[Zombieball]

I like your analogy in that it portrays the fact that nothing was physically stolen, much similar to arguments used in piracy issues.

However, my understanding of heartbleed is it can take many thousands of requests before interesting / meaningful data is returned. I doubt 900 SINs were returned in a single response (I could be wrong). So I suppose this is analogous to repeatedly sticking your head in & out of the wide open window at street-level.

So what I am curious about is where the line is drawn. Is one malicious packet considered enough for an arrest? 1 million?

[mindslight]

Well the standard way of answering that question is that it has nothing to do with the number of packets, but with the ultimate intent and actual damages caused. Unfortunately the legal system considers basically any hacking to be witchcraft and is horribly miscalibrated as to what should be considered serious or not.