. The idea to hack the results came to him following a desire to help two close friends who had recently taken the exams. 

Das, nicknamed Deedy, told ToI that he worked on the ICSE and ISC results off and on for a week, but it essentially took about 4-5 hours to get all the data."It took me more time to write the blog post," says Das, referring to his 19-page post with all the graphs, data and explanations that is currently online. 

For Das, there was only one other takeaway from the whole exercise. "Regardless of any tampering, it would be nice to see a transparent exam scheme. SAT (Scholastic Assessment Test) publishes everything related to the exam results every year. It is inconceivable that a national level exam board doesn't do that," he says.

No comments:

Post a Comment