You've been SHODAN'd (praetorianprefect.com)
14 points by Prefect on Nov 26, 2009 | 3 comments


There is a very fine, often moveable, always unpredictable line between what's considered "in plain view on the network" and what's considered "intrusion". People have been convicted of felonies for crossing that line with no malicious intent.

It's also one of the great slippery slope arguments in my field. As anyone who's ever played with Metasploit on a big network knows, what's in "plain view" depends entirely on how good your optics are.


SHODAN will definitely motivate network and server administrators to stay up to date with the latest vulnerabilities. It could possibly even be used by them to test to see if their servers are vulnerable.

Overall I don't think that will have an overly negative effect. Instead, like any other dangerous tool, it will cause people to find a way to limit the danger that it poses, and that means that they will work harder to make sure that their servers are up to date and as secure as possible.


When an entity only advertises a domain name www.domain.com rather than the URI http://www.domain.com/, then as far as I am concerned, I have been invited to query that server concerning the services it offers, namely: a portscan.

For instance the page at http://www.amazon.com/ contains an advertisement that simply says "amazon.com". So I should scan it to see what they offer. It might be http / https / irc / echo / heck even a shell for all I know. If it were "1 Amazon Street" I would be perfectly entitled to arrive at that building and see if any entrances were open to the public.

It might say "Amazon club card holders only" on a door and I might be asked for my card should I try to gain entrance. It would only be "criminal" if I decided to gain entrance despite such constraints.
