
The expert witness that was working with the defense states that JSTOR did not require passwords from computers on MIT's network:

http://unhandled.com/2013/01/12/the-truth-about-aaron-swartz...

Attaching serious criminal charges to the act of feeding an automated system input that the automated system does nothing to verify is crazy (that is, it isn't wire fraud to use a variety of email addresses on a system that does nothing other than note the address that was input).

The indictment uses language like "Although a MAC address is intended to be a permanent and globally unique identification". And yet nobody serious about security has any expectation that a MAC address is permanent or globally unique (it is well understood that they aren't particularly useful for authentication).

If the government wants to attach serious charges to accessing computer systems, there should at least be some sort of notification that the provider of the system considers the system to be protected under federal law, not this running backwards to say that accepting an email address or having the capability to block a MAC address somehow makes a network 'protected'.

To be perfectly clear, I'd be entirely fine with a broadly applicable lesser charge that applied more generally to computer tampering, for cases where the prosecutor wanted to argue that a user exceeded intended access and such.
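The point in the post above that a MAC address is neither permanent nor globally unique, and so is no basis for authentication, can be shown with a small defender-side audit. The script below is an added example and is not part of the original comment or of any code from the case; the DHCP-style log lines, the IP range (RFC 5737 documentation addresses) and the function names are all constructed for illustration. It decodes the two IEEE bits in a MAC's first octet that mark software-assigned and group addresses, then scans lease records for IPs that were seen with more than one MAC and for MACs the client chose itself.

```python
import re
from collections import defaultdict

# Bits in the first octet of a 48-bit IEEE 802 MAC address.
LOCALLY_ADMINISTERED_BIT = 0x02  # set: address assigned by software, not burned into the NIC
MULTICAST_BIT = 0x01             # set: group address, never identifies a single host


def parse_mac(mac):
    """Normalise 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or 'aabb.ccdd.eeff' to 6 bytes."""
    cleaned = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", cleaned):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(cleaned)


def classify_mac(mac):
    """Report the properties that show why a MAC is not a trustworthy identity."""
    octets = parse_mac(mac)
    return {
        "oui": octets[:3].hex(":"),  # vendor prefix; only meaningful for burned-in addresses
        "locally_administered": bool(octets[0] & LOCALLY_ADMINISTERED_BIT),
        "multicast": bool(octets[0] & MULTICAST_BIT),
    }


# Constructed log format (hypothetical): "<timestamp> lease <ip> mac <mac>"
LEASE_RE = re.compile(r"^(?P<ts>\S+) lease (?P<ip>\S+) mac (?P<mac>\S+)$")


def audit_leases(lines):
    """Group lease records by IP and by MAC.

    Flags IPs that were handed to more than one MAC (the MAC did not stay
    attached to one host) and MACs with the locally-administered bit set
    (the client, not the manufacturer, picked the address)."""
    macs_by_ip = defaultdict(set)
    ips_by_mac = defaultdict(set)
    for line in lines:
        match = LEASE_RE.match(line.strip())
        if not match:
            continue  # unrelated or malformed line; skip rather than guess
        mac = parse_mac(match["mac"]).hex(":")
        macs_by_ip[match["ip"]].add(mac)
        ips_by_mac[mac].add(match["ip"])
    return {
        "ips_with_multiple_macs": sorted(ip for ip, macs in macs_by_ip.items() if len(macs) > 1),
        "locally_administered_macs": sorted(
            mac for mac in ips_by_mac if classify_mac(mac)["locally_administered"]
        ),
        "macs_by_ip": {ip: sorted(macs) for ip, macs in macs_by_ip.items()},
    }


# Constructed sample records; 192.0.2.0/24 is reserved for documentation.
SAMPLE_LEASES = [
    "2013-01-12T10:00:00 lease 192.0.2.10 mac 00:1a:2b:3c:4d:5e",
    "2013-01-12T11:30:00 lease 192.0.2.10 mac 02:1a:2b:3c:4d:5f",
    "2013-01-12T11:45:00 lease 192.0.2.11 mac 00-1A-2B-3C-4D-5E",
    "2013-01-12T11:46:00 not a lease line",
]

if __name__ == "__main__":
    for key, value in audit_leases(SAMPLE_LEASES).items():
        print(f"{key}: {value}")
```

The second record's MAC starts with `02`, so its locally-administered bit is set: a logging system that treated the MAC as the identity of a machine would have no way to tell it apart from any other software-chosen value, which is why the audit reports it separately from the IP reuse.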



> The expert witness that was working with the defense states that JSTOR did not require passwords from computers on MIT's network

The problem with this logic is that it assumes the content hoster has the responsibility to actively keep attackers away. Sure, it's a great idea, but is it really their duty to stop from being victimized?

If a bank left their assets in the middle of the lobby they'd be stupid, but it would still be theft on the part of the robber when it inevitably gets stolen.


A better analogy might be that having stolen some magazines from a bookstore (a surprisingly large number of magazines...), the thief was charged with breaking and entering and safe cracking, rather than shoplifting.

And people that attach computers to the public internet absolutely do need to be treated as responsible for the information that those computers transmit. If they want to claim that they intend to limit access to the information, they need to take meaningful steps to actually put limits in place.

I don't mean to say that there should be no recourse in situations where intended access is exceeded, I mean that the bar for a 30 year felony needs to be a little higher than "we didn't intend for our system to be accessed in that manner".


> And people that attach computers to the public internet absolutely do need to be treated as responsible for the information that those computers transmit. If they want to claim that they intend to limit access to the information, they need to take meaningful steps to actually put limits in place.

That goes entirely against the principles on which activists claim the Web is based. Instead of a democratic network where anyone with an IP address can fire up an httpd and be (in theory) just as equal as any other DNS entry, you're saying there need to be technical measures put in place to enforce an "honor code". What's next, DRM on mp3 files?

But either way, they and MIT both took many "meaningful steps" against aaronsw, and he sidestepped every one.

> I don't mean to say that there should be no recourse in situations where intended access is exceeded, I mean that the bar for a 30 year felony needs to be a little higher than "we didn't intend for our system to be accessed in that manner".

Luckily, 30 years wasn't the sentence in question, even with the heavy-handed prosecution in place, and what transpired was more than "our system was accessed once in an unintended fashion". So the bar probably does need to be moved, but it's not as if he simply wandered near the wrong Wi-Fi hotspot and accidentally mirrored a website...


I'm saying if you choose to configure your server to answer a request, you had better not come back later saying you didn't mean to answer that particular request. It's exactly in the spirit of the web: publishing something at a URL is a grant of access to whatever was published.

So what was the sentence in question?
