The problem is that the law is written for bank wire cyber criminals and this guy did the real life equivalent of opening up the fire escape to let in a raving homeless person.
Yes he should get punished. Fired, fined, maybe even a couple days or weeks in jail. But the justice system has not caught up to the internet.
We have have a thing called assault. A thing called battery. A couple things called murder. Morality is a grey scale.
I'd say it's more like handing a copy of his keys to miscreants (of any type) with a note attached "DO HARM THERE" after being evicted. If proven in court, I'd expect a guilty verdict on a charge of criminal mischief.
Having no authority to order the harm, and having no plausible way to realize a tangible benefit from any harm that may occur, I fail to see how that is a criminal act. At worst, that's just a civil lawsuit against him.
And it would be a pretty strong affirmative defense if the landlord did not re-key all of his locks at the time of the eviction.
If this had happened in a physical place rather than on a web site, no one would be going to jail. Someone would be sued in civil court, and be forced to pay no more that the amount that a locksmith typically charges to re-key all the locks on a property.
And if the landlord so much as left a window open, the defendant probably wouldn't have to pay anything at all!
What does his authority have to do with it? His intent seems entirely clear. Again: the chat transcripts, which are traceable to him through the network, show him expression discouragement at the minimal amount of damage the IRC hackers were willing to do. What he wanted to have happen was even worse.
I'm also not sure how "the employers didn't rekey the lock" is any kind of defense at all.
The hackers are the ones actually responsible for the damage that occurred, as evidenced by the fact that they did not do as much as he asked of them.
You leave your bike propped up against a wall, unlocked. Someone starts shouting "Hey, steal this bike! Steal it!" When you return, your front wheel is gone. Someone tells you about the shouting guy. So you sue him for the loss of your front wheel. You are able to get a recording of that guy complaining that only the front wheel got stolen. It doesn't matter. He didn't steal your wheel. He could have wanted someone to steal your whole bike and your wallet, but the fact remains that he didn't do it.
Now suppose that you did lock up your bike. But you used a TSA-approved luggage lock. Now the guy passes out copies of the TSA master key along with the shouting. But anybody could have had that key already. He still didn't steal your wheel.
Now instead of a known-insecure lock, you use a good lock, but you had at some point given the shouting guy a key to it. After you two have a falling-out, you keep using the same lock. While on the surface it looks different, this is the same situation as the TSA lock, because your lock is not truly secure if its keys are not controlled by you, and you alone. He still didn't steal your wheel. At worst, you can recover from him the cost of replacing your u-lock, as he made it unfit for its intended purpose.
Wishing misfortune on others is not a crime. It isn't very nice, but it is not criminal, and does not create civil liability. I can say as often as I like that I would be happier if Bank of America's corporate headquarters were destroyed by a lucky meteorite strike. If an arsonist tries to burn it down instead, I am in no way responsible. I didn't give that guy any tangible benefit for doing the crime. I could not have harmed him in any way if he did not do it. The person was not acting as my proxy. If the arsonist cannot be identified, I am not an acceptable scapegoat simply because I wished harm upon the victim. I have malicious intent, it is certain. But I have not performed the malicious act.
(I won't be able to respond further, because "HN: You're submitting too fast. Please slow down. Thanks." It looks like tptacek can post about 10 times more often than I can, so I can't meaningfully participate in a discussion with that account.)
No, the real life equivalent of what he did would be giving some teenagers unsupervised access to the office copy machine. It wasn't bright, but it doesn't sound like a life-defining felony.
How can you believe that giving a group of anonymous people you suspect to be hackers a username/password, then telling them that it's superuser access, then giving them the admin URLs, then giving them the URL to the user manuals for the console, then creating them new accounts...is the same scope as letting a bunch of teens use your "office copy machine"? (unless your company's business is literally the copy machine...I suppose)
I just pulled up the Los Angeles Times, and something literally resembling a copy-scan-fax machine plugged directly into a Wordpress site comes to mind.
In reading the transcript, it's clear this person deserves to be punished according to the maximum penalties prescribed by the applicable laws. It is not as clear to me that the laws being applied accurately reflect the harm incurred, or even the potential for harm given the nature of the compromised system.
Yes he should get punished. Fired, fined, maybe even a couple days or weeks in jail. But the justice system has not caught up to the internet.
We have have a thing called assault. A thing called battery. A couple things called murder. Morality is a grey scale.