This guy had no business doing what he did. AFAIK you need a signed agreement with the company in question to perform penetration testing, otherwise it's illegal, no matter what your motivations are.
While that may be true, that doesn't appear to be the judge's rationale for convicting the kid.
It sure sounds like the judge is rationalizing the ostrich strategy when he says that the kid's actions had 'real consequences and very serious potential consequences' for Facebook. Those consequences existed not because of the kid's actions but because of Facebook's security failings. Even if the kid had done nothing, those vulnerabilities would still be there and Facebook (and more importantly Facebook's users) would have faced just as much, if not more, risk than they did if the kid had done nothing.
26 isn't really a "kid", is it? But true, they should have granted him more benefit of the doubt of what his intentions were. But still, one cannot simply go hacking stuff and say you're "pen testing". Penetration testing has procedures that need to be followed to avoid getting into shit like this guy.