> I was thinking the analog version may be someone breaking into your house and leaving a picture of Rick Astley on your kitchen bench.
It was a school, not a home.
(It's also a notable contrast that when people are arguing for bad laws the fear is that criminals will invade your privacy, but when people are arguing for mass surveillance then it's all "nothing to hide" as if organized crime getting access to the surveillance apparatus isn't somewhere north of probable.)
> You don't know that it was your neighbour playing a prank or if it was some criminal that's put up little IP cameras all around your house until you do some investigation. Until you come to some conclusion you could be very worried and/or paranoid.
The criminal who is secretly trying to hide IP cameras in your house is going to leave you a picture of Rick Astley?
The problem with this theory in general is that it has nothing to do with any wrongdoing. Suppose your neighbor sees what kind of locks you have on your door and proceeds to pick them in front of you in ten seconds, then advises you to use better locks.
Now you're in exactly the same situation. You just learned that that person or anybody else with amateur-level lockpicking skills could have been in your house at any point after you installed those locks. If you're a paranoid person then that fact is going to distress you and you're going to search your house for IP cameras, but the source of that distress is the bad locks, not the person who brings them to your attention.
> Jail would be an over reaction for your neighbour, but you'd want that as an option for some creep breaking in, right?
That's the whole problem. You need to find something to distinguish those situations and codify it into law, instead of having a law so broad that it covers both and then having to rely on prosecutorial discretion. Whether you go to jail and for how long needs to depend more on what you did than how much the prosecutor likes you, or we're living in a police state where anybody can be imprisoned at will.
There is a reason we don't just have a single law that says "you must do the right thing; penalty up to life in prison" and then let prosecutors decide what the right thing is.
It was someones network that they're in charge of securing.
> The criminal who is secretly trying to hide IP cameras in your house is going to leave you a picture of Rick Astley?
See anything from Anonymous-like hacking groups. Leaving troll notes behind isn't all that uncommon in network breaches. The point is you just don't know until you investigate.
> Suppose your neighbor sees what kind of locks you have on your door and proceeds to pick them in front of you in ten seconds
Or picks them while you're out and leaves a note saying "your locks suck". You discover it's your neighbour after checking your cameras. The OP did say they traced his IP to discover who it was, this wasn't some white hat pen test.
> That's the whole problem. You need to find something to distinguish those situations and codify it into law, instead of having a law so broad that it covers both and then having to rely on prosecutorial discretion.
Great point, I'm on board. But there's a lot to cover that isn't just "what harm did you cause once you were in?". There's potentially time and money (resources) that law enforcement spend investigating. Resources that the company spends investigating. If the breach is public, stock prices could be impacted. IP could be discovered - whether or not it is disseminated, sometimes you just can't know.
All of this because you wanted some lulz and to see if you could? How about stay out of the network you aren't meant to be in. Go into pen testing if you find that work so rewarding and fun.
Punishment isn't the only reason we have laws. Deterrence is also key.
> There's potentially time and money (resources) that law enforcement spend investigating. Resources that the company spends investigating. If the breach is public, stock prices could be impacted. IP could be discovered - whether or not it is disseminated, sometimes you just can't know.
Which is necessary because of the vulnerability, not because of the breach. If bad people could have gotten into your network and that is something you care to spend resources investigating then you need to do it regardless of whether the person who notified you of the vulnerability trolled you with it or not. Whether they troll you is independent of whether they steal your secrets; you can have either without the other or both or neither.
> All of this because you wanted some lulz and to see if you could? How about stay out of the network you aren't meant to be in.
It isn't a question of right and wrong, it's a question of proportionality. If you troll somebody you deserve to be chastised and given detention or community service, not thrown in prison.
> Deterrence is also key.
I'm not sure deterrence is working in your favor here. If your network is insecure and you get trolled then you look stupid and fix it and give the kids detention. If your network is insecure and you deter the trolls then it takes another year before someone who is harder to deter breaks in and then you get arrested because the people who broke in were using your servers to distribute child pornography.
It was a school, not a home.
(It's also a notable contrast that when people are arguing for bad laws the fear is that criminals will invade your privacy, but when people are arguing for mass surveillance then it's all "nothing to hide" as if organized crime getting access to the surveillance apparatus isn't somewhere north of probable.)
> You don't know that it was your neighbour playing a prank or if it was some criminal that's put up little IP cameras all around your house until you do some investigation. Until you come to some conclusion you could be very worried and/or paranoid.
The criminal who is secretly trying to hide IP cameras in your house is going to leave you a picture of Rick Astley?
The problem with this theory in general is that it has nothing to do with any wrongdoing. Suppose your neighbor sees what kind of locks you have on your door and proceeds to pick them in front of you in ten seconds, then advises you to use better locks.
Now you're in exactly the same situation. You just learned that that person or anybody else with amateur-level lockpicking skills could have been in your house at any point after you installed those locks. If you're a paranoid person then that fact is going to distress you and you're going to search your house for IP cameras, but the source of that distress is the bad locks, not the person who brings them to your attention.
> Jail would be an over reaction for your neighbour, but you'd want that as an option for some creep breaking in, right?
That's the whole problem. You need to find something to distinguish those situations and codify it into law, instead of having a law so broad that it covers both and then having to rely on prosecutorial discretion. Whether you go to jail and for how long needs to depend more on what you did than how much the prosecutor likes you, or we're living in a police state where anybody can be imprisoned at will.
There is a reason we don't just have a single law that says "you must do the right thing; penalty up to life in prison" and then let prosecutors decide what the right thing is.