Students are guilty until proven otherwise

Pre-Context

Hi there, it's 6 in the morning and I am writing this. This is not going to be a technical writeup which you might have subscribed to me for or expect from me. Rather, this will be my first official blog about my views (I guess? I have written countless pieces of lengthy advice during the time I used to run a cybersecurity group) - coming back to the topic - on a very concerning issue consuming KGP.

Context

The point which I am going to share will involve an example, in which the general public might be more interested rather than the issue which I want to address by this blog, thus I would like to clarify my point of concern before starting with the story so that you read this blog from the same point of view in which I have written it. Also, I actually don't know if it is okay to mention the names of people involved here, so I will be using false names (if required). If some official requires me to provide the names of the parties involved in the story - I do not have any problem with that ¯\_(ツ)_/¯.

Ok, so enough of the background - let's start with the main thing. The issue which I want you to focus on is,

Students have a bad image among the administration and are not trusted by them

Or a better way to put it will be,

Students are guilty until proven otherwise

The story

There have been countless encounters bringing up this issue in front of me. The most recent one was related to this year's TSG Elections (academic year 2024-2025). Excited? Drum-rolls.. Vote counts for this year's elections were leaked by an ERP developer to a student before the official disclosure of the results.

Possibility of more serious leaks?

It is easier to say this than to understand the consequences of the revelation. Let's talk about some of the implications of this incident:

  • Although the incident which came to light happened after the voting day, what about the possibility that this can happen during the day of voting?

  • Anyone involved can leak the count during the voting day and this could lead to manipulation of results in various sorts of ways.

  • There's that, now think about this, bribing an ERP Developer to tamper with the results :)

Yup that's a serious concern now. Although, not the one which I want you to focus via this blog, please continue reading..

Who am I?

How do I know it? Who am I? Just to give you sufficient information about me:
I am Arpit Bhardwaj, Technology Coordinator, Technology Students' Gymkhana for the academic year 2023-2024. Now, here's the thing - Technology Coordinator is the student position which should receive the election results first, so that they can update it on the gymkhana website which then serves as the first and foremost source of information for the general student body regarding all the information pertaining to elections.

What did I do?

What did I do after knowing this? Why am I writing a blog? Why not inform the concerned authorities? Here's what I did as soon as my investigation concluded:

I immediately informed a concerned official, explained all the details about how I got to know about the issue, how I investigated the student and later found the ERP developer involved in this. I explained this more than once (It was actually more than once, but I can't give an exact count and I don't want any of the parties to raise fingers on me for providing any "false" information). The talk was quite long, around 20 minutes - I will be discussing it in parts in the blog ahead.

Concerns of the official

Let's first talk about the concerns of the officials, which I found themselves concerning (-_-). Their concern was (writing the gist of it):

  • Is there a possibility that ERP was hacked, moreover, hacked with privilege to edit the database and manipulate the vote count?

  • And was the hack done by a student?

See, this is a possibility, I am not denying that (neither would you after recent security incidents with ERP) but this can not be concluded from the current situation, how the events took place doesn't point in this direction at all. Next surprising concern:

  • What's my hall? Why am I constantly chasing this issue?

I laughed at this, hard. Anyone who knows me well enough should know that such things (politics and stuff) don't matter to me. The sole reason for me to report this was to fulfil my duty as Technology Coordinator and to do what was right, an effort to maintain the integrity of our technical systems. Which was being questioned here ¯\_(ツ)_/¯ . Anyways, we forgot about something or should I say, about someone..

.. What about the ERP Developer responsible for this leak? Their response to this:

If the staff had access to data and they leaked it, HOW CAN WE PREVENT IT?

  • As in "WE CAN NOT PREVENT IT" or as in "NOTHING CAN BE DONE ABOUT IT"

"HOW CAN WE PREVENT IT?" - ?? I mean, what? Did I hear it clearly? - this was my reaction after hearing this statement. Let me tell you some technicalities (yeah, what else would you expect from me anyways) - "hacking" doesn't only involve breaking the computer system(s), there is a concept of social engineering (for those who didn't bother to read the Wikipedia article - it is, in layman's terms, "human hacking", where humans are "hacked" to break into the system or forced/convinced/tricked to provide confidential information). In short, some person leaking information for any reason - "knowingly" - is a crime equivalent to hacking the system. And the official was fine with it, rather concerned about involvement of a student directly (as in the end, a student was involved).

IMPORTANT

I do not know what actions were taken against the ERP Developer in concern here.

My concerns

Concern 1

Students are guilty until proven otherwise

This is one of the stories which I am sharing publicly, but there has been more than one incident of this same topic being raised. To ensure the smooth functioning of an organisation, such beliefs are detrimental. I fail to comprehend this statement entirely. Why emphasise the term "student"? Aren't mistakes made by individuals in administration as well (as evidenced by the example provided)? Why approach the situation with a perspective that implies guilt on the part of students? Instead, why not use a more generic term that encompasses a broader subset of people? Ultimately, both sides make mistakes, and pointing fingers won't facilitate resolution. Rather, focus on solving the issue more than focusing on who caused it in terms of - students or administration - rather than creating generalised beliefs based on actions of some malicious elements of a particular subset of people. This goes for students and administration, both. Let's stop pointing fingers at each other and work together at solving the problem. Because in the end,

Not all students are bad or have malicious intentions

Not all employees are bad or have malicious intentions

Not all admins are bad or have malicious intentions

Concern 2

I do not find the current ERP team to be competent enough to keep our data safe. I don't know about you, I care for my data. Technical inability was a different thing, now they are themselves leaking details? To put it more formally, give students official permission to exploit, find and report bugs in ERP - YOUR BUG REPORTING SYSTEM WILL CRASH IN A DAY! - because that will be overloaded by the massive amount of incoming reports and yes the system itself won't be built properly either ¯\_(ツ)_/¯.

So, what's the solution?

Students are NOT guilty until proven otherwise

I went to a conference, where I got an opportunity to talk with a professor who supported his students (the whole story is itself very inspiring, should discuss this in another blog). In short, students were involved in migrating the complete network architecture from IPv4 to IPv6, contributing to the original implementations of IEEE protocols (published papers), developed crucial systems for the institute etc. How was this made possible? The quote which this section starts with is what he replied.

But what about the sensitive data?

Say students want to develop something which involves some "confidential data" for the institute or let alone work on the current existing ones and improve them. The same question comes again and again, "How to trust students with the data?". I mean Google, Microsoft, a random startup.. all of them have employees. All of them have some level of confidentiality available for every employee. Don't they function?

  • Let the students sign a Non Disclosure Agreement (that's what the professor earlier in the story did as well). The reality is if they want it, it is not hard to get past the problems presented.

  • Don't give them real data, students can work on dummy data.

Conclusion

It is high time we focus on how we see the problems and stop pointing fingers and making generalised beliefs about a particular subset of people.
