Hacker News new | past | comments | ask | show | jobs | submit login

He knew that he was obtaining sensitive information that he shouldn't have been able to access (through at&t's negligence), however instead of following any sort of responsible disclosure, and reporting the incident to the company, he goes to IRC and talks openly about trying to use the information to benefit himself through insider trading and then gives the information to Gawker (again instead of contacting AT&T).

He probably could have had the charges dropped, had he composed his actions differently.




Absolutely. He was a dick about it. I don't think that anyone would argue differently.

But the fact of the matter is, he's been convicted for unauthorized access to a public computer system. Last I checked, being a dick and a braggart wasn't criminal.

I think he was rather stupid about the whole thing, but criminal? The fault should lie with AT&T, who put their customer data on a public webserver for the world to see.


Being a dick in general is not criminal. Being a dick by stealing 100K private emails and giving them to press, apparently, is criminal.


But it's not stealing if AT&T was just happily giving them away. Which they were.


Is that still defensible if you go out of your way to brute force download as many as you can and you then distribute that list?


That's like saying that it isn't robbery if the door was unlocked.

It still is. Any reasonable person would know that stealing from a house, locked or no, isn't something they're supposed to be doing.

It's a quandary, to be sure, because once you discover a hypothetical exploit, it's human nature to sate that curiosity by testing whether it works. Two or three accounts would have proved it, 100,000 accounts is excessive.

I'm not trying to say that the number of accounts he released is germane to the discussion per se, but I certainly think that it's relevant in the discussion of intent.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: