I skimmed the guide and I know the distinction is covered in multiple points throughout, but it would be helpful in future versions of this document to find a way to center it. There are a lot of people who believe that finding browser vulnerabilities is legally risky, and a lot of people who believe there are good-faith security exemptions to testing for XSS vulnerabilities in web sites.
The broadcast industry is awful. If you use Censys to search for
You will find hundreds of video servers, from Saudi Arabia to Poland, from Brazil to India, open to the world on the internet.
Half of these have the default password which is available fairly easily online, and hasn't changed for years (I won't write it down here, but it's insanely easy to crack. Try it once per minute on those servers and you'll get it in a month. Nobody monitors the logs.)
The company that makes these devices (Mobile Viewpoint) doesn't care - they don't make you change the password on first use, they tell you to open port 80 and 443 up to the world (or port 7071 and 7072 - because their application doesn't work if you do block port 80 and 443, so they run the same server on those higher ports too).
If you know what you're doing you can pull the RTMP preview stream and see what's going on; once you log in, you can shut down these servers. If you really know what you're doing it wouldn't surprise me if you could replace the video with your own stream, as the OS they run is years out of date.
It's not just Mobile Viewpoint servers though, I've just logged into an NTT encoder in Japan with a username of "admin" and the default blank password. Again, the manufacturer could have insisted on setting a password on first login (which you need to do to configure it), but they don't. No idea what it's streaming, other than it's going into a decoder elsewhere in Japan (which is also admin/blank). While a WMT is easy to DoS and theoretically possible to replace the stream, these are trivial to replace the stream on.
Can't really do much about it, including writing an article lamenting the state of the industry for various industry locations, because it's illegal in the UK to even try to log in to these machines with the default credentials.
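The comment above notes that a one-attempt-per-minute guess stays below any per-attempt lockout and that nobody reads the logs. The detection that catches that pattern is not a rate limit but a count of failures per source over a long sliding window. The following is an added example, not code from the thread, from Mobile Viewpoint or from NTT; the log line format (`<timestamp> auth failed user=<u> src=<ip>`) and the sample lines are constructed for illustration, and the window and threshold are assumptions a practitioner would tune to the device.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical format; not from any real device.
# One source fails roughly once an hour, far slower than any lockout would catch.
SAMPLE_LOG = """\
2024-03-01T10:00:03Z auth failed user=admin src=203.0.113.7
2024-03-01T10:01:05Z auth failed user=admin src=203.0.113.7
2024-03-01T10:02:01Z auth ok user=operator src=198.51.100.2
2024-03-01T11:00:09Z auth failed user=admin src=203.0.113.7
2024-03-01T12:30:00Z auth failed user=admin src=203.0.113.7
2024-03-01T13:00:00Z auth failed user=admin src=203.0.113.7
2024-03-02T09:00:00Z auth failed user=admin src=203.0.113.7
2024-03-02T09:00:30Z auth failed user=root src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|failed) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Yield (timestamp, result, user, src) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group("result"), m.group("user"), m.group("src")


def slow_bruteforce_sources(log_text, window=timedelta(days=1), threshold=5):
    """Return {src: max_failures_in_window} for every source whose failed logins
    reach `threshold` inside any sliding window of length `window`.

    The interval between attempts is irrelevant: a guess every minute (or every
    hour) accumulates the same way as a burst, which is exactly what a
    per-attempt lockout misses.
    """
    failures = defaultdict(list)
    for ts, result, _user, src in parse(log_text):
        if result == "failed":
            failures[src].append(ts)

    flagged = {}
    for src, times in failures.items():
        times.sort()
        lo = 0  # left edge of the sliding window over sorted timestamps
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            count = hi - lo + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


if __name__ == "__main__":
    for src, n in slow_bruteforce_sources(SAMPLE_LOG).items():
        print(f"{src}: {n} failed logins within one day")
```

With the constructed sample, 203.0.113.7 is flagged with six failures in a day even though no two of its attempts are closer than a minute apart, while the single failure from 192.0.2.9 is ignored. On a real device you would feed it the actual auth log and pair the alert with a block at the network edge, since the comment's point is that the appliances themselves offer no lockout.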
It's illegal in the US as well, just because you know a credential doesn't mean it's legal for you to use it.
EDIT: This is mildly noteworthy because the authors are at Harvard Law, and lawyers and law students typically use Word, not LaTeX. The senior author, Harvard Law student Sunoo Park, is also an MIT computer science Ph.D and computer security researcher.
GGP here: I said it was trivia; please see the edit above.
I'm curious which state's laws apply? That is, how is jurisdiction determined for a computer network event that might start from a laptop in one state, be routed via the Internet through another state—possibly even out of country—and hit an organization's server in a third state?