Hacker Paige Thompson is FREE (‘Because Transgender Status and Mental Health Issues’)

Capital One hacker Paige A. Thompson is still guilty, but her sentence is “time served and probation.” The judge went easy “because of her mental health and transgender status,” according to the sore losers at the Department of Justice.

Lest we forget, Capital One’s security design was hot garbage—misusing identity and access management (IAM) features in Amazon Web Services (AWS). As a direct result, the company was fined $80 million.

It’s fair to say Thompson was an ethical hacker. She could have gone about it better, but imprisoning a whistleblower is never a good look—regardless of gender identity. In today’s SB Blogwatch, we are scrupulously fair.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: The re-org rag.

‘Not What Justice Looks Like,’ Whines DoJ

What’s the craic? Renata Geraldo reports—“No prison for Seattle hacker”:

Attempting to collect a bounty
Convicted in June on seven hacking-related charges … Paige Thompson was sentenced Tuesday to time served and five years of probation for violating … the Computer Fraud and Abuse Act. … Arrested in July 2019, Thompson remained jailed until November of that year.

At the sentencing hearing, U.S. District Judge Robert Lasnik said time in prison would be particularly difficult for Thompson. … The hearing to determine the restitution amount Thompson must pay is scheduled for Dec. 1.

Thompson had contended she was attempting to collect a bounty for spotting the vulnerability in the systems of the companies she hacked. … In a letter advocating for Thompson, a friend wrote that “Paige saw a situation where the information on which the financial system depends for its security was left utterly unguarded. … Any random person with a computer could commit nearly limitless fraud.”

On the other hand? Claudia Glover fits perfectly—“Former AWS engineer … will face no further jail time”:

I believe in her
Thompson, whose online alias was “erratic”, [had been] convicted of seven counts of wire fraud after uncovering Capital One’s misconfigured AWS storage buckets in 2019. … US Attorney Nick Brown expressed consternation: … “We are very disappointed with the court’s sentencing decision. This is not what justice looks like.”

Asking the court to impose a seven-year sentence, the prosecution [had] outlined how the former Seattle tech worker had built a tool to scan the web for misconfigured AWS accounts, hacking and downloading the data of more than 30 companies including Capital One. … “Thompson’s crimes were fully intentional and grounded in spite, revenge and wilful disregard for the law. She exhibited a smug sense of superiority and outright glee while committing these crimes. [She] was motivated to make money at other people’s expense, to prove she was smarter than the people she hacked and to earn bragging rights in the hacking community.”

Judge Lasnik is aware of the danger that Thompson will commit further crimes outside of jail: “If that does happen … I’ll admit my mistake. I believe in her and believe she will prove this is the right sentence.”

Is that a fair sentence? Or does the DoJ have a right to be disappointed? John69 runs a thought experiment:

Disappointed with whom? The hacker does [jail time], those responsible for security who put all that data in a “cloud bucket” … that was not properly secured do not. Which is what justice looks like?

But she was convicted on several counts. RightSaidFred99 shrugs:

Meh. Yeah I don’t think punishments for first or even second offences need to be that severe.

What I’m ***ing sick of though, is violent scum filth being let back on the streets to kill actual humans. I don’t understand our justice system — case after case of “well, the murderer/rapist had a rap sheet a mile long including assault, sexual assault, armed robbery, etc.”

What the ****? First offense for any kind of serious violent crime should be very severe, then any other serious violent crimes and it’s time to throw away the key and keep the garbage in a cage for life.

Is that up to the judge? Yes, argues doublelayer:

The judge’s role is to look at the evidence and the law and assign an appropriate sentence, keeping in mind that the law may state sentencing requirements or recommendations that limit their power. We are not only worthy of second-guessing that decision, but it is meritorious for us to do so in our role as citizens. … If we think that the sentences are consistently unethical … it’s a thing that we, through our democratic processes, can change.

Part of [justice] is ensuring that new crimes are not committed—by this defendant or by others. Inadequate penalties can produce bad results, but massive deterrents aren’t perfect either. Some degree of equality in justice is important as well.

Do you grok the “transgender” angle? If not, azrazalea is here to help:

The reason why Transgender status matters: … Regardless of anyone’s feelings on justice being served or not, trans people are often put in prison with the gender they were assigned at birth not the gender their body [and/or] identity currently matches.

This, combined with the prison staff and inmates having [antagonistic] attitudes towards trans people … results in incredibly high abuse, murder, and rape rates for trans prisoners. The judge most likely made the decision he did because he didn’t feel Paige deserved rape and death for what she did.

And the mental-illness angle? This Anonymous Coward’s apologia is unapologetic: [You’re fired—Ed.]

If you think mental illness is a get out of jail free card, I can only assume you have neither lived with a serious mental illness or been close to someone who has had one. Free, it is not. Grow up.

But misexistentialist is brimming with agency:

[I] doubt many hackers of any description will do well in a prison population of rapists and murderers. That’s why there are prisons for non-violent offenders.

It’s at times like this that we turn to JumpinJack to bring us back to reality:

Security vendors love them their hackers. … Cap One had oodles and scads of infosec **** platform protections in play and this entity called Paige wandered in and made off with all them goods. Bet on this: the information security vendors what had their wares installed and whatnot in the Cap One data tank went to the soon to be sacked CIO and minions and declared, “BUY MORE OF OUR FLAWED **** BECAUSE YOU DIDN’T HAVE ENOUGH OF OUR FLAWED **** RUNNING IN YOUR SWISS CHEESE ENVIRONMENT!”

So Cap One did buy more. … And the Cap One brass was all like the Girl With The Faraway Eyes, sitting in the corner looking a little bleary, cheque books at the ready. Like Mick sings: When you are down on your luck and you can’t harmonize, buy another firewall for the girl with the faraway eyes.

Meanwhile, SuperKendall is not an ally:

I guess her pronouns are now free/freer.

And Finally:

Mommy, where do Site Reliability Engineers come from?

Hat tippage: Kevin Beaumont and Sharon Florentine


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Paige A. Thompson

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
