Teen Arrested For Using Heartbleed To Get Canadian Taxpayer Info; Did Nothing To Hide Himself

from the that-didn't-take-long dept

One of the most high-profile victims of the Heartbleed vulnerability was the Canadian tax service, Canada Revenue Agency, which shut down its online tax filing offering. A few days later, the agency admitted that about 900 Canadians had information copied from the site by someone exploiting the vulnerability before the site was shut down. And, from there, it was just a day or so until it was reported that a teenager, Stephen Arthuro Solis-Reyes, had been arrested for the hack.

Given the speed of the arrest, it would not appear that Solis-Reyes did very much to cover his tracks. In fact, reports say he did nothing to hide his IP address. He's a computer science student -- and his father is a CS professor, with a specialty in data mining. It seems at least reasonably likely that the "hack" was more of a "test" to see what could be done with Heartbleed and (perhaps) an attempt to show off how risky the bug could be, rather than anything malicious. It will be interesting to see how he is treated by Canadian officials, compared to, say, the arrests of Aaron Swartz and weev.

Filed Under: canada, canadian revenue agency, cra, hacking, heartbleed, stephen arthuro solis-reyes

Reader Comments


  1. Anonymous Coward, 18 Apr 2014 @ 8:17am

    Re: Re: Re: Re: Re:

    Even if used as a proof of concept, attacking or subverting security systems without prior authorization is unethical and in many cases illegal. Penetration testers, the aforementioned white hats, and others in the security community who have concern for acting ethically know better.

    One may not access a system without authorization and walk away without "doing something wrong." Sometimes authorization is implicit, sometimes explicit, but it either exists or does not exist and may be dependent upon certain system objects. As an example, I'm authorized to access Techdirt's articles and comment sections, but attacking the backend or using the administration console would be unauthorized. I doubt the subject was authorized to use the system in the way he did. He certainly wasn't intended to do so by the system architects or administrators.

    To go back to a prior example, weev, the authorization to access the data was assumed by others to have existed in an implicit fashion due to the semi-public nature of the web; however, I believe that assumption is flawed. Regardless of how poorly secured a system may be, or how simple the exploitation is, accessing parts of a system (including data stored therein) not meant to be accessed by a given user is intrusion. weev may have been let off after some (well deserved, even if only for other reasons) time served, but I don't believe he should have been.
