Chin up, CapitalOne: You may not have been the suspected hacker's only victim. Feds fear 30-plus organizations hit

The ex-Amazon software engineer accused of stealing the personal information of 106 million people from Capital One's cloud-hosted databases may have hacked dozens of other organizations. This is according to a filing [PDF] this week by prosecutors in a US federal district court in Seattle, where suspected cyber-thief Paige …

  1. Anonymous Coward
    Facepalm

    Spiteful

    So here we have someone who, even to the most casual reader, obviously doesn't have all their mental ducks swimming in the same direction and they are treated as if they are some cybercriminal mastermind caught sitting on piles of ill gotten gains.

    This looks like a vindictive, spiteful prosecution of someone who is probably more in need of help at a mental hospital than being locked up in a disgusting American prison.

    Is there actually any evidence that she sold any of the data she downloaded? There's a huge difference between downloading stuff to prove that you can and selling it to fraudsters to have fun with.

    1. Mark 85

      Re: Spiteful

      If she pleads "by reason of insanity" or the jury finds for that, she won't go to prison but to a mental facility. Will she get 'help' there? Who knows, as they're marginally better than prison and at least help is offered.

      1. Dal90

        Re: Spiteful

        Any claim of an insanity defense went out the window with her writing, "Ive basically strapped myself with a bomb vest, f***ing dropping capital ones dox and admitting it"

        She was aware of her actions, aware they were wrong, and aware they came with negative consequences for her.

        Whether she's competent to stand trial is more questionable, in which case treatment would only delay a trial.

        1. Michael Wojcik Silver badge

          Re: Spiteful

          Agreed. Also the insanity defense is rarely successful even when a defendant meets the criteria.

          In this case, while I agree Thompson is almost certainly not in good mental health and needs (and deserves) treatment, I think it's also clear that by the current legal standard in the US she's fit to stand trial and receive punishment, including fines and incarceration. Whether the punishment she potentially faces, or whatever she actually ends up receiving, is appropriate and proportional is another question. But unlike some of the people tried for hacking, she appears to have done actual harm.

          For the record, I (like many people in the US) think the statutory punishments for many crimes in the US are grossly excessive; that the US incarceration epidemic is one of our great national disgraces; and that "tough on crime" politicians and their cronies are foolish or immoral. But that doesn't mean that people who knowingly do wrong should suffer no consequences simply because they're somewhat emotionally unbalanced. Plenty of other people in that situation don't go around committing crimes.

          I'd be interested to know whether she ever sought treatment for her mental-health issues. She apparently has been unemployed for nearly three years (which I'm sure takes its toll), but was often employed since 2005, and presumably would have had health insurance during those periods. Did she take advantage of it? Far too many people don't.

    2. Anonymous Coward
      Meh

      Re: Spiteful

      > There's a huge difference between downloading stuff to prove that you can and selling it to fraudsters to have fun with.

      There might be a difference in terms of how many decades of prison time can be added to the sentence of someone found guilty of profiting from accessing the computer systems of a US financial institution without authorization. Selling stolen data to nefarious third parties might add another 20 years in the cooler.

      But unauthorized access to any computer system belonging to a financial institution is a big no-no in the US, regardless of profit motive, and has been so for decades:

      US Computer Fraud and Abuse Act.

      You might argue that the statute is overly broad, or what not, but breaking into a bank's systems and stealing PID just for kicks doesn't go over well.

  2. ecofeco Silver badge

    Like I say, another week...

    ...another hack.

    1. JimboSmith Silver badge

      Re: Like I say, another week...

      This is another example of why I don't like the fact that a year ago we switched to a cloud based HR system using AWS.

      1. Anonymous Coward

        Re: Like I say, another week...

        The number of high profile victims offers a certain level of amusement, along the lines of "haha they got caught out", combined with every IT professional who is responsible for a network also thinking "thank god it wasn't us"....

        1. Mongrel

          Re: Like I say, another week...

          > combined with every IT professional who is responsible for a network also thinking "thank god it wasn't us"....

          ...this time

          1. Richard Jones 1
            Unhappy

            Re: Like I say, another week...

            Or perhaps, maybe it was not us this time, we'll find out later.

  3. JKG
    Alert

    More Info

    This CBS article has more info:

    "Neo Nasrati, CEO of ColumbusSoft, which acquired Seattle Software Solutions from its previous owner, said Thompson was a "very talented 'white hat' ethical hacker" who excelled at testing clients' security systems for flaws."

    "Thompson doesn't appear to have accessed the bank accounts or sold the data. Amazon says the knowledge that was used to obtain Capital One's files was something that could be found out by anyone, and wasn't information that would have been obtained from working at the company."

    https://www.cbsnews.com/news/paige-thompson-what-we-know-about-accused-capital-one-breach-hacker-2019-07-31/

  4. Stevie

    Bah!

    To the organbanks with her!

  5. Michael Wojcik Silver badge

    AWS arguably shares some of the blame

    Cloudflare's Evan Johnson has a good explanation of what Capital One did wrong, and is of the opinion that this kind of problem is difficult to detect and prevent, and that AWS doesn't do enough to help customers secure their systems against it.

    It's interesting to note that the underlying issue was an SSRF vulnerability in a security component - the WAF module. So the Capital One admins had gone to some effort to secure their site using well-known mechanisms, but missed an inobvious vulnerability in a firewall configuration. This is rather different to, say, the Suprema breach, which was straightforward incompetence on the part of the admins; or the now-commonplace "we didn't secure our S3 buckets" failure mode.
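The comment above describes the root cause as an SSRF flaw in a firewall component that let requests be forwarded to internal addresses. The following is an added example, not code from the original thread or from any vendor mentioned here: a defender-side destination check that a proxy or WAF-style component can run before fetching a user-supplied URL. Hostnames, IP ranges and the injectable resolver are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges an outbound fetch must never reach (constructed deny-list):
# loopback, RFC 1918 private space and link-local, which is where
# cloud instance-metadata services live. IPv6 equivalents included.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fc00::/7"),
    ipaddress.ip_network("fe80::/10"),
]


def is_blocked_ip(ip: str) -> bool:
    """True if the address falls in an internal range (IPv4-mapped IPv6 unwrapped)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # e.g. ::ffff:127.0.0.1 is really 127.0.0.1
    return any(addr in net for net in BLOCKED_NETWORKS)


def resolve(hostname: str) -> list:
    """Default resolver: every address the host resolves to (IP literals pass through)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def validate_fetch_target(url: str, resolver=resolve):
    """Return (ok, reason, resolved_ips) for a URL the service is asked to fetch.

    Rejects non-HTTP schemes, embedded credentials, unresolvable hosts and any
    host that resolves to an internal range. Every resolved address is checked,
    not just the first, so a mixed A-record set cannot slip one internal IP past.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed", []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    if parts.username or parts.password:
        return False, "credentials in URL", []
    try:
        ips = resolver(host)
    except (socket.gaierror, ValueError):
        return False, "unresolvable host", []
    blocked = [ip for ip in ips if is_blocked_ip(ip)]
    if blocked:
        return False, f"resolves to internal address {blocked[0]}", ips
    return True, "ok", ips
```

The caller must then connect to one of the returned, already-validated addresses rather than re-resolving the hostname, otherwise a DNS answer that changes between check and fetch defeats the check.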

    1. diodesign (Written by Reg staff) Silver badge

      Re: AWS arguably shares some of the blame

      In the past we've linked to this explanation

      https://blog.cloudsploit.com/a-technical-analysis-of-the-capital-one-hack-a9b43d7c8aea?gi=197e3ae91d85

      Though it's not confirmed exactly how the break-in happened.

      C.
