This kind of hair-splitting is why the legal definition of "exceeding authorized access" is so general.

There seems to be a very popular misconception that the law criminalizes "hacking", as in "0-day exploits" and "SQL injection". No: thankfully, the law doesn't so much care about how you get access. It cares that you knowingly access things without permission, no matter how you do it.

So by your lights I could make a copy of a key on your key ring, enter your house, take stuff, and that is fine because your locked door is a public endpoint?

Or if the fact that the key is physical gives you pause, let's say you nave a numeric keypad lock, and at work one day you commented that you had it set to the same setting as the lock at work to make it easy for you to remember. Do I get to take your stuff?

It's funny, these arguments weren't top of mind with regards to the hacking charges against weev or Aaron Swartz. In that case, HN was clear fault lay with AT&T or MIT and the abuse of the word "hacking" was a horrible miscarriage of justice.

Accessing a public endpoint has been prosecuted before. http://arstechnica.com/tech-policy/2013/03/auernheimer-aka-w...

True. And many, many people had trouble with that decision - many of them members of HN. Just because it's been prosecuted doesn't make the outcome any less right or wrong.

Of course - I think it was probably wrong too, though this isn't realy the place. But OP was talking about the legal line.

"any after-the-fact declaration that someone didn't want someone else looking at something."

I think putting password protection on something isn't "after-the-fact", it's pretty obvious they didn't want someone else looking.