I didn't say it was legal, I just said it was a bad analogy.

If you setup a directory /admin on your webserver, and forget to password protect it, and someone accesses it, you can't really call it hacking.

That's still a bad analogy, and you've used it way too many times in this thread.

Whether or not accessing anything on a webserver is illegal depends partly on your intentions while doing so. That's a basic function of most court trials--to discern your intentions. For example, see the differences between the various degrees of murder, and the way such trials often hinge on "preconceived intent."

If my intention in accessing "/admin" was to access your server without your authorization to access some protected piece of information, damage computers, or defraud you, that may indeed be a crime. See http://www.law.cornell.edu/uscode/18/1030.html . It doesn't matter whether it was password protected or not. If I went there by accident, however, it probably was not a crime, although depending on what I accessed I may wind up having to go to court to prove that my intentions were benign.

You absolutely can call it hacking, and people have been prosecuted for things like that. How much simpler can I say it? The difficulty of an attack has nothing whatsoever to do with the severity of the resulting offense. Difficulty is just one measure that can be used to establish your purposefulness in exploiting unauthorized access.

> The difficulty of an attack has nothing whatsoever to do with the severity of the resulting offense.

My point which you gloss over is in the definition of "attack".

Whether browsing to a publicly accessible url with no security is an attack or not, is a very grey area.

No, it's not a grey area. The "public accessibility" of a URL may serve as evidence that you had no criminal intent (because you didn't have to "jimmy the lock" to get in), but if you then do things with that access, you're criminally liable.