by Volpe 4660 days ago
I have trouble agreeing with this. I know nothing of the law around this, but also realise given the international nature of the internet, the law probably doesn't mean much in perspective. Would Aurenheimer be prosecuted if he were Chinese?

The grandparent making the point about status 200 has a point, especially in regard to this case. If a website is returning 200s for a GET request, then you are implicitly 'authorized' to see that page. The counterpoint made about SQL injection is also valid, but SQL injection wasn't used here. Just plain old GET requests.

It's difficult to draw real-world comparisons to things like this, so I don't think you can simplify it down to locked/unlocked doors, or public/private property.

If I go to cia.gov/supersecretfiles and it returns something... did I just "hack" the CIA? It doesn't make sense to me.

URIs that return 200s are public resources.

2 comments

In northern Maine, everyone I know keeps their house doors unlocked and their keys sitting in the ignition of their cars. However, it's still illegal to steal their cars and enter their houses.

There doesn't even need to be a metaphor here: the data physically existed on a private server, and weev was not authorized to access it.

GET google.com

What's returned is data physically on a private server. I am not authorized to access that server.

But the internet would be a pretty crap place if that were against the law.

As I said, metaphors to locked/unlocked public/private don't make sense. But happy for you to keep stretching this analogy until it fits.

When you put data on a private server accessible via GET with no access control or firewall, it is published on the web to the public.

Comparing it to houses that have doors, locked or otherwise, is exceptionally disingenuous.

That's not how HTTP servers work. They are not cars, and when they send information back it is not as if you have set foot on property.

No, he would not have been prosecuted if he were Chinese.

The point about "200" error codes is sophistry. We all know that every 200 code is not actually a deliberate authorization. If you believe otherwise, then any SQL injection attack that uses GETs and generates a 200 must be authorized.

SQL injection wasn't used here. The URL scheme being used was used exactly as intended (by developers).

Seems the sophistry here is applying another clear-cut version of hacking to say that this 'not clear-cut at all' version is also wrong.
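The disagreement above turns on whether a 200 response is an authorization decision. As an added illustration (not code from the thread or from any party in the case, with constructed account records), the two handlers below show that the status code is whatever the application chooses to send: the first returns 200 for any record, and even for a missing one, because no access check exists; the second makes the authorization decision explicit and the status code follows from it.

```python
"""Added example: an HTTP status is chosen by the application, so a 200 says
nothing about whether access was authorized; only an explicit access-control
check does. Account ids, owners and details below are constructed."""
from typing import Optional, Tuple

# Constructed data store: account id -> (owner username, private detail)
RECORDS = {
    "1001": ("alice", "alice@example.invalid"),
    "1002": ("bob", "bob@example.invalid"),
}

Response = Tuple[int, str]
PREFIX = "/account/"

def handle_get_unprotected(path: str) -> Response:
    """Weak handler: any well-formed GET /account/<id> is answered with 200.
    Nothing here decides who may see the record; the 200 is an artefact of the
    missing check, not a grant of permission."""
    if not path.startswith(PREFIX):
        return 404, "not found"
    record = RECORDS.get(path[len(PREFIX):])
    if record is None:
        # A 'soft 404': an error page sent with status 200, as many apps do,
        # so 200 does not even reliably mean the resource exists.
        return 200, "no such account"
    return 200, record[1]

def handle_get_protected(path: str, session_user: Optional[str]) -> Response:
    """Hardened handler: authentication and ownership are checked before the
    record is returned, and the status code reflects that decision."""
    if not path.startswith(PREFIX):
        return 404, "not found"
    if session_user is None:
        return 401, "login required"
    record = RECORDS.get(path[len(PREFIX):])
    if record is None:
        return 404, "not found"
    owner, detail = record
    if owner != session_user:
        # Log the denial so sequential id probing shows up in the logs.
        print(f"denied: {session_user} requested {path} owned by {owner}")
        return 403, "forbidden"
    return 200, detail

if __name__ == "__main__":
    print(handle_get_unprotected("/account/1002"))         # (200, 'bob@example.invalid')
    print(handle_get_unprotected("/account/9999"))         # (200, 'no such account')
    print(handle_get_protected("/account/1002", "alice"))  # (403, 'forbidden')
    print(handle_get_protected("/account/1002", "bob"))    # (200, 'bob@example.invalid')
```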