Teen Arrested For Using Heartbleed To Get Canadian Taxpayer Info; Did Nothing To Hide Himself

from the that-didn't-take-long dept

One of the most high-profile victims of the Heartbleed vulnerability was the Canadian tax service, the Canada Revenue Agency, which shut down its online tax filing offering. A few days later, the agency admitted that about 900 Canadians had information copied from the site by someone exploiting the vulnerability before the site was shut down. And, from there, it was just a day or so until it was reported that a teenager, Stephen Arthuro Solis-Reyes, had been arrested for the hack.

Given the speed of the arrest, it would not appear that Solis-Reyes did very much to cover his tracks. In fact, reports say he did nothing to hide his IP address. He's a computer science student -- and his father is a CS professor, with a specialty in data mining. It seems at least reasonably likely that the "hack" was more of a "test" to see what could be done with Heartbleed and (perhaps) an attempt to show off how risky the bug could be, rather than anything malicious. It will be interesting to see how he is treated by Canadian officials, compared to, say, the arrests of Aaron Swartz and weev.

Filed Under: canada, canadian revenue agency, cra, hacking, heartbleed, stephen arthuro solis-reyes

Reader Comments


  1. ericH, 18 Apr 2014 @ 8:08am

    Love all the comments trying to rationalize in favour of someone who has *allegedly* broken a Canadian law. First, it is only alleged, we have no facts accepted by the court other than the Information laid to accuse him.

    While I do support arguments suggesting the CRA is to a degree liable, we are to believe they shut down their servers "as soon as the risk was known," greatly mitigating their culpability.

    As for the young man, what if we discovered a flaw in trousers which allowed wallets to fall from their back pockets with minimal effort from a passerby? There are then several options, including:
    A) Walk past a potential victim, doing nothing.
    B) Trigger the wallet drop but do nothing.
    C) Trigger the wallet drop, advise the victim their wallet just dropped.
    D) Trigger the wallet drop, keep the wallet, do nothing.
    E) Trigger the wallet drop, use the wallet contents.

    I'm thinking we're looking at "D", which suggests an intentional act to trigger the event, followed by one of questionable ethics - why keep the wallet? Why keep 900 wallets? Even with the intention of returning them, it would be grossly inappropriate (bordering on plainly stupid) to collect 900 wallets THEN say, "oh, don't worry, I was planning to return them all."

    While stupidity isn't illegal ("You can't fix Stupid,") it can surely put you in the hot seat, and so it should, to hopefully curb future stupid acts by an accused or anyone watching.

    My 2c.
