
Heartbleed hack case sees first arrest in Canada - stehat
http://www.bbc.co.uk/news/technology-27058143
======
smtddr
_> >"I hope the actions of hijacking Justine's account help draw attention to
how big a deal this is," the hacker wrote on the social network. "I suspect a
lot of people would not have taken it seriously otherwise. Be thankful that
the person who got access to the server information was kind enough to let you
all know (and at least try and be funny with it) instead of simply sitting on
the information."_

It's not clear to me that the hacker was malicious.

That said, governments are __not__ hacker-friendly like Google, Facebook,
Twitter, etc. Never hack the government thinking you're doing them a favor,
they will never see it that way. You will be arrested.

------
anaphor
Direct link to the CRA response [http://www.cra-
arc.gc.ca/gncy/sttmnt2-eng.html](http://www.cra-
arc.gc.ca/gncy/sttmnt2-eng.html)

"Regrettably, the CRA has been notified by the Government of Canada's lead
security agencies of a malicious breach of taxpayer data that occurred over a
six-hour period."

That seems to be implying that another government agency (RCMP? CSEC?)
monitors at least the CRA network and does some kind of deep packet inspection
and/or packet logging. So are they logging every packet that gets sent to the
CRA network? Or did they know about it beforehand and could detect it in real
time with an IDS?

~~~
CanSpice
Also mentioned in that link is Shared Services Canada, which appears to be a
division that's tasked with bringing the various departments' IT
infrastructures under a single umbrella. From their website ([http://www.ssc-
spc.gc.ca/index-eng.html](http://www.ssc-spc.gc.ca/index-eng.html)):

"Shared Services Canada was created on August 4, 2011 to fundamentally
transform how the Government manages its information technology (IT)
infrastructure. Its mandate for the provision of enterprise-wide IT-
infrastructure services represents better value for money and a more reliable
IT infrastructure to support modern government operations."

------
SilasX
"Hey, I didn't know it was a crime to miscount the length of a string [by
several thousands]." -> Not recommended as legal defense

------
at-fates-hands
Interesting the difference between this article and other articles reporting
on more recent hacks. Those articles always point out how much jail time the
hacker is facing.

I suspect the Canadian authorities aren't as ruthless with their computer
crime laws as the prosecutors are here, but you never know. Any idea what the
kid is facing in terms of punishment??

~~~
dmix
“Unauthorized Use of Computer” is maximum 10 years in prison in Canada, which
is pretty much equivalent to American law. The additional mischief charge will
probably get dropped.

[https://en.wikibooks.org/wiki/Canadian_Criminal_Law/Offences...](https://en.wikibooks.org/wiki/Canadian_Criminal_Law/Offences/Unauthorized_Use_of_Computer)

> is guilty of an indictable offence and liable to imprisonment for a term not
> exceeding ten years, or is guilty of an offence punishable on summary
> conviction.

------
dmix
Googled his name and found his Github profile:

[https://github.com/Stephsolis](https://github.com/Stephsolis)

He mentions a school assignment for "CS2212" which means he is likely a CS
student at Western University in Canada.

~~~
maxerickson
Why not let him choose to publicize his defense or have a trial first?

Edit: parent comment was edited after I posted this.

~~~
dmix
No part of my comment accused him of being guilty. His name is on every news
site around the world.

I found the fact he is a CS student relevant to the news article. As is the
fact he has a git repo where he coded a Java crypto library, when he's being
accused of exploiting a crypto library.

~~~
maxerickson
I didn't accuse you of accusing him of being guilty.

There will be plenty of time to rummage through his life, internet and not, no
need to rush into it.

"Person accused of hacking good with computers, uses them" isn't exactly a
revelation.

~~~
ArcticCelt
>Their will be plenty of time to rummage through his life, internet and not,
no need to rush into it.

If find that those type of comments, event if well intended, in the end they
are not helpful. First because dmix wasn't "rummaging through his life" but
pointing out public facts related to his abilities has a coder.

Second because I wonder when will be the time to discuss this? Once nobody
talk about it anymore and it becomes completely irrelevant and forgotten? Now
is the exact time to discuss this.

~~~
maxerickson
There is little need for the internet at large to discuss anything about this
teenager.

------
JimmaDaRustla
A lawyer I consulted with is defending him, making him out to be the victim by
the RCMP. Seems like a tactic to distract people from what he actually did.
[http://www.lfpress.com/2014/04/16/london-teen-charged-in-
hea...](http://www.lfpress.com/2014/04/16/london-teen-charged-in-heartbleed-
breach-of-taxpayer-data)

Of course he's from my town, and of course he's taking computer science. This
was my first instinct when I heard of the case, that it was some kid thinking
he was safe behind his computer screen. I only say this because I seen it A
LOT in this town while going to school.

------
amits89
Google is one of the company which is affected very badly by HeartBleed bug,
Almost all the services like YouTube, Gmail by Google are affected. Amazon,
Yahoo! are also in the same list. We just need give attention to Apple &
Microsoft who are not affected by Heartbleed. Check out detail list which
shows list of company who are affected or not by this issue.
[http://www.dazeinfo.com/2014/04/17/google-inc-goog-worst-
aff...](http://www.dazeinfo.com/2014/04/17/google-inc-goog-worst-affected-
heartbleed-bug-change-passwords-prevent-data-theft/)

------
whitehat2k9
Sounds like someone forgot to use Tor.

~~~
samuelkadolph
Probably relying on the claim by some that it was completely undetectable
unless you have full packet capture which for the CRA is pretty much a
guarantee.

~~~
throwwit
...or that sysadmins are used to script kids the day a glitch comes out.
(Hopefully)

