Probably relying on the claim by some that it was completely undetectable unless you have full packet capture, which for the CRA is pretty much a guarantee.
While he obviously behaved rather irresponsibly, talking openly about a hack he did, the word "steal" is probably a bit strong.
Odds are the insurance numbers are just some of the things that passed through while he performed the hack, or the first thing he saw when he got in. Not something he intentionally took for his own gain.
Intent should count, but if someone broke into a company's building at night, picked the lock to a manager's desk, and stole all the papers he could see and ran out...obviously a theft has occurred.
Even if he was not looking for anything in particular, or did not plan on using any of the information found in the papers, he's committed a felony.
In this case I don't think it's clear whether or not he went ahead to parse out the insurance numbers and save those separately, and if so if he planned to do anything further with those (like sell them).
Yeah uh, your analogy is terribly wrong and just serves to perpetuate life-destroying punishments for innocuous actions. It's more like a street-level window was left open, and this guy stuck his head in and saw a bunch of papers strewn out on a desk, all while wearing a commonly-worn head-mounted camera. Any seriousness of the situation is related to his ultimate intent, not the hacking itself.
I like your analogy in that it portrays the fact that nothing was physically stolen, much similar to arguments used in piracy issues.
However, my understanding of Heartbleed is it can take many thousands of requests before interesting / meaningful data is returned. I doubt 900 SINs were returned in a single response (I could be wrong). So I suppose this is analogous to repeatedly sticking your head in & out of the wide open window at street level.
So what I am curious about is where the line is drawn. Is one malicious packet considered enough for an arrest? 1 million?
Well the standard way of answering that question is that it has nothing to do with the number of packets, but with the ultimate intent and actual damages caused. Unfortunately the legal system considers basically any hacking to be witchcraft and is horribly miscalibrated as to what should be considered serious or not.
I think it depends on exactly what he did here. I don't know the details of the case.
If he simply ran the Heartbleed script for an hour or 2 and did literally nothing else after it finished running, then yes, your analogy is the correct one and mine is wrong. In that case he should probably only be liable for the money spent by the agency in investigating the attack.
If he scraped out the SSL private key from the results, that's clearly worse.
If he additionally scraped out everything that fit the format of an insurance number, then it's quite a bit worse.
If he planned on publicizing or personally using any of these, then it's far worse.
I would also argue that it's less like a window being left open, but rather a door located around the back of the building where no one goes accidentally being left unlocked.
What he achieved should only be relevant in how it demonstrates intent. Deducing the SSL key could be done as a proof-of-concept, and should only matter if it can be used to show that he was planning on impersonating the site in furtherance of some other crime.
I do concede that the proper analogy isn't something so plainly visible to all as an open window, but it does have to incorporate an external motivating factor to try the door (perhaps a rumor floating around town that they tend to leave it unlocked and oh boy you wouldn't believe what's on the other side..)
Wow, you seem to be condoning theft here. The CRA website was hacked, using a hacking technique just discovered. It is not like "leaving a street-level window open". It's more like a new way to pick a lock was discovered that no one knew existed, and he went around picking locks to see what he could find.
He knew he was hacking the CRA when he did it. He can't claim to have done it accidentally. The CRA did everything reasonable to secure their servers.
That said, he's a smart teenager playing with technology and did something he shouldn't have. As long as no one was harmed, and his intentions were just curiosity, I think he should get off pretty light. Hate to see his life ruined.
An open window is easily spotted, so it probably is more appropriate to say an unlocked window. I didn't deny that he hacked the CRA, or even that those actions are wrong in a sense (on a different day/topic I might make that argument..), but am just pointing out the draconian binary punishment for computer crimes that you're also referencing when you say "Hate to see his life ruined".
Let's say on a lark you go walking down the street trying doorknobs, open the first unlocked one, and sit down on the couch and watch TV until the owner gets home. You have trespassed, and if the owner presses charges you will most likely be punished. However, that punishment will most likely be commensurate with the severity of the crime, not life-altering years in prison.
If you are geolocating, I would suggest spending $370 to buy the MaxMind GeoIPCity database. There's an nginx module for it and any major language will have code to run queries against it.
Actually this is very much illegal. You cannot charge someone for a product and then not deliver it. Kickstarter doesn't charge you for a product, you pledge or donate to a project on Kickstarter and if it's successful, you get the item(s) for the level you pledged to for free.
Well, of course if you charge someone for a product and don't ship it, then you owe them their money back.
I'm not sure there's anything illegal about it if you give them their money back -- I'm pretty sure I've tried to buy something from a seller on Amazon, been charged, it turned out they were unable to fulfill, they refunded. It happens.
Now, if you run out of money and go out of business without giving everyone their money back -- that's still not exactly 'illegal', it's not in and of itself fraud. Companies go out of business with creditors all the time, almost any time anyone does go out of business they owe someone something (I mean, in a sense, that's what makes you go out of business!)
Most credit card processors will have problems with you if you don't ship a product within a certain time frame (3-4 days) of charging a credit card. I believe it's part of the TOS.
And consumers are different than creditors. There are different laws that protect each.
I wonder if they get round that law because they don't ask for your shipping address until they ship the product, meaning it's never a "properly completed order".
I've found ifconfig.me to be excruciatingly slow when I actually need it. Like it takes 10-30 seconds for a response just to get my IP. Sucks that someone got the vanity domain and put a shitty server behind it.
Having the private key of a trusted root CA lets you create leaf certificates (or intermediate CAs) that your computer will trust implicitly (because the root is trusted). This would allow someone to man-in-the-middle your connection to, say, Gmail (with the help of your ISP) and you would not be able to easily detect it.
Gibson Research Corporation created a page that shows the real signature for some common websites (and lets you check any site you want). You can then connect to them and view the signature in your browser and compare them. This is what you would have to do to know if you were being MITMed with a "real" certificate.
If you ever listen to Security Now, you'll know that Steve has real issues personally with the scammy SSL system. Hongkong Post is always used as the example, but check your root cert list sometime. You'll see all sorts of entities that your browser implicitly trusts and you will have absolutely no idea who they are.
You don't, really. You would need to download the details for services you care about now, and hope they're not already compromised, and compare offline at a later date when you fear they might be.
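The offline comparison described in the last two comments is certificate pinning by fingerprint: record the SHA-256 of the certificate a site presents today, and compare later. A substitute certificate issued from a compromised (but trusted) root passes normal chain validation, so only the pin comparison catches it. The Ruby below is an added example, not code from the thread or from GRC; the two PEM blocks are constructed placeholders (PEM-framed arbitrary bytes, not real certificates), and `fetch_leaf_pem` is the one network-touching helper, included only to show how the live value would be obtained.

```ruby
# Added example: pin a server certificate's SHA-256 fingerprint and check a
# later-observed certificate against it. Pinning only detects a swap after the
# pin was taken; it cannot tell whether the first certificate seen was genuine.
require 'digest'
require 'socket'
require 'openssl'

# Convert a PEM block to DER bytes without parsing the ASN.1, so that the
# constructed placeholder "certificates" below can be exercised offline.
def pem_to_der(pem)
  body = pem.lines.reject { |l| l.start_with?('-----') }.join
  body.unpack1('m')
end

# SHA-256 fingerprint of the DER-encoded certificate, as colon-separated
# upper-case hex, the form browsers display in the certificate viewer.
def fingerprint(pem)
  Digest::SHA256.hexdigest(pem_to_der(pem)).scan(/../).join(':').upcase
end

# True when the certificate observed now matches the stored pin. A plain
# comparison is fine: a fingerprint is public data, not a secret.
def pin_matches?(observed_pem, stored_fingerprint)
  fingerprint(observed_pem) == stored_fingerprint
end

# Fetch the leaf certificate a host presents right now (network; not called
# in the offline demonstration below).
def fetch_leaf_pem(host, port = 443)
  tcp = TCPSocket.new(host, port)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params(verify_mode: OpenSSL::SSL::VERIFY_PEER)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.hostname = host
  ssl.connect
  ssl.peer_cert.to_pem
ensure
  ssl&.close
  tcp&.close
end

# Constructed placeholders: PEM framing around arbitrary bytes, standing in
# for the certificate pinned on day one and a substitute seen later.
GOOD_CERT = "-----BEGIN CERTIFICATE-----\n" +
            ['original cert bytes'].pack('m') +
            "-----END CERTIFICATE-----\n"
MITM_CERT = "-----BEGIN CERTIFICATE-----\n" +
            ['substitute cert bytes'].pack('m') +
            "-----END CERTIFICATE-----\n"

if __FILE__ == $0
  pin = fingerprint(GOOD_CERT)            # taken and stored on day one
  puts "pinned:                 #{pin}"
  puts "later, same cert:       #{pin_matches?(GOOD_CERT, pin)}"
  puts "later, substituted cert: #{pin_matches?(MITM_CERT, pin)}"
end
```

Store the pin outside the machine whose connection you distrust; a pin file on a laptop whose CA store has already been tampered with proves nothing, which is the point the comment makes about hoping the services "are not already compromised".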
Given the first vulnerability, which stemmed from poor defaults in Rails and Github using said defaults, I wouldn't be surprised if it were affected by this.
Not using attr_accessible is a lot different than not using reset_session after authenticating a login. It's very easy to forget or not notice a model missing some whitelisting, but to roll your own authentication code with zero security investment is just stupid and I would be extremely surprised if GitHub doesn't do it.
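The reason the comment treats a missing reset_session as the more serious omission is session fixation: an attacker who can plant a session id in a victim's browser before login ends up holding an authenticated session if the id survives authentication. The Ruby below is an added example, not Rails code and not from GitHub or the thread; `SessionStore` is a toy in-memory stand-in for the Rails session store, and `login_with_reset` models what calling `reset_session` before writing the user id achieves.

```ruby
# Added example: session fixation with and without regenerating the session
# id at login. SessionStore is an assumption standing in for a real store.
require 'securerandom'

class SessionStore
  def initialize
    @sessions = {}
  end

  # Hand out a fresh id for a visitor that has none (the pre-login session).
  def new_session
    id = SecureRandom.hex(16)
    @sessions[id] = {}
    id
  end

  def [](id)
    @sessions[id]
  end

  def delete(id)
    @sessions.delete(id)
  end
end

# Vulnerable: authenticates into whatever session id the browser sent,
# so an id chosen by someone else becomes an authenticated session.
def login_without_reset(store, session_id, user_id)
  store[session_id][:user_id] = user_id
  session_id
end

# Fixed: discard the pre-login session and issue a new id, which is what
# Rails' reset_session does before the app writes session[:user_id].
def login_with_reset(store, session_id, user_id)
  store.delete(session_id)
  new_id = store.new_session
  store[new_id][:user_id] = user_id
  new_id
end

# Fixation scenario, run against a login implementation: an id obtained
# before login is planted in the victim's browser, the victim logs in, and
# we ask whether the planted id now resolves to the victim's account.
def fixation_succeeds?(login)
  store = SessionStore.new
  planted_id = store.new_session          # id known before the victim logs in
  login.call(store, planted_id, 42)       # victim authenticates as user 42
  sess = store[planted_id]
  !sess.nil? && sess[:user_id] == 42
end

if __FILE__ == $0
  puts "without reset_session: fixation succeeds = #{fixation_succeeds?(method(:login_without_reset))}"
  puts "with reset_session:    fixation succeeds = #{fixation_succeeds?(method(:login_with_reset))}"
end
```

The detection side is the same check in reverse: a login response that sets a new session cookie value is the expected behaviour, and a login that leaves the cookie unchanged is the finding.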
Sounds like someone didn't read the guidelines for this. Raising the $185k is peanuts compared to what else you need. Over the 6+ months you have to prove to ICANN that you have the technical and financial ability to run a registrar which will be able to handle the number of customers you expect.
No group of donators will be able to do this without the support of a major company.