I have a problem with the often used phrase "legitimate researchers", because it suggests that certain freedoms should only apply to certain people.
"legitimate researcher" is not a specific job, researching is an activity any citizen can and should be free to conduct within the confines of the law, and all of that is "legitimate".
The whole "legitimate researcher" creates a huge loophole through which the powers that be can create some kind of registered researcher status, with the obvious consequences for everyone else.
I agree with your problem with the phrase "legitimate researcher". I'm usually supportive of the EFF's position on most issues, but sending a Tweet like this guy did was pretty dumb. Even the disruption from an "overreaction" is a problem.
Also, the gateway between the aircraft safety systems and the CANBUS is one-way. The worst he could have done is shut down the In-Flight Entertainment system, and inconvenience a bunch of passengers.
I'm not saying that the possibility of a security flaw isn't there, only that this CANBUS issue isn't it.
A legitimate researcher would arrange a ground test, or even a test flight, and not experiment on an airliner with passengers. They can do "hardware in the loop" tests on the ground, with minimal risks. The FAA are actually involved in requesting security assessments on airline systems with safety implications.
IMHO this guy came very close to crossing the line of "interfering with the safety of an airliner" when he conducted previous tests, and that most certainly is illegal. People have gone to prison for less.
The EFF should be pushing for further evaluation of the actual issues, whatever they may be, in an appropriate manner. If Boeing/Airbus blow off the EFF, push back harder.
A well trained crew can operate a 737 quite safely using the Standby Flight Instruments for an emergency landing, even if some sort of compromise shut down the primary Flight Management System and Primary Flight Displays.
I happen to know several computer programmers/security researchers who are also test pilots. More than one called the CANBUS risks "inconvenience" and not safety of flight.
I don't think they mean legitimate as professional or industry recognized, but more as a way to distinguish from an actual bad guy hacking for criminal intents and then claiming he is a researcher and should have carte blanche.
In France there is a crime labelled "association de malfaiteurs" (criminal's gathering). Fantasizing about a crime is allowed. But actually laying out plans, watching the neighbourhood, or performing concrete steps towards the crime with the intent of actually performing it… well, that is forbidden.
Makes sense to me. Mere thoughts should never be forbidden, but acting on a criminal intent, even if the acts, taken independently, wouldn't be forbidden, is something else entirely. First, actions can be punished. Second, actions are actual evidence for the intent.
Not necessarily. Otherwise it would be impossible to prosecute someone for meticulously planning a terrorist action, who is only stopped when they are just about to purchase the materiel required to carry out the act. No action has taken place - actual terrorism has not occurred, and there are no physical tools or similar present. But the intent (or Mens Rea, guilty mind) is there, so you can be prosecuted.
And, of course, there are crimes of "Conspiracy to X" that involve merely the intent to commit a crime.
A crime requires the confluence of the required mens rea and the required actus reus; the former alone is not sufficient.
For the kind of plot you describe, prosecution would usually occur when there are multiple persons involved based on conspiracy charges, which require an overt act in furtherance of the conspiracy (which can be a fairly minor act, but it still requires an act.)
Mens rea is a required component of many crimes, yes, however it is not sufficient alone to be criminal. Research with malicious intent is not a crime. What you describe is not criminal.
And yet, people in the UK have certainly been prosecuted for looking up jihadi websites with the intent to download bomb-making instructions... Although, the actual crime may be possession of said information? It's hard to tell, particularly living in a country where 'glorifying terrorism' is now a crime - http://en.wikipedia.org/wiki/Terrorism_Act_2006 - as is 'encouraging terrorism' too.
I bet the prosecutors are kicking themselves for not thinking of that one earlier, as well - they could have simply rocked up to certain pubs in Belfast and arrested and jailed everyone singing IRA songs ;)