By Ryan Pickren
Today, all of the charges regarding my incident with the University of Georgia have officially been dismissed. I would like to take a moment to tell my story about how I ended up in a jail cell Christmas 2014.
While studying Computer Engineering at Georgia Tech, I discovered my passion for cybersecurity. I sought out special topics classes and did undergraduate research to learn everything I could about the industry. Living in the age of “bug bounties” and “ethical hacking,” I became desensitized to the impact that a computer breach could have on organizations. But I was about to learn the hard way that not all “research” ends with cash rewards and free merchandise.
A month before my arrest, I was at home spending Thanksgiving with my family in Tampa, Florida. The week preceding Thanksgiving is a particularly exciting time at Georgia Tech. It is the University of Georgia vs. Georgia Tech Hate Week, a 100-year-old tradition that every Tech student looks forward to. Growing up with a Georgia Tech alum for a grandfather, I heard all sorts of rivalry pranks. Stunts that ranged from stealing the other team’s mascot to spray painting the UGA arch gold—clean, old-fashioned Hate.
My grandfather said it was the best prank in Georgia Tech’s history!
While sitting in my room waiting for Thanksgiving dinner, I decided that I was going to play a prank of my own. I pulled up the University of Georgia’s homepage and started poking around. A few minutes later I stumbled upon their master calendar for campus events. I will spare you the technical details, but I had a hunch that I could circumvent their approval process by carefully forming an HTTP POST request. At that moment, I made the biggest mistake of my life. I posted “Get Ass Kicked By GT” on UGA’s master calendar for the time of our annual football game.
In shock that it actually worked, I ran downstairs to show my parents what I had done. I informed them that IT departments these days would find it funny and that the university expects pranks this time of year. My family laughed and gave me high fives. Later that night, I pulled up my computer to find that a reporter for ESPN discovered the hack and tweeted about it. It even ended up in a small article on Yahoo Sports and was mentioned on a fan blog. The next morning it was in my local newspaper in Tampa. Apparently it was a bigger deal than I thought. My grandfather said it was the best prank in Georgia Tech’s history!
Little did I realize the firestorm that I had started. The University of Georgia launched a full investigation to find the culprit. A few weeks later, I was contacted by a detective from the UGA police department asking to meet with him over coffee. I was in shock. I didn’t even know this could be considered illegal.
I didn’t steal anyone’s password, install malware, or take any personal data. I just found a bug in their site that allowed my seemingly harmless prank. A few more nervous weeks went by, then I received another phone call. This time it was informing me that there was a warrant out for my arrest. Computer Trespass is a felony in the state of Georgia that carries a maximum sentence of 15 years in prison. At that moment, everything became very real. My family stopped our holiday celebrations, and my dad drove me to Athens so I could turn myself in. On Christmas Eve, I sat in a jail cell trying to figure out what happened. A few hours later I was out on bail, but still in shock.
Apparently an engineering student facing time in prison for computer hacking makes a good headline, because my story went viral. I went from being a normal college student to being compared to North Korean hackers in the New York Times. My mug shot was everywhere and people recognized my face on campus. When I entered a classroom, heads turned, people whispered, and professors took notice. My LinkedIn page activity skyrocketed, and oddly enough, job offers started flowing in.
I didn’t steal anyone’s password, install malware, or take any personal data.
After reading numerous articles about the incident, I realized that I put the University of Georgia in a terrible position. Fortunately, the judge, the Athens Courthouse, and the employees at the county jail were professional and treated me fairly throughout the entire legal ordeal. The District Attorney graciously offered me entrance to a Pre-Trial Diversion program without requiring me to plead guilty or no contest. This program had me write an apology letter to UGA, do community service, and stay out of trouble for 12 months in return for the charges against me being dropped.
I completed my community service for TechBridge, an Atlanta based non-profit organization that provides technical support to other nonprofits. While volunteering, I developed security tools to help them protect their clients from hackers. Yes, there was some irony in the service, but it was indeed the best way for me to use my skills to give back to the community.
So here I am, 12 months later. All of the charges brought against me have been dropped, my arrest and indictment have been expunged, and the record has been sealed. I am still loving my curriculum at Georgia Tech and plan on pursuing a career in the tech industry after I graduate in May 2017. I want to thank everyone who supported me throughout this entire process. I really appreciate those who contributed to the GoFundMe page started by my sister that helped pay for my legal fees. This has been a huge learning experience for me, and I hope this incident spreads awareness about the possible repercussions of cyber pranks.
A version of this story original appeared on Ryan Pickrin’s Facebook page and has been reprinted with permission.
Illustration by Jason Reed