Tsunami Hacker

So a guy worries that he might have been phished and runs some attacks against a tsunami donation website. Not only was he unsuccessful, but BT (the site's hosting provider) was using "dead" technology (that would be IDS ;-) ) and caught him.

I am a bit torn in this case. On the one hand, I don’t want security vigilantes running around looking for vulnerabilities, but on the other hand, it doesn’t seem like he had malicious intent. This is what is annoying about our profession – we feed our young to the authorities when they act on the bluster that’s out there about doing good by doing bad. (I really don’t get the whole "police are gonna pay for this" baloney. Sure, the vigilante "security consultants" out there will stay away, but those BT security professionals probably don’t mind at all.)

For discussion:

  • What if the defendant (Daniel Cuthbert) were to claim that he actually was phished? Would he have ended up like this lucky guy?
  • What good could come from running scripts against a web server involved in a phishing attack? (Caveat: the technical details of this story are not completely clear.) Either the server was run by the bad guys, in which case it probably would have been gone by the time Cuthbert went back, or it was a compromised legitimate server. But in either case, why wouldn't he have simply looked at his URL history and parsed it out (I am guessing a cross-site scripting test here), or gone back to the banner ad he clicked on?