Would you be outraged if you came home one day and there was a plumber fixing your sink? “Oh hi, don’t worry about me, just fixing your sink. Let myself in, hope you don’t mind”
You didn’t even know your sink was leaky let alone called a plumber.
I have never found this analogy compelling for two reasons.
First, your sink is not part of a botnet (assuming it's not a smartsink, I guess). By leaving your machine unpatched, you are causing harm to others.
This makes the ethics of this sort of grey-hat hacking much more murky IMO. I'm willing to concede that the grey-hat behaved unethically, but I also believe that leaving a machine unpatched makes the machine's owner at least somewhat responsible for how that machine is used.
Further, I do not think it's reasonable to both claim that this sort of grey-hat activity is unethical and also claim that owners of unpatched devices have absolutely zero responsibility for how their unpatched machines are used. I.e., if we condemn this grey hat (assuming he simply locked to door and left and did nothing else) then we should also condemn the owners of botnet'd devices for the way in which their negligence causes harm to others.
If others can't break in and fix your stuff when it starts effecting them, then you should be held at least partially responsible for how your stuff is used by criminals.
Second, physical presence can be a privacy intrusion on its own and without any willful intent. E.g., a grey-hat plumber who is purely altruistic might never-the-less accidentally catch a glimpse of you naked. On the other hand, cyber presence almost always requires intentional snooping to cause a privacy violation.
Its all about how its approached... and its sort of a little bit about how your personality is.
I came home one day to a note on my inner garage door: "you left your door open, I closed it for you ;)". No name, nothing... just someone entered my garage, wrote a note, closed it and left.
I took a quick survey to see if any of the obvious valuable items were disturbed or missing and none were. I was more upset with myself for letting that happen then a stranger "fixing" my security vulnerability.
EDIT: and another anecdote was that my neighbor let himself into my house once when a water leak was discovered outside so the water could be shut off. Saved me thousands in potential damages that he caught it early... I can't say I'd be all that upset finding a plumber under my sink fixing something but that's just me.
If your sink was clogged and running and flooding the apartment below you, it would be perfectly reasonable for someone to kick your door down and turn the water off.
I've never come home to an unexpected plumber, but did have a greyhat "fix" my stuff once, and wasn't outraged at all. It felt like an intrusion, but I was grateful.
In ~ 2002 I was off to college with my Linux workstation. IIRC, the vulnerability was in the CUPS web UI. Someone filled the volume with a giant /tmp/YOUR_SYSTEM_IS_INSECURE_UPDATE_NOW file, and shutdown the affected service.
Actually I once heard a story of a neighbor who let themselves in when the house was literally flooding and he saved the owner thousands of dollars worth of damage.
That's more like what's happening with these patched routers.
I also heard a story of a guy who's house burned down. The neighbor saw it very early and did nothing about it cuz not her problem. The homeowner was devastated.
So yes, if you see incredible destruction going on, it's ok to go fix it.
Certainly in Texas I would be extra careful. Either way, have someone standing outside to advise the homeowner or cops what is going on. Also call the police ahead of time and tell them what you intend to do. Maybe even ask for an officer to assist.
Better get a friend with a firearm to stand guard at the door if you must take that kind of measure. US police are ill-disciplined, trigger-happy and uninformed about the law.
What I mean is, have the police enter the home for you. They will do this if there is a threat. In smaller towns, they will likely do this even if the threat is only financial damage to the home-owner.
Also, how many times have you seen someone's fly undone and very quietly and unobtrusively informed them of the fact? You can get quite different reactions, everything from grateful thanks to "how dare you inform me that I am embarrassing myself" or just be ignored.
Different people will react differently to any help you may give them. In this case, one could possibly agree that getting these machines locked down so they longer present as a threat to others is the moral thing to do, irrespective of the legality of the action.
But that is a judgement call for the individual to make knowing that there are potential consequences for their actions.
This is not a valid analogy, unless you broken sink was causing your neighbors sinks to break as well.
And in the case of an multi-tenant building, if one person's actions (or lack of action) was causing problems for other tenants, you can safely assume the landlord would let themselves in to fix it.
I don't have a strong opinion about this case, but it would be more correct to compare it to this situation:
You come home one day, entering by the main door as usual, and when going down in the garage you notice the key on the floor with a message saying: "Your garage door were not locked and everybody knew about it, so I came in to take the key on the inner lock, closed it from outside and slipped the key back under the door so nobody else with bad intentions can enter anymore".
In the situation you described I would be pissed off, but not in this one, and IMHO it is closer to this case.
There's the added wrinkle of "... and there's a band of criminals in the area that we know likes to secretly hide in the remote, infrequently used closets of people's houses, where they plot and execute break-ins, thefts, kidnappings, and acts of terrorism."
The fact is that the greyhat could intrude, which means anyone else could intrude. If you didn't want him there you should have patched your damn router. There is no point in being outraged because you have already been owned, and the grey did you a favor. Now, there's no need to thank them, but being mad is totally counterproductive. Learn the lesson, patch your router.
If your home had a ruptured pipe, that was spraying sewage all over the sidewalk, I think someone stepping onto your property, and turning the firehose of shit off would be behaving ethically.
Trespass to save people from themselves is one thing. Trespass to save the public is quite another.
In this case it would be getting back home seeing a note saying "Fixed :)".
So yes, it's actually fixed, but now you know that someone you don't know broke into your house without permission nor supervision and you don't know what he's done/seen/stolen in your house.
It is more like you returning from vacation to your apartment and see all your carpets torn up, huge dehumidifiers going at full blast and some trades people milling about because your toilet leaked and flooded your neighbor below.
That's an inappropriate analogy because it has nothing to do with security.
A more appropriate one would be a stranger changing your lock for you because vagrants have been going in and out of your house without you realising.
Now doesn't that sound more appropriate, good neighbourly and helpful? What do you have to be outraged about?
If you had a problem with strangers violating your property you should have fixed it yourself before it became common knowledge in the neighbourhood that your house is easy to walk in and out of without your consent.
I don't think a locksmith would be any better. How happy would you be if you came home and a locksmith had replaced all your locks because they were too easy to pick? Would you trust the new locks? Would you be worried about what else he did while he was there? Would you be upset that he didn't ask first?
If you think of this like physically accessing your house, it's going to seem bad. That's probably why people got upset.
If your house has a gas leak, in the UK the local gas distribution network has the right to enter your property to stop the leak because it may well cause damage, injury or even death.
Isn't it more like a locksmith letting himself in because your lock wasn't working as it should and he fixed it?
Without going any further in than he had to and without charging you? I'd probably be a bit weirded out but quite pleased as long as he didn't hang around!
I guess this is part of the issue... even for people who have an understanding of it, it's a nuanced topic and the analogies are widespread but often misleading, because they're analogous. I'd imagine most people don't even care so long as they can access facebook.
Occasionally I see a car with the window down, that someone appears to have parked and left mistakenly accessible. When I was younger I'd have opened the door and wound the window up (checking for pets and other occupants obvs). Now, I leave the car alone because if someone comes back at the wrong moment it just looks like you're breaking in.
Would you be outraged if you came home one day and there was a plumber fixing your sink? “Oh hi, don’t worry about me, just fixing your sink. Let myself in, hope you don’t mind”
You didn’t even know your sink was leaky let alone called a plumber.