Slashdot Mirror

← Back to Stories (view on slashdot.org)

RCMP Arrest Canadian Teen For Heartbleed Exploit

Posted by timothy on from the they-got-their-man dept.

According to PC Mag, a "19-year-old Canadian was arrested on Tuesday for his alleged role in the breach of the Canada Revenue Agency (CRA) website, the first known arrest for exploiting the Heartbleed bug. Stephen Arthuro Solis-Reyes (pictured) of London, Ontario faces one count of Unauthorized Use of Computer and one count of Mischief in Relation to Data." That exploit led to a deadline extension for some Canadian taxpayers in getting in their returns this year. The Register has the story as well. The Montreal Gazette has some pointed questions about how much the Canadian tax authorities knew about the breach, and when.

104 comments

  1. Good. by jellomizer · · Score: 5, Insightful

    I for one welcome arresting people who seem to think it is a good idea to enter someones home just because they didn't get to update all their locks on their home.

    Sure it is easy to update your PC, but if you have a mission critical application running, you need to make sure you take all the right steps even with the security vulnerability to make sure it doesn't go down.
     

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:Good. by Anonymous Coward · · Score: 0

      An example needs to be made; that's the only way to send a strong message. It's the same reason they hung pirates back in the old days without question. You pirate, you die. Don't pirate, asshole, unless you want to die. I'm not necessarily suggesting we kill Stephen; but at a minimum he should be stripped of all his possessions and locked up for a long, long time - 20 years minimum. I also wouldn't be opposed to some physical punishment - amputation of a limb or digits, for example, or perhaps sterilization.

    2. Re:Good. by Anonymous Coward · · Score: 2, Funny

      I for one ...

      Can we somehow stop the "I for one" lead-ins on /.? I for one would welcome the change.

    3. Re:Good. by Anonymous Coward · · Score: 1

      I for one support this idea.

    4. Re:Good. by Anonymous Coward · · Score: 0

      I for one would support such an effor.

    5. Re:Good. by Anonymous Coward · · Score: 0

      I for one welcome arresting people who seem to think it is a good idea to enter someones home just because they didn't get to update all their locks on their home.

      For once, the "door to a house" analogy actually fits.

      Most of the time, people try to liken the situation to an unlocked door. But those situations have thus far always been better described as random people asking your crazy ex to access your house, and the crazy ex letting them in because you forgot to remove the ex's access when you two broke up.

      But here, I do believe that likening the situation to a locked door actually fits.

    6. Re:Good. by Anonymous Coward · · Score: -1

      Yea throw the book at this little shit. Somehow I'm not surprised that he lives in the middle of butt-fuck-no-where Canada too. London Ontario breeds idiots.

    7. Re:Good. by parlancex · · Score: 2

      Sure. I'd agree with that.

      What I wouldn't agree with however would be blood-seeking legislation that does not carefully factor in the disparity in the actions taken by computers and their owners. There's a reasonable debate to be had about responsibility and negligence, but proving beyond reasonable doubt that the attack was actually perpetrated by Mr. Roger B. Jones, with intent, is much harder than proving an attack originated from an IPv4 block assigned to his ISP, and possibly allocated by DHCP at that time to a modem currently registered an account owned by Mr. Roger B. Jones. My worry is that the courts probably won't care, and that's a dangerous path and I'd dare you to throw the first stone.

    8. Re:Good. by grumpyman · · Score: 1

      I think the arrest is warranted. However, WTF is wrong with CRA people, seriously. Shut the damn thing down as soon as they find out it is vulnerable.

    9. Re:Good. by Joce640k · · Score: 1

      You COULD prevent millions of people from being able to do their job, ... or ... just turn off the heartbeat feature.

      (And set up a honeypot it its place to catch the bad people)

      --
      No sig today...
    10. Re:Good. by Anonymous Coward · · Score: 5, Funny

      Ok, thanks for that, we have the moderate perspective covered. Anyone feel like voicing a hard line?

    11. Re:Good. by MightyMartian · · Score: 1

      I was going to suggest going North Korean on his ass. Death by mortar fire, death by flame thrower or death by hungry dogs? It's just so damned hard to choose.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    12. Re:Good. by neoform · · Score: 4, Insightful

      >I for one welcome arresting people who seem to think it is a good idea to enter someones home just because they didn't get to update all their locks on their home.

      I think your example is a bit too gentle.

