Hacker News

This is absurd. If there's no access controls, but it's still a crime, we're going to have to determine if we can legally access all web addresses beforehand. But that's what 403 status codes are for.



The same thing happens in real life all the time. We're supposed to use our brains and make ethical decisions on our own, not simply rely completely on technical safeguards to clue us into proper behavior.


What he did was unethical. But the idea that connecting to a URL you changed on a hunch could ever be a felony is outrageous.

Imagine if it had been comics published online. Because the server refuses to interact with your Chrome browser, you tell the website you are an IE. Because the "next" button is small, you use keyboard shortcuts to change the URL and view the next one. Without realizing it, you view a handful that weren't released yet. That's now a felony with a court precedent.


Why does it have to be binary with all you guys? :P

I didn't say weev deserved a felony conviction. I said he dun goofed, as a counterpoint to what many here are saying, that because the API he accessed was unauthenticated, it meant he did nothing wrong. That argument's completely bogus as well, just as much as a 2 year prison sentence for this is bogus.


I don't think what he did is ethical and I would be happy to see him jailed for an actual crime.

But talking to a webserver isn't like entering a house. It's like making a phone call. "Hi.. my name is Firef--, I mean, Mobile Safari. Can I have your email?"

I think creating a precedent for prosecution when accessing a number of web pages after spoofing a header is far, far worse than making an example of a troll that exploited a loophole to grab information that he shouldn't have. When talking to a webserver, without a clear separation between public and private with something like an API key or username/password, the only possible convictions we should allow is over DoS and that is only if there is malicious intent.


> the only possible convictions we should allow is over DoS and that is only if there is malicious intent.

What's 'malicious intent'? Is it what the 'reasonable person' decides it is? If so I don't see how what you're proposing is significantly different from what I've been saying.

Likewise a DoS is not the worst possible thing you could do to a website with an unauthenticated API. Why do you carve open an exception for DoS but not for e.g. identity theft or doxxing?



