Some stories are just so satisfying that they deserve to be shared. Here is one.
In early May, Ohio Republican Governor Mike DeWine began reopening the state economy. And to support business and slash state expenses, both at worker expense, he had a “COVID-19 Fraud” form put up on the Ohio Department of Job and Family Services website where employers could confidentially report employees “who quit or refuse work when it is available due to COVID-19.” Inspectors would then investigate whether the reported workers should lose their unemployment benefits and possibly be charged with unemployment fraud.
Significantly, as Sarah Ingles, the board president of the Central Ohio Worker Center, noted in a statement quoted by the Intercept, the form “does not define what constitutes a ‘good cause’ exemption, and by doing so, may exclude many Ohio workers who have justifiable reasons for not returning to work and for receiving unemployment insurance benefits.” In other words, “while the state did not take the time to define what a ‘good cause’ exemption includes or does not include, it did have time to develop an online form where employers could report employees.”
However, thanks to the work of an anonymous hacker, the site has now been taken down. In officialese, “The previous form is under revision pending policy references.” Most importantly, as Janus Rose, writing for Motherboard, reports:
“No benefits are being denied right now as a result of a person’s decision not to return to work while we continue to evaluate the policy,” ODJFS Director Kimberly Hall told Cleveland.com.
According to Rose, the hacker developed a script that overwhelmed the system:
The script works by automatically generating fake information and entering it into the form. For example, the companies are taken from a list of the top 100 employers in the state of Ohio—including Wendy’s, Macy’s, and Kroger—and names and addresses are randomly created using freely-available generators found online. Once all the data is entered, the script has to defeat a CAPTCHA-like anti-spam measure at the end of the form. Unlike regular CAPTCHAs, which display a grid of pictures and words that the user must identify, the security tool used by the form is merely a question-and-answer field. By storing a list of common questions and their respective answers, the script can easily defeat the security measure by simply hitting the “switch questions” button until it finds a question it can answer.
To make the code more accessible, software engineer David Ankin repackaged the script into a simple command line tool which allows users to run the script in the background of their computer, continuously submitting fake data to the Ohio website.
“If you get several hundred people to do this, it’s pretty hard to keep your data clean unless you have data scientists on staff,” Ankin told Motherboard.
The hacker told Motherboard they viewed their effort as a form of direct action against the exploitation of working people during the COVID-19 crisis. Score one for working people.