      This is more like someone kicking your locked front door down and pointing out that your door isn't strong enough to prevent someone from kicking it down.

      The system was "locked" for all intents and purposes, as best the system administrators knew how to lock it. It wasn't because they were lazy or forgot, they just didn't know the door had any weaknesses.

      --
      MABASPLOOM!
    13. Re:Good. by hcs_$reboot · · Score: 1

      It'll be more interesting when they catch someone who did use the heartbleed bug before it was revealed publicly.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    14. Re:Good. by interkin3tic · · Score: 1

      Boredom and isolation often leads to deviant behavior. How many of us got into nerd stuff because we were bored and wanted to know if we could "hack" something we weren't supposed to? I started reading 2600 before I got my drivers license. It was, fortunately, far over my head, and thanks to dialup, even if it weren't, that would be almost as boring as homework, so I never actually did anything.

      I wonder what the solution is. My kid isn't going to have those limitations, even comcast is vastly superior to dialup, and he's getting a head start on using computers.

      Maybe I'll have to stick with apple products, make sure he stays in the walled garden and out of the CRA website.

    15. Re:Good. by Anonymous Coward · · Score: 0

      Much like using a credit card against those old locks?

    16. Re:Good. by Anonymous Coward · · Score: 1

      I do think you are right about the illegality, but that is a really bad analogy.

      First, most of these are public facing servers asking for people to come in.
      Second, he for your analogy basically stood outside and asked for some secrets and the homeowner yelled them back at him.
      Third, it seems like we could make the use of whatever secret information (that is where the actual harm comes) used as basis of an illegal act, not the fact that he got them.

    17. Re:Good. by EvanED · · Score: 1

      Second, he for your analogy basically stood outside and asked for some secrets and the homeowner yelled them back at him.

      That's like saying someone who breaks into a house by throwing a brick through the window merely lets go of a brick when it has a particular trajectory and the glass just got out of their way.

    18. Re:Good. by Anonymous Coward · · Score: 0

      London is the 15th biggest city in the country. While it's by no means huge it's hardly butt-fuck nowhere. There's both urban in rural areas in the great 'murica and it breeds the most idiots per captia of them all...

      Anything to substantiate your claims? Citation for geographic link to small cities and intelligence?

    19. Re:Good. by Anonymous Coward · · Score: 0

      Urban and rural. My phone's autocorrect must be from London by your logic. Throw the book at Google...

    20. Re:Good. by Anonymous Coward · · Score: 0

      I for two agree and comply.

    21. Re:Good. by Anonymous Coward · · Score: 0

      London is actually one of the larger cities in Canada, but you sure are right about it breeding idiots.

    22. Re:Good. by Anonymous Coward · · Score: 1

      Nobody is going to catch the NSA...

    23. Re:Good. by Anonymous Coward · · Score: 2, Insightful

      Guys, a "system" is not a physical door, there is no material damage, you can load it back right up. also piracy isn't stealing, it's copying. get a grip on the metaphors, i'm sick of hearing ppl like you all the time. You are the reason you can go to jail for decades over using a keyboard.

    24. Re:Good. by david_thornley · · Score: 1

      Legislation of crimes and penalties really isn't related to how we establish guilt. While I agree with your points individually, I don't see the connection.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    25. Re:Good. by Anonymous Coward · · Score: 0

      It is possible. For I, one, have already changed the lead-in on this post.

    26. Re:Good. by wwphx · · Score: 1

      He's Canadian. The preferred execution method is Boot to the Head.

      --
      When you sympathize with stupidity, you start thinking like an idiot.
    27. Re:Good. by MightyMartian · · Score: 1

      Not to worry, he'd be saved by Mr. Canoe Head.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
  2. LOL CANADA LOL by Anonymous Coward · · Score: -1, Flamebait

    LOL. Let's report on real countries, eh, and not just on one of USSA's puppet states.

    1. Re:LOL CANADA LOL by TitusC3v5 · · Score: -1, Flamebait

      It's worse than that. It's the RCMP. People riding horses shouldn't really be policing the internet, even in Canada.

      --
      And the masses cried out, "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0!"
    2. Re:LOL CANADA LOL by Russ1642 · · Score: 5, Interesting

      You guys will never understand the RCMP. They're probably one of the last competent police forces on the planet, and the vast majority of Canadians respects them. Our city or provincial police forces on the other hand...

