by uptown 5712 days ago
What was your game-plan if you'd stumbled upon something highly personal and sensitive in their mailboxes? Or if one of their friends had sent them a personal IM while you were logged in as them? The fact is, you could have easily approached these people face-to-face, offered to show them the risks they were exposing themselves to using your laptop, and given them the choice as to whether you took control of their accounts. While it appears that you did what you did with the best of intentions, you violated the privacy of the people whose accounts you accessed; broke a variety of laws; then documented your crime in your personal blog.

You describe your targets as lacking judgment. Maybe you should consider your own.

Upvote. This is precisely analogous to the following "brick-and-mortar" situation:

You notice that some folks in your town aren't locking the doors of their houses when they leave. So you go to each of those houses (when they're not there), walk in the front door, and tack a note to the first wall you encounter, telling them that they really ought to lock their doors.

The next day you go back and check their locks. For those that are still unlocked, you go into their bedroom and mess up their sheets (being careful not to look around too much lest you notice some "marital aids", since you're not that kind of guy), so they can see that someone's really coming into their house.

It's pretty clear that you've violated any number of laws, morals, and societal values in the physical world. Why, in the virtual world, do you think that in doing so you're a white knight?

Well, I never called myself a white knight, but that's beside the point.

If someone breaks into your Facebook account, bad things can happen, but none that (directly) involve physical harm. If someone enters your home, they could easily cause you physical harm (and in many jurisdictions you'd be well within your rights to shoot them).

Your analogy is flawed because a person's home is not analogous to their Facebook account. Their car might be -- and I don't think opening an unlocked car door and leaving a note on the dash is wrong.

It's like when people equated Amazon's revoking of 1984 to breaking into a customer's house and taking the book off the shelf. It's fearmongering, and isn't an accurate analogy.

> Your analogy is flawed because a person's home is not analogous to their Facebook account. Their car might be -- and I don't think opening an unlocked car door and leaving a note on the dash is wrong.

Are you serious? If someone did that to me I would feel terribly violated! Even if I forgot / just thought I lived in a neighborhood with human decency, that is wrong on so many levels.

Trespassing by accessing someone else's property, home, car, or virtual, is wrong. Harm is harm, physical or not, and you can cause plenty of harm by accessing someone's Facebook account, embarrassing them to friends or co-workers for starters.

> Your analogy is flawed because a person's home is not analogous to their Facebook account. Their car might be

These are your opinions, your values. You've got no business with (a) deciding the value of a person's virtual identity and data; nor (b) weighing that against your value for the education about greater security.

You might be right -- FOR YOUR PERSONAL VALUES. But it's simply none of your business how another person would judge this in the balance. Your beneficiaries/victims have every right to decide for themselves that the security afforded by the current systems is sufficient for the risks. And the fact that their decision makes it easier for you to teach them a lesson does not give you the right to do so.

ehh... I would strongly disagree. I think it would be a fairly universal opinion that having your Facebook account violated is favorable over having your home broken into, even if nothing is stolen or damaged.

I would agree that there are some ethical problems with his actions, but this is far from being ethically analogous to the whole break-in scenario.

Exactly. Just because there's a rock next to a window doesn't mean you should throw the rock through the window to prove a point that people shouldn't leave rocks near windows.

I don't get all of the animosity toward the OP. He has taken all the risk by documenting everything -- essentially saying "I'm doing what I believe is right, and you can prosecute me if you want." Making him "aware" of what he's done (and the possible consequences) seems redundant.

We can go back and forth on the white hat/black hat issues, but I think we need more people who are willing to raise awareness on this.

The animosity should be reserved for those who use Firesheep/Wireshark for completely malicious purposes.

Or, perhaps busybodies shouldn't think their personal values are more correct than the values of others.

As Henry David Thoreau said, If I knew for a certainty that a man was coming to my house with the conscious design of doing me good, I should run for my life.

Ah, but this presupposes knowledge of their values. One person's busybody is another's good samaritan.

You also seem to be describing the US Congress.

Absolutely. This may even be criminal, unfortunately.

Actually, whether or not I broke any laws (in the US) is not clear. I deliberately did not look at anything in their account while I was in it, so privacy was not actually compromised.

The folks I recognized on my way out were people with large profile pictures of their faces. In general, this wasn't the case. I'd have had to do a lot more rifling through accounts to be able to identify someone face-to-face, and would have risked someone having a bad reaction.

So, unlike all the people who have used Firesheep in public to look at people's accounts and then not told anyone about it, I notified the users and then told the public about what happened. You're saying that's bad?

"I deliberately did not look at anything in their account while I was in it, so privacy was not actually compromised."

From your blog: "I opened up his Amazon homepage, identified something he had recently looked at"

That was the single exception, and I agree that that was in a murky area.

Ah, wow. This could not be further from the truth. This wasn't a "murky area." It's a big fat red zone.

Let's look at the Florida statute:

815.06 - Offenses against computer users. -

(1) Whoever willfully, knowingly, and without authorization:

(a) Accesses or causes to be accessed any computer, computer system, or computer network;... commits an offense against computer users.

(2)(a) Except as provided in paragraphs (b) and (c), whoever violates subsection (1) commits a felony of the third degree, punishable as provided in s. 775.082, s. 775.083, or s. 775.084.

So you committed a felony punishable by up to five years in prison, informed the victims, and documented your crime in explicit detail on your blog. That's a tad more dangerous than using unsecured cookies.

Just because something is unethical, doesn't mean it is also illegal.

The reverse obviously is also true, and arguably applies in this situation. (I'm not arguing that it does, but the OP is).

Ethics are subject to opinion, one man's gray area is another man's A-Ok, and another's "big fat red zone".

Clearly I meant that it was a murky area morally.

Also I don't live in Florida.

I also never said that I thought I was protected from prosecution, so I don't know why you're so eager to prove that I am.

You've probably admitted to and documented multiple counts of Computer Trespass, knowingly using a computer service without authorization and knowingly gaining access to computer material. It's a Class E felony.

156.10 Computer trespass.

A person is guilty of computer trespass when he knowingly uses or causes to be used a computer or computer service without authorization and:

1. he does so with an intent to commit or attempt to commit or further the commission of any felony; or

2. he thereby knowingly gains access to computer material.

Computer trespass is a class E felony.

http://ypdcrime.com/penal.law/article156.htm#156.10

You say "That was the single exception".

You also wrote '[I] then sent him a "no, seriously" message on Facebook from his account including the fun fact about his music choices.'

Viewing a person's music choices and sending them a message about them is a total violation of privacy. Or do you just attribute that to being another exception?

I think he's saying that using Firesheep at all is bad.

Just because it's easy doesn't mean it's ethical.