[Deestan]

> Imagine you break into your friend's car

Bad comparison. Breaking into a car is a locally constrained high-risk attack vector.

This is a low-risk unconstrained attack vector. A bored person anywhere in the world could fuck their shit up with no risk or consequence.

[noobermin]

Alright, say their car is unlocked and you rewire the stereo to teach your friend not to leave their car unlocked. Or a better example is surprising them with their car insurance card from the glove compartment to prove you got into their car. The act of intruding into someone's vehicle in and of itself is an unwelcome act, even if it is to teach good lessons. The same is true for this I think.

I always feel that pointing out vulnerabilities is okay. Penetrating to point it out is another thing altogether. Continuing the analogy here would be pointing out to your friend that they shouldn't leave their car unlocked rather than entering and making a mess of things.[0]

And sure, bored person anywhere can do lots of damage and may be your damage won't be as bad, but just the act of going through someone's belonging is unwelcome.

[0] Also, there's a huge difference I feel from penetrating systems from orgs that have dedicated security teams...and picking on a private individual to make a point.