    3. Re:LOL CANADA LOL by Anonymous Coward · · Score: 0

      Because history and showmanship tell you a lot about capabilities.

      USMC does their fancy pants silent drill with unloaded 60 year old assault rifles. I wouldn't suggest pointing and laughing.

    4. Re:LOL CANADA LOL by Anonymous Coward · · Score: 2, Funny

      No one expects the RCMP, their two chief weapons are surprise and strangely competent horses!
      and stylish hats
      Their three chief weapons are surprise, strangely competent horses, stylish hats and a fanatical devotion to the laws of Canada.
      Their four... hang on a second, I should just do the entrance again.

      (I'd continue, but that's about all I know about the RCMP, my knowledge greatly inspired by the old Dudley Doright cartoons.)

    5. Re:LOL CANADA LOL by Anonymous Coward · · Score: 0

      I wasn't expecting a Monty Python reference.

    6. Re:LOL CANADA LOL by Anonymous Coward · · Score: 1

      I wasn't expecting a Monty Python reference.

      It's all right. Nobody expected this Monty Python reference.

    7. Re:LOL CANADA LOL by Anonymous Coward · · Score: 1

      They're probably one of the last competent police forces on the planet, and the vast majority of Canadians respects them.

      No.
      The RCMP have abused their power and neglected their duties like every other police force.

    8. Re:LOL CANADA LOL by Anonymous Coward · · Score: 2, Interesting

      You guys will never understand the RCMP. They're probably one of the last competent police forces on the planet, and the vast majority of Canadians respects them.

      You gotta be kidding.

      There was the incident of 4 armed RCMP officers who tasered some poor unarmed schlub FIVE times and killed him:

      http://en.wikipedia.org/wiki/R...

      And they lied about it and tried to cover it up by refusing to release the video.

      Then there was the RCMP officer who kicked Buddy Tavares in the face. Tavares was complying with the police, he was unarmed, and had his hands on the pavement. Oh, and it was recorded on video.

      http://thescottross.blogspot.c...
      http://www.theglobeandmail.com...

      There was the time the RCMP pepper-sprayed hapless protesters who were legally & peacefully protesting so that Suharto, the dictator of Indonesia wouldn't have to see them:

      http://www.cbc.ca/news/canada/...

      And many many more.

    9. Re:LOL CANADA LOL by Russ1642 · · Score: 2

      If you compare their failures to those of other police forces they don't even come close. They're in another league. They may get some publicity but I'd far rather deal with the RCMP than a city cop. The RCMP may have had a few incidents, but city police forces are corrupt from the top down.

    10. Re:LOL CANADA LOL by TechyImmigrant · · Score: 2

      >They're probably one of the last competent police forces on the planet

      Is that because they're mounted or despite their superequine status?
       

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    11. Re:LOL CANADA LOL by Anonymous Coward · · Score: 0

      I'm no fan of any police force, and there are massive problems with the RCMP and its culture of sexual harassment and oppression, but as a police force they're doing a lot better in terms of police work than most of their counterparts. Their abuse of the system to intimidate, harass and oppress the people they ostensibly protect is significantly less than their friends in the US, UK or Australia.

      Are they perfect, no; far from it. But Given a choice between the FBI and the Mounties, I'll take the Horse Corps any day.

      AC cause mod points

    12. Re:LOL CANADA LOL by aevan · · Score: 1

      Horses are the only thing that flow quickly and easily through the series of tubes, unlike poker chips.

    13. Re:LOL CANADA LOL by Anonymous Coward · · Score: 0

      I thought they rode ponies? Ar, ar, ar, ar, ar.

    14. Re:LOL CANADA LOL by Mashiki · · Score: 1

      RCMP compared to say? OPP and issues with let's say...oh...Caledonia? Or several other issues? Let's run away, away, run away way. Let's arrest the other non-native protesters so we don't enflame the natives? Doesn't get better when the OPP are involved or the courts either here in Ontario. How about Ipperwash? When the natives were shooting at the police, and they had it on film, and the courts refused to hear the evidence? I've have a friend who was in the military at the time and she was shot at while her helicopter was doing a flyover. They refused to allow evidence of that in too.

      Or how about the CBSA, when they stopped hundreds of american natives coming into Canada with guns? The RCMP arrested them but the courts let them go and where did they end up? Ipperwash shooting at the OPP, at the RCMP, and at the CF's. Please, the RCMP has problems without a doubt, but they're not a patch on either what goes on with the natives, some of the serious issues with the courts, or even with the provincial police forces when the government jams their fingers in and tells them to "back off."

