Ryan Pickren was only playing a prank, or so he thought until he was arrested and found himself in jail on Christmas Eve 2014, facing charges of “computer trespassing.”
Now, a little more than a year later, charges against Pickren have been dropped, his arrest and record have been expunged, and Pickren is set to graduate in May 2017.
How did Pickren’s fortunes turn around so completely, so quickly?
As we reported last January after his arrest, Pickren, a computer engineering student at Georgia Tech, went looking for bugs in the website of the University of Georgia, the arch-rival to his own school, when he stumbled across a bug he could exploit for his prank.
Pickren published his version of the story this week in a Facebook post.
According to Pickren’s description of events, he was home with his family celebrating Thanksgiving, anticipating the following week’s football game between his school and its nemesis, when he decided to join in the 100-year tradition of pranks against the rival team (theoretically harmless hijinks, but often illegal in reality, such as stealing the opposing school’s mascot).
Pickren discovered that he could tamper with the master calendar of the University of Georgia’s website with a simple HTTP POST request.
HTTP form submissions sometimes simply encode the user-supplied data into the URL itself, typically following a question mark (“?”). In an HTTP POST, however, the user-supplied data is placed into the body of the request, rather than the URL itself. POSTs avoid any browser-imposed limits on the lengths of URLs.
As Pickren tells it, he then made “the biggest mistake” of his young life:
While sitting in my room waiting for Thanksgiving dinner, I decided that I was going to play a prank of my own. I pulled up the University of Georgia’s homepage and started poking around. A few minutes later I stumbled upon their master calendar for campus events. I will spare you the technical details, but I had a hunch that I could circumvent their approval process by carefully forming an HTTP POST request. At that moment, I made the biggest mistake of my life. I posted “Get Ass Kicked By GT” on UGA’s master calendar for the time of the annual football game.
His prank was noticed by a reporter for the sports network ESPN, who tweeted about it, and other media picked up on the story.
A few weeks later, Pickren got a phone call from university police, who were investigating the incident.
In Pickren’s words:
I was in shock. I didn’t even know this could be considered illegal. I didn’t steal anyone’s password, install malware, or take any personal data. I just found a bug in their site that allowed my seemingly harmless prank.
Unfortunately for Pickren, the claim that “I didn’t think I was doing anything wrong” was already unacceptable to US courts as an excuse for computer misuse as long ago as the 1980s.
So, on Christmas Eve, Pickren was informed there was a warrant for his arrest and he was to turn himself in to face computer trespassing charges, which in Georgia carries a maximum penalty of 15 years in prison and a $50,000 fine.
Fortunately for Pickren, the judge and district attorney were not interested in prosecuting him to the full extent of the law, and he was let off easy – he would write an apology letter and perform some community service, and after 12 months of being a good citizen, his debt to society would be paid.
As Pickren explained:
I completed my community service for TechBridge, an Atlanta based non-profit organization that provides technical support to other non-profits. While volunteering, I developed security tools to help them protect their clients from hackers. Yes, there was some irony in the service, but it was indeed the best way for me to use my skills to give back to the community.
Pickren says he hopes his story serves as a lesson to others, showing other young cyber-punks “the possible repercussions of cyber pranks.”
Pickren’s story has a happy ending – he’s even had job offers as a result of his new-found fame.
Other hackers haven’t been so fortunate.
A hacker in Turkey was recently sentenced to 334 years in prison for setting up phishing websites to steal bank customer details.
That’s a much more serious crime than what Pickren did – sort of like the difference between robbing hundreds of people and spray-painting graffiti on one person’s house.
These are two opposite extremes, but was justice served in Pickren’s case?
Did the punishment fit the crime?
Let us know your thoughts in the comments below.