Forgot your password?
typodupeerror
Canada Crime Encryption Privacy Your Rights Online

RCMP Arrest Canadian Teen For Heartbleed Exploit 104

Posted by timothy
from the they-got-their-man dept.
According to PC Mag, a "19-year-old Canadian was arrested on Tuesday for his alleged role in the breach of the Canada Revenue Agency (CRA) website, the first known arrest for exploiting the Heartbleed bug. Stephen Arthuro Solis-Reyes (pictured) of London, Ontario faces one count of Unauthorized Use of Computer and one count of Mischief in Relation to Data." That exploit led to a deadline extension for some Canadian taxpayers in getting in their returns this year. The Register has the story as well. The Montreal Gazette has some pointed questions about how much the Canadian tax authorities knew about the breach, and when.
This discussion has been archived. No new comments can be posted.

RCMP Arrest Canadian Teen For Heartbleed Exploit

Comments Filter:
  • Good. (Score:5, Insightful)

    by jellomizer (103300) on Thursday April 17, 2014 @10:20AM (#46778869)

    I for one welcome arresting people who seem to think it is a good idea to enter someones home just because they didn't get to update all their locks on their home.

    Sure it is easy to update your PC, but if you have a mission critical application running, you need to make sure you take all the right steps even with the security vulnerability to make sure it doesn't go down.
     

    • Re: (Score:2, Funny)

      by Anonymous Coward

      I for one ...

      Can we somehow stop the "I for one" lead-ins on /.? I for one would welcome the change.

      • by Anonymous Coward

        I for one support this idea.

    • Sure. I'd agree with that.

      What I wouldn't agree with however would be blood-seeking legislation that does not carefully factor in the disparity in the actions taken by computers and their owners. There's a reasonable debate to be had about responsibility and negligence, but proving beyond reasonable doubt that the attack was actually perpetrated by Mr. Roger B. Jones, with intent, is much harder than proving an attack originated from an IPv4 block assigned to his ISP, and possibly allocated by DHCP at that
      • Legislation of crimes and penalties really isn't related to how we establish guilt. While I agree with your points individually, I don't see the connection.

    • by grumpyman (849537)
      I think the arrest is warranted. However, WTF is wrong with CRA people, seriously. Shut the damn thing down as soon as they find out it is vulnerable.
      • by Joce640k (829181)

        You COULD prevent millions of people from being able to do their job, ... or ... just turn off the heartbeat feature.

        (And set up a honeypot it its place to catch the bad people)

    • Re:Good. (Score:5, Insightful)

      by neoform (551705) <djneoform@gmail.com> on Thursday April 17, 2014 @11:35AM (#46779645) Homepage

      >I for one welcome arresting people who seem to think it is a good idea to enter someones home just because they didn't get to update all their locks on their home.

      I think your example is a bit too gentle.

      This is more like someone kicking your locked front door down and pointing out that your door isn't strong enough to prevent someone from kicking it down.

      The system was "locked" for all intents and purposes, as best the system administrators knew how to lock it. It wasn't because they were lazy or forgot, they just didn't know the door had any weaknesses.

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Guys, a "system" is not a physical door, there is no material damage, you can load it back right up. also piracy isn't stealing, it's copying. get a grip on the metaphors, i'm sick of hearing ppl like you all the time. You are the reason you can go to jail for decades over using a keyboard.

    • It'll be more interesting when they catch someone who did use the heartbleed bug before it was revealed publicly.
    • by Anonymous Coward

      I do think you are right about the illegality, but that is a really bad analogy.

      First, most of these are public facing servers asking for people to come in.
      Second, he for your analogy basically stood outside and asked for some secrets and the homeowner yelled them back at him.
      Third, it seems like we could make the use of whatever secret information (that is where the actual harm comes) used as basis of an illegal act, not the fact that he got them.

      • by EvanED (569694)

        Second, he for your analogy basically stood outside and asked for some secrets and the homeowner yelled them back at him.

        That's like saying someone who breaks into a house by throwing a brick through the window merely lets go of a brick when it has a particular trajectory and the glass just got out of their way.

  • So you do something stupid like that in the US or Canada or England or any other civilized area and you get caught in like a day. Do it in Russia or Indonesia or Turkey or Israel (mega malware hotbeds) and you might get caught somewhere between 2 years and never. Where is the UN on this one? OHHHHH THAT'S RIGHT it's all old people who don't know a thing about technology. That explains the problem.
    • by Anonymous Coward

      OHHHHH THAT'S RIGHT, they're not a law enforcement agency and have absolutely nothing to do with this

      FTFY

  • I imagine this kid will get what he deserves, but what about the CRA? They should've immediately taken their servers offline until they were patched. Will anyone get any heat for that?

    • by Godai (104143) * on Thursday April 17, 2014 @10:27AM (#46778929)

      The Montreal Gazette article covers that. They asked a computer security consultant and he said the 24-hour delay was pretty reasonable given the impact taking down the site would have on people given the timing (tax season); not so much that they waited before doing it so much as it was a reasonable time to discuss it and come to a decision. So my guess is that no one will get burned over that.

