by freehunter 4956 days ago
The problem with metaphors is that they only resemble what they are describing. They'll always be imperfect. The problem with web servers is that anything that is public-facing is just that. Security through obscurity is no security at all.

Like I said, the guy went too far. But visiting a public-facing website is not a crime, no matter how you happen to discover the URL. There's no sign on the door saying "keep out", even though the server is more than capable of displaying one. Do you have a right to walk into any business, or walk into their storage space? No, but any reasonable person (notice I keep using this phrase? It's going to come up in court) would assume if the lights are on and the door is open, you can walk in. You might be mistaken, and a clerk might show you out. Intent is a critical factor. Like I said, the guy went too far. He didn't enter by mistake, though someone could have. He entered with the intent of making unauthorized copies of private data. Walking into a store's storage space isn't illegal, but a reasonable person would know that taking pictures of customer data is.

It's not illegal to visit any public facing Internet site. It is illegal to make unauthorized copies of restricted data. It's also against The company is hugely to blame in this situation for leaking private information. So is the guy who broke the law by making unauthorized copies of this private information. I support him having criminal charges filed against him. My point was that there are two issues at hand, one illegal and one perfectly within the law. Implied consent at odds with intent. It should be an interesting case.

2 comments

He demonstrated a proof of concept, collected data, and went to journalists. Cherry-picking IRC logs for possible uses of the data is weak because they have a weak case.

Arguing about methods of responsible disclosure, a very dead horse that has been beaten to dust, seems like a waste of time and not really relevant.

This is just the endgame of the chilling effect of arresting and hounding researchers which has been going strong ever since 2001 http://news.cnet.com/2100-1001-270082.html

> Intent is a critical factor. Like I said, the guy went too far. He didn't enter by mistake, though someone could have. He entered with the intent of making unauthorized copies of private data.

We're in agreement here. I think we're both making the same point. Intent is the key here.

The problem is that if you just consider servers, configurations, permissions, and other technical aspects ... intent doesn't enter the picture. That's the wrong way to think about this.

I do agree that we're making the same point, and I wrote my response to you in the mindset that I had poorly communicated my initial conclusion. Your point complements my own. The difference we may have is that I don't view intent as being of the highest importance when someone visits a public server. Intent will only get you so far as long as the server, configurations, permissions, and other technical aspects are in order. The reason he was able to copy restricted data is because the technical aspects were not in order. That's where the muddiness comes in; you wouldn't need intent to make unauthorized copies in this situation. The Googlebot could have made unauthorized copies. Your browser's cache could make unauthorized copies. Archive.org could have made unauthorized copies. Googling for plaintext and valid credit card numbers might shock you with what Google is finding on public servers.

His intent comes into play only secondarily in my opinion. I might enter a store with intent to steal something, but if a security guard is standing next to me and a camera is watching, I'd walk right back out. The lack of security is what allowed him to complete his intentions of unauthorized copying. It does not absolve him of his crimes, but thinking about the potential for unintentional restricted data access tells me that his crimes sit in line with the failed (non-criminal but out-of-compliance) policies of the host.