Quite a few countries have laws from the 1980s that basically say "gaining unauthorised access to computer systems is a crime".
Which is of course a very expansive definition. Think you've found a leaked database credential and you test it before reporting, so as not to create a false alarm? That's illegal hacking. Almost any persistent XSS? That's illegal hacking. Access an admin panel by entering a default password? You guessed it, illegal hacking.
We might get the impression these laws don't exist, because they aren't enforced internationally or if the hacker can't be identified - so black-hat hacking, cryptolockers, tech support scams, giant data breaches and suchlike go completely unpunished. But a white-hat hacker who identifies themselves in hopes of getting their security report taken seriously might well get a visit from the cops.
In Australia the go-to for dropping a legal hammer on a digital crime is "misuse of a carriage service", which is just a big lasso that puts crimes like fraud that happen on the internet into a simple basket so they can attach sentences as they see fit.
> If you randomly try my front door and find that it's unlocked, don't expect me to be thanking you.
Why? If someone tries my front door, doesn't go in but confirms that it is unlocked by opening it by an inch (=verifies the DB credentials but doesn't run any queries) without really peering into my private spaces, then privately reaches out with "hey, hey, your door is not locked - I haven't gone in but I know it's unlocked, you may wanna look into this" then I imagine while that could be an odd situation (e.g. depending on whether one has a lawn), I would be grateful and not in the least bit offended.
Surely, I wouldn't be happy if I'd get an alarm that my door is suddenly open (IDS alert) and would react accordingly. But if my door is not locked and I'm not aware and someone responsibly discloses this - I don't see how that'd be an issue.
Sure, but that doesn’t mean that I’d be thanking you.
These arguments about computer crime law are always the same, and people with your view always shoot themselves in the foot with analogies like this. This is not a pre-existing social expectation. If someone comes to my front door, tells me that it’s unlocked, and tells me that they were trying people’s front doors for the intellectual thrill, there is a 0% chance that I’m reacting positively. I challenge you to find any material proportion of well-adjusted non-nerds that don’t agree with me.
If somebody tried my door handle, I’m immediately going to assume malicious intent.
Start trying door handles in your neighbourhood and I can guarantee you’ll either be assaulted by an unhappy resident or arrested pretty quickly. It’s not acceptable behaviour however altruistic you believe it to be.