A
20-year-old Indian student from Cornell University hacked into the
database of ICSE (Class X) and ISC (Class XII) school exam results,
exposed glaring anomalies in the marking system and went on to merrily
write about his exploits in an online post.
Kolkata-born
Debarghya Das, majoring in computer science, says that all he had to do
was run a simple program that entered all roll numbers after defining a
range to get access to all the results. "It is shocking they haven't
implemented a more secure system," Das told TOI on phone from New York.
After
the result's data was crunched, analysed and plotted in graphs, Das
discovered an interesting incongruity in the marking system: there are
33 different scores unattained between the passing mark of 35 and the
maximum of 100 by the nearly 1,50,000 who appeared for the ICSE (Class
X) exam. According to Das' findings, not a single student got the
following marks: 36, 37, 39, 41, 43, 45, 47, 49, 51, 53, 55, 56, 57, 59,
61, 63, 65, 67, 68, 70, 71, 73, 75, 77, 79, 81, 82, 84, 85, 87, 89, 91,
93. Similarly, in the case of ISC (Class XII exam) a set of 24 marks
between 40 and 100 were found to be unattained.
When
contacted, chairperson of the CISCE (Council for the Indian School
Certificate Examinations) Gerry Arathoon, refused to comment on both
data security and the unattained marks. "I can't say anything until I
have had a look at things myself," he said.
Pranesh
Prakash, policy director at the Center for Internet and Society, says
one needn't even be a techie to execute such a hack. "You don't need
real technical skills to do this. You just need to figure out the ranges
and feed them in. It is an interesting revelation that the website does
nothing to obfuscate the javascript for security, but one can still
retrieve data without that information. Once you have the data, it
requires two minutes of programming to get it in a spreadsheet," says
Prakash.
In his post, titled "Hacking into
the Indian Education System", Das wrote that he was doing this to
"demonstrate how few measures our education board takes to hide such
sensitive information". The student also told the TOI that it wasn't
possible to change any values in marks and upload fudged data again, and
that he made any significant progress in this direction only about 3-4
days after the results were announced. His online post says he also has
the data for CBSE class XII. Though he hasn't yet made it public, he
does admit it was harder to crack than CISCE, though not altogether
difficult.
Schooled in Kolkata, Das is
currently interning at Google, working on YouTube's captioning system.
He is also working on a tongue-controlled game and has earlier been
active in game and applet design. The idea to hack the results came to
him following a desire to help two close friends who had recently taken
the exams.
Das, nicknamed Deedy, told ToI that
he worked on the ICSE and ISC results off and on for a week, but it
essentially took about 4-5 hours to get all the data."It took me more
time to write the blog post," says Das, referring to his 19-page post
with all the graphs, data and explanations that is currently online.
For
Das, there was only one other takeaway from the whole exercise.
"Regardless of any tampering, it would be nice to see a transparent exam
scheme. SAT (Scholastic Assessment Test) publishes everything related
to the exam results every year. It is inconceivable that a national
level exam board doesn't do that," he says.
No comments:
Post a Comment