alsetmusic 2 days ago

> I mean was it really unauthorized access (they called it “hacking” of course) if his user account literally had permission to map network drives?

My expectation is that laws probably specify that gaining access that you know you’re not supposed to be able to get is probably illegal, but I get your point.

Reminds me, however, of the pen-testers that got hired to infiltrate a court system and got harassed by a prosecutor despite having explicit approval to conduct an audit.

https://darknetdiaries.com/episode/59/

Our judicial system is ludicrous.

gymbeaux 2 days ago

The Florida Computer Crimes Act was passed in 1978 so as you can imagine it’s very draconian. I’m pretty sure it was a misdemeanor for 16-year-old me to boot Linux from a live USB as a means to get around the IE-only web filter the school district used.

thwarted 2 days ago

If someone didn't question, or otherwise call out, the pentesters' activity, that would have been a blemish against the security training of the org being pentested. This is why pentesters need a way to immediately escalate to the hiring party, to satisfy legit concerns over access and ensure those claiming to be pentesters legitimately are.

fc417fc802 2 days ago

In this case IIRC they did have exactly that but were caught up in drama between different factions within the justice system. Unfortunately a few of the people involved behaved in bad faith and thus they got stuck in jail for a while.

The moral of the story, if there is one, is probably a cautionary tale about petty individuals prioritizing workplace politics over ethical integrity.

Full_Clark 2 days ago

If you listen to the episode you'll learn that such escalation did occur, and unfortunately the harassment by local LEO did not cease.