CBSE website security is zero, says IT veteran amid marking portal controversy
By now it is a fact that the CBSE website, or at least the one that existed around a week ago, is poorly secured. But just how poorly? India Today Tech spoke to an IT industry veteran and digital rights activist. On a scale of 1 to 10, he rated the security of CBSE website zero!
By now it has become a fact that the CBSE website has been a leaky ship. Or rather a room with an open door and no lock, allowing anyone to enter and play around with data stored on its servers. At least that is how Srikanth Lakshmanan, an IT industry veteran, categorises the CBSE website on a blog at GitHub. His blog comes after a spate of high-profile breaches at the website by a couple of teenage techies and the like-minded internet sleuths.
Talking to India Today Tech, Srikanth is even more stark and blunt than he is on his blog. We asked him how, as someone who is an IT industry veteran, he would rate CBSE website security on a scale of 1 to 10. His reply, “Zero”.
He then added, “The solution deployed (at CBSE website) lacked any kind of basic quality control and basic security testing. The fact that answer sheets were accessible without any kind of authentication and the infrastructure was so open to grant read, write access without any sophisticated attempts proves that the systems were deployed by a vastly inexperienced team.”
In case you are wondering what Srikanth is talking about, a quick refresher. CBSE is in the middle of a major fiasco that has left thousands of students wondering about their Class 12 marks. This year for the first time, CBSE introduced On Screen Marking or OSM for its most important examination, the one which decides the entire future of students. In this new method, CBSE first scanned the answer sheets that students wrote, which were then marked by the examiner. Hence, the name OSM.
That there was something wrong with the entire process came to light when some students applied for re-evaluation. When they received their answer sheets many students found the pages were blurry, or they had got the sheets written by someone else. There were enough complaints to raise a stink.
Once CBSE came under spotlight, people started poking and probing its website as well the OSM system. A 19-year-old cybersecurity researcher, Nisarga Adhikary, found anyone online could access your answer sheets, and even view your marks, without even needing to verify themselves.
On the GitHub blog, Srikanth described the whole situation in easy to understand terms. He wrote that the CBSE website breaches were like “someone not just finding the backdoor to the school, but getting the master keys to every classroom, the principal’s office, the records room, and the intercom system — and then playing music over the PA to prove it.”
It is intent, and not capacity
Talking to India Today Tech, Srikanth highlighted that OSM as a technology is not new, or even rocket science. Although, he acknowledges that India’s sheer scale makes it difficult to implement something. On this occasion, he believes, the issues are result of hurry and lack of intent.
“CBSE has been attempting to introduce OSM for evaluation for almost a decade. Yet they haven’t clearly (ironed) out the issues before rolling it out,” Srikanth tells India Today Tech. “Other countries have been doing OSM and it does bring advantages of cost, time, correctness — when done right.”
Now that the whole fiasco, including a suspect-looking tender process for the OSM system that led to TCS losing out to a firm called Coempt, is out in the open, CBSE should be looking to address the issues transparently and honestly. That is what Srikanth suggests. “Instead of being in denial or bluntly lying that it’s engaging with those reporting (security) issues when it’s not, it must act sincerely,” he says. “There would be enough competent people in CBSE to do the right things, the problem seems to be of intent (and not) capacity.”
Only the coming days and weeks will tell what lessons CBSE has learnt from this fiasco. Only the coming days, when more amateur and professional hackers poke, push and test the CBSE website, will reveal if the agency has managed to tighten the security or not. On June 2, though, CBSE is live with a new portal for students who are looking to get their marks re-evaluated. And while the portal seems somewhat better, it also seemingly brings a new set of issues, particularly around the Aadhaar-based authentication that is reportedly failing for some students.
By now it has become a fact that the CBSE website has been a leaky ship. Or rather a room with an open door and no lock, allowing anyone to enter and play around with data stored on its servers. At least that is how Srikanth Lakshmanan, an IT industry veteran, categorises the CBSE website on a blog at GitHub. His blog comes after a spate of high-profile breaches at the website by a couple of teenage techies and the like-minded internet sleuths.
Talking to India Today Tech, Srikanth is even more stark and blunt than he is on his blog. We asked him how, as someone who is an IT industry veteran, he would rate CBSE website security on a scale of 1 to 10. His reply, “Zero”.
He then added, “The solution deployed (at CBSE website) lacked any kind of basic quality control and basic security testing. The fact that answer sheets were accessible without any kind of authentication and the infrastructure was so open to grant read, write access without any sophisticated attempts proves that the systems were deployed by a vastly inexperienced team.”
In case you are wondering what Srikanth is talking about, a quick refresher. CBSE is in the middle of a major fiasco that has left thousands of students wondering about their Class 12 marks. This year for the first time, CBSE introduced On Screen Marking or OSM for its most important examination, the one which decides the entire future of students. In this new method, CBSE first scanned the answer sheets that students wrote, which were then marked by the examiner. Hence, the name OSM.
That there was something wrong with the entire process came to light when some students applied for re-evaluation. When they received their answer sheets many students found the pages were blurry, or they had got the sheets written by someone else. There were enough complaints to raise a stink.
Once CBSE came under spotlight, people started poking and probing its website as well the OSM system. A 19-year-old cybersecurity researcher, Nisarga Adhikary, found anyone online could access your answer sheets, and even view your marks, without even needing to verify themselves.
On the GitHub blog, Srikanth described the whole situation in easy to understand terms. He wrote that the CBSE website breaches were like “someone not just finding the backdoor to the school, but getting the master keys to every classroom, the principal’s office, the records room, and the intercom system — and then playing music over the PA to prove it.”
It is intent, and not capacity
Talking to India Today Tech, Srikanth highlighted that OSM as a technology is not new, or even rocket science. Although, he acknowledges that India’s sheer scale makes it difficult to implement something. On this occasion, he believes, the issues are result of hurry and lack of intent.
“CBSE has been attempting to introduce OSM for evaluation for almost a decade. Yet they haven’t clearly (ironed) out the issues before rolling it out,” Srikanth tells India Today Tech. “Other countries have been doing OSM and it does bring advantages of cost, time, correctness — when done right.”
Now that the whole fiasco, including a suspect-looking tender process for the OSM system that led to TCS losing out to a firm called Coempt, is out in the open, CBSE should be looking to address the issues transparently and honestly. That is what Srikanth suggests. “Instead of being in denial or bluntly lying that it’s engaging with those reporting (security) issues when it’s not, it must act sincerely,” he says. “There would be enough competent people in CBSE to do the right things, the problem seems to be of intent (and not) capacity.”
Only the coming days and weeks will tell what lessons CBSE has learnt from this fiasco. Only the coming days, when more amateur and professional hackers poke, push and test the CBSE website, will reveal if the agency has managed to tighten the security or not. On June 2, though, CBSE is live with a new portal for students who are looking to get their marks re-evaluated. And while the portal seems somewhat better, it also seemingly brings a new set of issues, particularly around the Aadhaar-based authentication that is reportedly failing for some students.