      --
      Om, nomnomnom...
  3. interesting by slashmydots · · Score: 0

    So you do something stupid like that in the US or Canada or England or any other civilized area and you get caught in like a day. Do it in Russia or Indonesia or Turkey or Israel (mega malware hotbeds) and you might get caught somewhere between 2 years and never. Where is the UN on this one? OHHHHH THAT'S RIGHT it's all old people who don't know a thing about technology. That explains the problem.

    1. Re:interesting by Anonymous Coward · · Score: 1

      OHHHHH THAT'S RIGHT, they're not a law enforcement agency and have absolutely nothing to do with this

      FTFY

    2. Re:interesting by Anonymous Coward · · Score: 0

      things I learned today: "the UN is old people".

  4. And how about the CRA? by Logger · · Score: 1

    I imagine this kid will get what he deserves, but what about the CRA? They should've immediately taken their servers offline until they were patched. Will anyone get any heat for that?

    1. Re:And how about the CRA? by Godai · · Score: 5, Informative

      The Montreal Gazette article covers that. They asked a computer security consultant and he said the 24-hour delay was pretty reasonable given the impact taking down the site would have on people given the timing (tax season); not so much that they waited before doing it so much as it was a reasonable time to discuss it and come to a decision. So my guess is that no one will get burned over that.

      The real questions are fairly simple: when did the breach occur, and how did they know? Also, how did they know 900 SIN numbers were taken and how do they know more weren't? None of these are necessarily conspiracy-esque questions, but they're relevant. Though it sounds like the CRA may not be at liberty to say anything about some (or any) of that, having been asked by the RCMP not to while they firm up charges.

      --
      Wood Shavings!
      - Godai
    2. Re:And how about the CRA? by grumpyman · · Score: 1

      FYI I also recall CRA claims other than those SIN, the system was not breached before.

    3. Re:And how about the CRA? by Anonymous Coward · · Score: 2, Interesting

      The real questions are fairly simple: when did the breach occur, and how did they know? Also, how did they know 900 SIN numbers were taken and how do they know more weren't? None of these are necessarily conspiracy-esque questions, but they're relevant. Though it sounds like the CRA may not be at liberty to say anything about some (or any) of that, having been asked by the RCMP not to while they firm up charges.

      Full packet capture, probably. Just record all traffic (or only traffic to port 443) and then grep through it. All the common Heartbleed scripts don't bother setting up the encryption, just begin the handshake, fire off an unecrypted heartbeat request, get unecrypted response and disconnect. They could tben dig through responses and find which accounts got leaked.

      Or maybe even without raw traffic capture - suspicious activity on port 443 + everyone who accessed their accounts in that timeframe.

    4. Re:And how about the CRA? by Anonymous Coward · · Score: 2, Insightful

      faces one count of Unauthorized Use of Computer and one count of Mischief in Relation to Data.

      Stuff like this makes me happy to be Canadian.

      He is being charged with what he did, and will probably be given a sentence in line with the severity of his crime. If this happened in the US he'd probably be branded a terrorist and be on his way to gitmo right now.

    5. Re:And how about the CRA? by Anonymous Coward · · Score: 0

      I'll admit that I don't really understand the exploit in question that well - but assuming that (from what I gather) it only dumps memory, as long as they can figure out when the breach occurred, figuring out what SINs may have been taken should be easy. You see who was submitting taxes during that time, or performing any other activity on the site that would include the SIN in something that ends up in memory.

      Then, for safety, you just assume that ANY of those could have been transmitted.

  5. too old. by Anonymous Coward · · Score: 0

    I'd care about his age if he were 10-14 years old or about that, who didn't hack at that age?
    When you're legal age you know what you're doing.

  6. Script Kiddy by RichMan · · Score: 3, Insightful

    Ah the brilliance of youth -
    "I have a script for an exploit"
    "I can try it against the tax man"
    "I won't get caught"
    "I'm not going to use the results so no-bad"

    "Hey what's with the cuffs!"

    1. Re:Script Kiddy by Anonymous Coward · · Score: 0

      The ironic joke is on you old fella.

