Hacker Exposes Evidence of Widespread Grade Tampering In India
Okian Warrior writes "Hackaday has a fascinating story about Indian college student Debarghya Das: 'The ISC national examination, taken by 65,000 12th graders in India, is vitally important for each student's future: a few points determines which university will accept you and which will reject you. One of [Debarghya]'s friends asked if it was possible to see ISC grades before they were posted. [Debarghya] was able to download the exam records of nearly every student that took the test. Looking at the data, he also found evidence these grades were changed on a massive scale.'"
Caste system (Score:2, Interesting)
Or just buy degree (Score:5, Interesting)
Nothing I hear about education fraud in India surprises me since one of my Indian coworkers explained how people "buy" degrees from Indian universities.
University employees can be bribed to create the records for an entire curriculum, spanning multiple years of attendance. This record is indistinguishable from a valid one and generates a real diploma. The University will confirm education because "it's in the system".
I think he said it cost about $3000 USD or so for a Masters degree.
Re:not even hacking just URL typing with fixed ID (Score:2, Interesting)
According to my attorney (a former IT person who went to law school), that qualifies as hacking.
He was helping me with a child custody issue, but he had a case where a woman was accused of hacking. He said clearly she couldn't do it, as she could barely use a web browser and she was accused of a fairly sophisticated attack. He was thinking about using me as an expert witness, so we got talking about the subject. He said he'd obviously argue it wasn't if he was the defense attorney, but that present case law was that changing GET parameters qualifies as hacking.
That truly scared me.
Re:Caste system (Score:4, Interesting)
There is nothing in the article that indicates caste has anything to do with it. Most of the discussion suggested that the cause may have been to "bump" almost-passing grades to passing grades (and presumably other achievement tiers as well).
Re:not even hacking just URL typing with fixed ID (Score:5, Interesting)
Back in late 2009 and early 2010 I was scraping jail inmate registry records for Scott and Dakota County, MN. This was simply a script which incremented the ID numbers by one several times a day and put them out into a CSV. I uploaded these to Google Docs and had Docs Widgets build simple charts based on those data for a rolling ~6 month window of inmates.
As I started looking deeper into the data I started noticing I had ages lower than 18. Odd, I thought, but sure enough, Scott County was including their juvenile records in the data mixed with the adults, even though it wasn't shown on their public website.
I contacted the County and they fixed the bug (you can read about that here: http://www.lazylightning.org/scott-county-quickly-fixes-juvenile-jail-roster-issue) but I was still surprised at the relative lack of security for juvenile records.
It's surprising how lax security is anywhere, and to the poster elsewhere in this thread who said this is what you get when you outsource to India: this particular web stuff was not performed with outsourced talent, so that comment was nothing short of asinine.
Re:Caste system (Score:5, Interesting)
Technically, in a caste system, you're not allowed to move up except in very narrow circumstances. You're not actually allowed to move at all - up or down. You can be the most brilliant person on the planet, but if you were born to an untouchable in India, well, no one would listen to you.
More likely though, it would be done by people from higher castes because they have a certain image to maintain.
Remember, in Asia, this all derived from the old school British system where exams basically set you on your path through life - basically the final exams at the end of high school were The Final Exam(tm). Score well, and you'd go to university. Score not-so-well, you go to a second-rate college. Score less and you're a lowly tradesperson. Score even worse and you're an unskilled labourer.
So in general, it's an extremely high-stress period where teens would basically be locked in their rooms spending all their time studying because it really is it - no chance to take it over (well, I suppose there are certain humanitarian reasons they allow), and it basically determines your future.
Likewise, for anything with this much pressure on it, people succumb to the human condition - suicide is common, both before and after the exam. Cheating is as well - and many elaborate cheating machines have been conjured up over the years - this isn't your usual hide-a-cheat-sheet scale - this is full on tiny 2-way radios and other mechanisms. And of course, hacking of grades to improve one's score.
Interestingly, I think in China one district is forcing all test-takers through a very sensitive metal detector and forcing them to strip - just one step below forcing test-takers to be stark naked during testing. The metal detector is extremely sensitive and basically won't allow anything metal in.
That's how serious the test is, and how serious everyone takes it.
For all its flaws, the modern American system is generally better and more "available" (and even the modern British education system isn't as strict). I'm not entirely sure that letting one test determine your future is entirely wise, and it's one reason why a lot of students travel abroad to study. Some do it because they scored well and got prestigious international study scholarships from their country, but others do it because they couldn't get in, and studying abroad is an option for those that do not pass.
Re:Some basic problems with this story (Score:4, Interesting)
I've read the original. Whether your policy can produce that sort of distribution depends entirely on what the policy is, no?
As an example of a system that produces exactly this sort of pattern, at my university the pass grade was 50%. Anyone who scored at least 45% but less than 50% in the exam could apply to sit a supplementary exam a few weeks later. The supplementary exam score would then be your final score, but the maximum mark available in the supplementary exam is 50%. If this results in you scoring 50% then the subject is recorded as a "conceded pass". You can only take one conceded pass in a year and many degree programs also limit how many conceded passes you can count towards your degree.
It's a system that lets you have another go if you had a bad day in an exam and, yes, in many subjects it produces this pattern of no-one receiving 45, 46, 47, 48 or 49 and a big lump of people receiving 50.
Re:Some basic problems with this story (Score:5, Interesting)
The criticism seems rather pedantic. I'm the last one to defend the barely-reading, never-correcting, link-to-blog-post-instead-of-actual-article, duplicate-posting slasheditors, but the fact is:
1) The server has a place where you put in a code and, I'd guess, a passcode. He looked at the code, determined the data was being drawn by a simple Java query to an unsecured text file. Did he get the data the way it was intended? CERTAINLY not. Did he essentially 'break in' through what was relatively tissue-thin (derived from obscurity only, really) security? Yes, I'd say he did. So yes, in MOST people's definitions, he 'hacked' their shitty website.
2) WTF are you talking about? Every school system in existence ADJUSTS grades on standardized tests? Proof? The guy discovered that, of the passing scores (everything > 35), something like 40% of the possible scores NEVER showed up. I.e., nobody *ever* got a score of 82, 84, 91, or 93, while 94-100 was regularly distributed. Mathematical anomaly? Maybe. But with a massive test and multiple added scores, it seems unlikely that this is possible.
I think what he discovered was a ridiculously insecure web service, and a list of grade scores that have suspiciously regular omissions.
So "hacked" and "possible grade tampering" seems pretty spot on.
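A detection-oriented example, added here and not from Das's write-up or from any poster in this thread: it runs over a constructed score list (not real ISC data), reports passing values that never occur although their neighbours do, and groups those values into runs, so that a policy-style gap (45-49 collapsed into 50, as in the conceded-pass post above) can be told apart from the scattered missing values (82, 84, 91, 93) described in the post just above.

```python
from collections import Counter
import random


def missing_scores(scores, lo, hi, window=3, min_neighbor_mean=5.0):
    """Return values in [lo, hi] that never occur although nearby values do.
    A zero count is only flagged when the mean count of the values within
    +/-window is at least min_neighbor_mean: with thousands of papers, an
    empty integer score inside a well-populated neighbourhood is improbable."""
    counts = Counter(scores)
    flagged = []
    for v in range(lo, hi + 1):
        if counts[v] != 0:
            continue
        neighbors = [counts[u] for u in range(v - window, v + window + 1)
                     if u != v and lo <= u <= hi]
        if not neighbors:
            continue
        if sum(neighbors) / len(neighbors) >= min_neighbor_mean:
            flagged.append(v)
    return flagged


def gap_runs(values):
    """Group sorted integers into contiguous (start, end) runs. One long run
    ending just below a spike reads like a published rule (the conceded-pass
    policy); isolated single gaps with populated neighbours do not."""
    runs = []
    for v in values:
        if runs and v == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], v)
        else:
            runs.append((v, v))
    return runs


def constructed_scores(seed=7, n=5000):
    """Constructed sample, not real exam data. Scores are drawn around a mean
    of 65; 45-49 are bumped to 50 (the conceded-pass rule from the thread) and
    82, 84, 91 and 93 are shifted up by one to mimic the reported anomaly."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        s = max(0, min(100, round(rng.gauss(65, 15))))
        if 45 <= s <= 49:
            s = 50
        if s in (82, 84, 91, 93):
            s += 1
        out.append(s)
    return out


if __name__ == "__main__":
    found = missing_scores(constructed_scores(), 36, 100)
    print(found, gap_runs(found))
```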
Re:not even hacking just URL typing with fixed ID (Score:5, Interesting)
The examples in parent post are wrong.
"Breaking and entering" requires physical trespass. There is no trespass involved when using the GET method, which is part of a standard and open protocol, to request a web page, which in this case is unencrypted and easily read by anyone who asks for it.
The "bait car" analogy fails miserably. There is no property theft involved in what was described by TFA since nobody was deprived of use of anything. In the general case, "intellectual property" is not physical property and courts need to recognize the differences.
If anyone needs a physical analog of what this fellow has done, it is like this:
Imagine that for reasons unknown, the New York City Board of Education recorded the student ids and test scores as graffiti on all the park benches in Central Park. Where any passer-by could read them. Each student was directed to the bench where their data was recorded (in indelible magic marker), and the BoE patted itself on the back for having found a way to make use of all those benches. Then this guy comes along and develops an efficient way to go from bench to bench to bench... Data on the Internet, accessible without any protection to anyone who had or could construct the URL, is as freely available as any graffiti written on a park bench.
Questions should begin with why the Indian agency responsible for handling this data put up these web pages without involving anyone who had a year or more of training in information management techniques. They certainly had persons on staff who would have avoided making the JavaScript so readily accessible, and there should have been some kind of password scheme so that only the student would be able to access his own scores. Why were their in-house experts not involved? It is as if those who were delegated to build the web site did not want to involve anyone who knew enough about data management that they would become suspicious about it being manipulated.
I think there is more than enough evidence here that something is very corrupt in the Indian education system. Even if the data obtained had not been so obviously altered, the grossly amateur handling of highly personal information stinks to high heaven.
Re:not even hacking just URL typing with fixed ID (Score:5, Interesting)
If this had happened in the USA
Something very similar to this did happen in the USA, from some time in the 1980s until around 1995. It involved a government forestry agency, and the database they had to track logging, replanting, spraying, road building, and other commercial forest management activities.
I became involved about 1993 when I was hired by an eco-activist group who had used FOIA to obtain a digital copy of a detailed report of the entire forestry database for the region. My task was to develop one-off Perl scripts to extract the data from the report format and build a Paradox database that could be queried to see if the forestry records indicated any violations of the laws to protect spotted owl habitat. This was straightforward work: as I recall the hardest part was staying awake when doing the validation cross-checking. (I also dislike reconciling my checking account with the bank statement.)
But what I discovered was that the forestry database was full of crap. You cannot harvest a 20 year old stand of timber from a parcel that had been clear cut just three years earlier; you cannot harvest anything from a parcel before the access road to it is completed. A big portion of the database lacked self-consistency. Years later, I learned that the consultant that the forestry agency had hired to develop and maintain the database had been convicted of fraud, and that there had been a shake-up in the management of that agency. (Since the database records were crap, the eco-activists chose not to use it in their spotted owl fight. Instead a new, and appropriate, attack on the managerial competency of the forestry agency was launched, I believe by persuading one of the State Representatives to demand an investigation.)
I do not think that computer fraud on this scale is likely to happen in the USA now, because I think every manager of any kind of any large government database is well aware that he needs to cover his ass by having his stuff validated by Information Management. However the news indicates this kind of fraud is happening in some small towns, and some of the smaller departments of cities, places where there is still no easy access to information management professionals, where decisions involving database management have to be made by persons without a background in the subject.