This is in reference to the Twitter worm, and the Samy Myspace worm awhile back.<p><i>MySpace filed a lawsuit against the virus creator, Samy Kamkar. He entered a plea agreement, on January 31, 2007, to a felony charge.[2] The action resulted in Kamkar being sentenced to three years probation, 90 days community service and an undisclosed amount of restitution.</i><p>From: http://en.wikipedia.org/wiki/Samy_(XSS)<p>I'm not sure what is going to happen to the kid that did the Twitter worm.<p>On what grounds is what these people did considered harmful? It doesn't harm any end-users... at worst it only modifies their profile page. It's a bug (or feature) in the web application, not exactly a virus that affects other peoples computers. I guess my point is, it's all encapsulated to the website.<p>Furthermore, it just seems like they're taking advantage of the features the developers created. If you can execute javascript, why not force people to friend you? If the developers included a big button that said: "Delete a random user's profile" and you pushed it... would that be illegal? What if instead of a button, there was a hidden URL that did this? What if you needed to provide a 1 digit password?<p>I just don't get how fooling around with a website can be considered illegal, and what defines the line between legal and not.
Three observations.<p>One: There are specific laws against unauthorized access to computer systems:<p><a href="http://www.ncsl.org/programs/lis/CIP/hacklaw.htm" rel="nofollow">http://www.ncsl.org/programs/lis/CIP/hacklaw.htm</a><p>These acts are generally considered illegal because... they contravene laws!<p>Two: "What defines the line between legal and not?" The answer, ultimately, is judges and juries. These people have a wide range of discretion and are often surprisingly reasonable. (Although certainly not always. And they cost a lot to convince, and they can be <i>randomly</i> unreasonable, which is why there are a lot of jury-trial horror stories and why lawyers prefer to avoid jury trials whenever possible.)<p>If I leave a loaded gun lying around and you pick it up and shoot me dead, the legality of your action is going to depend crucially on what you can make the prosecutor and the jury believe. If you convince them that you did it by accident -- that you were honestly just playing around with the gun on the assumption that nobody would be dumb enough to leave a loaded gun around -- you might be found innocent. If you had a documented motive for killing me, or were arguing with me at the time in front of witnesses, or if there were <i>no</i> witnesses... well, good luck.<p>Finally, when you say:<p><i>It doesn't harm any end-users... at worst it only modifies their profile page.</i><p>You are making a lot of unwarranted assumptions. For one thing: If you publicly deface a website you advertise the existence of an exploit which someone <i>else</i> might then use for evil purposes. But, more importantly: Who says that an edit to a user profile is always harmless? People have lost relationships, job leads, careers, and reputations over such "trivial" things. Remember the poor teacher whose Windows box got infected by a virus and spewed porn links all over the screen in front of the students? The woman who lost her job and narrowly missed being convicted as a sex offender by a crazy prosecutor?<p><a href="http://news.cnet.com/8301-1009_3-10107743-83.html" rel="nofollow">http://news.cnet.com/8301-1009_3-10107743-83.html</a><p>If I were a teacher and someone defaced my online profile with a porn link I'd consider it a direct threat to my family's life.
That last sentence is a bit troubling, are you serious? Think about a situation for example where all of your income comes from a website you publish and someone else does (without your permission) something to change/destroy the content, how that can be legal? If a car has unlocked doors and the keys are in ignition is it legal to take that car?
doing anything on someone else's account without them aware (or in control) has to be illegal ... ?<p>my concern is that its myspace one day, my bank the next. Stemming this in the bud is of value for everyone.
The same exact argument as the OP holds for CSS... When is playing a DVD considered illegal? What if I just put it into an unlicensed player? What if the decryption algorithm is so simple a 14 year old can crack it? What if the algorithm has been cracked for 14 years?<p>DCMA says that breaking ANY encryption even if the encryption says take my data, treat it as binary and invert all the digits, and the first line contains those instructions, it is illegal to break the encryption because of DCMA.<p>So yea if its a 1 digit password its illegal to guess it.