You don't think the supposed difference in values is the result of ignorance of how the internet works? Or what a security researcher does? Or that security researchers exist as a hobby and profession? Or that the security of the internet at large depends on people who do this? That the every-other-month theft of giant numbers of credit cards or passwords can be prevented if white hat hackers find the security hole first? I would expect most people don't know that big companies like Facebook or Google offer bounties to people who find exploits, or that bugs that threaten the entire internet are routinely found by people who donate their time in order to protect people they don't even know, and who don't know they exist.
The facts of the case: someone broke into a computer system without permission.
The inability to interpret those facts in the light of what a security researcher does isn't a result of different values, but a lack of knowledge of the context. People who don't know how computers or the internet work are open to being told whatever story the prosecution decides to spin.
Edit: I think the ignorance is actually made clear by the example in the GP. Imagine some good Samaritan is walking past a jewelry store after closing time. They notice that the front door is ajar, and upon testing they find that the alarm doesn't go off when they enter the store. So they call the owners and wait in the store until the owner can get there and make sure the store is secure.
Do you think it's likely that this person would be prosecuted? Or, if they were, that the prosecutors and judge would throw the book at them to "make an example"? People understand that scenario and are likely to treat it with leniency in a way that they don't understand the equivalent scenario in computing.
P.S., Always a pleasure to be slapped down by tptacek :)
In your jewellery store example I think it may be reasonable to prosecute the person.
In increasing levels of seriousness:
1. The person is walking by the store and, in the course of their everyday activity, sees that the door is ajar; they then contact the owner. This seems fine to me.
2. The person is walking by the store, sees the door ajar, and then, altering their normal activities, decides to actively test the door to see if they can break into the store; they can, and then contact the owner. This seems dodgy to me.
3. The person chooses to visit each jewellery store in town to see if any have a door ajar. This definitely seems inappropriate.
The reason I come down opposed to the person in the second example is two-fold.
Firstly, ignoring intent, where do you draw the line on an acceptable level of 'break the security' activity?
- Thinking that the door is ajar and pushing on it?
- Seeing that the lock is vulnerable and picking it?
- Finding a ground floor window and breaking through it with a brick?
The resolution I choose is that if you have gone out of your way to subvert the security of my stuff without my consent then you have crossed the line. Gray is black.
Second, I don't care about your intent. Every security system will break at some point, and so I view the existence of doors and locks as mainly being about roughly outlining the boundaries that I expect to be respected. If I want to improve my security then I'll hire someone to advise me on how to do it. If I come home tonight to find a stranger who has broken into my house in order to prove that it's possible then (1) I already know, and (2) they have just caused the harm which they are nominally trying to protect me against.
But most likely a security researcher will fire off some multiple of a thousand probes to see if the door is open. Collateral damage is likely. This is not what is happening in your jewelry store door case.
That the every-other-month theft of giant numbers of credit cards or passwords can be prevented: These things can be prevented by the folks in charge paying attention to the alarms going off in the back.