by tptacek 3725 days ago
Very little of this is responsive to what I wrote earlier. I think the problem here is that you're unconsciously building a whole lot of hindsight into your analysis. You know now that very little damage was done to Trib Corp (or whoever). But at the time, that was not known. It took a very expensive investigation to resolve those questions. The cost of that investigation should be borne by the people whose actions necessitated it.

I suppose there's a completely coherent argument to be made that anything you do with a computer to someone else's computer that doesn't cause physical, kinetic damage shouldn't be a crime. I'm unlikely to agree with that argument, though, so while it's good to know that that's what you think, we're probably at diminishing returns on this thread.

1 comments

Responsive? I thought we were talking about the law. You asked, incredulously, if I thought a certain set of actions should be legal. I told you why I think they should. In short, the harms of inconsistently-enforced inherently-arbitrary only-for-bigcos laws such as these exceed those of not having such laws.

I stipulated at the very top of the thread that the investigation was surely very expensive. Most citizens wish these giant conglomerates, whether in media or banking or whatever, were smaller. We're not mollified when the costs of their giant size are passed along to the taxpayer and average citizen.

Actual crimes with actual harms to actual victims should still be crimes, whether they involve computers or not.

No, investigations for very small tech companies also cost far more than $20,000. Source: I've been a party to those, too.

Even if you adopt the position that we should have laws that treat victims differently depending on how big their companies are, that wouldn't have much bearing on this case.

I'll further stipulate that the costs of investigating vulnerabilities at tiny two-engineer firms far exceed the costs of investigating vulnerabilities at giant conglomerates like Tribune Media. When those vulnerabilities amount to "don't turn off credentials for fired employees", I still say they should pay for their own damn security work, and no criminal statute should say otherwise.

That's not what they're paying for. They're paying for the cost, in employee hours and outsourced contractor hours, of ensuring that all that happened was that a page got modified. Rest assured, their CMS is surely as crappy as it was before Keys laid his stubby little fingers on it.

"Stubby little fingers"? Ouch. He's probably going to get hassled enough for his appearance in FPMITAP. It makes sense that one would need to demonize him, though. That's the same maneuver we've seen with drug users, undocumented immigrants, etc.

Why denigrate a CMS when it's well established that Tribune Media weren't removing the passwords of fired employees? If you're sure they're still not doing that, it will be grimly hilarious the next time this happens.

It's super weird of you to try to position me alongside drug prohibitionists and deporters of immigrants. I take offense. Thankfully, this thread was long enough already.