> One person had just acquired the exam results for the whole country. Not only was this a violation of any and all forms of privacy associated with something as personal as your examination marks, but a mass divulsion of all sorts of personal information - names, date of birth and school.
There is no privacy to begin with, so this is a sensationalist argument at its best.
In India, there is no notion of keeping your grades confidential from others. Your entire neighborhood knows how you fared in your exams, because the notion of privacy, and of keeping grades secret as in Western countries, is not there.
What the author has done is nothing new, except that he got hold of them "technically". I checked my result for the same exam when I was in the USA. Not only that, I got the result for the entire school through email, it is that easy.
Case in point:
http://schoolcoderesults.nic.in/cbse-2013/result.php
So if you did give the exam, you have access to all the grades and they will send them to you through email, no questions asked at all. Let me repeat: you get all the grades for everyone in the school just through this one click. Should I call this a flaw in the system when the system presents this interface to me?
Even if you did not give the exam, you can get the "School Code" and "Authorization Code", again from the CBSE (the Central Board of Secondary Education). So I can get the grades for anyone from any school in India.
This is not a "cyberflaw". It is a flaw in our culture, if you can call it that.
Results get published in newspapers in India. Anyone with your registration number could get all your marks. It's easy to go back one step and know who is the owner of the exam registration number. In our state (Kerala) they publish a ranking of the top 15 rank holders in the state for 10th and 12th classes, and the kids are treated as celebrities with newspaper and TV coverage.
CBSE[1] officially sends you results via email[2], of an entire school, and there you get students' names, roll numbers and marks and pass/fail. Then you get a student's roll number and see the entire result card[3], which also has students' mothers' names, fathers' names and DOB.
All you have to know is two codes of a school: affiliation and school code, which are public, and schools put them on their websites[4].
Also, from his write up, it was a serious lack of security on the results website.
More importantly, the focus from his write up should be less on getting the data of the results, rather on the data itself. He goes on to plot the scores vs frequency for all the courses taken up by students and discovers a good case of tampering with the scores.
"I spoke to the Times Of India (linked below) and I would like to clarify what's been written in the article. The article states "A 20-year-old Indian student from Cornell University hacked into the database ... " This is technically incorrect. I did no such thing. I did not illegally access any database system. All I did was access information that was available to any person who entered a number into the website could access. I simply mined the data and then analyzed it to reveal some interesting and disturbing trends"
If he stated so, it is clearly not in line with the title of his blog post [1]. Come on, the media preys on keywords like hacking, so if you don't see it coming be careful the next time is my advice to the "hacker" in question.
[1] http://deedy.quora.com/Hacking-into-the-Indian-Education-Sys...
It's funny how this will likely be handled by the people in authority. Some narrow-minded men with no computer knowledge will sit around a table and decide what action can be taken against the 'hacker' for this 'breach', ignoring the real issue here.
Websites made by/for government institutions in India are a joke. Most Indian websites are probably still made to work only with IE (IE6 even).
Most probably those narrow-minded people have a lot of other things to do, like tackling insurgency and terrorism and calculating how much commission comes from which tender and which bank they should hide that amount in, unless the ICSE board wants to pursue it further.
Well, don't know what laws India has with regards to Cyber-security if any at all, but I wonder how the reaction would be if that happened to a nation-wide exam/test in the US like the SAT.
Even if the data was available on the server, I think the laws here are such that one can still be persecuted for that. A recent example that comes to mind is the AT&T hack that leaked email addresses of some iPad users [1].
Fortunately, in this case, it does not appear that the original poster has anything to be concerned about.
> Also, from his write up, it was a serious lack of security on the results website.
How? The website has an interface to give you all the results. All you need is an email address. How is this then a lack of security? This is 'by design'.
Just because that's the interface doesn't mean, "Allowing the entire world access," is by design. I understand where you're coming from with the cultural angle in your other post. On the other hand, sometimes people leave things in the open with the idea, "what's the worst that can happen," or, "only authorized people will know about this, I don't need security." This doesn't signify an intention to let the world see, or a lack of care about whether or not the world sees.
As far as my memory goes - I think I can safely say this for the past six years, everyone I know is aware that you can get the results for practically anyone, as long as you know their name and their school. So I meant that this is not anything revolutionary or new, let alone a security flaw. It's just how it is. And this is no violation of privacy as the author claims.
When the grades are announced, they are put up in their full glory in the school. There is no privacy! That is what I meant.
I know this is not a good thing, but I doubt this trend will change anytime soon.