    2. Re:Script Kiddy by tommeke100 · · Score: 1

      The brilliance of government systems:

      "Hey we wrote a web application the whole country uses to submit their taxes"
      "Hey, any script kiddy in the world can hack it using a well known exploit and thousands of proof of concept scripts found online"

    3. Re:Script Kiddy by Anonymous Coward · · Score: 0

      Damn Skiddos GET OFF MY LAWN!

    4. Re:Script Kiddy by rhazz · · Score: 1

      The brilliance of two-thirds of the world's web servers

      FTFY.

  7. No 7 proxies? by t20alex · · Score: 0

    Damn that was a quick arrest. His basement must have not very deep. Something tells me he was not realizing the extent of his actions because: -picked the worst entity to try the exploit on -picked an entity in his home country -7 proxies and all -prison.

  8. What are the odds? by Anonymous Coward · · Score: 0

    On it being 'revealed' he suffers from Ass Burgers?

  9. Story important for pacifying headlines by hessian · · Score: 3, Insightful

    Here in USA it's being reported this way:

    "Heartbleed hacker caught in Canada"

    Translation:

    Media sheep, go back to sleep. We caught THE hacker responsible for Heartbleed, thus it can fall into the memory hole. Any concerns you may have about your fellow citizens, their business interests or governments monitoring you, or perhaps about the general competence of software development (!!!) can also go back to sleep.

    Sleep, sleep my lovelies. Tomorrow there is obedience at school/job, and then shopping and sexy videos on the internet. Sleep, sleep.

    --
    Futurist Traditionalism
    1. Re:Story important for pacifying headlines by gl4ss · · Score: 1

      yeah, it's a shame.

      and I bet some asshats will stop from patching because the "hacker is already in jail".

      --
      world was created 5 seconds before this post as it is.
    2. Re:Story important for pacifying headlines by tomhath · · Score: 1
      You mean like this one from Fox? I guess they don't fit your fantasy of "amerika".

      Police say Canadian man used Heartbleed virus to steal personal info

      Police in Ontario, Canada have accused a 19-year-old man with exploiting the Heartbleed computer virus to steal personal data of over 900 taxpayers...

    3. Re:Story important for pacifying headlines by Anonymous Coward · · Score: 0

      Life must be a lot easier when you assume you are the only one who is at all cognizant. I bet you're a hit at parties.

    4. Re:Story important for pacifying headlines by squiggleslash · · Score: 1

      Overly paranoid original poster aside, I don't think this story is much better, given Fox apparently thinks Heartbleed is a virus...

      --
      You are not alone. This is not normal. None of this is normal.
    5. Re:Story important for pacifying headlines by jones_supa · · Score: 1

      It's quite cringe-worthy view if you look at all the stuff that is tweeted with the hashtag #HeartbleedVirus. :)

    6. Re:Story important for pacifying headlines by Anonymous Coward · · Score: 0

      I've seen cringe-worthier.

      I've seen a site that starts with a proper two paragraph explanation of Heartbleed bug... And then slaps on a list of some random trojan symptoms and wants you to "Download Heartbleed removal tool"

      There's also a bunch of computer repair shops that speak about Heartbleed as if it was an actual virus, link to filippo.io's heartbleed tester as "Check if your site is infected!" and want you to bring your computer for virus check and removal.

    7. Re:Story important for pacifying headlines by Anonymous Coward · · Score: 0

      Media sheep, go back to sleep. We caught THE hacker responsible for Heartbleed, thus it can fall into the memory hole. Any concerns you may have about your fellow citizens, their business interests or governments monitoring you, or perhaps about the general competence of software development (!!!) can also go back to sleep.

      I hate to defend NSA, but this is one of the few instances in which a security breach has national security (economic) implications on both sides of the Canada/US border. We know NSA (and can assume CSEC, the Canadian eye of the Five Eyes) has full packet capture everywhere. The bust could have been as simple as the RCMP calling CSEC, CSEC asking NSA what they saw, and NSA saying "Yeah, XYZ packets from this IP to the CRA's IP netblock contain Heartbeat data. Here's the dump so you can tell CRA what leaked. Hey, you wouldn't happen to know if there are any Americans dumb enough to h4x0r the IRS, would you?", and CSEC filtering the info back via RCMP to the tune of "only 900 SSNs, and they were all from this one doofus, so have fun."

  10. Mischief in Relation to Data by dcollins117 · · Score: 4, Funny

    I like the name of the "Mischief in Relation to Data" charge. It sounds vague enough it could mean just about anything.

