Curiosity killed the cat, goes an old saying. A Western University student whose curiosity led him to break into the Canada Revenue Agency’s servers two years ago to see if they were vulnerable to the Heartbleed bug earned an 18-month conditional sentence, according to the National Post.
Stephen Solis-Reyes, currently a fourth-year computer science student and son of the graduate chairman of Western’s computer science department, received that sentence Friday in an Ottawa court after pleading guilty to two charges of mischief (one for the Canada Revenue breach, the other for exposing security breaches at the former online arm of Jersey Island’s postal service), one charge of unauthorized use of a computer and another of obstructing a police officer by swiping information off a computer at his arrest. In exchange, the prosecution dropped 13 other charges.
Under the conditional sentence, he’ll serve the first four months under house arrest, and the rest under supervision. He also must serve two years of probation, with 200 hours of community service ordered. If he breaks the conditions, he could serve time in jail.
The publication quotes the student’s lawyer telling the court that Solis-Reyes was able to get into the CRA systems in “six seconds.”
The Heartbleed vulnerability stems from a coding error in the open source OpenSSL library, which many systems use for encryption protection, and leaves a portion of the data in a system’s memory open to being read.
Canada Revenue had to temporarily shut its systems after discovering that during a six-hour period between April 7, 2014 — when word about the vulnerability first surfaced — and April 8 — when Canada Revenue shut its tax filing site — social insurance numbers of 900 taxpayers were “removed” from its systems by exploiting Heartbleed. The shutdown came just as millions of Canadians were filing their income tax returns, forcing the government to extend the filing deadline. It took a few days for the government to scour its systems to ensure they were protected before bringing them back online.
A few days later, Solis-Reyes was arrested. At the time, the RCMP said it treated the breach as a high-priority case.
According to the news report, one reason why Solis-Reyes received only a conditional sentence is that he didn’t try to sell any of the information he got his hands on.