Karthik P H ಕಾರ್ತಿಕ್ ಪಿ ಹೆಚ್

Delhi: Sarthak Sidhant, one of the students affected by the CBSE's 'On-Screen Marking' (OSM) system, arrived at the Parliament House Annexe to give a presentation before the Parliamentary Standing Committee on Education, Women, Children, Youth, and Sports. This committee is reviewing the use of 'On-Screen Marking' (OSM) in Class 12 CBSE examinations and the consequent problems faced by students.

The govt should consider creating a national pool of young ethical hackers, cybersecurity researchers, and talented students to regularly test the security of its websites and digital infrastructure. Every year, crores are spent on private contractors to build and maintain govt portals. Yet many remain slow, poorly designed, vulnerable to security flaws, plagued by glitches, and raise concerns about data privacy. As the recent CBSE controversy showed, even a small technical vulnerability can trigger confusion, mistrust, and nationwide outrage. So why not tap into the talent that already exists in the country? A structured bug bounty and security-audit program, with attractive rewards, would encourage some of India's brightest minds to identify vulnerabilities before malicious actors do. The cost would be a fraction of current spending and should be made part of contractors' obligations. While some govt platforms already have bug bounty programs, the current approach is either not comprehensive enough or not effective enough. A stronger, centralized, and better-funded system may be needed. No system is perfectly secure, but having thousands of skilled people actively looking for weaknesses is more effective than relying solely on a handful of vendors.

Vedant Srivastava - 17 yrs old Took to social media and exposed discrepancies in CBSE's OSM marking system. Nisarga Adhikary- 19 yrs old Hacked CBSE website and informed them (and us) that it is vulnerable and can be hacked. Sarthak Sidhant- 17 yrs old Exposed how CBSE bent rules to award the OSM tender to COEMPT. These 3 kids need to be lauded. They have given us a glimmer of hope. They have shown us, not all is lost. We still have a future to salvage.

Software horror: litellm PyPI supply chain attack. Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords. LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwnd. Same for any other large project that depended on litellm. Afaict the poisoned version was up for only less than ~1 hour. The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks. Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any depedency you could be pulling in a poisoned package anywhere deep inside its entire depedency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages. Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've been so growingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.