It does sound like a crime to me too. But was it a password or other credential that was guessed, or was it just some sequential primary key? The latter is not an authorization system, and I do not believe it a crime to do that unless you have specific knowledge that it is likely to cause damage and/or the intent to cause that damage.
You are not allowed unauthorized access regardless of how the key works.
ethbr1|5 months ago
But CFAA charges should, and this is the issue a lot of people have with them afaict, have a sliding scale for premeditation though.
If I knock on a door, it swings open, and I walk inside and steal something, then imho there should be a lesser maximum charge for possessing burglary tools than if I show up with a lock gun, crowbar, and concrete saw.
A lot of the CFAA excesses are maximum penalties from the CFAA being thrown at people using minimally sophisticated / premeditated methods, in addition to charges about the underlying crime.
That doesn't seem just or fair.
In practice it's turned into an if(computer){increase maximum penalty} clause, solely at the government's discretion.
JambalayaJimbo|5 months ago
Why? (I'm not a lawyer...) - shouldn't intent and harm (i.e. the value of the stolen item) be the only relevant details? Now of course it's much easier to demonstrate intent if there's a crowbar involved, but once that's already established, it seems irrelevant.
efdee|5 months ago
I think intent probably matters a lot more than the technicality of how you succeeded.
NoMoreNicksLeft|5 months ago
As far as I am concerned, I am allowed to send any traffic I wish to public-facing hosts, and if they respond with content that the owners would not wish me to see, I have no responsibility to refrain. The only traffic I am not permitted to send are credentials I am not authorized to use (this would include password guessing, because if I manage to guess correctly, I was still not permitted to use it).
So which was it?
ecb_penguin|5 months ago
> I am allowed to send any traffic I wish to public-facing hosts
No you're not. Denial of service is a federal crime.
> I have no responsibility to refrain
Yes you do, and this is just beyond silly. The nuance of how you obtained it will be decided in a court. Stop making everything so reductionist and lazy.
> The only traffic I am not permitted to send are credentials I am not authorized to use
Absolutely not. Use of a vulnerability to cause a data breach is OBVIOUSLY a federal crime.
This is beyond absurd.
efdee|5 months ago