Gibson Index

2014-04-16: RCMP arrest 19 year old university student in alleged Heartbleed hacking incident

In what's become an all-too-familiar story, a law enforcement agency has arrested a young man on allegations of hacking and data theft. In this case, the RCMP have arrested a 19-year-old university student after the Canada Revenue Agency alleged that 900 Social Insurance Numbers were stolen from its online tax filing system in a Heartbleed-related attack.

CRA made the allegation days after shutting down access to their systems on April 8th due to the Heartbleed vulnerability.

To recap, Heartbleed is a bug in the OpenSSL library that can allow incoming connections to peek into the memory of the server process running the vulnerable library version. The memory is leaked in chunks, up to 64KB per "heartbeat", and the leaked memory comes from the pool of freed memory on the process's heap. This can include login names, passwords, raw data, and private encryption keys. XKCD has a more illustrative explanation.
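The missing bounds check behind the leak described above, shown as an added C model written for this post (not OpenSSL's own code): a heartbeat handler that trusts the claimed payload length sits beside one that applies the length check the fix introduced, and both run against a constructed record with sample data placed right after it in a fake heap. The record layout, the 16-byte padding constant, `demo()` and the `LEFTOVER` string are all constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed heartbeat record: type(1) | length(2, big-endian) | payload | padding(>=16) */
#define HB_PADDING 16

/* Pre-fix behaviour: the claimed length is trusted, so the copy runs past
 * the end of the record into whatever happens to follow it in memory. */
static size_t heartbeat_unchecked(const uint8_t *rec, size_t rec_len,
                                  uint8_t *out, size_t out_cap) {
    (void)rec_len;                            /* never consulted: the bug */
    size_t payload = (size_t)((rec[1] << 8) | rec[2]);
    if (payload > out_cap) payload = out_cap; /* keeps this demo itself in-bounds */
    memcpy(out, rec + 3, payload);
    return payload;
}

/* Post-fix behaviour (the bounds check OpenSSL 1.0.1g added): a request
 * whose claimed length does not fit in the received record is dropped. */
static size_t heartbeat_checked(const uint8_t *rec, size_t rec_len,
                                uint8_t *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    size_t payload = (size_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + payload + HB_PADDING > rec_len) return 0;
    if (payload > out_cap) return 0;
    memcpy(out, rec + 3, payload);
    return payload;
}

/* Constructed "freed" data that sits right after the record in a fake heap. */
static const char LEFTOVER[] = "SECRET(constructed sample)";

/* Record claims 40 payload bytes but carries 4; returns bytes echoed back. */
size_t demo(int checked, uint8_t *out, size_t out_cap) {
    uint8_t heap[64] = {0};
    const uint8_t rec[] = {1 /* request */, 0x00, 40, 'p', 'i', 'n', 'g'};
    size_t rec_len = sizeof rec + HB_PADDING;  /* what was actually received */
    memcpy(heap, rec, sizeof rec);
    memcpy(heap + rec_len, LEFTOVER, sizeof LEFTOVER);
    return checked ? heartbeat_checked(heap, rec_len, out, out_cap)
                   : heartbeat_unchecked(heap, rec_len, out, out_cap);
}

int main(void) {
    uint8_t out[64] = {0};
    printf("unchecked: %zu bytes echoed\n", demo(0, out, sizeof out));
    printf("checked:   %zu bytes echoed\n", demo(1, out, sizeof out));
    return 0;
}
```

The unchecked handler echoes 40 bytes, of which the last 20 are the sample data that was never part of the request; the checked handler returns nothing, which is exactly what the one-line fix changed.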

From the moment the vulnerability was revealed, thousands of professional and recreational computer scientists and security researchers got to work trying to ascertain how widespread the fallout would be.

This process involved establishing exactly how to check for vulnerable servers. It also involved exploring the memory of potentially vulnerable servers to see what was exposed and vulnerable. And all of this was done with somewhat open communication about how to work with the vulnerability.

In other words, they attacked. In some cases they had permission, in many cases they did not. The sheer ease of the attack may have clouded some people's judgement about how their "contribution" might be interpreted. Regardless, it was quickly determined that providers such as Yahoo! had major, critical issues that exposed credentials to anyone who knew the right way to ask for them. The effort also determined that GMail and many other providers were not vulnerable.

Early results of this effort indicated that as many as a third of the SSL servers on the planet could have been vulnerable to this attack - many of which likely still are.

CloudFlare, one of the Internet's most experienced firms when it comes to combating large-scale Denial of Service attacks, even set up a server specifically for researchers to prove a core hypothesis of the Heartbleed vulnerability - were private encryption keys vulnerable or not? After a mere few hours, and thousands of attacks, it was proven that yes, the keys were vulnerable.

Not everyone involved in this effort was a noble hero of strong ethics. As with any vulnerability of this magnitude, profit seekers and vandals lined up to take pot shots at the targets they deemed juiciest.

One thing to keep in mind, though, is that this vulnerability was hiding in the wild for two years. During that time, anyone who discovered it and chose to keep it a secret would have had full run of any vulnerable server. Any service that says they have "evidence that no data was leaked" could be downright wrong, as could any service that claims only specific data was leaked. A major characteristic of this attack is that there are very few ways to detect it. It's not recorded in the system logs - it happens in an early stage of SSL communication, even before key verification is performed.

This brings us to the Canada Revenue Agency.

They allege that 900 social insurance numbers were stolen. They haven't said how they arrived at that number. One report said it was during "an attack which lasted six hours", but the nature of the Heartbleed vulnerability is such that it can be difficult to detect and monitor with that level of insight. To be fair to the CRA and RCMP, they probably need to keep some of their information to themselves in preparation for the prosecution phase of the investigation - but what they've said publicly does not yet add up.

One software engineer was quoted by the CBC as suggesting that "the 900 affected people may just be those with the bad luck to have logged on before the website was shut down" - but as outlined above, there's an entire two-year window during which this bug could have been exploited. It would be foolhardy to use this metric as a gauge of exposure, and the software engineer himself pointed out that there might be other clues CRA is using to establish their claim.

Nonetheless, the RCMP has taken action, perhaps acting on evidence that is more substantial than supposed in that CBC quote. They served a search warrant on university student Stephen Arthuro Solis-Reyes, 19, at 1 a.m. a few days before his arrest. They seized equipment from his home and left without charging him. Later that week, on April 15th (Tuesday), officers threatened to arrest him in the middle of one of his classes. He turned himself in voluntarily, and his lawyer alleges that the RCMP kept the student in custody without access to his lawyer for almost six hours while he was questioned, despite his lawyer's repeated requests to be granted access.

It's obvious that the tax system is serious business. Suffering from a vulnerability like this undermines the trust in the software running it. I don't know what evidence the RCMP and CRA have against this kid, but I hope they have some major insight into his intent - if he was planning to sell the SINs, that would be a pretty cut-and-dried case of computer crime, possibly rating a Gibson Level Three attack (a cyberheist).

But if it turns out that he was merely one of those thousands of computer scientists and security researchers, operating in something at least resembling an ethical manner (e.g., not making arrangements to use or sell the data for personal profit), it would be closer to a Gibson Level One event (vulnerability probing, an everyday fact of life for every server on the Internet).

Either way, the CRA should not attempt to use him as a fall guy for the whole Heartbleed problem and related costs, which were clearly outside the control of the CRA and looming for two years before this incident. Doing so will reek of political scapegoating.

I hope that the Canadian justice system will take care not to repeat the egregious and overzealous persecutions perpetrated by the US legal system.
