Teen Arrested For Using Heartbleed To Get Canadian Taxpayer Info; Did Nothing To Hide Himself
from the that-didn't-take-long dept
One of the most high profile victims of the Heartbleed vulnerability was the Canadian tax service, Canada Revenue Agency, which shut down its online tax filing offering. A few days later, the agency admitted that about 900 Canadians had information copied from the site via someone exploiting the vulnerability, prior to the site being shut down. And, from there, it was just a day or so until it was reported that a teenager, Stephen Arthuro Solis-Reyes, had been arrested for the hack.

Given the speed of the arrest, it would not appear that Solis-Reyes did very much to cover his tracks. In fact, reports say he did nothing to hide his IP address. He's a computer science student -- and his father is a CS professor, with a specialty in data mining. It seems at least reasonably likely that the "hack" was more of a "test" to see what could be done with Heartbleed and (perhaps) an attempt to show off how risky the bug could be, rather than anything malicious. It will be interesting to see how he is treated by Canadian officials, compared to say, the arrests of Aaron Swartz and weev.
Reader Comments
That's a big assumption to make, and it misses the point.
The act of exploiting the tax service to get sensitive information is malicious in and of itself.
There are test servers that people have put up for people to test out the heartbeat bug. The kid should've used those servers instead.
Ask server.
Server sends you information.
It's a bug or in other words a "publicly available feature", not a hack or an exploit.
"exploiting a bug" is a really loaded statement.
"Using a feature" or "exploiting a bug" are synonymous in this case.
Re:
Go up to a man who works for the Tax service.
Stop exploiting the tax service?
Saying "Hi" is illegal?
Did they arrest the tax service for giving out the info?
Re: Re:
Whichever way you excuse it, the kid was exploiting a known vulnerability to get confidential private information. If he wanted to run a test, he should have done it on a test server or a server he owned. By accessing confidential private information without permission, he broke the law. Since the vulnerability was already public, he doesn't even have the moral high ground of white hat hacking to hide behind.
Re: Re: Re:
LOL
"accessing confidential private information without permission, he broke the law."
A) He was given it. (information stored in ram)
B) There could have been anything in that ram.
C) The people who gave him it are relevant.
"Inadvertently" .... you said it yourself. "a bug was responsibly for inadvertently giving away information".
Leads to the question. Who had the bug?
Look, I agree that the morality is questionable. The information was sensitive. It was an unwanted feature/bug. However, to ignore the glaring "who dun it" because of that is plain ignorant to the facts. The tax office gave out information. THEY DUN IT.
Heaven forbid we hold the tax office accountable for not donating to openssl and dictating/securing the wanted features in it.
To blame some kid for using it is an applauding "pass the buck" scenario.
They had a feature, someone used it. It's their fault. It's that simple.
FFS, you had WHAT feature?
You better remove that feature you asshole.
meh... don't say it. Direct your anger at some kid stupid enough to use the feature. Like he is the worst type of person that could have used THEIR feature.
Re: Re: Re: Re:
Sorry, but there's no excuse here, any more than there would be an excuse for you using a password someone accidentally emailed you. The security error does not excuse its deliberate exploit, unless doing so is a proof of concept to notify those affected. The affected were already informed, so no go.
While I do support arguments suggesting the CRA is to a degree liable, we are to believe they shut down their servers "as soon as the risk was known," greatly mitigating their culpability.
As for the young man, what if we discovered a flaw in trousers which allowed wallets to fall from their back pockets with minimal effort from a passerby? There are then several options, including:
A) Walk past a potential victim, doing nothing.
B) Trigger the wallet drop but do nothing.
C) Trigger the wallet drop, advise the victim their wallet just dropped.
D) Trigger the wallet drop, keep the wallet, do nothing.
E) Trigger the wallet drop, use the wallet contents.
I'm thinking we're looking at "D", which suggests an intentional act to trigger the event, followed by one of questionable ethics - why keep the wallet? Why keep 900 wallets? Even with the intention of returning them, it would be grossly inappropriate (bordering on plainly stupid) to collect 900 wallets THEN say, "oh, don't worry, I was planning to return them all."
While stupidity isn't illegal ("You can't fix Stupid,") it can surely put you in the hot seat, and so it should, to hopefully curb future stupid acts by an accused or anyone watching.
My 2c.
-e
Re: Re: Re: Re: Re:
This is like when they found those expensive locks used by the government had a flaw where they could be shorted out with a paper clip.
It's as if he went to a government installation and used the paperclip trick to break into the tax records office. He saw some files sitting on the desk so he just took those, having no idea of what he just took.
Nobody would look at that in the real world as innocent.
Re: Re: Re: Re: Re:
One may not access a system without authorization and walk away without "doing something wrong." Sometimes authorization is implicit, sometimes explicit, but it either exists or does not exist and may be dependent upon certain system objects. As an example, I'm authorized to access Techdirt's articles and comment sections, but attacking the backend or using the administration console would be unauthorized. I doubt the subject was authorized to use the system in the way he did. He certainly wasn't intended to do so by the system architects or administrators.
To go back to a prior example, weev, the authorization to access the data was assumed by others to have existed in an implicit fashion due to the semi-public nature of the web, however I believe that assumption is flawed. Regardless of how poorly secured a system may be, or how simple the exploitation is, accessing parts of a system (including data stored therein) not meant to be accessed by a given user is intrusion. weev may have been let off after some (well deserved, even if only for other reasons) time served, but I don't believe he should have been.
"Undetectable"
In fact, someone connecting to a web site with a weird access pattern, like hitting the home page 10,000 times but never going to a sub-page, is going to throw a giant red flag on a financial site.
The comedy never stops at Techdirt.
Re: Re: Re: Re: Re:
It's like walking up to a locked door. Ringing the doorbell and then more stuff or different stuff is given to you by the owner, than should be given.
They give you the wrong stuff.
Just because someone doesn't want that to happen when you ring a doorbell doesn't mean that ringing the doorbell is illegal.
If anything, it's more like fraud via deception. Definitely not stealing.
Heartbeat is a Keepalive function.
If your connection drops part of a packet during the keepalive process you too could be "exploiting heartbleed".
Son of a Computer Scientist
- The police raided his home, and seized computer equipment, but apparently did not arrest him at that time.
- He was told to 'voluntarily' show up at the police station or else the police would very publicly humiliate him by arresting him in the middle of his exams.
- When he did show up at the police station, his lawyer was not permitted to see his client for six hours.
http://www.lfpress.com/2014/04/16/london-teen-charged-in-heartbleed-breach-of-taxpayer-data
This case has enough irregularities that I would not trust anything the police say unless there is some supporting evidence. It sure looks to me like the authorities are getting desperate to convict a 'dangerous hacker' to distract attention from the fact that there was a major security flaw in the government's computer systems.
Re: Re: Re: Re: Re:
I'm also not trying to make excuses. Blaming this kid is making excuses for the ones who had the feature that could be triggered inadvertently via normal use and a mildly temperamental internet connection.
The kid shouldn't have done it. I was clear on that.
He isn't the problem here. The retards who had that feature are. They should have been supporting openssl etc...
Misdirected anger?
They will try to make an example of him while the retards will get all the sympathy because they accidentally gave him stuff. Ignore that they were the ones who gave it out. Hang the fucking kid?
I disagree based on what I see as the ignorance of who the real culprits are. Yeah, the kid should probably get some light punishment. The tax office should get the same and be forced to donate to all the open source code projects that it uses.
Re: Re: Re: Re: Re: Re:
The "bug" is that when you send a packet, it sends a same sized packet back...Without it authenticating things.
This scenario is possible. (part of the keep alive process)
send a packet
>>>>>>>>> packet is lost due to bad internet connection (it happens)
You tell the server the packet was 64k
>>>>>>>>> server sends back 64k from ram
Accidental heartbleed "exploit", via proper and "authorized" usage.
Re: Re: Re: Re: Re: Re:
Actually you cannot, while UDP does no error correcting, it does do error detecting, length and checksum validation, and silently drops any packets that fail the checks. Therefore if the packet is truncated by the network you do not receive a response. Its exploitation requires deliberate generation of a packet that tells lies about the length of the string within the shorter, but accurately given, packet length, along with a checksum for the packet. This is extremely unlikely to occur by accident.
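The length check that the two comments above (the "send a packet, claim 64k, get 64k back" walk-through and the reply about lying length fields) are arguing over, as an added C example that is neither OpenSSL's code nor anything posted in this thread: a toy heartbeat handler before and after the one-line bounds check, run against a constructed record that declares a 64-byte payload while carrying 2 bytes, with a constructed string standing in for whatever happens to sit next to the record in memory. The RFC 6520 record layout is assumed; everything lives in fixed in-process buffers, so nothing touches a network.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Heartbeat record body (RFC 6520): type (1) | payload_length (2, big-endian) | payload | padding (>=16) */
#define HB_HDR 3
#define HB_PAD 16
/* Pre-fix behaviour: trusts the peer-supplied payload_length and copies that many bytes
 * from the payload position, however long the received record really is. */
size_t heartbeat_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap) {
    (void)rec_len;                                   /* the bug: the real length is never consulted */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > cap) return 0;
    memcpy(out, rec + HB_HDR, claimed);              /* over-reads whatever sits after the record */
    return claimed;
}

/* Post-fix behaviour: the declared length must fit inside the received record (the check
 * OpenSSL 1.0.1g added); a record that lies about its length is silently discarded. */
size_t heartbeat_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap) {
    if (rec_len < HB_HDR + HB_PAD) return 0;         /* too short to even hold a header and padding */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + claimed + HB_PAD > rec_len) return 0; /* declared length exceeds the packet: drop */
    if (claimed > cap) return 0;
    memcpy(out, rec + HB_HDR, claimed);
    return claimed;
}
/* Constructed demo memory: a 21-byte record that claims a 64-byte payload but carries 2 bytes,
 * followed by a constructed string standing in for unrelated data adjacent to it in RAM. */
static const char SECRET[] = "SIN=000-000-000 (constructed)";
static size_t build_memory(uint8_t *mem, size_t mem_len) {
    memset(mem, 0, mem_len);
    mem[0] = 0x01; mem[1] = 0x00; mem[2] = 0x40;    /* heartbeat request, payload_length = 64 */
    mem[3] = 'h'; mem[4] = 'i';                      /* the real 2-byte payload */
    memcpy(mem + HB_HDR + 2 + HB_PAD, SECRET, sizeof SECRET);
    return HB_HDR + 2 + HB_PAD;                      /* bytes actually received: 21 */
}
/* Runs one handler over the constructed memory; returns the reply length and fills out. */
static size_t run(int checked, uint8_t *out, size_t cap) {
    uint8_t mem[128];
    size_t rec_len = build_memory(mem, sizeof mem);
    return checked ? heartbeat_checked(mem, rec_len, out, cap) : heartbeat_unchecked(mem, rec_len, out, cap);
}
size_t unchecked_reply_len(void) { uint8_t out[128]; return run(0, out, sizeof out); }   /* 64 */
size_t checked_reply_len(void)   { uint8_t out[128]; return run(1, out, sizeof out); }   /* 0 */
int unchecked_leaks_secret(void) {                /* adjacent data shows up in the unchecked reply */
    uint8_t out[128];
    size_t n = run(0, out, sizeof out);
    return n >= 2 + HB_PAD + sizeof SECRET && memcmp(out + 2 + HB_PAD, SECRET, sizeof SECRET) == 0;
}
```

The point the second comment makes is visible in `heartbeat_checked`: the lower-layer length of the record is trusted, the field inside it is not, and a mismatch between the two is what the fixed code refuses.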
For one, how could a computer science student be so foolish as to pick a government tax return website to carry out his 'tests'. It's amazing he was foolish enough to lead the Canadian Mounties right to his doorstep.
I guess just because you're a data mining Zuckerberg, with a degree in Computer Science, doesn't make you a network protocols expert.
Re:
Assuming Solis-Reyes did not have nefarious intentions is not such a big assumption when one takes his history into account.
From: http://www.washingtonpost.com/news/morning-mix/wp/2014/04/17/the-first-suspected-heartbleed-hacker-has-long-history-of-hacking/?tid=hp_mm
“This kid, when he was in high school was in the top of his class. He was extremely gifted. So he sent a letter to the [London District Catholic School Board in Ontario] indicating that their school system was susceptible to hacking.” The attorney said the school officials were nonplussed. “They said they’d like to test it themselves. He was a quote computer nerd unquote and they didn’t take him seriously.” So the 14-year-old, Joseph claims, went into the computer system and found “all the confidential information.” But then, right when things could have turned criminal, Joseph said his client stopped. “He could have changed everything, and changed nothing,” Joseph said.
This article doesn't expound the problems with laws concerning unauthorized computer access but it is not missing the point either. I don't know what the penalties are in Canada for unauthorized use of a computer but in the U.S. the CFAA is a one-size-fits-all law where any unauthorized access has a maximum penalty of five years in prison. There is a wide range of criminality lumped together as violations of this law and it includes white, or gray, hat hackers who exercise an exploit simply to prove it was possible. Even with the best intentions, if such a hacker accesses a computer they don't have permission to access, the penalty is 5 years in prison. The law against unauthorized access should not have such a draconian penalty. The heavy penalties should apply to those who exhibit more nefarious intentions by also committing fraud or theft based on the information they illicitly acquired.
Re: Re: Re: Re: Re: Re: Re:
Of course I over simplified the explanation. I think that half a sentence of explanation should have made that obvious.
"Extremely unlikely to occur by accident" is still possible and considering the probable trillions+ of times per day that the "function" is used. Even if it happened once per billion, with those figures it would be exploited 1000 times per day.
UDP keepalives are set at 30 second intervals or so.
eg of scale: 5,922,000,000 google searches per day in 2013.
A trillion keepalives a day is probably a gross underestimation.
Re:
Explain...
Re:
=P
Re: Re:
So they will still get their tax credits, but not in time for Easter.