Ryan Pickren was only playing a prank, or so he thought until he was arrested and found himself in jail on Christmas Eve 2014, facing charges of “computer trespassing.”
Now, a little more than a year later, charges against Pickren have been dropped, his arrest and record have been expunged, and Pickren is set to graduate in May 2017.
How did Pickren’s fortunes turn around so completely, so quickly?
As we reported last January after his arrest, Pickren, a computer engineering student at Georgia Tech, went looking for bugs in the website of the University of Georgia, the arch-rival to his own school, when he stumbled across a bug he could exploit for his prank.
Pickren published his version of the story this week in a Facebook post.
According to Pickren’s description of events, he was home with his family celebrating Thanksgiving, anticipating the following week’s football game between his school and its nemesis, when he decided to join in the 100-year tradition of pranks against the rival team (theoretically harmless hijinks, but often illegal in reality, such as stealing the opposing school’s mascot).
Pickren discovered that he could tamper with the master calendar of the University of Georgia’s website with a simple HTTP POST request.
HTTP form submissions sometimes simply encode the user-supplied data into the URL itself, typically following a question mark (“?”). In an HTTP POST, however, the user-supplied data is placed into the body of the request, rather than the URL itself. POSTs avoid any browser-imposed limits on the lengths of URLs.
As Pickren tells it, he then made “the biggest mistake” of his young life:
While sitting in my room waiting for Thanksgiving dinner, I decided that I was going to play a prank of my own. I pulled up the University of Georgia’s homepage and started poking around. A few minutes later I stumbled upon their master calendar for campus events. I will spare you the technical details, but I had a hunch that I could circumvent their approval process by carefully forming an HTTP POST request. At that moment, I made the biggest mistake of my life. I posted “Get Ass Kicked By GT” on UGA’s master calendar for the time of the annual football game.
His prank was noticed by a reporter for the sports network ESPN, who tweeted about it, and other media picked up on the story.
A few weeks later, Pickren got a phone call from university police, who were investigating the incident.
In Pickren’s words:
I was in shock. I didn’t even know this could be considered illegal. I didn’t steal anyone’s password, install malware, or take any personal data. I just found a bug in their site that allowed my seemingly harmless prank.
Unfortunately for Pickren, the claim that “I didn’t think I was doing anything wrong” was already unacceptable to US courts as an excuse for computer misuse as long ago as the 1980s.
So, on Christmas Eve, Pickren was informed there was a warrant for his arrest and he was to turn himself in to face computer trespassing charges, which in Georgia carries a maximum penalty of 15 years in prison and a $50,000 fine.
Fortunately for Pickren, the judge and district attorney were not interested in prosecuting him to the full extent of the law, and he was let off easy – he would write an apology letter and perform some community service, and after 12 months of being a good citizen, his debt to society would be paid.
As Pickren explained:
I completed my community service for TechBridge, an Atlanta based non-profit organization that provides technical support to other non-profits. While volunteering, I developed security tools to help them protect their clients from hackers. Yes, there was some irony in the service, but it was indeed the best way for me to use my skills to give back to the community.
Pickren says he hopes his story serves as a lesson to others, showing other young cyber-punks “the possible repercussions of cyber pranks.”
Pickren’s story has a happy ending – he’s even had job offers as a result of his new-found fame.
Other hackers haven’t been so fortunate.
A hacker in Turkey was recently sentenced to 334 years in prison for setting up phishing websites to steal bank customer details.
That’s a much more serious crime than what Pickren did – sort of like the difference between robbing hundreds of people and spray-painting graffiti on one person’s house.
These are two opposite extremes, but was justice served in Pickren’s case?
Did the punishment fit the crime?
Let us know your thoughts in the comments below.
Image of chalkboard drawing of hacked computer courtesy of Shutterstock.com.
15 comments on “Student who hacked college website escapes jail time, gets job offers”
Great story. The lesson and the close call should be widely circulated. The most remarkable thing about the story is a “computer engineering student’s” ignorance of the most basic legal elements of computing. It’s a great example of how siloed most education is, and how willing most students are to stay in that silo.
Kids and students are trying things, that’s part of growing up. This guy didn’t steal anything. If the school had secured their website, it even wouldn’t happen. IMHO a good warning for him and no doubts for his future. Good decesion of this judge.
This is actually a good story, and good to hear someone made a mistake, and before going too far down the rabbit hole, learned their lesson and can start being on the good side. 🙂
Seems to me like the law is missing the point here.
If you leave the house for a week and before you leave you unlock all your doors and windows and open them as wide as they go. Then you come back and your stuff is gone. Whose fault is it?
That’s what happened here, by not putting the proper security in place they essentially left their doors wide open. ESPECIALLY in this case when something as simple as properly formed POST request with NO authentication can make changes on a live network…
Essentially, to use a real world example, There was a digital white board in the middle of a mall with no guards and the special pen that writes on it was left there in the open. Ryan walked up to the board and wrote a message…
I totally agree it’s a hippocritical double standard. When you build a house there are safety inspections and codes to follow, then as with all structures there needs to be follow up to determine structural integrity et al. Same applies to when you code or develop a website. It it passes initial muster, then it’s set to go live. But you need to follow up and apply security updates and patches. In many cases this is the backbone of IT work.
