
The computer held a list of addresses. It did not present that list to the public. He found a trick where he could probe the addresses, and used that trick to extract the list counter to the desires of the owner (and the owners of the addresses). I can't imagine how you think that access was authorized.

Now, sure, it's not much of a "hack" in a security analysis sense. And it was a terribly dumb bug, and a huge security goof by AT&T. But why should criminal law care about how difficult something is? You don't get off of burglary charges if someone's door is unlocked. And if AT&T is culpable for their poor engineering, they are so in a civil sense for damages; it doesn't make the hack less of a crime.

Admittedly there's a spectrum between "full disclosure" security research and grey hat anarchic asshattery, and there are cases where people have been wrongly prosecuted. But this case looks pretty black and white to me.




Information on whether an email is valid or not was made publicly available by AT&T. Shouldn't access to publicly available information be assumed to be authorized by the one who made the information public?

If you forget to wear your pants in public, you are the one who is to be charged with indecent behavior, not the people looking at you with intrusion on your privacy.


What gives you the right to sell that data? What gives you the rights to what a reasonable person would understand to be sensitive and private data? You can't look at this from just a technical standpoint, but also the intent of the people involved.

Your question about forgetting to wear pants is a perfect example. In California, it's legal depending on the intent. The mere act is not a crime without intent, and looking at one without the other is pointless.


> Information whether email is valid or not was made publicly available by AT&T

By mistake. They left that hole open by mistake. I just re-read the details to be sure; the clear intention of the developer was that the email address would be retrieved (keyed on the SIM ID) to pre-populate a sign-in field for the user. That CCID is not meaningfully useful to the user. This API was clearly never intended as a "validation" mechanism, and for you to claim so is flatly ridiculous. It was a security hole, and a dumb one, and something AT&T should be held liable for if someone suffered damages.

But for you to claim that its very existence makes it legal to exploit to retrieve addresses of third party users is just insane, sorry. That's the kind of logic Weev relied on, and it's going to send him to jail. And rightly so: the rest of us in society don't particularly want jokers like you running around free looking to steal our email addresses.


What about if you walk around and peek under everyone's coat to see if they forgot to wear pants?


Very impolite. Criminal? Only if you check many entities and lots of them notice and it bothers them or you check one for a long time and you bother it. Might be harassment.

I can't see what the coat was supposed to be in the AT&T case, though.



