"Rasch highlighted concerns that the earlier scope of US anti-hacking law - which only covered unauthorized access, or breaking into a computer - had been amended to cover "exceeding the scope of authorization to access a computer"."

If I surf to a web site, I have remotely accessed the server. If I then use some sort of remotely exploitable privilege escalation, the average jury would have no problem with describing me as a hacker. Rasch's distinction between hacking and exceeding authorisation simply makes no sense when just about every computer larger than a palm top has an OS that enforces multiple levels of authorisation.

Neither does it make any difference that the defendant didn't have to break some clever security to achieve his ends. If I leave my front door open, it is still theft if you walk in and nick my telly.

One can argue whether the sentence isn't too harsh, but he didn't have permission to do what he did with a system that belonged to someone else when he was supposed to be doing something else.