It is absolutely not the case that the author described something absolutely legal. I don't care if you think it's "victim blaming"; I am making a simple positive statement, not a normative one. People will get hurt buying into what you're saying. There's no "reasonable testing" exception to the CFAA. You're very unlikely to be prosecuted for doing this stuff, but it's not that unlikely that you will get wrecked with legal bills reaching that conclusion.
'tptacek is 100% correct here. Anyone reading this: please listen to these words of wisdom, because not doing so is how you get seriously hurt in the eyes of the law.
Hack, but hack carefully, at least until there are laws that protect you. Today, there aren't.
There is a huge gray area between "absolutely legal in all circumstances" and "absolutely not legal under any circumstances". The fact that somebody has not (so far) been found guilty in court doesn't mean their conduct was definitely legal.
If you're trying to discuss whether something is legal in general, looking at a broad spectrum of case law is generally more instructive than focusing on the outcome of one particular case.
Because the behavior described in the blog post is open-and-shut CFAA-and-equivalents, regardless of weaseling over words like “authorized” and “access” and “computer”. The author’s own words complete a CFAA case. Not argue for. Complete. The narrative as described is prosecutable.
You could have done everything the author claims to have done in order to stop a Martian invasion or the extinction of every living thing or in the genuine spirit of trying to help and it’s still several prima facie violations of CFAA. It just is. I’m sorry. The why doesn’t matter, barring the contractual scenario tptacek points out (and which STILL requires diligence by both parties to avoid prosecution).
To be clear I think it sucks what happened to the author, but if weev goes down for enumerating primary IDs via a Web browser (and to be fair, also trying to sell the data like a complete tool), setting up an entire technical infrastructure to compromise this app in this way is trivially demonstrable intent. You and I both know what Charles does. Now wait until a prosecutor spins the whole setup as a giant technical hack that shows this person intended to compromise a competitor. I’m not even finished with law school and I’m certain I could prosecute this person successfully, but note that doesn’t mean I’m saying they should be.
Given what you said here and to your point, I’m going to preempt your likely retort and point out that I’ve described the behavior as afoul of CFAA and not the person. You’re right that they are entitled to due process. The blog post is literally evidence is all. I’d bet my Rams tickets next year there’s a subpoena on its way to this post. If not in a theoretical criminal case, then definitely in the civil litigation already underway (again, taking the author at face value).
tptacek is right, and I mean this with respect: you really need to be careful with your opinions on CFAA, particularly when potentially suggesting violation thereof. Your pronouncement that the person didn’t do anything illegal is actionable in a very distant, fucked up world with a bunch of prerequisites, but still a very very possible world. (IANAL/YL, comment is general opinion and not advice, etc.)
> You're very unlikely to be prosecuted for doing this stuff, but it's not that unlikely that you will get wrecked with legal bills reaching that conclusion.
What he's saying seems to be exactly in line with what's happening. Even if the author doesn't end up being found guilty by any court, he'll still be wasting a bunch of money on lawyers.