Teen Arrested For Using Heartbleed To Get Canadian Taxpayer Info; Did Nothing To Hide Himself

from the that-didn't-take-long dept

One of the most high profile victims of the Heartbleed vulnerability was the Canadian tax service, Canada Revenue Agency, which shut down its online tax filing offering. A few days later, the agency admitted that about 900 Canadians had information copied from the site via someone exploiting the vulnerability, prior to the site being shut down. And, from there, it was just a day or so until it was reported that a teenager, Stephen Arthuro Solis-Reyes, had been arrested for the hack.

Given the speed of the arrest, it would not appear that Solis-Reyes did very much to cover his tracks. In fact, reports say he did nothing to hide his IP address. He’s a computer science student — and his father is a CS professor, with a specialty in data mining. It seems at least reasonably likely that the “hack” was more of a “test” to see what could be done with Heartbleed and (perhaps) an attempt to show off how risky the bug could be, rather than anything malicious. It will be interesting to see how he is treated by Canadian officials, compared to say, the arrests of Aaron Swartz and weev.

Filed Under: , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Teen Arrested For Using Heartbleed To Get Canadian Taxpayer Info; Did Nothing To Hide Himself”

Subscribe: RSS Leave a comment
Anonymous Coward says:

“It seems at least reasonably likely that the “hack” was more of a “test” to see what could be done with Heartbleed and (perhaps) an attempt to show off how risky the bug could be, rather than anything malicious.”

That’s a big assumption to make, and it misses the point.

The act of exploiting the tax service to get sensitive information is malicious in and of itself.

There are test servers that people have put up for people to test out the heartbeat bug. The kid should’ve used those servers instead.

Anonymous Coward says:

Re: Re:

“exploiting the tax service” or used a publicly available feature?

Go up to a man who works for the Tax service.

You say:


The man says:

[private info , private info]

Stap exploiting the tax service ?
Saying “Hi” is illegal ?

Did they arrest the tax service for giving out the info?

PaulT (profile) says:

Re: Re: Re:

This is one of those situations where any analogy to the physical world is at best misleading. In the physical scenario, the person on the tax service would be at least aware of the information he was giving away, if not outright in collusion with the requester. There’s no situation where a human being would unknowingly start giving you private information about someone else. Here, a bug was responsibly for inadvertently giving away information.

Whichever way you excuse it, the kid was exploiting a known vulnerability to get confidential private information. If he wanted to run a test, he should have done it on a test server or a server he owned. By accessing confidential private information without permission, he broke the law. Since the vulnerability was already public, he doesn’t even have the moral high ground of white hat hacking to hide behind.

Anonymous Coward says:

Re: Re: Re: Re:

“There’s no situation where a human being would unknowingly start giving you private information about someone else. “


“accessing confidential private information without permission, he broke the law.”

A) He was given it. (information stored in ram)
B) There could have been anything in that ram.
C) The people who gave him it are relevant.

“Inadvertently” …. you said it yourself. “a bug was responsibly for inadvertently giving away information”.
Leads to the question. Who had the bug?

Look, I agree that the morality is questionable. The information was sensitive. It was an unwanted feature/bug. However, to ignore the glaring “who dun it” because of that is plain ignorant to the facts. The tax office gave out information. THEY DUN IT.

Heaven forbid we hold the tax office accountable for not donating to openssl and dictating/securing the wanted features in it.

To blame some kid for using it is an applauding “pass the buck” scenario.
They had a feature, someone used it. It’s their fault. It’s that simple.

FFS, You had WHAT feature ?

You better remove that feature you asshole.

meh… don’t say it. Direct your anger at some kid stupid enough to use the feature. Like he is the worst type of person that could have used THEIR feature.

PaulT (profile) says:

Re: Re: Re:2 Re:

I’m often sympathetic in these cases, but the facts here seem clear. The bug was not of their making, and not their error. The kid accessed data he knew he had no right to access. He did so deliberately.

Sorry, but there’s no excuse here, any more than there would be an excuse for you using a password someone accidentally emailed you. The security error does not excuse its deliberate exploit, unless doing so is a proof of concept to notify those affected. The affected were already informed, so no go.

Anonymous Coward says:

Re: Re: Re:3 Re:

Even if used as a proof of concept, attacking or subverting security systems without prior authorization is unethical and in many cases illegal. Penetration testers, the aforementioned white hats, and others in the security community who have concern for acting ethically know better.

One may not access a system without authorization and walk away without “doing something wrong.” Sometimes authorization is implicit, sometimes explicit, but it either exists or does not exist and may be dependent upon certain system objects. As an example, I’m authorized to access Techdirt’s articles and comment sections, but attacking the backend or using the administration console would be unauthorized. I doubt the subject was authorized to use the system in the way he did. He certainly wasn’t intended to do so by the system architects or administrators.

