Author Topic: Damn This Sucks!  (Read 6119 times)
Dengar13
« on: May 04, 2006, 02:26:19 PM »

This is why you always CYA!   Angry

http://www.securityfocus.com/news/11389?ref=rss

What do you all think of this?

A+, Net+, MCP, CEH
MCSE: Security/Messaging
MCSA: Security/Messaging
Former U.S. Marine and damn proud of it!
don
Editor-In-Chief
« Reply #1 on: May 04, 2006, 03:32:17 PM »

I hate to be on the side of the prosecution, but hear me out first. Although Eric McCarty provided information on what he did and acted 'responsibly' after the fact, by not getting permission at all, the burden of proof is now on himself, not the prosecution. It now becomes impossible for him to prove that he did NOT use any of his findings for ill will.

Think of this hypothetical - what if someone else with malicious intent did the same exact thing that Eric did, but he also grabbed more data than he reported to the authorities and sold it to the mafia. How could the prosecution or the institution know the difference between this malicious intruder and Eric? They can't. And I'm sure that the professional criminal can sound very convincing as to how innocent he really is.

How about another... I don't know you and you have no idea who I am. I break into your house and approach you after the fact. I say that I've been in your house, and to prove it, your wife has some really interesting leather lingerie. I didn't take it all - only enough to prove I was in there. You should really have better security before someone with malicious intent comes along. This doesn't even pass the laugh test. Handcuffs would be on me quicker than I could finish my flimsy logical argument.

Take this as a very clear warning. This is why every ethical hacking and pen testing book and/or methodology clearly states to get permission before doing any testing.

Maybe with the onslaught of regulations where a pen test will eventually be required by law and cost a LOT of $$$$, those needing these services can post a freely available online form. The freelance researcher looking to help can fill out the form, send it in, get verified or whatever else the institution decides to do, and off he goes. They know who he is, he gets to practice his research skills and they also get a free security checkup. Clearly more details would have to be worked out, but the concept is easy enough.

Anyway... I'll stop typing now.

Don

CISSP, MCSE, CSTA, Security+ SME
Dengar13
« Reply #2 on: May 05, 2006, 03:37:10 AM »

True dat!  Good point.  That is why if you do these a signed consent form is paramount!

Oyle
« Reply #3 on: May 06, 2006, 10:10:58 AM »

Good point Don, but you forgot one IMPORTANT little fact. When you get permission, GET IT IN WRITING!! As part of my forensics studies, I recently attempted to do a data recovery for a local school. I was unsuccessful, but I had paperwork that gave me permission. Without paperwork, it's still your word against theirs. Remember, Oral contracts (by handshake, or verbal agreements) are never binding in court. I am NOT a lawyer. Perhaps EC-Council should add another module going deeper into the laws. My courseware when I did the class hit on the federal laws applicable at the time (2004), but it was only the basics. My instructor, who was a Juris Doctorate, told us "If you are ever arrested for terrorism (cyber-terrorism) YOU DO NOT get to speak to a lawyer".


MCP, MCP+I, MCSA, MCSE(NT4/W2K), CCNA, CCA, NWCCC, VH-PIRTS, CEH
--------------------
"hackers are like jedi, crackers are like the sith: do not fall prey to the dark side".

From 1337 h4x0r h4ndb00k: "the ten laws of geek", law x
                  -Tapeworm
Dengar13
« Reply #4 on: May 06, 2006, 10:23:50 AM »

Quote
Good point Don, but you forgot one IMPORTANT little fact. When you get permission, GET IT IN WRITING!! As part of my forensics studies, I recently attempted to do a data recovery for a local school. I was unsuccessful, but I had paperwork that gave me permission. Without paperwork, it's still your word against theirs. Remember, Oral contracts (by handshake, or verbal agreements) are never binding in court. I am NOT a lawyer. Perhaps EC-Council should add another module going deeper into the laws. My courseware when I did the class hit on the federal laws applicable at the time (2004), but it was only the basics. My instructor, who was a Juris Doctorate, told us "If you are ever arrested for terrorism (cyber-terrorism) YOU DO NOT get to speak to a lawyer".



Massoui-sp? got a lawyer.  He was arrested for terrorism was he not?

Oyle
« Reply #5 on: May 06, 2006, 02:34:02 PM »

Like I said, I'm not a lawyer. If I remember correctly, when my instructor said that, I think he was referring to the arrest process. While you are under arrest and "being processed", you do not get the opportunity to consult with a lawyer. But after you've been sitting in the can for a while, I guess you have to get a lawyer to prepare for your trial. Even terrorists DO get trials, as we saw with moussasuoi, or however you spell his name.

Don seems to have a lot of connections; maybe Don knows a lawyer he can contact to ask about this and clarify? I MIGHT be wrong, here.


pcsneaker
« Reply #6 on: May 07, 2006, 11:22:49 AM »

Quote
Remember, Oral contracts (by handshake, or verbal agreements) are never binding in court.

Even without writing down something a verbal agreement is as equal to a written contract - the problem with it is just you could (and probably will) run into troubles to prove it!

So in essence Oyle is right: never do something without written permission, that will prevent a lot of discussion (and perhaps a lot of trouble too).

MCSA:Security (W2k, W2k3)
MCSE:Security (W2k, W2k3)
CPTS, Network+