dslreports logo
 
    All Forums Hot Topics Gallery
spc
Search similar:


uniqs
1340
graniterock
Premium Member
join:2003-03-14
London, ON

graniterock

Premium Member

First Heartbleed related arrest?

I'm not sure if this is the first arrest. But it's the first I've heard of. In my town no less.
quote:
The lawyer of a 19-year-old London, Ont., man charged with exploiting the Heartbleed bug to steal over 900 SIN numbers says his client has been devastated by the arrest.

Stephen Arthuro Solis-Reyes, a student at Western University and the son of Roberto Solis-Oba who teaches computer science at Western, was arrested late Tuesday afternoon. The RCMP says Solis-Reyes is charged with one count of unauthorized use of a computer and one count of mischief in relation to data.

More:
»www.cbc.ca/news/politics ··· .2612526

Davesnothere
Change is NOT Necessarily Progress
Premium Member
join:2009-06-15
Canada

Davesnothere

Premium Member

 
CBC's 'The National ' news live stream also covered this.

The broadcast is available live at 9PM and 10PM, and later on-demand for up to a day.

»www.cbc.ca/player/

Also likely the individual item clip will be posted there within an hour or two of now.

d4m1r
join:2011-08-25

d4m1r to graniterock

Member

to graniterock
It's going to be the first and only....

The kid was probably just doing it to test if it was actually possible once he found out how to do it. I think they will also use that as his defense (no malicious intent). Since he accessed the CRA's system from his home PC/IP, he is obviously not a "professional" so if I was one of those 900, I'd feel slightly comforted by that fact.
graniterock
Premium Member
join:2003-03-14
London, ON

graniterock

Premium Member

I'm kinda curious how they tracked him down. Some articles I've read basically assert using the bug leaves no log trail.

DKS
Damn Kidney Stones

join:2001-03-22
Owen Sound, ON

DKS to d4m1r

to d4m1r
said by d4m1r:

It's going to be the first and only....

The kid was probably just doing it to test if it was actually possible once he found out how to do it. I think they will also use that as his defense (no malicious intent). Since he accessed the CRA's system from his home PC/IP, he is obviously not a "professional" so if I was one of those 900, I'd feel slightly comforted by that fact.

He will be made an example of. This falls into the category of "Wanna see something cool? Here. Hold my beer..." Bad decision with serious consequences.

ssherwood
Premium Member
join:2002-02-23
Toronto, ON

ssherwood to graniterock

Premium Member

to graniterock
The bug may leave no trail, but anything upstream of that server that actively monitors the network would have captured/logged the traffic. An attack like this would have represented more than just a few minutes of traffic - more likely this computer was repeatedly making requests (attacking) over an extended period of time, all from the same IP.

Semaphore
Premium Member
join:2003-11-18
101010

Semaphore to graniterock

Premium Member

to graniterock
....Leaves no trail in the server logs, but a NetVCR or a Nixsun probe would show this exploit no problem.

TOPDAWG
Premium Member
join:2005-04-27
Calgary, AB

TOPDAWG to DKS

Premium Member

to DKS
I'm torn on this as how the fuck are sites or whatever going to find out about holes unless someone tries to use the damn holes in the first place?

Hell even if he did find the hole tried it to see if it worked and he wrote the government he could still face charges to me that is dumb. Now this kid no idea if he wrote anyone or did it for shits and giggles.

Nitra
join:2011-09-15
Montreal

Nitra

Member

He exploited the bug after it was made public.

And he's a complete fucktard for not thinking that the CRA wouldn't be able to replay his attack.

ruddypict
join:2010-03-24

ruddypict to TOPDAWG

Member

to TOPDAWG
said by TOPDAWG:

I'm torn on this as how the fuck are sites or whatever going to find out about holes unless someone tries to use the damn holes in the first place?

Generally by being told "Version xxx of software yyy is vulnerable, please update". CRA should have patched faster but that still doesn't make it OK.
said by TOPDAWG:

Hell even if he did find the hole tried it to see if it worked and he wrote the government he could still face charges to me that is dumb. Now this kid no idea if he wrote anyone or did it for shits and giggles.

He should have to face consequences for his actions. If the bank leaves the vault door open, I steal the money and I get caught, I still have to face the consequences for stealing, even if the bank wasn't too bright.

That being said I hope they don't throw the book at him. Might do some good to give him a hefty number of community service hours helping charities with their computers.

dillyhammer
START me up
Premium Member
join:2010-01-09
Scarborough, ON

dillyhammer to d4m1r

Premium Member

to d4m1r
said by d4m1r:

The kid was probably just doing it to test if it was actually possible once he found out how to do it. I think they will also use that as his defense (no malicious intent).

