RCMP Arrest Canadian Teen For Heartbleed Exploit
According to PC Mag, a "19-year-old Canadian was arrested on Tuesday for his alleged role in the breach of the Canada Revenue Agency (CRA) website, the first known arrest for exploiting the Heartbleed bug. Stephen Arthuro Solis-Reyes (pictured) of London, Ontario faces one count of Unauthorized Use of Computer and one count of Mischief in Relation to Data." That exploit led to a deadline extension for some Canadian taxpayers in getting in their returns this year. The Register has the story as well. The Montreal Gazette has some pointed questions about how much the Canadian tax authorities knew about the breach, and when.
Good. (Score:5, Insightful)
I for one welcome arresting people who seem to think it is a good idea to enter someone's home just because they didn't get to update all their locks on their home.
Sure it is easy to update your PC, but if you have a mission critical application running, you need to make sure you take all the right steps even with the security vulnerability to make sure it doesn't go down.
Re:Good. (Score:5, Funny)
Ok, thanks for that, we have the moderate perspective covered. Anyone feel like voicing a hard line?
Re: (Score:2)
I was going to suggest going North Korean on his ass. Death by mortar fire, death by flame thrower or death by hungry dogs? It's just so damned hard to choose.
Re: (Score:2)
Not to worry, he'd be saved by Mr. Canoe Head.
Re: (Score:2, Funny)
I for one ...
Can we somehow stop the "I for one" lead-ins on /.? I for one would welcome the change.
Re: (Score:1)
I for one support this idea.
Re: (Score:3)
What I wouldn't agree with however would be blood-seeking legislation that does not carefully factor in the disparity in the actions taken by computers and their owners. There's a reasonable debate to be had about responsibility and negligence, but proving beyond reasonable doubt that the attack was actually perpetrated by Mr. Roger B. Jones, with intent, is much harder than proving an attack originated from an IPv4 block assigned to his ISP, and possibly allocated by DHCP at that
Re: (Score:2)
Legislation of crimes and penalties really isn't related to how we establish guilt. While I agree with your points individually, I don't see the connection.
Re: (Score:2)
You COULD prevent millions of people from being able to do their job, ... or ... just turn off the heartbeat feature.
(And set up a honeypot in its place to catch the bad people)
Re:Good. (Score:5, Insightful)
>I for one welcome arresting people who seem to think it is a good idea to enter someone's home just because they didn't get to update all their locks on their home.
I think your example is a bit too gentle.
This is more like someone kicking your locked front door down and pointing out that your door isn't strong enough to prevent someone from kicking it down.
The system was "locked" for all intents and purposes, as best the system administrators knew how to lock it. It wasn't because they were lazy or forgot, they just didn't know the door had any weaknesses.
Re: (Score:2, Insightful)
Guys, a "system" is not a physical door, there is no material damage, you can load it back right up. also piracy isn't stealing, it's copying. get a grip on the metaphors, i'm sick of hearing ppl like you all the time. You are the reason you can go to jail for decades over using a keyboard.
Re: (Score:1)
Nobody is going to catch the NSA...
Re: (Score:1)
I do think you are right about the illegality, but that is a really bad analogy.
First, most of these are public facing servers asking for people to come in.
Second, he for your analogy basically stood outside and asked for some secrets and the homeowner yelled them back at him.
Third, it seems like we could make the use of whatever secret information (that is where the actual harm comes) used as basis of an illegal act, not the fact that he got them.
Re: (Score:1)
That's like saying someone who breaks into a house by throwing a brick through the window merely lets go of a brick when it has a particular trajectory and the glass just got out of their way.
Re: (Score:2)
I wonder what the solution is. My kid isn't going to have those limitations, even comcast is vastly superio
interesting (Score:1)
Re: (Score:1)
OHHHHH THAT'S RIGHT, they're not a law enforcement agency and have absolutely nothing to do with this
FTFY
And how about the CRA? (Score:1)
I imagine this kid will get what he deserves, but what about the CRA? They should've immediately taken their servers offline until they were patched. Will anyone get any heat for that?
Re:And how about the CRA? (Score:5, Informative)
The Montreal Gazette article covers that. They asked a computer security consultant and he said the 24-hour delay was pretty reasonable given the impact taking down the site would have on people given the timing (tax season); not so much that they waited before doing it so much as it was a reasonable time to discuss it and come to a decision. So my guess is that no one will get burned over that.
The real questions are fairly simple: when did the breach occur, and how did they know? Also, how did they know 900 SIN numbers were taken and how do they know more weren't? None of these are necessarily conspiracy-esque questions, but they're relevant. Though it sounds like the CRA may not be at liberty to say anything about some (or any) of that, having been asked by the RCMP not to while they firm up charges.
Re: (Score:2, Interesting)
>The real questions are fairly simple: when did the breach occur, and how did they know? Also, how did they know 900 SIN numbers were taken and how do they know more weren't? None of these are necessarily conspiracy-esque questions, but they're relevant. Though it sounds like the CRA may not be at liberty to say anything about some (or any) of that, having been asked by the RCMP not to while they firm up charges.
Full packet capture, probably. Just record all traffic (or only traffic to port 443) and then grep through it. All the common Heartbleed scripts don't bother setting up the encryption, just begin the handshake, fire off an unencrypted heartbeat request, get unencrypted response and disconnect. They could then dig through responses and find which accounts got leaked.
Or maybe even without raw traffic capture - suspicious activity on port 443 + everyone who accessed their accounts in that timeframe.
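The detection idea in the comment above, as an added example that is not part of the original thread: a Python sketch that walks the TLS record layer of a captured session and flags heartbeat records sent in the clear before ChangeCipherSpec. It assumes each direction of the TCP session has already been reassembled into a byte string; the function names and the sample sessions are constructed for illustration.

```python
import struct

CHANGE_CIPHER_SPEC, HANDSHAKE, HEARTBEAT = 20, 22, 24  # TLS record content types

def tls_records(stream):
    """Yield (content_type, body) for each complete TLS record in one direction."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, off)
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:
            break  # capture ends mid-record
        yield ctype, body
        off += 5 + length

def plaintext_heartbeats(stream):
    """Heartbeat record bodies sent before ChangeCipherSpec, i.e. unencrypted."""
    found = []
    for ctype, body in tls_records(stream):
        if ctype == CHANGE_CIPHER_SPEC:
            break
        if ctype == HEARTBEAT:
            found.append(body)
    return found

def inspect_session(client, server):
    """Return findings for one reassembled TCP session on port 443."""
    findings = []
    requests, replies = plaintext_heartbeats(client), plaintext_heartbeats(server)
    for body in requests:
        findings.append("plaintext heartbeat request during handshake")
        if len(body) >= 3:
            hb_type, claimed = struct.unpack_from("!BH", body)
            # RFC 6520: type(1) + length(2) + payload + at least 16 bytes of padding
            if hb_type == 1 and claimed + 19 > len(body):
                findings.append("claimed payload %d does not fit %d-byte record"
                                % (claimed, len(body)))
    sent, got = sum(map(len, requests)), sum(map(len, replies))
    if got > sent:
        findings.append("plaintext heartbeat reply of %d bytes to %d-byte request"
                        % (got, sent))
    return findings

def record(ctype, body):
    """Build a TLS 1.1 record; used only to construct the sample sessions below."""
    return struct.pack("!BHH", ctype, 0x0302, len(body)) + body

# Constructed sample sessions (not real traffic); handshake bodies are filler.
HELLO = record(HANDSHAKE, b"\x00" * 40)
PROBE_CLIENT = HELLO + record(HEARTBEAT, b"\x01\x40\x00")
PROBE_SERVER = HELLO + record(HEARTBEAT, b"\x02\x40\x00" + b"A" * 64)
NORMAL_CLIENT = HELLO + record(CHANGE_CIPHER_SPEC, b"\x01") + record(HEARTBEAT, b"\x9c" * 48)
NORMAL_SERVER = HELLO + record(CHANGE_CIPHER_SPEC, b"\x01") + record(HEARTBEAT, b"\x5e" * 48)

if __name__ == "__main__":
    for name, c, s in [("probe", PROBE_CLIENT, PROBE_SERVER), ("normal", NORMAL_CLIENT, NORMAL_SERVER)]:
        print(name, inspect_session(c, s))
```

A heartbeat sent after ChangeCipherSpec is encrypted and opaque to this check, which is why the second constructed session produces no findings.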
Security agencies told the CRA (Score:2)
According to the statement [cra-arc.gc.ca] on the CRA web site, it was security agencies that told the CRA that 900 SINs were stolen:
Re: (Score:2, Insightful)
faces one count of Unauthorized Use of Computer and one count of Mischief in Relation to Data.
Stuff like this makes me happy to be Canadian.
He is being charged with what he did, and will probably be given a sentence in line with the severity of his crime. If this happened in the US he'd probably be branded a terrorist and be on his way to gitmo right now.
Script Kiddy (Score:4, Insightful)
Ah the brilliance of youth -
"I have a script for an exploit"
"I can try it against the tax man"
"I won't get caught"
"I'm not going to use the results so no-bad"
"Hey what's with the cuffs!"
Re: (Score:2)
"Hey we wrote a web application the whole country uses to submit their taxes"
"Hey, any script kiddy in the world can hack it using a well known exploit and thousands of proof of concept scripts found online"
Re: (Score:1)
The brilliance of two-thirds of the world's web servers
FTFY.
Story important for pacifying headlines (Score:3, Insightful)
Here in USA it's being reported this way:
"Heartbleed hacker caught in Canada"
Translation:
Media sheep, go back to sleep. We caught THE hacker responsible for Heartbleed, thus it can fall into the memory hole. Any concerns you may have about your fellow citizens, their business interests or governments monitoring you, or perhaps about the general competence of software development (!!!) can also go back to sleep.
Sleep, sleep my lovelies. Tomorrow there is obedience at school/job, and then shopping and sexy videos on the internet. Sleep, sleep.
Re: (Score:2)
yeah, it's a shame.
and I bet some asshats will stop from patching because the "hacker is already in jail".
Re: (Score:2)
Police say Canadian man used Heartbleed virus to steal personal info
Police in Ontario, Canada have accused a 19-year-old man with exploiting the Heartbleed computer virus to steal personal data of over 900 taxpayers...
Calling people paranoid to silence them (Score:1)
NSA isn't spying on Americans. You disagree? You're overly paranoid.
That's a common tactic used by Communists and other totalitarians to silence dissent.
Oh wait, I see:
That's from your journal [slashdot.org] where you as an apologist for censorship endorse the idea of firing people for having "offe
Fox has a better headline (Score:1)
Other than the fact that they misidentify an exploit as a virus, you're telling me that Fox News has a better headline?
Fox News, that I'm told like the Daily Mail in UK is nothing but a tabloid that no one serious reads? And that's supposed to be completely unrelated to it being one of only a few media sources that are right-wing?
Do tell.
Mischief in Relation to Data (Score:5, Funny)
I like the name of the "Mischief in Relation to Data" charge. It sounds vague enough it could mean just about anything.
Heck, this might even be on my resume, I'll have to check.
Re:Mischief in Relation to Data (Score:5, Informative)
It does have a somewhat specific legal meaning. [justice.gc.ca]
(1.1) Every one commits mischief who wilfully
...
(a) destroys or alters data;
(b) renders data meaningless, useless or ineffective;
(c) obstructs, interrupts or interferes with the lawful use of data; or
(d) obstructs, interrupts or interferes with any person in the lawful use of data or denies access to data to any person who is entitled to access thereto.
(5) Every one who commits mischief in relation to data
(a) is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years; or
(b) is guilty of an offence punishable on summary conviction.
Re: (Score:2)
It does have a somewhat specific legal meaning.
In that case I shall remove that phrase from my resume posthaste.
Re: (Score:3)
That's an interesting wording. It does seem like a pretty flimsy charge for what actually happened. A copy of the data (SIN numbers) was read from memory. CRA could continue to use that data to process tax returns (or whatever other purpose) regardless of if the data was read or not. The language is around "denied access to a person entitled" as opposed to "granted access to a person NOT entitled" (which is really what happened).
Analogy.. Going into your house and stealing your TV interrupts your ability to
Poor analogy (Score:1)
This is more like making a copy of the old credit card carbon copy slips; it doesn't appear to have any effect on the credit card itself, however it can be used for fraudulent purposes. In Canada, the SIN (Social Insurance NUMBER), is used by CRA, banks and potential employers, which means that being able to associate name, address, and SIN renders the information ineffective as a private/unique identifier.
Re: (Score:2)
Interferes with someone in the lawful use of data would seem to cover it.
Re: (Score:2)
Here in Canada, we use common law as the basis of our legal code. So the wording really interesting, what you're actually missing is the case law behind how the law has developed and why mischief is actually a fairly serious crime on the books here. If you're actually interested, you can go over here [canlii.org] and start looking through the vast library of it.
Anyway, for your analogy, that comes under several different laws. Mischief(interrupting the cable service on your end), theft of service(from the provider an
Re: (Score:2)
Are my students guilty of "mischief in relation to data" by 1.1b after the garbled lab reports they sometimes hand in?
Still far too ambiguous (Score:2)
IE, a polling organization conducts a poll for a vendor with a cost of one million dollars to the vendor to see which is the preferred widget, X or Y. Then, some third party comes along and points out a flaw in their testing methodology, thus invalidating all of the collected data.
That third party has "rendered that data meaningless, useless, or ineffective" and thus could be found guilty under this statute as worded.
This is just off the top of my head with 5 seconds thinking on it, I am sure many many suc
Re: (Score:2)
Whoever got this on the books should be drawn and quartered.
That would be Mulroney. "Mischief in relation to data" was added to the criminal code by the Criminal Law Amendment Act, 1985.
Re:Mischief in Relation to Data (Score:5, Funny)
It won't go anywhere. They'll let him plea bargain to Second-Degree Shenanigans and that'll be the end of it.
Re: (Score:2)
Protip: In Canada, the courtroom is owned by the judge. Not the crown, the crown can offer whatever they want. The judge however can slap them with whatever sentence they want, that however can end up before the superior court(think state level supreme), which may decrease the sentence or even increase it if they think it isn't severe enough.
Re: (Score:2)
Dcollins collins bo bollins, banana fana focollins, fe fi mocollins, collins!
Oh shit...
"The Register has the story as well" (Score:3)
>> The Register has the story as well
Duh - the Register is where most of us read the story so we'll know what to write when the same news appears on SlashDot tomorrow.
Re: (Score:2)
I don't think I have to adblock Slashdot. I've got this little checkbox that lets me disable advertising, probably because of good karma. I haven't checked it yet, because showing the ads might benefit Slashdot financially and because they haven't been annoying. This may be changing.
Honeypot (Score:1)
I've talked to an accountant about this and we're both convinced this was an RCMP sting. They announced there was a vulnerability on their website about six hours before they patched it. That's either totally stupid and insane, or it was a police sting and they were just waiting to see who would be stupid enough to try and break in through the open door. Please have a seat.
Different laws for different people (Score:2)
Meanwhile, government agencies use the same exploit without any fear of retaliation (even buys them with your money)
http://www.wsws.org/en/article... [wsws.org]
early attack (Score:2)
Re:LOL CANADA LOL (Score:5, Interesting)
You guys will never understand the RCMP. They're probably one of the last competent police forces on the planet, and the vast majority of Canadians respects them. Our city or provincial police forces on the other hand...
evil Cananadianers! (Score:1)
I... I wanted to be... A LUMBERJACK!
Re: (Score:2, Funny)
No one expects the RCMP, their two chief weapons are surprise and strangely competent horses!
and stylish hats
Their three chief weapons are surprise, strangely competent horses, stylish hats and a fanatical devotion to the laws of Canada.
Their four... hang on a second, I should just do the entrance again.
(I'd continue, but that's about all I know about the RCMP, my knowledge greatly inspired by the old Dudley Do-Right cartoons.)
Re: (Score:1)
I wasn't expecting a Monty Python reference.
It's all right. Nobody expected this Monty Python reference.
Re: (Score:1)
They're probably one of the last competent police forces on the planet, and the vast majority of Canadians respects them.
No.
The RCMP have abused their power and neglected their duties like every other police force.
Re: (Score:2, Interesting)
You guys will never understand the RCMP. They're probably one of the last competent police forces on the planet, and the vast majority of Canadians respects them.
You gotta be kidding.
There was the incident of 4 armed RCMP officers who tasered some poor unarmed schlub FIVE times and killed him:
http://en.wikipedia.org/wiki/R... [wikipedia.org]
And they lied about it and tried to cover it up by refusing to release the video.
Then there was the RCMP officer who kicked Buddy Tavares in the face. Tavares was complying with the pol
Re: (Score:3)
If you compare their failures to those of other police forces they don't even come close. They're in another league. They may get some publicity but I'd far rather deal with the RCMP than a city cop. The RCMP may have had a few incidents, but city police forces are corrupt from the top down.
Re: (Score:2)
RCMP compared to say? OPP and issues with let's say...oh...Caledonia? [caledoniawakeupcall.com] Or several other issues? Let's run away, away, run away way. Let's arrest the other non-native protesters so we don't enflame the natives? Doesn't get better when the OPP are involved or the courts either here in Ontario. How about Ipperwash? When the natives were shooting at the police, and they had it on film, and the courts refused to hear the evidence? I have a friend who was in the military at the time and she was shot at w
Re: (Score:3)
>They're probably one of the last competent police forces on the planet
Is that because they're mounted or despite their superequine status?