13 January 2016

How Pranking An Online Calendar Almost Sent This Student To Prison

Article reposted from http://www.popsci.com/find-website-flaw-face-15-years-in-georgia-prison

Cyberspace

Torley, via Flickr CC BY-SA 2.0

It began, as these stories tend to, with an enthusiastic prankster and a little knowledge of the internet. It ended, fortunately, with a modest legal battle and a lenient judge. In the middle, it put a kid in jail on Christmas Eve, 2014. Ryan Pickren, the Georgia Tech student at the heart of this saga, shared his story today on Facebook, and it’s as much a cautionary tale about overzealous reactions to online attacks as it is about the danger of pranks.

The setting is a friendly rivalry between the University of Georgia and the Georgia Institute of Technology. The rivalry even has a name: “Clean, Old-Fashioned Hate”, and a weirdly extensive entry on Wikipedia. Pickren, a Georgia Tech student whose grandfather also attended the school, was poking around the University of Georgia website the week before Thanksgiving when he made a striking discovery.

The UGA master calendar was unsecured, and with a simple POST command, he was able to add an event that read “Get Ass Kicked By GT” at the time of the rivalry football game. A couple weeks passed, seemingly without incident.

Here’s what happened next, in Pickren’s words:

Little did I realize the firestorm that I had started. The University of Georgia launched a full investigation to find the culprit. A few weeks later, I was contacted by a detective from the UGA police department asking to meet with him over coffee. I was in shock. I didn’t even know this could be considered illegal. I didn’t steal anyone’s password, install malware, or take any personal data. I just found a bug in their site that allowed my seemingly harmless prank. A few more nervous weeks went by, then I received another phone call. This time it was informing me that there was a warrant out for my arrest. Computer Trespass is a felony in the state of Georgia that carries a maximum sentence of 15 years in prison. At that moment everything became very real. My family stopped our holiday celebrations, and my dad drove me to Athens so I could turn myself in. On Christmas Eve, I sat in a jail cell trying to figure out what happened. A few hours later I was out on bail, still in shock.

With apologies to Arthur C. Clarke, to anyone sufficiently ignorant of technology, all actions on computers are indistinguishable from hacking.

The arrest made local news, and Pickren’s sister set up a page to collect funds for legal fees. Pickren was fortunate, and was sent into a “pretrial diversion program,” where he did a year of community service helping a non-profit with cybersecurity. Good, clean, cybersecurity.

The entire tale, which shifts tragically from lighthearted to legal disaster, is available in a public post on Pickren’s Facebook page. Read it in full. It fortunately has a happy ending for Pickren, but if the consequences are so high and the ease of triggering them is so low, perhaps Georgia and other jurisdictions could reconsider computer laws and penalties as currently written.


