Do shellshock scans violate CFAA? - tshtf
http://blog.erratasec.com/2014/09/do-shellshock-scans-violate-cfaa.html

======
jessaustin
_This test is bonkers for computers, because a "reasonable person" means an
"ignorant person". Reasonable people who know how the web works, who have read
RFC 2616, believe Weev's actions are clearly authorized. Other reasonable
people who know nothing except how to access Facebook with an iPad often
believe otherwise -- and it's the iPad users the court relies upon for
"reasonable person"._

"Reasonable" people regularly sit in judgment of other specialists' actions.
Therefore I think this eventually devolves to a battle of expert witnesses.
Which means security researchers should get something analogous to malpractice
insurance, because the best witnesses are the most expensive. In the medical
malpractice suit for which I was a juror, the difference between expert
witnesses was comical.

------
jessaustin
A thoughtful reasonable important piece like TFA drops with nary a ripple,
while his follow-up crackpot "criticism" of the _style_ of decades-old C code
causes a 68-comment furor. No wonder the author keeps writing that kind of
crap: it's nice to be noticed, even if only on HN...

------
fabulist
I propose we create a new convention, "humans.txt", which states in a plain,
simple manner what parts of a system one can access and how. This is placed in
the web root alongside robots.txt.

This would be a closed-by-default system; it says you can use the shopping
cart functionality for yourself. Thus, if you use CSRF to use the shopping
cart functionality "for" someone else, you are breaking the law unambiguously.
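To make the "closed by default" idea in the comment above concrete, here is an added example (not part of the thread, and not an existing standard) of what a minimal humans.txt parser and authorization check might look like. The file format is an assumption: it borrows the line-oriented "Field: value" shape of robots.txt and adds Allow/Deny path prefixes and a Contact field, with anything not explicitly allowed treated as off-limits. The sample file and the helper names are constructed for illustration.

```python
"""Toy parser for a hypothetical "humans.txt" access-policy file.

Assumed format (not a standard, chosen for this illustration):
    Contact: <address>        # whom to ask when unsure
    Allow: <path-prefix>      # visitors may use this on their own behalf
    Deny: <path-prefix>       # never permitted, even under a broader Allow
Unknown fields and '#' comments are ignored, as robots.txt parsers do.
Semantics are closed by default: unlisted paths are not authorized.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class HumansPolicy:
    allow: List[str] = field(default_factory=list)
    deny: List[str] = field(default_factory=list)
    contact: Optional[str] = None


def parse_humans_txt(text: str) -> HumansPolicy:
    """Parse the assumed humans.txt format into a HumansPolicy."""
    policy = HumansPolicy()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed humans.txt line: {raw!r}")
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "allow":
            policy.allow.append(value)
        elif key == "deny":
            policy.deny.append(value)
        elif key == "contact":
            policy.contact = value
        # Any other field is ignored so the format can grow without breaking parsers.
    return policy


def _prefix_matches(prefix: str, path: str) -> bool:
    """Segment-aware prefix match: '/cart' covers '/cart' and '/cart/x',
    but not '/cartography'. A bare '/' covers everything."""
    p = prefix.rstrip("/") or "/"
    if p == "/":
        return True
    return path == p or path.startswith(p + "/")


def is_authorized(policy: HumansPolicy, path: str) -> bool:
    """Closed by default: allowed only if some Allow covers the path and no Deny does."""
    if any(_prefix_matches(d, path) for d in policy.deny):
        return False
    return any(_prefix_matches(a, path) for a in policy.allow)


# Constructed sample file; the host and address are placeholders.
SAMPLE_HUMANS_TXT = """\
# humans.txt for shop.example.invalid (constructed sample)
Contact: security@example.invalid
Allow: /products
Allow: /cart
Deny: /cart/export
Deny: /admin
"""

SAMPLE_POLICY = parse_humans_txt(SAMPLE_HUMANS_TXT)


def classify(paths: List[str]) -> dict:
    """Map each path to whether the sample policy authorizes a visitor to use it."""
    return {p: is_authorized(SAMPLE_POLICY, p) for p in paths}


if __name__ == "__main__":
    for path, ok in classify(["/products/42", "/cart", "/cart/export",
                              "/cartography", "/admin", "/cgi-bin/status"]).items():
        print(f"{path:<18} {'allowed' if ok else 'not authorized'}")
```

The file can only state what the operator considers authorized; it cannot tell whether a request is being made "for yourself" or was forged on someone else's behalf, which is the CSRF case the comment raises. That distinction lives in request context (session, origin, anti-CSRF token), so a policy file like this complements, rather than replaces, those server-side checks.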