      The real questions are fairly simple: when did the breach occur, and how did they know? Also, how did they know 900 SIN numbers were taken and how do they know more weren't? None of these are necessarily conspiracy-esque questions, but they're relevant. Though it sounds like the CRA may not be at liberty to say anything about some (or any) of that, having been asked by the RCMP not to while they firm up charges.

      • by grumpyman (849537)
        FYI I also recall CRA claims other than those SIN, the system was not breached before.
      • Re: (Score:2, Interesting)

        by Anonymous Coward

        The real questions are fairly simple: when did the breach occur, and how did they know? Also, how did they know 900 SIN numbers were taken and how do they know more weren't? None of these are necessarily conspiracy-esque questions, but they're relevant. Though it sounds like the CRA may not be at liberty to say anything about some (or any) of that, having been asked by the RCMP not to while they firm up charges.

        Full packet capture, probably. Just record all traffic (or only traffic to port 443) and then grep through it. All the common Heartbleed scripts don't bother setting up the encryption, just begin the handshake, fire off an unecrypted heartbeat request, get unecrypted response and disconnect. They could tben dig through responses and find which accounts got leaked.

        Or maybe even without raw traffic capture - suspicious activity on port 443 + everyone who accessed their accounts in that timeframe.

      • According to the statement [cra-arc.gc.ca] on the CRA web site, it was security agencies that told the CRA that 900 SINs were stolen:

        Regrettably, the CRA has been notified by the Government of Canada's lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period. Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability. We are currently going through the painstaking proc

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      faces one count of Unauthorized Use of Computer and one count of Mischief in Relation to Data.

      Stuff like this makes me happy to be Canadian.

      He is being charged with what he did, and will probably be given a sentence in line with the severity of his crime. If this happened in the US he'd probably be branded a terrorist and be on his way to gitmo right now.

  • Script Kiddy (Score:4, Insightful)

    by RichMan (8097) on Thursday April 17, 2014 @10:30AM (#46778975)

    Ah the brilliance of youth -
    "I have a script for an exploit"
    "I can try it against the tax man"
    "I won't get caught"
    "I'm not going to use the results so no-bad"

    "Hey what's with the cuffs!"

    • The brilliance of government systems:

      "Hey we wrote a web application the whole country uses to submit their taxes"
      "Hey, any script kiddy in the world can hack it using a well known exploit and thousands of proof of concept scripts found online"
  • by hessian (467078) on Thursday April 17, 2014 @10:37AM (#46779065) Homepage Journal

    Here in USA it's being reported this way:

    "Heartbleed hacker caught in Canada"

    Translation:

    Media sheep, go back to sleep. We caught THE hacker responsible for Heartbleed, thus it can fall into the memory hole. Any concerns you may have about your fellow citizens, their business interests or governments monitoring you, or perhaps about the general competence of software development (!!!) can also go back to sleep.

    Sleep, sleep my lovelies. Tomorrow there is obedience at school/job, and then shopping and sexy videos on the internet. Sleep, sleep.

    • by gl4ss (559668)

      yeah, it's a shame.

      and I bet some asshats will stop from patching because the "hacker is already in jail".

    • by tomhath (637240)
      You mean like this one from Fox [foxnews.com]? I guess they don't fit your fantasy of "amerika".

      Police say Canadian man used Heartbleed virus to steal personal info

      Police in Ontario, Canada have accused a 19-year-old man with exploiting the Heartbleed computer virus to steal personal data of over 900 taxpayers...

      • Overly paranoid original poster aside, I don't think this story is much better, given Fox apparently thinks Heartbleed is a virus...
        • It's quite cringe-worthy view if you look at all the stuff that is tweeted with the hashtag #HeartbleedVirus [twitter.com]. :)
        • Overly paranoid original poste

          NSA isn't spying on Americans. You disagree? You're overly paranoid.

          That's a common tactic used by Communists and other totalitarians to silence dissent.

          Oh wait, I see:

          It's not about what you think, it's about how you treat other people and how you deal with being, quite legitimately, associated with a set of actions (whatever the motive) that many find offensive.

          That's from your journal [slashdot.org] where you as an apologist for censorship endorse the idea of firing people for having "offe

          • I thought we'd moved on past the putting words in people's mouths BS.

            1. The paranoia in the original post that I was refering to was the notion that the Canadian press had concocted a headline with the intention of providing a world wide news story that would make everyone think that Heartbleed isn't a story. I don't know where the fuck you get any other interpretation from.

            2. I haven't apologized for censorship anywhere, neither in the comment you quote, nor anywhere else. The fact you think that Eich

      • Police say Canadian man used Heartbleed virus to steal personal info

        Other than the fact that they misidentify an exploit as a virus, you're telling me that Fox News has a better headline?

        Fox News, that I'm told like the Daily Mail in UK is nothing but a tabloid that no one serious reads? And that's supposed to be completely unrelated to it being one of only a few media sources that are right-wing?