    Heck, this might even be on my resume, I'll have to check.

    1. Re:Mischief in Relation to Data by compro01 · · Score: 4, Informative

      It does have a somewhat specific legal meaning.

      (1.1) Every one commits mischief who wilfully
              (a) destroys or alters data;
              (b) renders data meaningless, useless or ineffective;
              (c) obstructs, interrupts or interferes with the lawful use of data; or
              (d) obstructs, interrupts or interferes with any person in the lawful use of data or denies access to data to any person who is entitled to access thereto.
      ...
      (5) Every one who commits mischief in relation to data
              (a) is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years; or
              (b) is guilty of an offence punishable on summary conviction.

      --
      upon the advice of my lawyer, i have no sig at this time
    2. Re:Mischief in Relation to Data by dcollins117 · · Score: 1

      It does have a somewhat specific legal meaning.

      In that case I shall remove that phrase from my resume posthaste.

    3. Re:Mischief in Relation to Data by wonkey_monkey · · Score: 4, Funny

      It won't go anywhere. They'll let him plea bargain to Second-Degree Shenanigans and that'll be the end of it.

      --
      systemd is Roko's Basilisk.
    4. Re:Mischief in Relation to Data by gregmac · · Score: 2

      That's an interesting wording. It does seem like a pretty flimsy charge for what actually happened. A copy of the data (SIN numbers) was read from memory. CRA could continue to use that data to process tax returns (or whatever other purpose) regardless of if the data was read or not. The language is around "denied access to a person entitled" as opposed to "granted access to a person NOT entitled" (which is really what happened).

      Analogy.. Going into your house and stealing your TV interrupts your ability to watch TV, and alters the state of your house. On the other hand, peeking through your window and taking a picture of your TV does not prevent you from watching TV, and does not change the state of your house. In fact, if you didn't catch me in the act, you'd never even know it happened (just like Heartbleed), and if you didn't know cameras could take pictures through windows you wouldn't even think about this happening (just like before Heartbleed was disclosed). It does not make it right at all, but it also doesn't even remotely seem to align with the definition of "Mischief in Relation to Data".

      --
      Speak before you think
    5. Re:Mischief in Relation to Data by Anonymous Coward · · Score: 0

      In that case I shall remove that phrase from my resume posthaste.

      Just replace the word "Data" with "Goats".

    6. Re:Mischief in Relation to Data by Anonymous Coward · · Score: 0

      "Alter" is only one possibility there.

      Mischief basically refers to destroying value of someone else's property. Passwords et al. known by somebody else but owner are useless, more than that, that's losses incurred on time wasted changing passwords/getting credit monitoring/etc.

      PS: Oh, and he's also charged with "Unauthorized use of a computer", anyways.

    7. Re:Mischief in Relation to Data by Anonymous Coward · · Score: 0

      What if I wilfully destroy my own data? Am I committing mischief in relation to data then?

    8. Re:Mischief in Relation to Data by Anonymous Coward · · Score: 0

      Did you wilfully destroy your common sense and now came here for legal counsel?

      PS: I hope your "Delete" key is all dusty from lack of use. Mounties are coming for you!

    9. Re:Mischief in Relation to Data by BoberFett · · Score: 1

      Dcollins collins bo bollins, banana fana focollins, fe fi mocollins, collins!

      Oh shit...

    10. Re:Mischief in Relation to Data by ceoyoyo · · Score: 1

      Interferes with someone in the lawful use of data would seem to cover it.

    11. Re:Mischief in Relation to Data by Entropius · · Score: 1

      Are my students guilty of "mischief in relation to data" by 1.1b after the garbled lab reports they sometimes hand in?

    12. Re:Mischief in Relation to Data by Anonymous Coward · · Score: 0

      Those bytes you left in your comment are AWFUL mischievous! I think we may have more witch trials, er, trials to perform!

    13. Re:Mischief in Relation to Data by Mashiki · · Score: 1

      Here in Canada, we use common law as the basis of our legal code. So the wording really interesting, what you're actually missing is the case law behind how the law has developed and why mischief is actually a fairly serious crime on the books here. If you're actually interested, you can go over here and start looking through the vast library of it.

