Good catch. Of course, different people wear different shades of hat, and I guess the author might have good rationale for going quite as far as they did, I don't know.
Kudos to the author for alerting DHS. Methodology questions aside, it sounds like the author did a service, by alerting of a technical vulnerability that would be plausible for a bad actor to seek out and successfully discover.
But regardless, I hope any new/aspiring security researchers don't read this writeup, and assume that they could do something analogous in an investigation, without possibly getting into trouble they'd sorely regret. Some of the lines are fuzzy and complicated.
BTW, if it turns out that the author made a legality/responsibility mistake in any of the details of how they investigated, then maybe the best outcome would be to coordinate publishing a genuine mea culpa and post mortem on that. It could explain what the mistake was, why it was a mistake, and what in hindsight they would've done differently. Help others know where the righteous path is, amidst all the fuzziness, and don't make contacting the proper authorities look like a mistake.