And that is one reason very few pupils in India get depressed and commit suicide or steer towards drugs because they have scored less and/or others saw it.
And I don't complain about it. However with the recent (Sibbalusque) change in education marking system this trend may change.
Why are all the comments focused on how he got access to the data? The real scandal isn't in that they didn't protect the results (apparently Indian culture doesn't have the same level of privacy in this area), but in the fact that the results appeared to have been manipulated in odd ways.
The guy is playing the press, and enjoying the limelight on him by terming his data mining process as hacking in the opening paragraphs complete with juicy quotes, and this is why this article does not even mention the anomalies in the testing but rather concentrates on the cyber attacks.
Now this data distribution looks suspect to tampering. I will not pass judgements though without knowing the format of the papers. Besides, we do not know if indeed he actually fetched data for all the students and did not miss anybody, since he is relying upon his manual boundaries while scraping data. How informed those boundaries are is not known. ICSE schools are not normal run of the mill schools, they are populated by rich kids who can afford extra help and are kind of smart. Their English curriculum is reputed to be strong, hence the strong distribution towards the high end. I am also making assumptions, but I do not have full data to make informed inferences.
The article is mostly about the data he gathered, not the methods he used to acquire the data. I agree with you that it is hard to draw conclusions from his analysis without knowing more about the tests and how they work, but that is exactly why I was hoping the comments on HN would provide some clarity in this area rather than a debate about whether what he did was "hacking", which is wholly uninteresting as far as I'm concerned.
>> ICSE schools are not normal run of the mill schools, they are populated by rich kids who can afford extra help and are kind of smart.
Around a decade back, when I joined pre-university college, ICSE/CBSE fashion was at its highest. I remember our college principal had put them all in a section and they often got the best faculty and privileged treatment. It was almost like they were sort of something special, so special care needs to be taken to handle them, as though they were some exotic orchids. And we were some garbage thrown across the road which would turn into fertilizer for the large plants.
By the next year it was clear, they were a total disaster. In fact their only distinguishing factor was they could speak neat English, good clothes and a tremendous sense of elitism.
It's just these highly bloated syllabi, about teaching kids all sorts of advanced subjects which they understand nothing of. Ultimately they learn less than others.
Besides, it's a tradition to get high marks in ICSE schools in India. So much that if you pass your 10 from an ICSE school and go to a CBSE school for admission and have 94% marks, then the kid who has 89-90% from a CBSE school or even lower from a state board school might be preferred. It was true in 2001-2003 and was till I kept track, not sure now.
Their system has (had) a lot of marks in the hands of school authority rather than the board, and those marks were (are) very generously handed out.
A few years ago I too "mined data" (this word sounds ethical) from the MTNL site. I got the record of every single person who has a landline number in Delhi. (Actually I just wanted to see the bill amount) but they showed me everything. ;) Though I didn't make such graphs.
What's more, on one of the sites I was able to clear my bill by paying as much as I like. That means if my bill was 1000/- then by just paying 100/- I would get the confirmation of 1000/- bill pay. :)
I don't have the time to write a complete explanation about that, but if you point out a specific instance that interests you particularly, I can try to give an explanation.
I think the hacking claims are just fine. Hacking doesn't just mean making use of some XSRF or XSS exploit. Hacking means to make software behave in a way it was not intended to behave. It means to spot mistakes in software in some ingenuous fashion. The author (http://deedy.quora.com/Hacking-into-the-Indian-Education-Sys...) has done just that. He had to look into the source code, figure what format of the request was, figure the block ranges for the student and school codes and parse out the html results.
I've forked the GitHub and rewritten the scraper in Ruby. Full ICSE and ICS results are already there, plus a PostgreSQL loader and a script to determine the "true" all-India topper accounting for exam difficulty. I've also written a preliminary CBSE scraper. https://github.com/octonion/CISCEResults2013
http://tnresults.nic.in/tncfplus/cfplus.htm is the similar site for the Tamil Nadu (southern state)'s exam. From a cursory look seems to be at least a little bit more secure - requires DOB. Still, is made with Frontpage...
A simple explanation would be extra scrutiny for the answer paper evaluators when marks go beyond 80. That might determine the difference between getting home/hotel at 5:00 P.M. or sitting with the supervisor, painstakingly cross checking every answer. Picking answer paper evaluators is like picking people for jury duty in the US. It's a lottery system for teachers across the board (in this case across India) and once you get selected, it's mandatory to show up at the central evaluation center. The evaluations last something like 10-15 days.