To go back to a prior example, weev, the authorization to access the data was assumed by others to have existed in an implicit fashion due to the semi-public nature of the web, however I believe that assumption is flawed. Regardless of how poorly secured a system may be, or how simple the exploitation is, accessing parts of a system (including data stored therein) not meant to be accessed by a given user is intrusion. weev may have been let off after some (well deserved, even if only for other reasons) time served, but I don’t believe he should have been.

Anonymous Coward says:

Re: Re: Re:4 Re:

You are “authorized” to access the keepalive function that is heartbeat. It’s part of everyday connections.

The “bug” is that when you send a packet, it sends a same sized packet back…Without it authenticating things.

This scenario is possible. (part of the keep alive process)

send a packet
>>>>>>>>> packet is lost due to bad internet connection (it happens)
You tell the server the packet was 64k
>>>>>>>>> server sends back 64k from ram

Accidental heartbleed “exploit”, via proper and “authorized” usage.

Anonymous Coward says:

Re: Re: Re:3 Re:

Loaded term. [ exploit = use ]

I’m also not trying to make excuses. Blaming this kid is making excuses for the ones who had the feature that could be triggered inadvertently via normal use and a mildly temperamental internet connection.

The kid shouldn’t have done it. I was clear on that.
He isn’t the problem here. The retards who had that feature are. They should have been supporting openssl etc…

Misdirected anger ?
They will try to make an example of him while the retards will get all the sympathy because they accidentally gave him stuff. Ignore that they were the ones who gave it out. Hang the fucking kid?

I disagree based on what I see as the ignorance of who the real culprits are. Yeah, the kid should probably get some light punishment. The tax office should get the same and be forced to donate to all the open source code projects that it uses.

PRMan (profile) says:

Re: Re: Re:3 Re:

The door was definitely locked.

This is like when they found those expensive locks used by the government had a flaw where they could be shorted out with a paper clip.

It’s as if he went to a government installation and used the paperclip trick to break into the tax records office. He saw some files sitting on the desk so he just took those, having no idea of what he just took.

Nobody would look at that in the real world as innocent.

Anonymous Coward says:

Re: Re: Re:3 Re:


It’s like walking up to a locked door. Ringing the doorbell and then more stuff or different stuff is given to you by the owner, than should be given.

They give you the wrong stuff.

Just because someone doesn’t want that to happen when you ring a doorbell doesn’t mean that ringing the doorbell is illegal.

If anything, it’s more like fraud via deception. Definitely not stealing.

Heartbeat is a Keepalive function.
If your connection drops part of a packet during the keepalive process you too could be “exploiting heartbleed”.

Anonymous Coward says:

Re: Re: Re:4 Re:

If your connection drops part of a packet during the keepalive process you too could be “exploiting heartbleed”.

Actually you cannot, while UDP does no error correcting, it does do error detecting, length and checksum validation, and silently drops any packets that fail the checks. Therefore if the packet is truncated by the network you do not receive a response. Its exploitation requires deliberate generation of a packet that tells lies about the length of the string within the shorter, but accurately given, packet length, along with a checksum for the packet. This is extremely unlikly to occur by accident.

Anonymous Coward says:

Re: Re: Re:5 Re:

Corrupted packets happen.

Of course I over simplified the explanation. I think that half a sentence of explanation should have made that obvious.

“Extremely unlikly to occur by accident” is still possible and considering the probable trillions+ of times per day that the “function” is used. Even if it happened once per billion, with those figures it would exploited 1000 times per day.

UDP keepalives are set at 30 second intervals or so.
eg of scale: 5,922,000,000 google searches per day in 2013.
A trillion keepalives a day is probably a gross underestimation.

aldestrawk says:

Re: Re:

“That’s a big assumption to make, and it misses the point.”

Assuming Solis-Reyes did not have nefarious intentions is not such a big assumption when one takes his history into account.

From: http://www.washingtonpost.com/news/morning-mix/wp/2014/04/17/the-first-suspected-heartbleed-hacker-has-long-history-of-hacking/?tid=hp_mm

?This kid, when he was in high school was in the top of his class. He was extremely gifted. So he sent a letter to the [London District Catholic School Board in Ontario] indicating that their school system was susceptible to hacking.? The attorney said the school officials were nonplussed. ?They said they?d like to test it themselves. He was a quote computer nerd unquote and they didn?t take him seriously.? So the 14-year-old, Joseph claims, went into the computer system and found ?all the confidential information.? But then, right when things could have turned criminal, Joseph said his client stopped. ?He could have changed everything, and changed nothing,? Joseph said.

