

College grad hacks ICSE, ISC results, shows up India’s cyber flaws - posharma
http://www.firstpost.com/tech/college-grad-hacks-icse-isc-results-shows-up-indias-cyber-flaws-845135.html

======
thex86
> One person had just acquired the exam results for the whole country. Not
> only was this a violation of any and all forms of privacy associated with
> something as personal as your examination marks, but a mass divulsion of all
> sorts of personal information - names, date of birth and school.

There is no privacy to begin with, so this is a sensationalist argument at its
best.

In India, there is no notion of keeping your grades confidential from others.
Your entire neighborhood knows how you fared in your exams, because the notion
of privacy, and of keeping grades secret as in Western countries, is
not there.

What the author has done is nothing new, except that he got hold of them
"technically". I checked my result for the same exam when I was in the USA. Not
only that, I got the result for the entire school through email, it is that
easy.

Case in point:

<http://schoolcoderesults.nic.in/cbse-2013/result.php>

So if you did give the exam, you have access to all the grades and they will
send them to you through email, no questions asked at all. Let me repeat: you
get all the grades for everyone in the school just through this one click.
Should I call this a flaw in the system when the system presents this
interface to me?

Even if you did not give the exam, you can get the "School Code" and
"Authorization Code", again from the CBSE (the Central Board of Secondary
Education). So I can get the grades for anyone from any school in India.

This is not a "cyberflaw". It is a flaw in our culture, if you can call it
that.

~~~
harichinnan
Results get published in newspapers in India. Anyone with your registration
number could get all your marks. It's easy to go back one step and know who is
the owner of the exam registration number. In our state (Kerala) they publish a
ranking of top 15 rank holders in the state for 10th and 12th classes and
the kids are treated as celebrities with newspaper and TV coverage.

------
nrbafna
He writes about it himself here -
[http://deedy.quora.com/Hacking-into-the-Indian-Education-Sys...](http://deedy.quora.com/Hacking-into-the-Indian-Education-System)

Also, from his write-up, it was a serious lack of security on the results
website.

More importantly, the focus from his write-up should be less on getting
the data of the results, and more on the data itself. He goes on to plot the scores
vs frequency for all the courses taken up by students and discovers a good case
of tampering with the scores.

~~~
zengr
He has clearly stated on his blog:

"I spoke to the Times Of India (linked below) and I would like to clarify
what's been written in the article. The article states "A 20-year-old Indian
student from Cornell University hacked into the database ... " This is
technically incorrect. I did no such thing. I did not illegally access any
database system. All I did was access information that was available to any
person who entered a number into the website could access. I simply mined the
data and then analyzed it to reveal some interesting and disturbing trends"

So, he didn't hack anything.

~~~
openforce
It's funny how this will likely be handled by the people in authority. Some
narrow-minded men with no computer knowledge will sit around a table and
decide what action can be taken against the 'hacker' for this 'breach',
ignoring the real issue here.

Websites made by/for government institutions in India are a joke. Most Indian
websites are probably still made to work only with IE (IE6 even).

~~~
fakeer
Most probably those narrow-minded people have a lot of other things to do like
tackling insurgency and terrorism and calculating how much commission comes
from which tender and which bank they should hide that amount in, unless the
ICSE board wants to pursue it further.

------
glesica
Why are all the comments focused on how he got access to the data? The real
scandal isn't in that they didn't protect the results (apparently Indian
culture doesn't have the same level of privacy in this area), but in the fact
that the results appeared to have been manipulated in odd ways.

~~~
iamshs
The guy is playing the press, and enjoying the limelight on him by terming his
data mining process as hacking in the opening paragraphs complete with juicy
quotes, and this is why this article does not even mention the anomalies in
the testing but rather concentrates on the cyber attacks.

On his results:
[http://qph.is.quoracdn.net/main-qimg-7563466e4810af140bb712b...](http://qph.is.quoracdn.net/main-qimg-7563466e4810af140bb712b95f238531)

Now this data distribution looks suspect to tampering. I will not pass
judgements though without knowing the format of the papers. Besides, we do not
know if indeed he actually fetched data for all the students and did not miss
anybody, since he is relying upon his manual boundaries while scraping data.
How informed those boundaries are is not known. ICSE schools are not normal
run of the mill schools, they are populated by rich kids who can afford extra
help and are kind of smart. Their English curriculum is reputed to be strong,
hence the strong distribution towards high end. I am also making assumptions,
but I do not have full data to make informed inferences.

~~~
glesica
The article is mostly about the data he gathered, not the methods he used to
acquire the data. I agree with you that it is hard to draw conclusions from
his analysis without knowing more about the tests and how they work, but that
is exactly why I was hoping the comments on HN would provide some clarity in
this area rather than a debate about whether what he did was "hacking", which
is wholly uninteresting as far as I'm concerned.

------
general_failure
I think the hacking claims are just fine. Hacking doesn't just mean making use
of some XSRF or XSS exploit. Hacking means to make software behave in a way it
was not intended to behave. It means to spot mistakes in software in some
ingenious fashion. The author
([http://deedy.quora.com/Hacking-into-the-Indian-Education-Sys...](http://deedy.quora.com/Hacking-into-the-Indian-Education-System))
has done just that. He had to look into the source code,
figure out what the format of the request was, figure out the block ranges for the student
and school codes and parse out the HTML results.
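Seen from the operator's side, a client walking contiguous blocks of codes as described in the comment above stands out in request logs. The following is an added example, not part of the thread or of any code it links to; the log format (`<client> <requested ID>`), the sample lines and the thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log, one "<client> <requested ID>" pair per line.
SAMPLE_LOG = "\n".join(
    [f"203.0.113.7 {n}" for n in range(5000, 5040)]       # one client sweeping a block
    + ["198.51.100.21 5012", "198.51.100.21 5012",        # same ID looked up twice
       "198.51.100.34 7741", "198.51.100.34 7742",        # two neighbouring lookups
       "192.0.2.9 6203", "garbage line here"]             # malformed line is skipped
)


def longest_run(ids):
    """Length of the longest run of consecutive integers in a set of IDs."""
    best = 0
    for i in ids:
        if i - 1 not in ids:          # i starts a run
            n = 1
            while i + n in ids:
                n += 1
            best = max(best, n)
    return best


def flag_sweeps(log_text, min_distinct=10, min_run=8):
    """Return {client: (distinct IDs requested, longest consecutive run)} for
    clients that requested many distinct IDs forming a long contiguous block.
    Both thresholds are illustrative assumptions, not tuned values."""
    per_client = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            continue
        per_client[parts[0]].add(int(parts[1]))
    flagged = {}
    for client, ids in per_client.items():
        run = longest_run(ids)
        if len(ids) >= min_distinct and run >= min_run:
            flagged[client] = (len(ids), run)
    return flagged


if __name__ == "__main__":
    print(flag_sweeps(SAMPLE_LOG))
```

A school fetching many of its own students' results from one address would trip the same rule, so the output is a triage list rather than a verdict.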

------
nadahalli
It's not quite bogus, but it's very close.

[http://pratyaya.nationalinterest.in/2013/06/05/the-bogus-cla...](http://pratyaya.nationalinterest.in/2013/06/05/the-bogus-claims-of-hacking-indian-education-system-and-marks-tampering/)

------
octonion
I've forked the GitHub and rewritten the scraper in Ruby. Full ICSE and ICS
results are already there, plus a PostgreSQL loader and a script to determine
the "true" all-India topper accounting for exam difficulty. I've also written
a preliminary CBSE scraper. <https://github.com/octonion/CISCEResults2013>

~~~
iamshs
Can you put up the CBSE results please? A simple CSV aggregate file will
suffice. I will do some analysis on that too.

~~~
octonion
I have about 1 million of the CBSE student records there now. That's about 8.8
million scores.
[https://github.com/octonion/CISCEResults2013/tree/master/cbs...](https://github.com/octonion/CISCEResults2013/tree/master/cbse)

------
cubancigar11
I have been doing this for the past two years for my paper on social privilege and
reservation. Thanks to this guy my job might just become harder.

~~~
ISL
Quality work is quality work. Getting scooped doesn't diminish whatever you've
accomplished.

------
Sven7
Hilarious stuff :)

"For example, 81, 82, 84, 85, 87, 89, 91 and 93 were visibly missing. I
repeat, no one in India had achieved these marks in the ICSE."

[http://deedy.quora.com/Hacking-into-the-Indian-Education-Sys...](http://deedy.quora.com/Hacking-into-the-Indian-Education-System)

~~~
IvyMike
To me the missing values (and nearby spikes) seem like they could be aliasing
due to a bad rounding/scaling algorithm.
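The mechanism suggested in the comment above can be shown with a small added example (not from the thread or from the linked write-up). It assumes a hypothetical pipeline in which a 0-100 mark is stored on a 0-80 scale and then reported back on 0-100, rounding at each step; the scale factors are assumptions chosen to show the effect and do not reproduce the exact gaps quoted for ICSE.

```python
from collections import Counter


def round_half_up(num, den):
    """Round the non-negative fraction num/den to the nearest integer (halves up),
    using integer arithmetic only so no float rounding mode is involved."""
    return (2 * num + den) // (2 * den)


def rescale_twice(raw):
    """Assumed pipeline: mark on 0-100 -> stored on 0-80 -> reported on 0-100."""
    stored = round_half_up(raw * 4, 5)     # multiply by 0.8 and round
    return round_half_up(stored * 5, 4)    # multiply by 1.25 and round


def aliasing_report(raw_marks):
    """Return (missing, doubled): reported values that never occur, and reported
    values that more than one raw mark collapses onto."""
    counts = Counter(rescale_twice(m) for m in raw_marks)
    missing = [v for v in range(101) if v not in counts]
    doubled = sorted(v for v, c in counts.items() if c > 1)
    return missing, doubled


if __name__ == "__main__":
    # Constructed input: exactly one candidate at every raw mark from 0 to 100.
    missing, doubled = aliasing_report(range(101))
    print("never reported:", missing)
    print("reported twice:", doubled)
```

With one candidate at every raw mark, every fifth reported value never appears and the value directly above each gap appears twice, which is the gap-plus-spike shape the comment describes.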

~~~
iamshs
This is what I thought too, especially since it is visible among all the
subjects.

~~~
harichinnan
A simple explanation would be extra scrutiny for the answer paper evaluators
when marks go beyond 80. That might determine the difference between getting
home/hotel at 5:00 P.M. or sitting with the supervisor, painstakingly cross
checking every answer. Picking answer paper evaluators is like picking people
for jury duty in the US. It's a lottery system for teachers across the board (in
this case across India) and once you get selected, it's mandatory to show up at
the central evaluation center. The evaluations last something like 10-15 days.

------
yuvipanda
<http://tnresults.nic.in/tncfplus/cfplus.htm> is the similar site for the
Tamil Nadu (southern state)'s exam. From a cursory look it seems to be at least a
little bit more secure - requires DOB. Still, is made with Frontpage...

------
captn3m0
The code for this is available on GitHub[1], in case anyone is interested.

[1]: <https://github.com/deedydas/CISCEResults2013>

~~~
ihuman
Strange. I'm getting 404 errors for that repo.

~~~
thex86
He says he made the repo private.

~~~
fakeer
Well, that means he is a paying GitHub customer or maybe the recent GitHub
offer of pvt repos to students.

Ps. Any mirrors?

------
siddhantpuri
He didn't hack it, he just scraped it. It wasn't something illegal. Read his blog
post.

~~~
pilif
Isn't what he has done exactly what the "AT&T Hacker" who's now put into jail
for years has done back in 2010?

------
ja27
Why is it so significant that he is a "college grad"?

