[burpee]

The metaphor doesn't really hold up; it's rather like you went to the administrative desk of AT&T 1000 times, asked the person behind the desk "Can I please have document 001?" and they simply handed it over without questions each of the 1000 times. That employee should have stopped handing over documents, but it didn't.

In my opinion the crime isn't in requesting or obtaining that information, it's in the way that he handled that information afterwards.

If he would have used it with the pure intention of showing that the system is insecure, he would have been right and nobody would have been able to blame him of improper conduct.

Instead he sold/handed over that information to Gawker, which is where he went wrong in my opinion, because he took another organisation's information and decided to put that information on the market against their will or consent.

[cheald]

Bingo. I think it was a dick move to go running to Gawker with it, rather than practicing responsible disclosure. But even then, I'm having a hard time with the idea of criminal charges for that; he didn't steal this data, AT&T happily handed it to him. He basically ran around saying "Haha, what a moron the guy at the administrative desk is, I just kept asking him for files and he just kept on handing them to me". And while that's distasteful, is it criminal?

Honestly, to me, it feels like he's being run down because someone got embarrassed, and he's being railroaded with archaic laws that can be applied in vague and nebulous ways to make just about anyone a criminal if it's useful.

[lambda]

No, that analogy suggests that there was someone actively paying attention, who should have noticed something awry, but was instead granting permission without thinking. In this case, they just left an unsecured program running; it was a passive mistake. Just like leaving a door unlocked and someone comes in and goes through your papers. The door being unlocked does not mean that someone gave permission for you to go through it.

> In my opinion the crime isn't in requesting or obtaining that information, it's in the way that he handled that information afterwards.

I think that the fact that he requested a hundred thousand records probably didn't work in his favor. If he had requested just a dozen or so, to confirm that the problem existed, it would have been one thing; once he hit thousands, it makes you wonder if he had ulterior motives. Past the first dozen or so, there was nothing left to prove about the security flaw.

> Instead he sold/handed over that information to Gawker, which is where he went wrong in my opinion, because he took another organisation's information and decided to put that information on the market against their will or consent.

Yes, this was the biggest mistake. And I don't remember the source, but I recall that someone mentioned that he had considered selling the information as well, before deciding to just give it to Gawker.

Of course, in some ways I don't blame him for not going to AT&T first; there have been researchers who have discovered flaws, and disclosed them to the company, only to have the company accuse them of criminal acts for having even tested for the flaw in the first place. That kind of behavior creates a catch-22, and a very chilling effect on security research.