No malicious intent?

Malice is not a prerequisite for an offence to be committed or a finding of guilt or innocence. All that is necessary is that he intended to do some prohibited thing. He intended to steal data. He did. That's it. And by the looks of him, he'll have flowers and candy bars waiting for him in his new digs.

Unlike ruddypict, I hope they crucify the little bastard.

Mike

Nitra
join:2011-09-15
Montreal

Nitra

Member

Even if he was "just a kid" with no malicious intent, they have no choice but to throw the book at him.
If they don't, every other idiot will think it's OK.

And... his father is the professor of computer science @ Western...
»business.financialpost.c ··· 611-bc1f

He knew full well he was in the wrong.

Davesnothere
Change is NOT Necessarily Progress
Premium Member
join:2009-06-15
Canada

Davesnothere

Premium Member

 
Mayhaps CRA should HIRE him !

Hackers get hired all of the time by companies/organizations wishing to improve their own security.

Nitra
join:2011-09-15
Montreal

Nitra

Member

I wouldn't hope so, kid is obviously a complete idiot.

Davesnothere
Change is NOT Necessarily Progress
Premium Member
join:2009-06-15
Canada

Davesnothere

Premium Member

 
Nahhh.

Error in judgement is all.

That can be groomed.

He has the smarts.

ruddypict
join:2010-03-24

ruddypict to dillyhammer

Member

to dillyhammer
said by dillyhammer:

said by d4m1r:

The kid was probably just doing it to test if it was actually possible once he found out how to do it. I think they will also use that as his defense (no malicious intent).

No malicious intent?

Malice is not a prerequisite for an offence to be committed or a finding of guilt or innocence. All that is necessary is that he intended to do some prohibited thing. He intended to steal data. He did. That's it. And by the looks of him, he'll have flowers and candy bars waiting for him in his new digs.

Unlike ruddypict, I hope they crucify the little bastard.

Mike

If what has been published this far is true, I wouldn't consider this a case of a malicious hacker. I'd consider this more of a case of a dumbass kid trying something out.

If he had gotten caught with the intent to sell those SINs or other data, that would have shown a malicious intent. If he had a big plan or had been waiting to nail CRA for some time, this would have also shown malicious intent. However he didn't even try to hide his identity, which definitely proves dumbass intent.

Don't get me wrong, if he was selling the SINs I'd be right there with you Mike. In fact if news comes out that he was trying to, I'd happily hold the cross while you nail him to it.

Is intent important in law? Well, there is a reason why we have first/second degree murder & manslaughter. All are about the same thing but they all deal with different kinds of intent.

Nitra
join:2011-09-15
Montreal

Nitra to Davesnothere

Member

to Davesnothere
said by Davesnothere:

Nahhh.

Error in judgement is all.

That can be groomed.

He has the smarts.

Sorry... No, he ran script against a server.
There's nothing smart about that at all. In fact, he ran it from his home IP (really stupid), and he didn't think that the CRA would be able to replay his attack (double stupid).
I'm sorry, the kid is a complete idiot/fucktard.

Davesnothere
Change is NOT Necessarily Progress
Premium Member
join:2009-06-15
Canada

Davesnothere to ruddypict

Premium Member

to ruddypict
said by ruddypict:

If what has been published this far is true, I wouldn't consider this a case of a malicious hacker. I'd consider this more of a case of a dumbass kid trying something out....

 
In this case, I agree that intent matters.

Nitra
join:2011-09-15
Montreal

Nitra

Member

said by Davesnothere:

In this case, I agree that intent matters.

In this case, no it doesn't.
If they don't throw the book at him, every idiot out there will think it's OK to probe servers at will, regardless of the intent.

This isn't an honest mistake, he targeted the CRA, he targeted something that was of high value, regardless of what his intentions were to do with the content.

Davesnothere
Change is NOT Necessarily Progress
Premium Member
join:2009-06-15
Canada

Davesnothere to Nitra

Premium Member

to Nitra
said by Nitra:

Sorry... No, he ran script against a server.
There's nothing smart about that at all. In fact, he ran it from his home IP (really stupid), and he didn't think that the CRA would be able to replay his attack (double stupid).
I'm sorry, the kid is a complete idiot/fucktard.

 
I see it as akin to stepping in a dog turd.

The embarrassment of being told you stink, and the trouble getting it off your shoe is prob'ly enough consequence.

Once again, intent.

