It's also worth noting that if you're caught playing games like this, there is really no way to explain your actions that would avoid serious consequences.
If, however, you used the "bugdoor" method, you can plausibly deny any malicious intent and you will absolutely get away with it.
In games we usually separate between exploits and hacks. Exploits are vague but typically things allowed by the game, but not intended (or have far more impact than expected).
I believe if you lied in the game that would constitute a written/verbal contract and what you did is fraud. Some games enforce written agreements, others say it's the wild west so too bad, this is role playing by a character, not the person. I'm not sure if either has ever been tested in court.
For the hacking thing I don't really agree that all hacking is 'allowed', phishing is of course a type of fraud, your access is unauthorised even with the correct credentials - authority to enter a building does not derive from stealing a key from someone. Likewise a buffer overflow is 'allowed' much the same way a window allows itself to be broken by a brick.
Yes, just look at the example provided by OP. He noticed a security flaw and instead of trying to do something about it he and his companions made a game of exploiting this flaw as much as possible. The employees don't want the inconvenience of actual security.
So, if it is considered "hacking" to do this, what about the first time he found the exploit? He didn't intend to do that; he just jumped the gun to get back to playing. Was that mistake a crime?
So his issue was not that you discovered the bug. His issue was that after discovering it, you went on to view a bunch of other people's data.
What you did was walk down the block, pull on the doors of random houses, and if you found one unlocked, went in and took a look around. If you found my door unlocked and left me a note, I would be grateful. If you went in and took a look around, then did it to all of my neighbors, we would have you arrested.
The bug here is an unlocked door. It being unlocked is a security risk, and people are thankful if you let them know. If after identifying the security risk you proceed to commit a crime, you're surprised people aren't "grateful?"
I used the word "malicious". It's not like I used the word "murderer" or "evil overlord". I'm not saying OP should go to jail or anything.
All I'm saying is if you find an exploit, and after you verify it works, you continue to use it for your own personal ends, you're no longer benign and you shouldn't expect a warm welcome from the security team.
The line is when you start to use exploits on computers not owned by yourself for your own ends instead of for the purpose of verifying and reporting the vuln. Sure you could cross that line a little bit or a lot, but you're not innocent if you're over it.
A sophisticated attacker could make use of bugs in the player to hack the system. This sort of trick is often used against high value targets where the effort needed makes it worth it.
I’d compare this “exploit” to playing a coin pusher type gaming kiosk with an especially large bankroll and statistical analysis to determine optimal play strategy.
If someone chose to play such a game intending to win and with appropriate planning to ensure wins through optimal play, I wouldn’t call that an exploit at all. It’s beating the game, and the owner may ban you from playing it, but no laws were broken by you playing it in such a manner with larger than average capital. But your winnings are yours, fair and square.
You are a nontechnical person and stumble upon what appear to be plans for a terrorist attack. You talk to the person about it and they say "Don't worry. is computer game".
A great exploration of this is the 30 Rock episode where Tina Fey reports her neighbor for what ends up being a plan to get on the show 'The Amazing Race'.
The problem is, not knowing any better, you feel obligated to report the activity just in case. Let someone much smarter than yourself decide what is really going on. If you say nothing and someone gets hurt, can you forgive yourself?
As a hacker, I would understand this is definitely a game. But can I really expect the same from non-technical people?
Hate to be that guy, but someone has to say it... In this case the code worked as expected and the "attacker" played within the rules of the game. Except they "won" too much. That's not supposed to happen.
Yes, you can get caught by logs. That, however, still leaves some already existing consequences of said illegal (in terms of player-game interaction) manipulations. For example, compensating for expensive ships which were destroyed with use of an exploit. Also, that affects customer satisfaction, and support must deal with that too.
I think the takeaway that you should have from this is: the person you showed this exploit to is not trustworthy; I'd avoid associating with them in the future.
The OP's argument is that exploiting a bug for financial gain is not wrong which is not so different from saying exploiting a faulty lock to steal is the locksmith's fault.
Putting in intentional errors so someone else can catch them and think they contributed... that IS 'games and tricks'. Whereas your example (sending things in an inefficient way) is just a matter of accommodating someone else's way of working.
Accommodation is a good idea, game-playing may work in the short run, but it does not build long-term trust.
I'm sure that they thought this. But this is a bit like doing unsolicited pentests or breaking the locks on somebody's home at night without their permission. If people didn't ask for it and consent, it is unethical.
And further, pretty much everybody knows that malicious actors - if they tried hard enough - would be able to sneak through hard to find vulns.