Man arrested exploiting lock flaw to break into hotel room

So, some sunlight averse, snack-food junkie spends 3 years in momma’s basement trying to crack the code to electronic door locks. Me, I like photography and sporting clays. To each his own.

However, instead of telling the vendor in question, or other similar vendors, that a flaw may exist in their product that endangers people, he goes public. Super idea.

Enter knucklehead #1. Not necessarily the only person to do this, but just one that got caught. He fashions his own gizmo per the junkie’s instructions, and sets about breaking into hotel rooms.

My question for you unfrozen law-talking guys and other educated individuals is this: what culpability, if any, does our troglodyte friend have in this case? What if someone were injured, raped, or killed at the hands of someone who copied Cheeto-boy’s gizmo and gained entry with it?

Now we’re all familiar with the Anarchist’s Cookbook and other fun missives that are sold “for entertainment purposes only”, and there’s a hundred kids on YouTube teaching us how to pick locks - your own, mind you - and there’s no liability for them.

Should the guy who gives me directions to the liquor store where I then proceed to buy booze, get hammered, and plow through a T-ball game have any liability? No, I think not.
I’m the one who drank, drove, and plowed; it’s all on me.

Yet, shouldn’t there be some liability here? Surely giving highly technical instructions to commit a crime that is otherwise impossible is more odious than telling someone that the Brinks truck shows up at 3 each afternoon, wink, wink.

C’mon law students. Dig in there and find me something with teeth! If Jack McCoy can always find some arcane law against dogs shedding on Tuesdays, I know you guys can do just as well!

The lock vendor and hotels have known about the flaw since July. Several fixes have been available since then. That particular hotel has known about it since at least August.

Police have not said how he broke into the room. The idea that he used the exploit is speculation by the hotel. They also claim to have fixed the locks, which contradicts the theory.

I think there should be None/No Liability. The lock vendor’s response has basically been “replace all the locks in your hotel at your own expense - these ones are secure, we super dog swear and you won’t have to do it again”. No surprise most hotels haven’t, but if the guy had told the lock makers, the response likely would have been either A) F— off, or B) Oh, hey great, let’s sue you to force you to not reveal it.

Yup, that reaction is way, way too common. Contrast Google, who offers a substantial cash prize to anyone who can show them a security flaw in their systems.

The idea that knowledge of how to commit a crime and disseminating such information is itself a crime - that really worries me. How is the world supposed to train locksmiths, then? Or computer security experts? (There are way, way more legit computer security people than hackers, unless we’re counting script kiddies.) We’re supposed to punish the action, not the thought. Otherwise it’s like deliberately blindfolding everyone in the idea that it somehow makes us safer. If the guy who found the exploit specifically collaborated with the guy who used it to break into hotel rooms, sure, there’s a criminal charge there. Otherwise, nope.

To be fair, the economic incentives are very different.

Google can generally fix their security problems by pushing a software upgrade, and finding out about it from some guy who they pay a few $thousand to in bounty is much cheaper than the service outage if a bad guy takes advantage of it.

Lock makers may or may not be able to update their locks in the field, and even if they can, it’s probably orders of magnitude more expensive to do it. Plus, they don’t suffer immediate damage from a breach, but they do suffer if the truth gets out.

I’m not saying that justifies heavy-handed legal threats. But it certainly demonstrates why they’re favored by companies that have substantial quantities of hard-to-update hardware in the field.

I agree that spreading information about how to exploit a system should not be criminal.

While he does look like he hits that snack food a little harder than he should, the guy’s been pretty productive for his age. I doubt he lives in a basement, his mother’s or otherwise.

But in any case, I agree with the other posters. The guy has no legal or moral responsibility for the break-in.

Note the very old case of Hit Man: A Technical Manual for Independent Contractors. Long story short: a man hired a guy to kill his wife. The hired killer got information on how to commit and cover up his crime from the above-named book, published by Paladin Press. The estate of the deceased sued Paladin, saying that by publishing the book, Paladin intentionally aided the killer in committing the crime.

Now, here’s the interesting part, quoting the case itself:

So, Paladin essentially admitted that they aided the killer in committing the crime, but still claimed that they were not liable because, hey, free speech. The court disagreed, saying that speech is not protected if it is intended to aid in committing a criminal act. It appears to me that Paladin attempted to test the limits of the First Amendment and got burned for their arrogance.

I very much doubt that the outcome of the case would have been the same if Paladin hadn’t made their extensive stipulations. If they’d just said, “Hey, this book is for entertainment and crime novel writers, not actual killers!” they probably wouldn’t have been found liable.

The lesson from all this: intent is key.

“key”. snicker.

Darnit, beaten to the punch on Hit Man and Paladin Press!

He should have absolutely no liability. Not sharing that information, particularly under threat of the manufacturer, is what I like to call security through ignorance. Sure, he’s a good guy and won’t do anything with it, but that he found it out means someone with more nefarious intentions very well may soon after, if he hasn’t already. It may cost that company money by exploiting a weakness in their design, but it also allows them the opportunity to correct for it. Further, it allows people who may depend on their locks to be aware of the risk and appropriately take that added risk into account.

Yes, it’s a lot cheaper if it’s a software exploit rather than a hardware one, but that’s part of the risk of the business.