No, that analogy suggests that there was someone actively paying attention, who should have noticed something awry, but was instead granting permission without thinking. In this case, they just left an unsecured program running; it was a passive mistake. Just like leaving a door unlocked and someone comes in and goes through your papers. The door being unlocked does not mean that someone gave permission for you to go through it.
> In my opinion the crime isn't in requesting or obtaining that information, it's in the way that he handled that information afterwards.
I think that the fact that he requested a hundred thousand records probably didn't work in his favor. If he had requested just a dozen or so, to confirm that the problem existed, it would have been one thing; once he hit thousands, it makes you wonder if he had ulterior motives. Past the first dozen or so, there was nothing left to prove about the security flaw.
> Instead he sold/handed over that information to Gawker, which is where he went wrong in my opinion, because he took another organisation's information and decided to put that information on the market against their will or consent.
Yes, this was the biggest mistake. And I don't remember the source, but I recall that someone mentioned that he had considered selling the information as well, before deciding to just give it to Gawker.
Of course, in some ways I don't blame him for not going to AT&T first; there have been researchers who have discovered flaws, and disclosed them to the company, only to have the company accuse them of criminal acts for having even tested for the flaw in the first place. That kind of behavior creates a catch-22, and a very chilling effect on security research.