LONDON, ONT.—The young man who stands accused as the Heartbleed hacker has a penchant for pointing out weakness.
As a teenage spelling bee champion, he challenged the judges.
When he was 14, the computer science prodigy tried to warn his high school administrators the computer system was vulnerable to hacking. They didn’t believe him, so he went in and proved it by finding confidential information, his lawyer is quoted as saying.
In university, he was known to send computer science assignments back to his professors with a note saying he’d found an error in the question.
And when the so-called Heartbleed bug — a flaw in computer code that was supposed to encrypt private data, but didn’t — made headlines, Stephen Arthuro Solis-Reyes, 19, allegedly tested the security breach and got himself arrested.
On Tuesday, the second-year computer science student at Western University turned himself in to authorities in London, Ont., where police are helping the RCMP investigation. A statement that said police believe Solis-Reyes extracted “private information” came two days after the Canada Revenue Agency announced the social insurance numbers of 900 Canadians had been extracted from its database. The two have not been directly linked by law enforcement and police have not clarified exactly what Solis-Reyes is accused of accessing.
The flaw in the software, known as OpenSSL and used by major websites like Google and Facebook, had the potential to leave hundreds of millions of online passwords and other sensitive information like credit card numbers exposed. That prompted the CRA to shut down its website for five days in April at the height of tax season.
Solis-Reyes was charged with one count of unauthorized use of a computer and one count of mischief. He was later released. It’s not known how he will plead.
“Maybe he was just testing his skill, and maybe the Canada Revenue Agency is not a good idea to test with,” said Ayan Chaudhury, a PhD candidate who was Solis-Reyes’s teaching assistant for Computer Fundamentals II in winter 2013.
Solis-Reyes received a perfect grade on all four of his assignments and never missed a lab, Chaudhury said. The young man’s work was often used as a benchmark against other students.
He is described as a serious but quiet student, neither asking for help nor saying hello when he saw his teaching assistant riding the same bus to campus.
Computer code is in his genes. Solis-Reyes lives at home with his father, Roberto Solis-Oba, who has a PhD from Purdue University and is a well-liked professor in the Computer Science department, where he is the graduate chair. The two were sometimes seen together in the Grad Club, a campus restaurant in the basement of Middlesex College, where Solis-Oba’s office is located.
According to Solis-Oba’s university webpage, applications for his research into algorithms include web caching, web searching, computational biology and data mining.
His son was a spelling bee champion as a youth. In 2006 as a Grade 6 student, he went to the Spelling Bee of Canada and practised a 400-word lexicon for months before. He told a London Free Press columnist at the time he wanted to work with computers, like his dad.
He later won a local spelling contest in 2008, by then a student at Mother Teresa Catholic Secondary School. Claire Whitty, now 17, came in third. She remembered him being outspoken with the judges.
“He liked to challenge their decisions,” she said.
Residents on a northwest London street a short drive from Western said the family members, including three sons, are good neighbours. A dog leash hung from the mailbox. Birdbaths and an evergreen decorated a tidy front lawn. There were no signs RCMP investigators had searched the home just days ago.
Outside the townhome, owned by Solis-Oba and Veronica Reyes-Gonzalez since 2000, the soft-spoken professor declined to speak with a Star reporter, deferring to his lawyer.
Western University has told faculty and staff not to speak to media.
Solis-Reyes’s arrest was connected to a “malicious breach of taxpayer data” over a six-hour period, according to the RCMP.
A friend, who called Solis-Reyes a “computer science whiz,” said he wasn’t convinced.
“I highly doubt he would have any malicious intent,” said second-year student Yash Paliwal, who added that Solis-Reyes would often work on projects more advanced than what they were learning in class.
“From what I can tell he just wanted to test his prowess and see where he could go with it.”
A “typical CS student,” Solis-Reyes was reserved and kept to himself, Paliwal said.
In 2011, someone with Solis-Reyes’s name registered a BlackBerry app to solve Sudoku problems; the following year a Stephen Solis-Reyes took part in the nationwide Canadian Computing Competition challenge at the University of Waterloo as a senior competitor, although he didn’t make it past the first stage.
Another teaching assistant, Jordan Van Dyk, who is also a student of Professor Solis-Oba, said there’s no doubt his student was talented.
But he thought it was unlikely a computer script could deliberately seek SIN numbers. The weakness in the Heartbleed bug means the server generally delivers more information to the hacker than it should because the data entered by the unwitting user — like a SIN number — was never properly encrypted.
So in six hours, reams of information could have been provided through the site, Van Dyk said, and SIN numbers happened to be among it. It could just as easily have been postal codes, he said.
And Solis-Reyes had a bright future ahead of him. He seemed to be leaning toward a career in research.
“It doesn’t really make sense for someone like that to say ‘Hey, I’m going to go live a life of crime.’”
“If he was really looking to make money, I think he would have covered his tracks a little bit better … I wonder if arrogance maybe came a little bit into the equation. He’s young.”
The Heartbleed bug has been around since 2012 although it was just reported widely earlier this month.
“If this is a known exploit, it shouldn’t have been possible. Especially with something like the CRA, there should have been steps taken to guarantee this couldn’t happen,” Van Dyk said.
Whether there is such thing as “ethical hacking” is up for debate.
Dawson College student Ahmed Al-Khabaz was famously expelled for exposing a flaw in his school’s security in 2012. He was called a “whistle-blower” while the college considered pushing for criminal charges.
Gabriella Coleman, a professor at McGill and author of the book Coding Freedom: The Ethics and Aesthetics of Hacking, says it’s common for hackers to “push the envelope for the sake of learning.”
“They often can’t help themselves so the code of conduct is not to stop it but to cause no harm when you do,” Coleman said.
Digital Locksmith chief technology officer Terry Cutler is an “ethical hacker,” which means he tries to break into computer systems at the specific request of companies.
But there is a limit: “If you don’t have permission, don’t do it,” he said.
When the news about Heartbleed broke, Solis-Reyes probably heard about the vulnerability and wanted to see if it was real, said James Arlen, a senior security adviser at Leviathan Security Group and self-identified hacker.
“What I did, a guy who is in essentially the same boat, I picked on one of my own servers … that’s safe because I’m not intruding in any way,” Arlen said. Others reported trying to scrape data from Yahoo’s email servers.
How to report flaws discovered illegally — without the permission of the computer system owner — is a grey area for hackers suffering from “white knight syndrome” who claim they are just trying to do good, Arlen said.
The law has been clear about performing penetration tests or scouring for vulnerabilities on computer systems that do not belong to you, Arlen said.
Adam Hueniken, a third-year U of T student and president of the Hacker Academy, recalls a challenge issued by web security company CloudFlare Inc. to hack into their system using Heartbleed and steal a private key.
“That’s a way to try your skills legally,” he said.
He noted that across the varied groups that make up the hacker subculture — from the well-intentioned to the anarchists — bragging rights are important.
“For some groups that means you have to show you’ve broken into something,” Hueniken said.
But when it comes to potentially accessing Social Insurance Numbers “it’s not like it’s going to provide a benefit to anybody by opening that up.”
A major part of the community standard for hacking is that you don’t do something that is easy to do, agrees Titus Ferguson, London, Ont.-based co-founder of the UnLondon incubator.
“The Heartbleed bug is very easy to take advantage of, which is why it’s so shocking and potentially dangerous.”