I'm not sure if this is the first arrest. But it's the first I've heard of. In my town no less.
quote: The lawyer of a 19-year-old London, Ont., man charged with exploiting the Heartbleed bug to steal over 900 SIN numbers says his client has been devastated by the arrest.
Stephen Arthuro Solis-Reyes, a student at Western University and the son of Roberto Solis-Oba who teaches computer science at Western, was arrested late Tuesday afternoon. The RCMP says Solis-Reyes is charged with one count of unauthorized use of a computer and one count of mischief in relation to data.
The kid was probably just doing it to test if it was actually possible once he found out how to do it. I think they will also use that as his defense (no malicious intent). Since he accessed the CRA's system from his home PC/IP, he is obviously not a "professional" so if I was one of those 900, I'd feel slightly comforted by that fact.
He will be made an example of. This falls into the category of "Wanna see something cool? Here. Hold my beer..." Bad decision with serious consequences.
The bug may leave no trail, but anything upstream of that server that actively monitors the network would have captured/logged the traffic. An attack like this would have represented more than just a few minutes of traffic - more likely this computer was repeatedly making requests (attacking) over an extended period of time, all from the same IP.
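The upstream logging described above, as an added example that is not part of the original thread: a Python sketch that scans captured TLS byte streams for heartbeat requests (record type 24, RFC 6520) whose claimed payload length exceeds what the record actually carries, and counts them per source IP. It assumes the heartbeat records were captured unencrypted; the flows, IP addresses and threshold are constructed for illustration.

```python
import struct
from collections import Counter

HEARTBEAT = 24      # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST = 1      # heartbeat message type: request
MIN_PADDING = 16    # RFC 6520 requires at least 16 bytes of padding

def parse_records(stream: bytes):
    """Yield (content_type, body) for each complete TLS record in a stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, off)
        body = stream[off + 5: off + 5 + length]
        if len(body) < length:
            break  # truncated capture, stop parsing this stream
        yield ctype, body
        off += 5 + length

def is_overlong_heartbeat(body: bytes) -> bool:
    """True when a heartbeat request claims more payload than the record holds."""
    if len(body) < 3 or body[0] != HB_REQUEST:
        return False
    (claimed,) = struct.unpack_from("!H", body, 1)
    return 1 + 2 + claimed + MIN_PADDING > len(body)

def suspicious_sources(flows, threshold=3):
    """Map source IP -> count of overlong heartbeats, for IPs at or above threshold."""
    hits = Counter()
    for src_ip, stream in flows:
        for ctype, body in parse_records(stream):
            if ctype == HEARTBEAT and is_overlong_heartbeat(body):
                hits[src_ip] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

def _record(ctype: int, body: bytes) -> bytes:
    """Build a constructed TLS 1.1 record for the sample data below."""
    return struct.pack("!BHH", ctype, 0x0302, len(body)) + body

# Constructed sample capture (documentation-range IPs, not real traffic).
_HANDSHAKE = _record(22, b"\x01" * 40)
_WELL_FORMED = _record(HEARTBEAT, b"\x01\x00\x04ping" + b"\x00" * MIN_PADDING)
_OVERLONG = _record(HEARTBEAT, b"\x01\x40\x00")  # claims 16384 bytes, carries none
SAMPLE_FLOWS = (
    [("198.51.100.20", _HANDSHAKE + _WELL_FORMED)]
    + [("203.0.113.7", _HANDSHAKE + _OVERLONG)] * 4
)

if __name__ == "__main__":
    print(suspicious_sources(SAMPLE_FLOWS))
```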
I'm torn on this as how the fuck are sites or whatever going to find out about holes unless someone tries to use the damn holes in the first place?
Hell, even if he did find the hole, tried it to see if it worked, and he wrote the government, he could still face charges; to me that is dumb. Now this kid, no idea if he wrote anyone or did it for shits and giggles.
He should have to face consequences for his actions. If the bank leaves the vault door open, I steal the money and I get caught, I still have to face the consequences for stealing, even if the bank wasn't too bright.
That being said I hope they don't throw the book at him. Might do some good to give him a hefty number of community service hours helping charities with their computers.
The kid was probably just doing it to test if it was actually possible once he found out how to do it. I think they will also use that as his defense (no malicious intent).
No malicious intent?
Malice is not a prerequisite for an offence to be committed or a finding of guilt or innocence. All that is necessary is that he intended to do some prohibited thing. He intended to steal data. He did. That's it. And by the looks of him, he'll have flowers and candy bars waiting for him in his new digs.
Unlike ruddypict, I hope they crucify the little bastard.
Even if he was "just a kid" with no malicious intent, they have no choice but to throw the book at him. If they don't, every other idiot will think it's OK.
The kid was probably just doing it to test if it was actually possible once he found out how to do it. I think they will also use that as his defense (no malicious intent).
No malicious intent?
Malice is not a prerequisite for an offence to be committed or a finding of guilt or innocence. All that is necessary is that he intended to do some prohibited thing. He intended to steal data. He did. That's it. And by the looks of him, he'll have flowers and candy bars waiting for him in his new digs.
Unlike ruddypict, I hope they crucify the little bastard.
Mike
If what has been published thus far is true, I wouldn't consider this a case of a malicious hacker. I'd consider this more of a case of a dumbass kid trying something out.
If he had gotten caught with the intent to sell those SINs or other data, that would have shown a malicious intent. If he had a big plan or had been waiting to nail CRA for some time, this would have also shown malicious intent. However he didn't even try to hide his identity, which definitely proves dumbass intent.
Don't get me wrong, if he was selling the SINs I'd be right there with you Mike. In fact if news comes out that he was trying to, I'd happily hold the cross while you nail him to it.
Is intent important in law? Well, there is a reason why we have first/second degree murder & manslaughter. All are about the same thing but they all deal with different kinds of intent.
Sorry... No, he ran a script against a server. There's nothing smart about that at all. In fact, he ran it from his home IP (really stupid), and he didn't think that the CRA would be able to replay his attack (double stupid). I'm sorry, the kid is a complete idiot/fucktard.
If what has been published thus far is true, I wouldn't consider this a case of a malicious hacker. I'd consider this more of a case of a dumbass kid trying something out....
In this case, no it doesn't. If they don't throw the book at him, every idiot out there will think it's OK to probe servers at will, regardless of the intent.
This isn't an honest mistake, he targeted the CRA, he targeted something that was of high value, regardless of what his intentions were to do with the content.
Sorry... No, he ran a script against a server. There's nothing smart about that at all. In fact, he ran it from his home IP (really stupid), and he didn't think that the CRA would be able to replay his attack (double stupid). I'm sorry, the kid is a complete idiot/fucktard.
I see it as akin to stepping in a dog turd.
The embarrassment of being told you stink, and the trouble getting it off your shoe is prob'ly enough consequence.
Once again, intent.
They can throw the book, but the charge will and should be bargained downward.
He could not have picked a worse bug to exploit, time, government agency, website and type of data to collect. Guaranteed a high profile public response, law enforcement involvement and major interest by news agencies.
A few years ago security breaches of private data might have been hidden but now must be disclosed. Even delaying disclosure over the weekend at the request of the RCMP for investigative purposes has been questioned.
In this case, no it doesn't. If they don't throw the book at him, every idiot out there will think it's OK to probe servers at will, regardless of the intent.
This isn't an honest mistake, he targeted the CRA, he targeted something that was of high value, regardless of what his intentions were to do with the content.
That doesn't make a whole lot of sense. Perhaps you've never heard of Mens Rea in the context of Canadian law?
It's like someone going into a jewelry store and taking a necklace out without paying and saying "I did it to see if I could, and anyway, I was going to put it back". He will be charged with theft. The reasoning is that he did not have permission from the owner to remove it.
In the case of the theft of the SINs, even though he COULD take them, he didn't have the permission to do so. He didn't have the permission to access the CRA computers.
His intent is irrelevant in this case, because the initial action of breaking into the CRA site IS the intention. This is the opposite of killing someone when your shotgun accidentally fired. Intention matters.
Actually thanks for bringing up theft as an example. Theft is a crime where you would need to establish Mens Rea. So yes, intent in this case is very important.
Actus reus = "Was a crime committed" (which is why for example, in a murder case, having a body is SO important in Canada)
mens rea = "did he intend to commit the crime"
So, our guy here was charged with unauthorized use and mischief (which sounds very non-serious, but in the legal world can indeed be a very serious crime)
Unauthorized use ... actus reus ... dead easy just look at connectivity logs; mens rea ... unauthorized use is not something you'd do by accident.
Mischief ... actus reus ... similarly dead easy a database of SINs was accessed by logs; mens rea ... the fact that he looked at SINs said he knew he was doing it since they are the key.
There are probably many other crimes that he could be charged with, but for those, proving actus reus and mens rea gets much harder.
Let's be sensible about this. If it's proven that he did not intend to sell the SIN numbers and was not part of an organized group that was planning on profiting from this, then there's no real crime.
Why would anyone advocate throwing the book at him? Let's go after the real criminals. The ones who inflict harm on others, not some kid who might have only been experimenting to see if he can exploit the bug out of curiosity.