Originally Posted by ukjb
That is not a very fair analogy.
Think of it this way.
You put all your money into a bank. You don't know it, but that bank isn't very secure.
Not as the bank, but as the customer of that bank (very important whose perspective you view this from), which scenario would you prefer to take place?
a) Someone breaks into the bank's vault and takes all your money. He leaves with all your money and vacations in the tropics. The bank can't do anything about it because in this hypothetical situation, the bank does not have insurance (Apple can't offer you insurance if your credentials are lost or stolen, so not a bad analogy).
b) A security analyst breaks into the bank and steals $5 to prove that he was in fact there and secretly tells the bank how he did it. The bank covers it up and underplays the effects of the break-in because they don't want any more break-in attempts, don't want to lose your business, don't want the media attention involved, AND (the biggie) since everything was swept under the rug, can take their time replacing the old unsafe system with a better, more secure system. All of which help make scenario (a) more of a possibility.
c) A security analyst breaks into the bank and steals $5 to prove that he was in fact there and tells the world of his feats. The bank is forced to come to terms with their lack of security and they are forced to shore up their shortcomings asap or risk more break-ins.
Why is that not a perfectly apt analogy? Someone engaged in activities using resources or facilities they had no authority to. In the process they deprived someone of their property, and/or exercised control over information that had some form of value to the rightful owner, which was diminished by the accessing.
Bear in mind, the theft of money or goods is a discrete event, but misappropriation of private information that can be used for ongoing harm to personal, professional or financial interests is in a whole other scope entirely. Also, stealing from a bank with a weak lock is no more legal than stealing from a bank with a strong one - even if it's just some of the money in the vault you steal.
You're biasing the presentation of your scenarios with an interesting choice of wording. Scenario 'A' is just involving "someone" doing the deed, but scenarios 'B' and 'C' feature "security analysts". What qualifies them as such? Is it just the mere fact that they want to be labeled thus? If the bank, or some other authorized body, isn't making the request for these attempts, then they ['security analysts'] are just out to exercise their will and impose their sense of morality/justice/whatever on the banks and their customers - or maybe they're simply out for the attention. Regardless, they're not acting in a professional, moral or legal capacity any more than the 'evil' person in scenario 'A'.
In all three of your scenarios, theft has occurred - someone in each of these has been illicitly deprived of some measure of their money. So all three scenarios involve theft (even if it's only 'a little' theft in the latter two), and none of those scenarios are actually desirable at all. The only difference is in the scope or magnitude of the theft.
For the first scenario we have straight theft. Not much to say there. Obviously we don't want that. That's why many organizations regularly perform security audits and even hire professionals to stage attempts to pick their locks.
Let's explore the other hypotheticals though.
In the second scenario, we have theft (albeit a smaller one), and the bank now knows about it … but wait, maybe the bank already knew about it, was in the process of developing and deploying a solution, but it hadn't been completed yet. The 'analyst' may have known this if they'd been authorized to make the attempt, but they weren't; they just decided to satisfy their own desire to "see how deep they could go". Now the self-righteous 'analyst' is peeved that the bank isn't making a public show of it and giving them their attention (because frankly it would disrupt business to do so, and they're already working on it, and they don't want to open themselves up to more headaches). Since we've already established that the 'analyst' is more interested in pursuing what <they> decide is the best/right/moral/whatever course of action, the peeved 'analyst' then invariably jumps into the third scenario and they publicize the weakness in the bank's locks. Now not only do skilled professionals in the lock-picking industry know of the weakness (the ones who already knew about the weakness, by the way), but amateur lock-picks and every nit-wit with access to YouTube thinks the bank is ripe for easy picking. The bank is inundated with theft attempts, most of which fail, as they're executed by people without the requisite skill to succeed, but they're time-consuming to deal with nonetheless. However, the bank now has to spend additional time and resources dealing with both the negative publicity as well as the extra security load, making it even harder and more expensive to implement the upgrades to the locks.
But really, I like scenario "D": Some putz stumbles across a broken lock, wanders into the vault, pockets as much cash as they can carry and then runs. The bank realizes there's an irregularity, performs an internal audit (which may have taken several days), then when they're satisfied they understand what happened, even if they don't yet know the exact details of how, they notify their customers of a breach. The would-be thief catches wind of this and tries to cover his ass by posting a YouTube video claiming he was just trying to let the bank know there was a potential problem by stealing that money. In the meantime, he's spent at least some of the stolen money (or disseminated some of the private information, something that can't be undone, like spending the cash), but is still claiming that he's really not a bad guy at all and was doing it all for altruistic purposes. … Sound familiar?