I have never found this analogy compelling for two reasons.
First, your sink is not part of a botnet (assuming it's not a smartsink, I guess). By leaving your machine unpatched, you are causing harm to others.
This makes the ethics of this sort of grey-hat hacking much more murky IMO. I'm willing to concede that the grey-hat behaved unethically, but I also believe that leaving a machine unpatched makes the machine's owner at least somewhat responsible for how that machine is used.
Further, I do not think it's reasonable to both claim that this sort of grey-hat activity is unethical and also claim that owners of unpatched devices have absolutely zero responsibility for how their unpatched machines are used. I.e., if we condemn this grey hat (assuming he simply locked the door and left and did nothing else) then we should also condemn the owners of botnet'd devices for the way in which their negligence causes harm to others.
If others can't break in and fix your stuff when it starts affecting them, then you should be held at least partially responsible for how your stuff is used by criminals.
Second, physical presence can be a privacy intrusion on its own and without any willful intent. E.g., a grey-hat plumber who is purely altruistic might nevertheless accidentally catch a glimpse of you naked. On the other hand, cyber presence almost always requires intentional snooping to cause a privacy violation.