What sentence do you think Aaron should have been facing in court? How about someone who roots and wipes a multiuser box for revenge? How do you discriminate between the two?
I've got a hard time trying to come up with something "right" because it doesn't feel like Aaron's access should really be a crime at all, and JSTOR can go for civil damages or criminal copyright infringement. And it also doesn't feel like we need a law to punish someone for using a computer while defrauding a bank, because we've already got a law for defrauding a bank that even gets applied when you do it in person. And to the extent that one can cause purely virtual destruction (and hence not have any physical world laws apply), that should be the thing that is addressed as the primary crime, instead of having a lone charge of something that is usually bundled on top of other crimes to punish harder.
What about punishment of cracking applying solely to damage done to the cracked systems (either categorically or monetarily, and possibly including something like your tests)? This would also put someone who successfully tries an sshd exploit and then emails the administrator completely in the right - something we've never had. What scenarios would this leave completely unpunished (with no applicable laws), and can those just be fixed with similar categories?
I've got a hard time trying to come up with something "right" because it doesn't feel like Aaron's access should really be a crime at all, and JSTOR can go for civil damages or criminal copyright infringement. And it also doesn't feel like we need a law to punish someone for using a computer while defrauding a bank, because we've already got a law for defrauding a bank that even gets applied when you do it in person. And to the extent that one can cause purely virtual destruction (and hence not have any physical world laws apply), that should be the thing that is addressed as the primary crime, instead of having a lone charge of something that is usually bundled on top of other crimes to punish harder.
What about punishment of cracking applying solely to damage done to the cracked systems (either categorically or monetarily, and possibly including something like your tests)? This would also put someone who successfully tries an sshd exploit and then emails the administrator completely in the right - something we've never had. What scenarios would this leave completely unpunished (with no applicable laws), and can those just be fixed with similar categories?