Stupid hacker tricks: The folly of youth
- — 06 May, 2008 18:28
Lessons learned: Russia's a terrible place to base your operations for a criminal enterprise, unless you like taking long vacations in Siberia. Kazakhstan and Latvia seem to be much more agreeable. Also, if someone sends you 40 large, don't wait: Turn off the damn DDoS before MI-5 gets involved.
Punked over a prank
Perp: Shawn Nematbakhsh
Status: Currently employed as a software engineer with a medical data company.
Dossier: One of the hottest technology topics of 2003 was how election systems were vulnerable. With the first presidential election since the Bush v. Gore fiasco coming up the following year, technologists were up in arms about the unreliability and untrustworthiness of electronic balloting systems, and were eager to prove their point.
Enter Shawn Nematbakhsh, computer science undergraduate at the University of California. Was he eager -- perhaps a bit too eager -- to make a point about the electronic balloting system that the university employed to hold student council elections, when he cast 800 votes for a fictitious candidate named American Ninja? Sadly, no.
"I really wasn't making any point at all," Nematbakhsh admits, debunking news reports to the contrary. "It was a senior prank, a silly thing."
The student council elections were held over the Web. Students could log in to a special page and cast their ballots for student council members and student body president. Unfortunately, the election system suffered from a serious internal weakness: "There was some input that was not bounds-checked, so using certain input you could vote as anyone," Nematbakhsh explains. "I wrote a script that would log in, cast a vote, log out, then log in again, cast another vote, and so on."
But seriously, American Ninja? "That year I remember watching that really stupid movie and talking about it with my friends, and it was the first thing that came [to mind]," he said.
Nematbakhsh says the jig was up when campus police called him in to discuss the incident. He'd told some friends about the vulnerability he had discovered in the voting system, and his name had eventually surfaced in the investigation. When asked, Nematbakhsh immediately admitted his involvement in the prank.
"I confessed to doing it, thinking it wasn't such a big deal. I thought they might fine me, or suspend me for a quarter or something," he says. That did happen, but a month later, he also faced criminal charges that could have landed him prison time.
In the end, he arranged a deal to accept a misdemeanor charge. His sentence: "I had to pick up trash on the weekends for three or four months, and pay back the cost of the election -- a couple thousand dollars."
Lessons learned: "Getting caught was kind of a wake-up call, that the Internet was not some kind of playground and I couldn't do what I wanted to all the time. I had to obey the law. The prank was not well received by a lot of people at the school."
Nematbakhsh's advice to potential election pranksters: "Things like that seem funny when you're doing them, but when you get caught, it's not much fun. I'd caution against silly pranks like the one I did."