You missed my point. Like I said, I'm not commenting on the penalty. In my opinion, it's too hard. But this is only my opinion after hearing (just like you said) just one side of the story.
The main problem with unauthorized testing (putting aside technical problems) is that the person who performs it is in a _very_ difficult position explaining her intentions. She has already done what is considered the _second_ stage of a hacker attack. Until she can prove her good intentions, this is rightfully treated as a malicious attack.
This is what my equation means. I think everybody on this forum should be aware of this. Don't get yourself in trouble for not knowing this.
> She has already done what is considered the _second_ stage of a hacker attack
Considered by whom? There are companies which pay you money if you can find a bug in their software. And that's an open offer; they don't say 'wait, we'll get ready at 8 p.m. Friday and then you can check'. What do you think Google would do if this student used a scanner (or something else) on Gmail, found a bug and then told Google about it?
I still think that intention is the key difference here. And as you said, 'that person who performs it is in _very_ difficult position explaining her intentions'. That's why you shouldn't do any unauthorized checks, because even if you wanted to tell the relevant authorities about your findings, you can be caught before that and then you're screwed. But Mr. Al-Khabaz informed the university/company and was the initiator of that talk, so it kinda clears him. He was able to reasonably explain his intentions, and his punishment could have been just some warning (of course, if there aren't any significant details we don't know about). Also, he didn't get any credit for the help he provided by finding the bug.
Regarding this guy's intention, you're probably right. The main reason why I'm commenting here is so that guys with good intentions don't get themselves into trouble for not knowing what they're doing.
Finding vulnerabilities in software on your machine and hacking other people's systems are entirely different things. By testing software you're not violating anything (except maybe EULA for some licences). By hacking other people's systems, you're committing a crime.
> What do you think Google would do if this student used a scanner (or something else) on Gmail, found a bug and then told Google about it?
At first, they would treat it like an attack. Like almost any other company would do. I have no idea what would happen later.
But you wouldn't call reconnaissance hacking, would you? That's just vaguely looking at the site and information about the company. Step 2, pointed at something like a webserver, does not connect to any systems the person is not supposed to have access to. Only step 3 crosses the line.
Good point, I wouldn't call reconnaissance hacking. For two reasons: 1) it's a passive method; 2) it's not done on the attacked system.
Scanning is an active method and it's done on the attacked system. Web scanning is not the same as web crawling (downloading pages of the site). It includes all kinds of invasive tests, like SQL injection, XSS, command injection and other attack attempts. It can cause many kinds of problems, as named in this thread.
From a security perspective, scanning is an attack. Everyone who uses these tools should be aware of this.
Companies paying bounties for bugs are explicitly giving you the right to pen test their applications. This changes nothing in terms of unauthorized scanning = malicious attack.