It was someones network that they're in charge of securing.
> The criminal who is secretly trying to hide IP cameras in your house is going to leave you a picture of Rick Astley?
See anything from Anonymous-like hacking groups. Leaving troll notes behind isn't all that uncommon in network breaches. The point is you just don't know until you investigate.
> Suppose your neighbor sees what kind of locks you have on your door and proceeds to pick them in front of you in ten seconds
Or picks them while you're out and leaves a note saying "your locks suck". You discover it's your neighbour after checking your cameras. The OP did say they traced his IP to discover who it was, this wasn't some white hat pen test.
> That's the whole problem. You need to find something to distinguish those situations and codify it into law, instead of having a law so broad that it covers both and then having to rely on prosecutorial discretion.
Great point, I'm on board. But there's a lot to cover that isn't just "what harm did you cause once you were in?". There's potentially time and money (resources) that law enforcement spend investigating. Resources that the company spends investigating. If the breach is public, stock prices could be impacted. IP could be discovered - whether or not it is disseminated, sometimes you just can't know.
All of this because you wanted some lulz and to see if you could? How about stay out of the network you aren't meant to be in. Go into pen testing if you find that work so rewarding and fun.
Punishment isn't the only reason we have laws. Deterrence is also key.
> There's potentially time and money (resources) that law enforcement spend investigating. Resources that the company spends investigating. If the breach is public, stock prices could be impacted. IP could be discovered - whether or not it is disseminated, sometimes you just can't know.
Which is necessary because of the vulnerability, not because of the breach. If bad people could have gotten into your network and that is something you care to spend resources investigating then you need to do it regardless of whether the person who notified you of the vulnerability trolled you with it or not. Whether they troll you is independent of whether they steal your secrets; you can have either without the other or both or neither.
> All of this because you wanted some lulz and to see if you could? How about stay out of the network you aren't meant to be in.
It isn't a question of right and wrong, it's a question of proportionality. If you troll somebody you deserve to be chastised and given detention or community service, not thrown in prison.
> Deterrence is also key.
I'm not sure deterrence is working in your favor here. If your network is insecure and you get trolled then you look stupid and fix it and give the kids detention. If your network is insecure and you deter the trolls then it takes another year before someone who is harder to deter breaks in and then you get arrested because the people who broke in were using your servers to distribute child pornography.
It was someones network that they're in charge of securing.
> The criminal who is secretly trying to hide IP cameras in your house is going to leave you a picture of Rick Astley?
See anything from Anonymous-like hacking groups. Leaving troll notes behind isn't all that uncommon in network breaches. The point is you just don't know until you investigate.
> Suppose your neighbor sees what kind of locks you have on your door and proceeds to pick them in front of you in ten seconds
Or picks them while you're out and leaves a note saying "your locks suck". You discover it's your neighbour after checking your cameras. The OP did say they traced his IP to discover who it was, this wasn't some white hat pen test.
> That's the whole problem. You need to find something to distinguish those situations and codify it into law, instead of having a law so broad that it covers both and then having to rely on prosecutorial discretion.
Great point, I'm on board. But there's a lot to cover that isn't just "what harm did you cause once you were in?". There's potentially time and money (resources) that law enforcement spend investigating. Resources that the company spends investigating. If the breach is public, stock prices could be impacted. IP could be discovered - whether or not it is disseminated, sometimes you just can't know.
All of this because you wanted some lulz and to see if you could? How about stay out of the network you aren't meant to be in. Go into pen testing if you find that work so rewarding and fun.
Punishment isn't the only reason we have laws. Deterrence is also key.