      Anyway, for your analogy, that comes under several different laws. Mischief(interrupting the cable service on your end), theft of service(from the provider and to you), B&E(altering the state of your house), probably possessing tools to commit the BE(another law), peeking through the windows(invasion of privacy). But it does actually align with the definition in relation to data just fine, since the case law data has defined this clearly. It's also just as important in common law that the law itself clearly defines what is, and isn't. And in this case, with the previous cases of mischief of people "capturing data" in an unauthorized way, section 1.1(c) is what will most likely be applied.

      --
      Om, nomnomnom...
    14. Re:Mischief in Relation to Data by Mashiki · · Score: 1

      Protip: In Canada, the courtroom is owned by the judge. Not the crown, the crown can offer whatever they want. The judge however can slap them with whatever sentence they want, that however can end up before the superior court(think state level supreme), which may decrease the sentence or even increase it if they think it isn't severe enough.

      --
      Om, nomnomnom...
    15. Re:Mischief in Relation to Data by Mashiki · · Score: 1

      Here in Canada, we use common law as the basis of our legal code. So the wording really interesting, what you're actually missing is the case law behind how the law has developed and why mischief is actually a fairly serious crime on the books here. If you're actually interested, you can go over here and start looking through the vast library of it.

      Anyway, for your analogy, that comes under several different laws. Mischief(interrupting the cable service on your end), theft of service(from the provider and to you), B&E(altering the state of your house), probably possessing tools to commit the BE(another law), peeking through the windows(invasion of privacy). But it does actually align with the definition in relation to data just fine, since the case law data has defined this clearly. It's also just as important in common law that the law itself clearly defines what is, and isn't. And in this case, with the previous cases of mischief of people "capturing data" in an unauthorized way, section 1.1(c) is what will most likely be applied.

      --
      Om, nomnomnom...
  11. "The Register has the story as well" by xxxJonBoyxxx · · Score: 2

    >> The Register has the story as well

    Duh - the Register is where most of us read the story so we'll know what to write when the same news appears on SlashDot tomorrow.

    1. Re:"The Register has the story as well" by Anonymous Coward · · Score: 0

      And I haven't noticed any pop-up ads at The Register, which is something I *have* noticed slashdot has been experimenting with for some damn fool reason.

    2. Re:"The Register has the story as well" by Demonantis · · Score: 1

      Not to get off topic, but this is a bad move for /.. I wasn't adblocking them, but I am now because the pop up is really annoying. I think they have become increasingly disconnected with the community. On topic, assuming he is guilty, what was this guy thinking? Its like stealing money. Most people know it is wrong. Hopefully, the courts treat him with respect and teach him a lesson without ruining his life. Something like a year probation seems fair and likely considering the charges.

    3. Re:"The Register has the story as well" by david_thornley · · Score: 1

      I don't think I have to adblock Slashdot. I've got this little checkbox that lets me disable advertising, probably because of good karma. I haven't checked it yet, because showing the ads might benefit Slashdot financially and because they haven't been annoying. This may be changing.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  12. evil Cananadianers! by Anonymous Coward · · Score: 1

    I never wanted to do this in the first place!
    I... I wanted to be... A LUMBERJACK!

  13. CRA is full of BS by Anonymous Coward · · Score: 0

    I am withholding judgment until actual facts are known.

    Would not at all be surprised if CRA was previously owned then used "heartbleed" and this kid (who I suspect actually did run a heartbleed probe of some kind) as cover or the most convenient explanation out of incompetence.

    Don't see how anyone can anyone trust them after BS PR statement they posted to their site when they would have known at that time they were compromised.

  14. Honeypot by mfh · · Score: 1

    I've talked to an accountant about this and we're both convinced this was an RCMP sting. They announced there was a vulnerability on their website about six hours before they patched it. That's either totally stupid and insane, or it was a police sting and they were just waiting to see who would be stupid enough to try and break in through the open door. Please have a seat.

    --
    The dangers of knowledge trigger emotional distress in human beings.
    1. Re:Honeypot by Anonymous Coward · · Score: 0

      Well, if you talked to an accountant about it then it's solid

    2. Re:Honeypot by Anonymous Coward · · Score: 0

      Solid gold, dandelion! See you on the inside.

  15. Fox has a better headline by hessian · · Score: 1

    Police say Canadian man used Heartbleed virus to steal personal info

    Other than the fact that they misidentify an exploit as a virus, you're telling me that Fox News has a better headline?

