Slashdot Mirror


RCMP Arrest Canadian Teen For Heartbleed Exploit

According to PC Mag, a "19-year-old Canadian was arrested on Tuesday for his alleged role in the breach of the Canada Revenue Agency (CRA) website, the first known arrest for exploiting the Heartbleed bug. Stephen Arthuro Solis-Reyes (pictured) of London, Ontario faces one count of Unauthorized Use of Computer and one count of Mischief in Relation to Data." That exploit led to a deadline extension for some Canadian taxpayers in getting in their returns this year. The Register has the story as well. The Montreal Gazette has some pointed questions about how much the Canadian tax authorities knew about the breach, and when.

21 of 104 comments

  1. Good. by jellomizer · · Score: 5, Insightful

    I for one welcome arresting people who seem to think it is a good idea to enter someone's home just because they didn't get to update all their locks on their home.

    Sure it is easy to update your PC, but if you have a mission critical application running, you need to make sure you take all the right steps even with the security vulnerability to make sure it doesn't go down.
     

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:Good. by Anonymous Coward · · Score: 2, Funny

      >I for one ...

      Can we somehow stop the "I for one" lead-ins on /.? I for one would welcome the change.

    2. Re:Good. by parlancex · · Score: 2

      Sure. I'd agree with that.

      What I wouldn't agree with however would be blood-seeking legislation that does not carefully factor in the disparity in the actions taken by computers and their owners. There's a reasonable debate to be had about responsibility and negligence, but proving beyond reasonable doubt that the attack was actually perpetrated by Mr. Roger B. Jones, with intent, is much harder than proving an attack originated from an IPv4 block assigned to his ISP, and possibly allocated by DHCP at that time to a modem currently registered to an account owned by Mr. Roger B. Jones. My worry is that the courts probably won't care, and that's a dangerous path and I'd dare you to throw the first stone.

    3. Re:Good. by Anonymous Coward · · Score: 5, Funny

      Ok, thanks for that, we have the moderate perspective covered. Anyone feel like voicing a hard line?

    4. Re:Good. by neoform · · Score: 4, Insightful

      >I for one welcome arresting people who seem to think it is a good idea to enter someone's home just because they didn't get to update all their locks on their home.

      I think your example is a bit too gentle.

      This is more like someone kicking your locked front door down and pointing out that your door isn't strong enough to prevent someone from kicking it down.

      The system was "locked" for all intents and purposes, as best the system administrators knew how to lock it. It wasn't because they were lazy or forgot, they just didn't know the door had any weaknesses.

      --
      MABASPLOOM!
    5. Re:Good. by Anonymous Coward · · Score: 2, Insightful

      Guys, a "system" is not a physical door, there is no material damage, you can load it back right up. Also, piracy isn't stealing, it's copying. Get a grip on the metaphors, I'm sick of hearing people like you all the time. You are the reason you can go to jail for decades over using a keyboard.

  2. Re:And how about the CRA? by Godai · · Score: 5, Informative

    The Montreal Gazette article covers that. They asked a computer security consultant and he said the 24-hour delay was pretty reasonable given the impact taking down the site would have on people given the timing (tax season); not so much that they waited before doing it so much as it was a reasonable time to discuss it and come to a decision. So my guess is that no one will get burned over that.

    The real questions are fairly simple: when did the breach occur, and how did they know? Also, how did they know 900 SIN numbers were taken and how do they know more weren't? None of these are necessarily conspiracy-esque questions, but they're relevant. Though it sounds like the CRA may not be at liberty to say anything about some (or any) of that, having been asked by the RCMP not to while they firm up charges.

    --
    Wood Shavings!
    - Godai
  3. Script Kiddy by RichMan · · Score: 3, Insightful

    Ah the brilliance of youth -
    "I have a script for an exploit"
    "I can try it against the tax man"
    "I won't get caught"
    "I'm not going to use the results so no-bad"

    "Hey what's with the cuffs!"

  4. Story important for pacifying headlines by hessian · · Score: 3, Insightful

    Here in USA it's being reported this way:

    "Heartbleed hacker caught in Canada"

    Translation:

    Media sheep, go back to sleep. We caught THE hacker responsible for Heartbleed, thus it can fall into the memory hole. Any concerns you may have about your fellow citizens, their business interests or governments monitoring you, or perhaps about the general competence of software development (!!!) can also go back to sleep.

    Sleep, sleep my lovelies. Tomorrow there is obedience at school/job, and then shopping and sexy videos on the internet. Sleep, sleep.

  5. Mischief in Relation to Data by dcollins117 · · Score: 4, Funny

    I like the name of the "Mischief in Relation to Data" charge. It sounds vague enough it could mean just about anything.

    Heck, this might even be on my resume, I'll have to check.

    1. Re:Mischief in Relation to Data by compro01 · · Score: 4, Informative

      It does have a somewhat specific legal meaning.

      (1.1) Every one commits mischief who wilfully
              (a) destroys or alters data;
              (b) renders data meaningless, useless or ineffective;
              (c) obstructs, interrupts or interferes with the lawful use of data; or
              (d) obstructs, interrupts or interferes with any person in the lawful use of data or denies access to data to any person who is entitled to access thereto.
      ...
      (5) Every one who commits mischief in relation to data
              (a) is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years; or
              (b) is guilty of an offence punishable on summary conviction.

      --
      upon the advice of my lawyer, i have no sig at this time
    2. Re:Mischief in Relation to Data by wonkey_monkey · · Score: 4, Funny

      It won't go anywhere. They'll let him plea bargain to Second-Degree Shenanigans and that'll be the end of it.

      --
      systemd is Roko's Basilisk.
    3. Re:Mischief in Relation to Data by gregmac · · Score: 2

      That's an interesting wording. It does seem like a pretty flimsy charge for what actually happened. A copy of the data (SIN numbers) was read from memory. CRA could continue to use that data to process tax returns (or whatever other purpose) regardless of if the data was read or not. The language is around "denied access to a person entitled" as opposed to "granted access to a person NOT entitled" (which is really what happened).

      Analogy.. Going into your house and stealing your TV interrupts your ability to watch TV, and alters the state of your house. On the other hand, peeking through your window and taking a picture of your TV does not prevent you from watching TV, and does not change the state of your house. In fact, if you didn't catch me in the act, you'd never even know it happened (just like Heartbleed), and if you didn't know cameras could take pictures through windows you wouldn't even think about this happening (just like before Heartbleed was disclosed). It does not make it right at all, but it also doesn't even remotely seem to align with the definition of "Mischief in Relation to Data".

      --
      Speak before you think
  6. Re:LOL CANADA LOL by Russ1642 · · Score: 5, Interesting

    You guys will never understand the RCMP. They're probably one of the last competent police forces on the planet, and the vast majority of Canadians respects them. Our city or provincial police forces on the other hand...

  7. "The Register has the story as well" by xxxJonBoyxxx · · Score: 2

    >> The Register has the story as well

    Duh - the Register is where most of us read the story so we'll know what to write when the same news appears on Slashdot tomorrow.

  8. Re:LOL CANADA LOL by Anonymous Coward · · Score: 2, Funny

    No one expects the RCMP, their two chief weapons are surprise and strangely competent horses!
    and stylish hats
    Their three chief weapons are surprise, strangely competent horses, stylish hats and a fanatical devotion to the laws of Canada.
    Their four... hang on a second, I should just do the entrance again.

    (I'd continue, but that's about all I know about the RCMP, my knowledge greatly inspired by the old Dudley Do-Right cartoons.)

  9. Re:And how about the CRA? by Anonymous Coward · · Score: 2, Interesting

    >The real questions are fairly simple: when did the breach occur, and how did they know? Also, how did they know 900 SIN numbers were taken and how do they know more weren't? None of these are necessarily conspiracy-esque questions, but they're relevant. Though it sounds like the CRA may not be at liberty to say anything about some (or any) of that, having been asked by the RCMP not to while they firm up charges.

    Full packet capture, probably. Just record all traffic (or only traffic to port 443) and then grep through it. All the common Heartbleed scripts don't bother setting up the encryption, just begin the handshake, fire off an unencrypted heartbeat request, get unencrypted response and disconnect. They could then dig through responses and find which accounts got leaked.

    Or maybe even without raw traffic capture - suspicious activity on port 443 + everyone who accessed their accounts in that timeframe.
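
The capture-review idea in the comment above, as an added example that is not part of the original thread: it walks the TLS records a client sent on one connection and flags heartbeat records that arrive in plaintext before the handshake finishes, including requests whose claimed payload length exceeds what the record holds (the RFC 6520 bounds check). It assumes the client-to-server bytes have already been reassembled from the capture; all function names are hypothetical and the sample streams are constructed.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC, HEARTBEAT = 22, 20, 24  # TLS record content types
HB_REQUEST = 1       # heartbeat message type (RFC 6520)
MIN_PADDING = 16     # RFC 6520 requires at least 16 padding bytes

def tls_records(stream):
    """Yield (content_type, body) for each complete TLS record in a byte stream."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        body = stream[pos + 5:pos + 5 + length]
        if len(body) < length:   # truncated capture: stop instead of guessing
            return
        yield ctype, body
        pos += 5 + length

def suspicious_heartbeats(client_stream):
    """Return [(record_index, [reasons])] for heartbeats sent before encryption starts."""
    findings, encrypted = [], False
    for index, (ctype, body) in enumerate(tls_records(client_stream)):
        if ctype == CHANGE_CIPHER_SPEC:
            encrypted = True     # later records are ciphertext and cannot be inspected
        elif ctype == HEARTBEAT and not encrypted:
            reasons = ["plaintext heartbeat before handshake completed"]
            if len(body) < 3:
                reasons.append("heartbeat shorter than its 3-byte header")
            elif body[0] == HB_REQUEST:
                claimed = struct.unpack_from("!H", body, 1)[0]
                if 3 + claimed + MIN_PADDING > len(body):
                    reasons.append(f"claims {claimed} payload bytes, "
                                   f"record has {len(body) - 3} after the header")
            findings.append((index, reasons))
    return findings

def record(ctype, body, version=0x0302):
    """Build one TLS record (helper for the constructed samples below)."""
    return struct.pack("!BHH", ctype, version, len(body)) + body

# Constructed samples; the handshake bodies are placeholder bytes, not real messages.
SAMPLE_SCAN = (record(HANDSHAKE, b"\x00" * 40)
               + record(HEARTBEAT, struct.pack("!BH", HB_REQUEST, 0x4000)))
SAMPLE_NORMAL = (record(HANDSHAKE, b"\x00" * 40) + record(CHANGE_CIPHER_SPEC, b"\x01")
                 + record(HEARTBEAT, b"\x9a" * 40))

if __name__ == "__main__":
    for name, stream in (("scan", SAMPLE_SCAN), ("normal", SAMPLE_NORMAL)):
        print(name, suspicious_heartbeats(stream))
```

This only sees heartbeats sent before ChangeCipherSpec; a heartbeat inside an established session is encrypted on the wire and cannot be inspected this way.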

  10. Re:And how about the CRA? by Anonymous Coward · · Score: 2, Insightful

    >faces one count of Unauthorized Use of Computer and one count of Mischief in Relation to Data.

    Stuff like this makes me happy to be Canadian.

    He is being charged with what he did, and will probably be given a sentence in line with the severity of his crime. If this happened in the US he'd probably be branded a terrorist and be on his way to gitmo right now.

  11. Re:LOL CANADA LOL by Anonymous Coward · · Score: 2, Interesting

    >You guys will never understand the RCMP. They're probably one of the last competent police forces on the planet, and the vast majority of Canadians respects them.

    You gotta be kidding.

    There was the incident of 4 armed RCMP officers who tasered some poor unarmed schlub FIVE times and killed him:

    http://en.wikipedia.org/wiki/R...

    And they lied about it and tried to cover it up by refusing to release the video.

    Then there was the RCMP officer who kicked Buddy Tavares in the face. Tavares was complying with the police, he was unarmed, and had his hands on the pavement. Oh, and it was recorded on video.

    http://thescottross.blogspot.c...
    http://www.theglobeandmail.com...

    There was the time the RCMP pepper-sprayed hapless protesters who were legally & peacefully protesting so that Suharto, the dictator of Indonesia wouldn't have to see them:

    http://www.cbc.ca/news/canada/...

    And many many more.

  12. Re:LOL CANADA LOL by Russ1642 · · Score: 2

    If you compare their failures to those of other police forces they don't even come close. They're in another league. They may get some publicity but I'd far rather deal with the RCMP than a city cop. The RCMP may have had a few incidents, but city police forces are corrupt from the top down.

  13. Re:LOL CANADA LOL by TechyImmigrant · · Score: 2

    >They're probably one of the last competent police forces on the planet

    Is that because they're mounted or despite their superequine status?
     

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.