This article doesn’t expound the problems with laws concerning unauthorized computer access but it is not missing the point either. I don’t know what the penalties are in Canada for unauthorized use of a computer but in the U.S. the CFAA is a one-size-fits-all law where any unauthorized access has a maximum penalty of five years in prison. There is a wide range of criminality lumped together as violations of this law and it includes white, or gray, hat hackers who exercise an exploit simply to prove it was possible. Even with the best intentions, if such a hacker accesses a computer they don’t have permission to access, the penalty is 5 years in prison. The law against unauthorized access should not have such a draconian penalty. The heavy penalties should apply to those who exhibit more nefarious intentions by also committing fraud or theft based on the information they illicitly acquired.

Anonymous Coward says:

Don’t see how the Canadian Government can do anything about this. The information is “publicly available”. No security breach, breaking stuff, unauthorized access or hacking required.

Ask server.
Server sends you information.

It’s a bug or in other words a “publicly available feature”, not a hack or an exploit.

“exploiting a bug” is a really loaded statement.

“Using a feature” or “exploiting a bug” are synonymous in this case.

ericH says:

Love all the comments trying to rationalize in favour of someone who has *allegedly* broken a Canadian law. First, it is only alleged, we have no facts accepted by the court other than the Information laid to accuse him.

While I do support arguments suggesting the CRA is to a degree liable, we are to believe they shut down their servers “as soon as the risk was known,” greatly mitigating their culpability.

As for the young man, what if we discovered a flaw in trousers which allowed wallets to fall from their back pockets with minimal effort from a passerby? There are then several options, including:
A) Walk past a potential victim, doing nothing.
B) Trigger the wallet drop but do nothing.
C) Trigger the wallet drop, advise the victim their wallet just dropped.
D) Trigger the wallet drop, keep the wallet, do nothing.
E) Trigger the wallet drop, use the wallet contents.

I’m thinking we’re looking at “D”, which suggests an intentional act to trigger the event, followed by one of questionable ethics – why keep the wallet? Why keep 900 wallets? Even with the intention of returning them, it would be grossly inappropriate (bordering on plainly stupid) to collect 900 wallets THEN say, “oh, don’t worry, I was planning to return them all.”

While stupidity isn’t illegal (“You can’t fix Stupid,”) it can surely put you in the hot seat, and so it should, to hopefully curb future stupid acts by an accused or anyone watching.

My 2c.

Anonymous Coward says:


I suspect a factor in this kid’s story is that a lot of the initial media on Heartbleed called the exploit “undetectable”. This was actually shorthand for “undetectable from standard web server logs”, isn’t exactly true either, and ignores the fact that the attack is trivially detectable if the victim is logging IP traffic (which they can do with a sniffer or at the firewall) and has the software that will decrypt the traffic with the web server’s certificate.

In fact, someone connecting to a web site with a weird access pattern, like hitting the home page 10,000 times but never going to a sub-page, is going to throw a giant red flag on a financial site.

Silent Bob says:

Son of a Computer Scientist

I think he was just screwing around to see how things work. An apt comparison would be to another CS student, Robert Morris, who also had a distinguished CS researcher for a father (Bell Labs and later the NSA (oh noes)), who while screwing around exploring various vulnerabilities accidentally released the first large-scale disruptive internet worm. This was back in the 80’s. As I recall, all he got was a slap on the wrist, and later went on to become a tenured CS professor at MIT.

Chris-Mouse (profile) says:

Here’s a couple of other bits of information on this story.
– The police raided his home, and seized computer equipment, but apparently did not arrest him at that time.
– He was told to ‘voluntarily’ show up at the police station or else the police would very publicly humiliate him by arresting him in the middle of his exams.
– When he did show up at the police station, his lawyer was not permitted to see his client for six hours.


This case has enough irregularities that I would not trust anything the police say unless there is some supporting evidence. It sure looks to me like the authorities are getting desperate to convict a ‘dangerous hacker’ to distract attention from the fact that there was a major security flaw in the government’s computer systems.

Anonymous Coward says:

The teen was just following in his father’s footsteps, by data mining Social Insurance Numbers. I believe it’s a stretch to give his intentions the benefit of the doubt.

For one, how could a computer science student be so foolish as to pick a government tax return website to carry out his ‘tests’. It’s amazing he was foolish enough lead the Canadian Mounties, right to his doorstep.

I guess just because you’re a data mining Zuckerberg, with a degree in Computer Science, doesn’t make you a network protocols expert.

Ashley says:

I am one who was affected by this little s***, and his heartbleed hack with CRA, because of him I did not receive my child tax benefit. I do not make much and my CTB was to help with giving my child an Easter, but due to this the Easter bunny will not be coming to our house this year. I would like to know how to fix this before the Easter bunny needs to travel… Any help would be greatly appreciated…

Crazy Canuck says:

Re: Re: Re:

I’m assuming they mean that since the CRA stopped allowing online filing for a short period, that they were unable to file their taxes electronically or at least had to wait a week. That caused their tax return to be delayed.

So they will still get their tax credits, but not in time for Easter.

Leave a Reply to Ashley Cancel reply

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...