Legally, I think it's also true that an open door looks more like an invitation to enter (and it's different from burglary to simply poke your head in the door, see if anything is wrong, and not break or take anything).
If an API is served on a public network and your client hits that API with a valid request which returns 200 (not 401) and that API is shaped like an open door, such that no "knock" or similar magic or special protection-breaking incantations were required in order to obtain "the access" ...
Then would you concede it's not actually like a burglary, but a bit more like going in through an open door to see if everyone is OK? (It sounds like that's more precisely what happened here; I'll admit I haven't read it all...)
I think that's roughly how it will play out in a CFAA case too: the case will turn on why it was you thought you were authorized to tinker with the things you tinkered with. If, as is so often encouraged on HN, your defense turns on the meanings of HTTP response codes, you'll likely be convicted. On the other hand, if you can tell a convincing story about how anybody who understands a little about how a browser works would think that they were just taking a shortcut to something the site owner wanted them to do anyways, you're much more likely to be OK.
If you create an admin account in the database, it won't much matter what position the door was in, so to speak.
The concept we're dancing around here is mens rea.
(Again: DOJ has issued a policy statement saying they're not going after cases like this Fizz thing, so this is all moot anyways.)
If my neighbor leaves his door open (in the winter, say), and I have cause to believe that something is wrong based on that, is a jury going to convict me for going in there to check on them? It really sounds like that's what was done here.
I guess creating an admin account while I'm in there is a bit like making a key for myself while I look around. That might be over the line. But without that step, I'm not sure how you can have proved that something was even wrong...
I'll go read the article now.
No: you will not get convicted checking on your neighbor. Everybody involved in that fact pattern will believe that you at the time believed it was OK for you to peek into their house. Now change the fact pattern slightly: you're not a neighbor at all, but rather some random person walking down the street. A lot less clear, right?
Anyways that's what these cases are often about: the defendant's state of mind.
Note here that this is a Firebase app, so while it's super obvious to me that issuing an INSERT or UPDATE on a SQL database would cross a line, jiggling the JSON arguments to a Firebase API call to flip a boolean is less problematic, since that's how you test these things. The problem in the SQL case is that as soon as you're speaking SQL, you know you've game-overed the application; you stop there.
It's times like these I regret that neighbors don't talk to each other anymore. How can we even have functioning internet if we don't have network neighborhood...
Friendly amendment: Generally, the prosecution must prove only the intent to take the action that's proscribed by law (and sometimes, the intent to achieve the specific outcome of the action). Proving that the actor intended to commit a crime is usually not part of the prosecution's burden. [0]
[0] https://www.nolo.com/legal-encyclopedia/general-vs-specific-...
That does not appear to be the case in Massachusetts. Here are the jury instructions relevant to B&E in the nighttime, with the full link below:
To prove the defendant guilty of this offense, the Commonwealth must prove four things beyond a reasonable doubt:
First: That the defendant broke into someone else’s (building) (ship) (vessel) (vehicle);
Second: That the defendant entered that (building) (ship) (vessel) (vehicle);
...
To prove the first element, the Commonwealth must prove beyond a reasonable doubt that the defendant exerted physical force, however slight, and thereby removed an obstruction to gaining entry into someone else’s (building) (ship) (vessel) (vehicle). Breaking includes moving in a significant manner anything that barred the way into the (building) (ship) (vessel) (vehicle). Examples would include such things as (opening a closed door whether locked or unlocked) (opening a closed window whether locked or unlocked) (going in through an open window that is not intended for use as an entrance). On the other hand, going through an unobstructed entrance such as an open door does not constitute a breaking.
(Italicized emphasis is mine.) Entering through an open door appears to be an entering (the second element of the crime), but not a breaking (the first element). IANAL.
https://www.mass.gov/doc/8100-breaking-and-entering-a-buildi...
This definitely must vary by state. At least in Michigan that would just be trespassing. I know, because I had some very in-depth conversations with my lawyer about whether I had committed trespassing or B&E while exploring steam tunnels underneath a university. In my case, B&E couldn't apply because the door was unlocked. I also committed no other crimes besides simple trespassing.
In general, I've learned that if you ever wonder whether you might be breaking the CFAA, you are in violation of the CFAA. The only time this logic has ever failed that I've seen was HiQ vs. LinkedIn.
I just wanted to argue against the idea that an unprotected computer is fair game for hacking. Morally and legally, it is not.