Story Hook
In 2013, an MIT student named Aaron Swartz downloaded 4 million scientific articles from the paid JSTOR database. He wanted to make them free for everyone; that was his idealism.
JSTOR sued. The prosecutor demanded 35 years in prison and a $1 million fine under the CFAA law.
Aaron took his own life before the trial. He was 26 years old.
This is a story about how the law doesn't care about your intentions. Downloading someone else's data without permission means prison time, even if you're Robin Hood.
Main Rule
Without the owner's written permission, YOU CAN'T DO ANYTHING.
Even if you're just "taking a look". Even if you "didn't hurt anyone". Even if "the company is stupid and it's their own fault". The law looks at one thing: was there permission or not.
Laws in Simple Terms
Russian Criminal Code, Article 272: "Unauthorized Access"
What: any access to information on a computer without permission.
Punishment:
- Basic offense: fine up to 200k ₽ or up to 2 years in prison
- For personal gain: up to 4 years
- By a group or by abusing an official position: up to 5 years
- With serious consequences: up to 7 years
Real case: in 2022, a student from Voronezh broke into the university database to change his grades. He got 3 years' probation plus a criminal record for life. No IT employer will hire him again.
Russian Criminal Code, Article 273: "Creating Malicious Programs"
What: writing or distributing viruses, ransomware, trojans.
Punishment: up to 4 years in prison; with serious consequences, up to 7.
Special note: publishing malware code on GitHub "for educational purposes" can fall under Article 273. Be careful with "hello-world ransomware".
US CFAA: "Computer Fraud and Abuse Act"
What: the American equivalent. Stricter than the Russian Criminal Code.
Punishment: up to 10 years for the first offense. Up to 20 years for repeat offenses. Extradition is possible from 90+ countries.
Special note: the CFAA applies extraterritorially. If you hack an American website from Russia, the US can demand your extradition. It doesn't always succeed, but the risk is real.
GDPR: "European Data Protection Law"
What: leaking the personal data of EU citizens.
Fine: up to €20 million or 4% of the company's annual turnover. Individual hackers are usually punished under local law, and the company gets the GDPR fine on top.
What You CAN Do
There are 4 legal ways to apply your hacking skills:
1. Bug Bounty Programs
A company publicly says "come and hack us according to these rules". Apple, Google, Tesla, Microsoft, Sber. You get paid ($50 to $50,000+).
Where to find: hackerone.com, bugcrowd.com, intigriti.com. Some companies have their own programs (apple.com/security).
Conditions: read the scope carefully; it lists which domains and applications may be tested. If you go out of scope, the law is against you.
2. Penetration Testing with a Contract
You work for a pentest company or as a freelancer. Before each job, a contract and a signed authorization letter are executed. The client gives official permission.
Salary: $50-150k/year for junior to mid-level. Senior: $150-250k. Freelance: $500-2000/day.
Never start work without a contract. Even if the client is a "good acquaintance".
3. Training Platforms (CTF, labs)
HackTheBox, TryHackMe, our platform GuardLabs Labs (coming soon). Specially prepared machines: legal and safe.
Bonus: 80% of employers know these platforms. "Completed HTB Pro Hacker" is a plus on your resume.
4. Your Own Systems
You set up a VM, install vulnerable software (DVWA, Juice Shop, Metasploitable), and hack it. Your hardware, your responsibility, everything is legal.
In Module 2 we'll set up such a VM with Kali Linux together.
What You CAN'T Do (even "for fun")
- Scanning someone else's network (nmap against someone else's IP), even without an attack.
- Brute-forcing someone else's passwords, even if you know the login.
- Logging in with a found password "just to look": that's already unauthorized access.
- Downloading someone else's data "for analysis".
- Testing SQL injection on live websites without permission.
- Using someone else's Wi-Fi network by exploiting protocol vulnerabilities.
- "Reversing" someone else's software if the EULA prohibits it.
- Uploading malware to GitHub "for education": can fall under Article 273.
Gray Area: What's Not Always Clear
Can you ping someone else's server?
Technically, yes. Ping and ordinary nmap scans of public websites are usually not considered an attack. But if you run a massive scan (10,000 packets/second) and the admin notices, they might file a "DDoS attempt" complaint. Better not to.
Can you look for vulnerabilities on an unfamiliar website?
No. Even if you don't do anything with what you find, it's still unauthorized access. If the website doesn't have a bug bounty program, don't touch it.
Can you use a found vulnerability to write "you have a problem"?
That's gray hat. The law is against you. 95% of companies will say "thank you" and won't sue; 5% will. You decide: risk versus wanting to help.
Vibe-task: Ask Claude
Open Claude and ask:
I'm a beginner white hat. Give me 5 bug bounty programs for NEWCOMERS
with a low entry threshold in 2025-2026. For each, specify:
- Platform (HackerOne / Bugcrowd / own)
- Which domains are in scope (what you can practice on)
- Minimum payout
- What they usually respond to (XSS / IDOR / business logic)
- Program URL
You'll get specific programs to apply to after the course. Save the list; it'll come in handy in Module 9.
Main Principle of an Ethical Hacker
"When in doubt, DON'T HACK. Find where you can do it legally."
Everything has a legal way: bug bounty, CTF, your own VM. Why risk a lifetime conviction when there are at least 4 ways to do the same thing legally and get paid?
What's Next
Lesson 1.3: money. Real salaries for junior pentesters, seniors, red team. Stories of people who switched to security from scratch and how much they earn now.