I’m deliberately changing the details to protect the guilty, but I’m nearly certain the essence of the situation is legally the same as what I describe below.
Suppose a cyber security professional (CSP) obtained the username and password credentials of a bad guy (BG) who had poor operational security. The BG didn’t intend to reveal the credentials but the CSP has them and knows the BG is in the process of obtaining credentials via deceptive means from the organization the CSP works for.
The CSP, by using the credentials of the BG, can rapidly mitigate damage done by the deceptively obtained corporate credentials.
While everyone on the CSP’s team sees this as morally justified, one team member (WB) throws a wet blanket on the CSP’s plan to use the BG’s credentials to get information the BG intended to keep private and use for ill-gotten gains. WB claims that, legally, the BG credentials have been “stolen” and should the CSP use them to surreptitiously access the BG’s data, the CSP would be committing a crime.
I’m almost certain this is a crime, if not in the U.S. then in some other countries which may or may not be involved. And, if the CSP were to do this, I’m almost certain it would never be prosecuted. But committing felonies you think you are going to get away with doesn’t seem like a particularly good item to put on your resume or even admit to others.
What do you guys think of this?