        Do tell.

  • by dcollins117 (1267462) on Thursday April 17, 2014 @10:37AM (#46779067)

    I like the name of the "Mischief in Relation to Data" charge. It sounds vague enough it could mean just about anything.

    Heck, this might even be on my resume, I'll have to check.

    • by compro01 (777531) on Thursday April 17, 2014 @11:03AM (#46779315)

      It does have a somewhat specific legal meaning. [justice.gc.ca]

      (1.1) Every one commits mischief who wilfully
              (a) destroys or alters data;
              (b) renders data meaningless, useless or ineffective;
              (c) obstructs, interrupts or interferes with the lawful use of data; or
              (d) obstructs, interrupts or interferes with any person in the lawful use of data or denies access to data to any person who is entitled to access thereto.
      ...
      (5) Every one who commits mischief in relation to data
              (a) is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years; or
              (b) is guilty of an offence punishable on summary conviction.

      • It does have a somewhat specific legal meaning.

        In that case I shall remove that phrase from my resume posthaste.

      • by gregmac (629064)

        That's an interesting wording. It does seem like a pretty flimsy charge for what actually happened. A copy of the data (SIN numbers) was read from memory. CRA could continue to use that data to process tax returns (or whatever other purpose) regardless of if the data was read or not. The language is around "denied access to a person entitled" as opposed to "granted access to a person NOT entitled" (which is really what happened).

        Analogy.. Going into your house and stealing your TV interrupts your ability to

        • by Anonymous Coward

          This is more like making a copy of the old credit card carbon copy slips; it doesn't appear to have any effect on the credit card itself, however it can be used for fraudulent purposes. In Canada, the SIN (Social Insurance NUMBER), is used by CRA, banks and potential employers, which means that being able to associate name, address, and SIN renders the information ineffective as a private/unique identifier.

        • by ceoyoyo (59147)

          Interferes with someone in the lawful use of data would seem to cover it.

        • by Mashiki (184564)

          Here in Canada, we use common law as the basis of our legal code. So the wording really interesting, what you're actually missing is the case law behind how the law has developed and why mischief is actually a fairly serious crime on the books here. If you're actually interested, you can go over here [canlii.org] and start looking through the vast library of it.

          Anyway, for your analogy, that comes under several different laws. Mischief(interrupting the cable service on your end), theft of service(from the provider an

        • by Mashiki (184564)

          Here in Canada, we use common law as the basis of our legal code. So the wording really interesting, what you're actually missing is the case law behind how the law has developed and why mischief is actually a fairly serious crime on the books here. If you're actually interested, you can go over here [canlii.org] and start looking through the vast library of it.

          Anyway, for your analogy, that comes under several different laws. Mischief(interrupting the cable service on your end), theft of service(from the provider an

      • by Entropius (188861)

        Are my students guilty of "mischief in relation to data" by 1.1b after the garbled lab reports they sometimes hand in?

      • IE, a polling organization conducts a poll for a vendor with a cost of one million dollars to the vendor to see which is the preferred widget, X or Y. Then, some third party comes along and points out a flaw in their testing methodology, thus invalidating all of the collected data.

        That third party has "rendered that data meaningless, useless, or ineffective" and thus could be found guilty under this statute as worded.

        This is just off the top of my head with 5 seconds thinking on it, I am sure many many suc

        • by compro01 (777531)

          Whoever got this on the books should be drawn and quartered.

          That would be Mulroney. "Mischief in relation to data" was added to the criminal code by the Criminal Law Amendment Act, 1985.

    • by wonkey_monkey (2592601) on Thursday April 17, 2014 @11:14AM (#46779437) Homepage

      It won't go anywhere. They'll let him plea bargain to Second-Degree Shenanigans and that'll be the end of it.

      • by Mashiki (184564)

        Protip: In Canada, the courtroom is owned by the judge. Not the crown, the crown can offer whatever they want. The judge however can slap them with whatever sentence they want, that however can end up before the superior court(think state level supreme), which may decrease the sentence or even increase it if they think it isn't severe enough.

    • by BoberFett (127537)

      Dcollins collins bo bollins, banana fana focollins, fe fi mocollins, collins!

      Oh shit...

  • by xxxJonBoyxxx (565205) on Thursday April 17, 2014 @10:49AM (#46779161)

    >> The Register has the story as well

    Duh - the Register is where most of us read the story so we'll know what to write when the same news appears on SlashDot tomorrow.

  • by mfh (56)

    I've talked to an accountant about this and we're both convinced this was an RCMP sting. They announced there was a vulnerability on their website about six hours before they patched it. That's either totally stupid and insane, or it was a police sting and they were just waiting to see who would be stupid enough to try and break in through the open door. Please have a seat.

  • Meanwhile, government agencies use the same exploit without any fear of retaliation (even buys them with your money)

    http://www.wsws.org/en/article... [wsws.org]

  • He attacked early. Did he wrote the attack tool himself? Or did he received it from someone else?

The study of non-linear physics is like the study of non-elephant biology.

Working...