They can throw the book, but the charge will and should be bargained downward.

Nitra
join:2011-09-15
Montreal

Nitra

Member

The kid will get federal time for it.
BrianON
join:2011-09-30
Ottawa, ON

BrianON to graniterock

Member

to graniterock
He could not have picked a worse bug to exploit, time, government agency, website and type of data to collect. Guaranteed a high profile public response, law enforcement involvement and major interest by news agencies.

A few years ago security breeches of private data might have been hidden but now must be disclosed. Even delaying disclosure over the weekend at the request of the RCMP for investigative purposes has been questioned.

Davesnothere
Change is NOT Necessarily Progress
Premium Member
join:2009-06-15
Canada

Davesnothere

Premium Member

 
Even those asking questions are being questioned.

ruddypict
join:2010-03-24

ruddypict to Nitra

Member

to Nitra
said by Nitra:

said by Davesnothere:

In this case, I agree that intent matters.

In this case, no it doesn't.
If they don't throw the book at him, every idiot out there will think it's OK to probe servers at will, regardless of the intent.

This isn't an honest mistake, he targeted the CRA, he targeted something that was of high value, regardless of what his intentions were to do with the content.

That doesn't make a whole lot of sense. Perhaps you've never heard of Mens Rea in the context of Canadian law?

sbrook
Mod
join:2001-12-14
Ottawa

sbrook

Mod

It's like someone going into a jewelry store and taking a necklace out without paying and saying "I did it to see if I could, and anyway, I was going to put it back". He will be charged with theft. The reasoning is that he did not have permission from the owner to remove it.

In the case of the theft of the SINs, even though he COULD take them, he didn't have the permission to do so. He didn't have the permission to access the CRA computers.

His intent is irrelevent in this case, because the initial action of breaking into the CRA site IS the intention. This is the opposite of killing someone when your shotgun accidentally fired. Intention matters.

ruddypict
join:2010-03-24

ruddypict

Member

said by sbrook:

It's like someone going into a jewelry store and taking a necklace out without paying and saying "I did it to see if I could, and anyway, I was going to put it back". He will be charged with theft. The reasoning is that he did not have permission from the owner to remove it.

In the case of the theft of the SINs, even though he COULD take them, he didn't have the permission to do so. He didn't have the permission to access the CRA computers.

His intent is irrelevent in this case, because the initial action of breaking into the CRA site IS the intention. This is the opposite of killing someone when your shotgun accidentally fired. Intention matters.

Actually thanks for bringing up theft as an example. Theft is a crime where you would need to establish Mens Rea. So yes, intent in this case is very important.

Here is a great primer on Mens Rea

»www.youtube.com/watch?v= ··· YkwGvVZs

Davesnothere
Change is NOT Necessarily Progress
Premium Member
join:2009-06-15
Canada

Davesnothere

Premium Member

 
I had not heard of the term 'Mens Rea', but I was just commenting, using what I figure to be common sense about the situation.

Still, killing someone is more serious than theft.

You can put the necklace back, but....

ruddypict
join:2010-03-24

ruddypict

Member

said by Davesnothere:

 
I had not heard of the term 'Mens Rea', but I was just commenting, using what I figure to be common sense about the situation.

Still, killing someone is more serious than theft.

You can put the necklace back, but....

In almost every Canadian criminal case, you have to establish Actus Reus and Mens Rea. I found the video explained it really well.

sbrook
Mod
join:2001-12-14
Ottawa

sbrook

Mod

Actus reus = "Was a crime committed" (which is why for example, in a murder case, having a body is SO important in Canada)

mens rea = "did he intend to commit the crime"

So, our guy here was charged with unauthorized use and mischief (which sounds very non-serious, but in the legal world can indeed be a very serious crime)

Unauthorized use ... actus reus ... dead easy just look at connectivity logs; mens rea ... unauthorized use is not something you'd do by accident.

Mischief ... actus reus ... similarly dead easy a database of SINs was accessed by logs; mens rea ... the fact that he looked at SINs said he knew he was doing it since they are the key.

There are probably many other crimes that he could be charged with, but for those, proving actus reus and mens rea gets much harder.
Rastan
join:2007-04-25
Canada

Rastan to graniterock

Member

to graniterock
Let's be sensible about this. If it's proven that he did not intend to sell the SIN numbers and was not part of an organized group that was planning on profiting from this, then there's no real crime.

Why would anyone advocate throwing the book at him? Let's go after the real criminals. The ones who inflict harm on others, not some kid who might have only been experimenting to see if he can exploit the bug out of curiosity.