
Do shellshock scans violate CFAA?

9 points by tshtf, over 10 years ago

3 comments

jessaustin, over 10 years ago

> This test is bonkers for computers, because a "reasonable person" means an "ignorant person". Reasonable people who know how the web works, who have read RFC 2616, believe Weev's actions are clearly authorized. Other reasonable people who know nothing except how to access Facebook with an iPad often believe otherwise -- and it's the iPad users the court relies upon for "reasonable person".

"Reasonable" people regularly sit in judgment of other specialists' actions. Therefore I think this eventually devolves to a battle of expert witnesses. Which means security researchers should get something analogous to malpractice insurance, because the best witnesses are the most expensive. In the medical malpractice suit for which I was a juror, the difference between expert witnesses was comical.

jessaustin, over 10 years ago

A thoughtful, reasonable, important piece like TFA drops with nary a ripple, while his follow-up crackpot "criticism" of the *style* of decades-old C code causes a 68-comment furor. No wonder the author keeps writing that kind of crap: it's nice to be noticed, even if only on HN...

fabulist, over 10 years ago

I propose we create a new convention, "humans.txt", which states in a plain, simple manner what parts of a system one can access and how. This is placed in the web root alongside robots.txt.

This would be a closed-by-default system; it says you can use the shopping cart functionality for yourself. Thus, if you use CSRF to use the shopping cart functionality "for" someone else, you are breaking the law unambiguously.