IITB ASC on SMS

Saket Choudhary

Jan 20, 2012, 10:08:04 AM
to wncc...@googlegroups.com, prasha...@gmail.com, avnish...@gmail.com, pushkar....@gmail.com
Hello All,

How many times has it been that you are out of the institute, your grades have just been declared and you are tempted to know your grade or the grading statistics? Sadly enough, you don't have 2G/internet at home and possibly VPN isn't working either! We often call our friends who happen to be 'inside', tell them our LDAP ID & password and voila! Neat, or is it?

Your mobile networks are more reliable than your internet. So what if you could get to know all your grades and the grading statistics just through one SMS?

We were faced with these problems too and came up with an app which solves the problem to some extent.

Send an SMS to 9243342000 with <@asciitb gstats course code year> to get the grading stats for the course.

e.g.: @asciitb gstats CS101 2010. This will give you the grading statistics of CS 101 in the year 2010.

Send an SMS to 9243342000 with <@asciitb grades ldap_id ldap_password semester> to get your grades for a semester.

e.g.: @asciitb grades username password 5. This will give you your grades for semester 5.




How it Works!

Hosted on Google App Engine, the app receives requests from the txtweb API, processes them, makes a request to a server located inside IITB and sends you back the result.

The password is being sent in 'plain text' for now; we are working on implementing encryption, though it seems a little difficult given the txtweb API limitations.

Passwords are never stored. Neither on txtweb end nor on our end.

Normal SMS rates apply.

--


We have been testing it for the past couple of weeks, but it doesn't make sense to keep it restricted to the four of us, hence we decided to open it for everybody out there who has faced a similar problem in life at least once!

In case you start using it, your comments/suggestions/bugs are welcome at http://home.iitb.ac.in/~saket.kumar/iitbasc/

And yeah, there's an easter egg hidden somewhere! Let us know in case you encounter it!
---
GAPS
Giri Prashant
Avnish Kumar
Pushkar Godbole
Saket Choudhary


Mayank Singhal

Jan 20, 2012, 10:23:26 AM
to wncc...@googlegroups.com

Actually the password will be sent in plaintext as a GET variable. The server logs as well as TxtWeb logs have the info.

--
The website for the club is http://stab-iitb.org/wncc
To post to this group, send email to wncc...@googlegroups.com

karthik CS

Jan 20, 2012, 11:09:50 AM
to wncc...@googlegroups.com
How will it distinguish between the semesters in a year for grading statistics?


Chiraag Juvekar

Jan 20, 2012, 10:23:50 AM
to wncc...@googlegroups.com, prasha...@gmail.com, avnish...@gmail.com, pushkar....@gmail.com
Is it possible to do something like OAuth with LDAP?

--
Chiraag

You can't have everything in life, 
In particular, the list of all lists that do not contain themselves.

Saket Choudhary

Jan 20, 2012, 12:25:16 PM
to wncc...@googlegroups.com, prasha...@gmail.com, avnish...@gmail.com, pushkar....@gmail.com
I somehow didn't give this a thought. But seems good enough if this can be done.
Will post here if we can get this done the OAuth way !
Thanks !

Saket Choudhary

Jan 20, 2012, 12:26:15 PM
to wncc...@googlegroups.com
By default, stats for both the sems are sent.

Sudarshan Wadkar

Jan 20, 2012, 12:26:32 PM
to wncc...@googlegroups.com
Hmm, interesting stuff. Though I must warn you guys that almost all
your fancy SMS are passed down from one operator/circle to another in
plain HTTP/SMPP protocols (GET method mostly, small PHP scripts
urlencod'ing your plain text, that's all). I am not sure if their
communication channels are secure or not, but I wouldn't put my money
on the security structure of any networks.

@Manku
you are right, even the internal communications are plain
HTTP/GET(mostly) or SMPP

-Sudarshan Wadkar

"Success is getting what you want. Happiness is wanting what you get."
- Dale Carnegie
"It's always our decision who we are"
- Robert Solomon in Waking Life
"The truth is the truth, so all you can do is live with it."
--Systematic Chaos

Saket Choudhary

Jan 20, 2012, 12:27:47 PM
to wncc...@googlegroups.com
Agreed.
We aren't fiddling with the logs. And never plan to.

Mayank Singhal

Jan 20, 2012, 12:28:03 PM
to wncc...@googlegroups.com, prasha...@gmail.com, avnish...@gmail.com, pushkar....@gmail.com
There are other ways to correlate phone numbers (or txtweb user ids) to LDAP.

Mayank Singhal
5th Year Dual Degree Student
Computer Science and Engineering
IIT Bombay

Mayank Singhal

Jan 20, 2012, 12:30:31 PM
to wncc...@googlegroups.com
With TxtWeb it is even worse, as instead of making POST requests they are making GET requests
to TxtWeb apps. So the thing is that server visitor logs will have all the data.

Sudarshan Wadkar

Jan 20, 2012, 12:31:02 PM
to wncc...@googlegroups.com
What can be really interesting is if you can show this stuff to
ASC-head, and get ASC to send SMS alerts! They already have your
address details, just update it with your current number and voila !

Now that would be cool (isn't this insti-elections time ? Ouch ! I
just leaked a manifesto point in public ! :P )

-Sudarshan Wadkar

Saket Choudhary

Jan 20, 2012, 12:33:59 PM
to wncc...@googlegroups.com
This is really the issue.
So in case you have an "&" in your password, the system is screwed because txtweb screws it all!
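
The two problems raised in the posts above (the password travelling in a GET query string that lands in server logs, and an "&" in the password breaking the request), shown as an added example that is not part of the thread or the app's code. The parameter name `message`, the `/asc` path, the `uid` value and the credentials are constructed for illustration, not taken from the txtweb API.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

PARAM = "message"  # assumed parameter name; not taken from the txtweb API

def build_url(sms_text, encode):
    """Build the GET URL a gateway would request for one SMS (constructed path)."""
    value = quote(sms_text, safe="") if encode else sms_text.replace(" ", "+")
    return f"/asc?{PARAM}={value}&uid=constructed-user-hash"

def received_text(url):
    """The SMS text as the app sees it after ordinary query-string parsing."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True)[PARAM][0]

def access_log_line(url):
    """Constructed access-log line: the request line carries the whole URL."""
    return f'203.0.113.7 - - [20/Jan/2012:12:30:31 +0000] "GET {url} HTTP/1.1" 200 512'

# Scrub the entire query string, not just PARAM: when "&" splits the
# password, its tail sits outside PARAM and a per-parameter filter misses it.
_QUERY = re.compile(r'("[A-Z]+ [^?\s"]*\?)[^\s"]*')

def redact(log_line):
    """Return the log line with everything after '?' replaced."""
    return _QUERY.sub(r"\1[REDACTED]", log_line)

if __name__ == "__main__":
    sms = "grades jdoe p@ss&word 5"  # constructed credentials
    for encode in (False, True):
        url = build_url(sms, encode)
        print("app receives:", repr(received_text(url)))
        print("raw log     :", access_log_line(url))
        print("scrubbed    :", redact(access_log_line(url)))
```

Percent-encoding the SMS text fixes the truncation but not the exposure: the encoded password is still written to every log that records the request line, so it has to be scrubbed there or kept out of the URL altogether.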

Saket Choudhary

Jan 20, 2012, 12:35:15 PM
to wncc...@googlegroups.com
We did try contacting the ASC people, well, by emails only. No responses.

Mayank Singhal

Jan 20, 2012, 12:39:04 PM
to wncc...@googlegroups.com

@sudhi
So TxtWeb doesn't expose real phone numbers to the App developers but a unique ID. So even they will face similar issues.

Sudarshan Wadkar

Jan 20, 2012, 1:51:09 PM
to wncc...@googlegroups.com
Hmm, very interesting! Surprisingly, never came across this. Gotta dig
into the APIs sometime.

-Sudarshan Wadkar

Praveen Kumar Pendyala

Jan 20, 2012, 12:30:09 PM
to wncc...@googlegroups.com

Actually it does... We can get permissions from a user if LDAP supports OAuth and give a web interface where the user, who is using it for the 1st time, gets a key which would work only when it is associated with his mobile number. I mean he gets results only if he texts from that number with the associated key embedded... Guess this is a better protection rather than passing the user's password through servers. If there is no OAuth we may save his credentials in that web server as we don't have a choice.
--
-Sent from Samsung Galaxy S2

On Jan 20, 2012 10:53 PM, "Praveen Kumar Pendyala" <pravee...@praveenkumarpendyala.in> wrote:

OAuth doesn't solve the purpose of password secrecy.

--
-Sent from Samsung Galaxy S2

Praveen Kumar Pendyala

Jan 20, 2012, 12:39:39 PM
to wncc...@googlegroups.com

Identify the user by his mobile number and a key, different from his LDAP password, he sends via SMS. This way his password won't propagate through external servers in a less secure mode :-)

--
-Sent from Samsung Galaxy S2

Sudarshan Wadkar

Jan 20, 2012, 1:57:52 PM
to wncc...@googlegroups.com
On Fri, Jan 20, 2012 at 11:09 PM, Praveen Kumar Pendyala
<pravee...@praveenkumarpendyala.in> wrote:
> Identify the user by his mobile number and a key, different from his LDAP
> password, he sends via sMs. This way his password won't propagate through
> external servers in a less secure mode :-)

But you still need to store that password, somewhere, somehow.
Unwanted/extra burden on the dev/author of the app to ensure it's safe
and secure. I wonder what else can be done to authenticate LDAP if not
OAuth. A quick Google yields nothing for me. But it will be interesting
to look at the options.

-Sudarshan Wadkar

Saket Choudhary

Jan 20, 2012, 2:02:18 PM
to wncc...@googlegroups.com
This we had thought of when we started off initially.
Then we did a small survey amongst ourselves: "I won't want to take
the pain of going to a website, giving my mobile, LDAP_ID,
LDAP_Password and then send some random code to a number".

Anyway, even if we encrypt your password, we are finally storing your
password, and would need to decrypt it some time when you demand your
grades. This is kind of unavoidable.


Saket Choudhary

Jan 20, 2012, 2:03:42 PM
to wncc...@googlegroups.com
On 21 January 2012 00:27, Sudarshan Wadkar <wad...@gmail.com> wrote:
> On Fri, Jan 20, 2012 at 11:09 PM, Praveen Kumar Pendyala
> <pravee...@praveenkumarpendyala.in> wrote:
> > Identify the user by his mobile number and a key, different from his LDAP
> > password, he sends via SMS. This way his password won't propagate through
> > external servers in a less secure mode :-)
>
> But you still need to store that password, somewhere, somehow.
> Unwanted/extra burden on the dev/author of the app to ensure it's safe
> and secure. I wonder what else can be done to authenticate LDAP if not
> OAuth. A quick Google yields nothing for me. But it will be interesting
> to look at the options.

Exactly my point. OAuth would help, but requires a bit of digging here and there on the web!
Something worth working upon!

Sameep Bagadia

Jan 20, 2012, 2:46:40 PM
to wncc...@googlegroups.com
Can it be done that as soon as the grade is out for a course,
automatically an SMS of that grade will go to the mobile number given
as info in ASC?
This way the person doesn't have to log in and will receive his grade as an SMS.

Saket Choudhary

Jan 21, 2012, 2:59:20 AM
to wncc...@googlegroups.com
Yeah. Just that this requires a better configuration at the server, which we don't have currently. This is in the pipeline.

Saket Choudhary

Apr 23, 2012, 1:10:29 PM
to wncc...@googlegroups.com, prasha...@gmail.com, avnish...@gmail.com, pushkar....@gmail.com
Bot Version Now Live!

Add asc...@jabber.org to your Gtalk chat list.

Only Grading Statistics feature has been ported currently.

Send <gstats CS 101 2010> to get CS101 grades for year 2010. 


Saket

Saket Choudhary

Apr 23, 2012, 2:25:07 PM
to wncc...@googlegroups.com, prasha...@gmail.com, avnish...@gmail.com, pushkar....@gmail.com
There was an easter egg. 
Somebody just hit it :)

vihang gosavi

Apr 23, 2012, 2:06:11 PM
to wncc...@googlegroups.com
It's not working for even sems, I guess.

--
with regards from
Vihang Gosavi
Junior Undergraduate
Department of Computer Science & Engineering
IIT Bombay

Gaurav Bharti

Apr 23, 2012, 1:23:03 PM
to wncc...@googlegroups.com
Awesome effort...
Bot not live yet though....

Saket Choudhary

Apr 23, 2012, 3:05:07 PM
to wncc...@googlegroups.com
It works on a yearly basis.
Can you post here the example you tried out?

Bharat Singhvi

Apr 23, 2012, 3:07:07 PM
to wncc...@googlegroups.com
Nice work.
Bharat Singhvi
M.Tech II Year,
Dept. of Computer Science and Engineering,
IIT Bombay.