    Fox News, that I'm told like the Daily Mail in UK is nothing but a tabloid that no one serious reads? And that's supposed to be completely unrelated to it being one of only a few media sources that are right-wing?

    Do tell.

    --
    Futurist Traditionalism
  16. Poor analogy by Anonymous Coward · · Score: 1

    This is more like making a copy of the old credit card carbon copy slips; it doesn't appear to have any effect on the credit card itself, however it can be used for fraudulent purposes. In Canada, the SIN (Social Insurance NUMBER), is used by CRA, banks and potential employers, which means that being able to associate name, address, and SIN renders the information ineffective as a private/unique identifier.

  17. Calling people paranoid to silence them by hessian · · Score: 1

    Overly paranoid original poste

    NSA isn't spying on Americans. You disagree? You're overly paranoid.

    That's a common tactic used by Communists and other totalitarians to silence dissent.

    Oh wait, I see:

    It's not about what you think, it's about how you treat other people and how you deal with being, quite legitimately, associated with a set of actions (whatever the motive) that many find offensive.

    That's from your journal where you as an apologist for censorship endorse the idea of firing people for having "offensive" opinions.

    I think you have mental health problems in addition to a serious lack of moral fortitude.

    --
    Futurist Traditionalism
    1. Re:Calling people paranoid to silence them by squiggleslash · · Score: 1

      I thought we'd moved on past the putting words in people's mouths BS.

      1. The paranoia in the original post that I was refering to was the notion that the Canadian press had concocted a headline with the intention of providing a world wide news story that would make everyone think that Heartbleed isn't a story. I don't know where the fuck you get any other interpretation from.

      2. I haven't apologized for censorship anywhere, neither in the comment you quote, nor anywhere else. The fact you think that Eich was targeted for his views rather than for being an ass about them doesn't make it true, it just makes you another idiot who puts their fingers in their ears and cries "la la la" when anyone tries to explain the truth to them.

      Actually refusing to listen to what someone has to say is one thing. Inventing an entire story about what you wish they said and believed isn't just arrogant, it's a sign of a serious mental problem. Get help.

      --
      You are not alone. This is not normal. None of this is normal.
  18. Different laws for different people by Hamsterdan · · Score: 1

    Meanwhile, government agencies use the same exploit without any fear of retaliation (even buys them with your money)

    http://www.wsws.org/en/article...

    --
    I've got better things to do tonight than die.
  19. Still far too ambiguous by brunes69 · · Score: 1

    IE, a polling organization conducts a poll for a vendor with a cost of one million dollars to the vendor to see which is the preferred widget, X or Y. Then, some third party comes along and points out a flaw in their testing methodology, thus invalidating all of the collected data.

    That third party has "rendered that data meaningless, useless, or ineffective" and thus could be found guilty under this statute as worded.

    This is just off the top of my head with 5 seconds thinking on it, I am sure many many such scenarios could be created. Data is not the same as physical property, you can't just take a property law and replace the word "property" with "data" and expect it to make sense (see the original "mischief" section above in the law).

    Whoever got this on the books should be drawn and quartered.

    1. Re:Still far too ambiguous by compro01 · · Score: 1

      Whoever got this on the books should be drawn and quartered.

      That would be Mulroney. "Mischief in relation to data" was added to the criminal code by the Criminal Law Amendment Act, 1985.

      --
      upon the advice of my lawyer, i have no sig at this time
  20. Eric Snowden did. by mmell · · Score: 1

    (n/t)

  21. early attack by manu0601 · · Score: 1

    He attacked early. Did he wrote the attack tool himself? Or did he received it from someone else?

    1. Re:early attack by Anonymous Coward · · Score: 0

      he's a computer science major and his dad is the computer science professor at his university.

      he came in first place in some secondary school programming comps, so safe bet is he had early warning and skillz.

      the odd part is the early detection, "spotted by network-monitoring tools that capture and analyze transiting data packets".

      is this the first hint of operation PRISIMAPLE up and running in the land of the "snowed in" people?

  22. Security agencies told the CRA by kbahey · · Score: 1

    According to the statement on the CRA web site, it was security agencies that told the CRA that 900 SINs were stolen:

    Regrettably, the CRA has been notified by the Government of Canada's lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period. Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability. We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed.

    So, are the security agencies monitoring traffic to government web sites, so that they are so specific? What else are they monitoring?

    --
    2bits.com, Inc: Drupal, WordPress, and LAMP performance tuning.