It reflects poorly on the site admins at the college, because they should have had this stuff secured. But many times Admins cop out and say this was beyond the purview of my resposibilitites. We if that’s the case, going back to the building analogy, if an electrician finds sees something lacking in say the plumbing, but fails to identify the site foreman, water damage ensues, and during the inquiry it’s determined that the electrician was at fault for not alerting those responsible, then his rep’s on the line. Unfortunately not all IT personnel hold themselves or are held up to the same exacting standards as in other industries. And too many times get away with “well I didn’t know…”.
Naked Security says it every month, patch and patch often. I work for a manager who refuses to update until two or three months after the patch has been released. It’s not hard to spin up a VM, delpoy the patches test, see what. if anything, breaks then deploy them to production units. Thinking you’re safe because the law says it’s illegal, (thinking of automotive industry), is just pure stupidity.
The the law should look to the college IT department and see where they point. And those who impelmented policies to prevent accountable IT personnel from doing their job, they should get the jail time.
If somebody steals an unsecured garden ornament and sells it on ebay then that is still theft. But this is more like somebody turning a garden gnome around and wedging a fake cigarette into its hand, which the sentence reflected.
There’s a discrete difference between “I did something dumb” and “that was my fault.” The words “blame” and “fault” imply intent, while many of us have lacked good judgment–even at critical moments–with no malice at heart.
If you leave the keys in your car while buying a doughnut, you’re being dumb–exceedingly dumb where I live–but *blame* lies with me when I take it upon myself to take your car; I’M acting wrongly…you made a mistake.
Leaving my front door unlocked does not change the B&E laws, and losing my wallet in the park doesn’t herald National Free Money Day. These are dumb acts on my part, but I don’t *deserve* to lose my car–even if I’m asking for it.
Our society has learned it’s increasingly foolish to leave the front door unlocked, but we’ve used that paradigm shift to expand the definition of “fault” in the process.
That said, “get ass kicked by GT” was a (relatively) harmless event, easily reverted–I’ve no doubt more egregious and lasting harm has resulted from school rivalry pranks. He learned a lesson and benefitted the community as he learned it. While the red tape likely cost more than it should’ve, this is the legal system doing well.
So glad they did not prosecute for this small sports related prank. Do people really get arrested for Mascot stealing? I think it was clever and harmless.
I believe I can appreciate this type prank much more than the traditional college pranks that are usually involved with college rivalries (i.e. stealing mascots, etc., etc.) It’s up there with Cal Tech students hacking into the 1984 Rose Bowl scoreboard and making it read “Cal Tech 38, MIT 9.” Good for him for finding lessons learned and opportunities in the end!
So a snot-nosed little brat that knows very little about hacking other than how to use someone else’s software to hijack a site, is then hirded by some dummkoph company that knows nothing about security and doesn’t want to know anything about security. Ha ha! They are only going to get what they deserve, which mean they won’t be actually be improving the security of their business anytime soon, although I wish the kiddie-scripter would get what he deserves too.
Kudos to the Judge who applied a little common sense.
A college student that knows enough about computing should also know about the laws surrounding computer use & have enough of an ethical standard to turn it into a white hat. He could have informed the other university’s web team & did shown them the proof of concept by executing the same code with the “cost” for his help would be the message stay in the calendar with thanks to him, which would have given them enough info to close the hole & everyone (except insulted UoG students) would be happier and the court system could deal with real crimes & not waste time litigating appropriate punishment for what amount to a silly (but stupidly ignorant) prank.
So what was the score of the game?
One wonders what sort of company would extend a job offer to someone who’s hacking skills amount to submitting POST requests. I’m no lawyer, but I have questions whether sending POST requests amounts to computer trespass. If someone breaches a password protected area, that would seem more like trespass. I fundamental rule of server-side Web programming is to filter form inputs, If the university bought a Website that allowed unfiltered form inputs to change the content of a page, it would seem to be more like negligence on their part. The analogy that comes to mind is an open field with no signs posted to prohibit trespass, but I guess some states, like Oklahoma, have laws about recreational trespass that might not require private areas to be posted with no trespassing signs – if those laws are constitutional
Would this be considered a serious crime?
I recently signed into my college wi-fi using my own credentials and redirecting internet traffic through my laptop by fooling both the AP and the clients connected to it. this allowed me to view student as well as professor passwords and usernames.
I am a computer science student and had no intentions of using them for anything. My lowest grade is a B+ and a 3.6 GPA. permanent resident of NJ.
3 days after, I was questioned by the school and arrested and currently awaiting trial for unauthorized access to computer and obtained passwords.
Does this qualify for cybercrime and am I going to jail? Jeopardize my immigration status? Expelled from school?