Indian student in Cornell University hacks into ICSE, ISC database
Kolkata-born Debarghya Das, majoring in computer science, says that all he had to do was run a simple program that entered all roll numbers after defining a range to get access to all the results. "It is shocking they haven't implemented a more secure system," Das told TOI on phone from New York.
After the results data was crunched, analysed and plotted in graphs, Das discovered an interesting incongruity in the marking system: there are 33 different scores unattained between the passing mark of 35 and the maximum of 100 by the nearly 1,50,000 who appeared for the ICSE (Class X) exam. According to Das' findings, not a single student got the following marks: 36, 37, 39, 41, 43, 45, 47, 49, 51, 53, 55, 56, 57, 59, 61, 63, 65, 67, 68, 70, 71, 73, 75, 77, 79, 81, 82, 84, 85, 87, 89, 91, 93. Similarly, in the case of ISC (Class XII exam) a set of 24 marks between 40 and 100 were found to be unattained.
When contacted, Gerry Arathoon, chairperson of the CISCE (Council for the Indian School Certificate Examinations), refused to comment on both data security and the unattained marks. "I can't say anything until I have had a look at things myself," he said.
Das says that the missing marks indicate that perhaps they were tampered with. He offers mathematical and statistical arguments to defend his position in his online post. He says that the ISC anomaly appears to be a case of awarding "grace marks" and writes -- "Everything from 35 onwards, and most things from 23 onward seem blindly promoted to a pass mark."
Pranesh Prakash, policy director at the Center for Internet and Society, says one needn't even be a techie to execute such a hack. "You don't need real technical skills to do this. You just need to figure out the ranges and feed them in. It is an interesting revelation that the website does nothing to obfuscate the javascript for security, but one can still retrieve data without that information. Once you have the data, it requires two minutes of programming to get it in a spreadsheet," says Prakash.
In his post, titled "Hacking into the Indian Education System", Das wrote that he was doing this to "demonstrate how few measures our education board takes to hide such sensitive information". The student also told the TOI that it wasn't possible to change any values in marks and upload fudged data again, and that he made any significant progress in this direction only about 3-4 days after the results were announced. His online post says he also has the data for CBSE class XII. Though he hasn't yet made it public, he does admit it was harder to crack than CISCE, though not altogether difficult.
Schooled in Kolkata, Das is currently interning at Google, working on YouTube's captioning system. He is also working on a tongue-controlled game and has earlier been active in game and applet design. The idea to hack the results came to him following a desire to help two close friends who had recently taken the exams.
Das, nicknamed Deedy, told TOI that he worked on the ICSE and ISC results off and on for a week, but it essentially took about 4-5 hours to get all the data. "It took me more time to write the blog post," says Das, referring to his 19-page post with all the graphs, data and explanations that is currently online.
For Das, there was only one other takeaway from the whole exercise. "Regardless of any tampering, it would be nice to see a transparent exam scheme. SAT (Scholastic Assessment Test) publishes everything related to the exam results every year. It is inconceivable that a national level exam board doesn't do that," he says.