
Dissonance

Foreword


All events are fictional, the thoughts and sentences are fantasy, and any coincidences are accidental.
This article is a subjective piece of free thinking about the discrepancies that exist between the reality of the IT sphere and the application to it of certain elements of the relevant article of the Criminal Code of the Russian Federation. My colleagues may condemn me for this "epic", but one way or another the questions raised here need a reaction, any reaction. The article is divided into three parts, according to the number of Reasons.

Several reasons led me to write this article:

Reason One

Every time I encounter another Information Security Incident, I understand more clearly that I know nothing. Well, perhaps not so categorically: every time, with each new Incident, I find that some new brick, some small thing, is missing, and wherever that element is missing it becomes harder and harder to build the logical paths and connections, to weave the web that would symmetrically and logically glue together the objective reality of the incident and our laws, whether at the "foundation" or up at the "chimney". And so sadly, to the point of depression, I understand how easy it is, in principle, to ruin the combined result of the work of experts, specialists, operatives and investigators. By "our laws" I mean the Criminal Code, the law "On Operational Search Activity", and the Criminal Procedure Code, not forgetting the rest of the federal laws related to the "informational" subject. And in my opinion, if each case is sorted out very meticulously, many incidents cannot be linked to, "brought" under, any article of the Criminal Code at all. I do not consider the Code of Administrative Offenses at all; I believe that for the spheres of "communication" and "information" it effectively does not exist. So the first reason for writing this article is the desire to bring to the Habr community my own vision of the situation in this area, and, to some extent, to draw readers into my many years of cognitive dissonance. Therefore this part will contain a brief, superficial legal primer on Article 272 of the Criminal Code of the Russian Federation (I will not consider Articles 273 and 274, so as not to complicate a text that is already difficult to follow meaningfully).

Reflections on article 272 of the Criminal Code of the Russian Federation

Consider Part 1 of Article 272 of the Criminal Code of the Russian Federation, "Unlawful access to computer information":

Unlawful access to computer information protected by law, if this act resulted in the destruction, blocking, modification or copying of computer information, is punishable by a fine of up to two hundred thousand rubles or in the amount of the wages or other income of the convicted person for a period of up to eighteen months, or by correctional labor for up to one year, or restriction of liberty for up to two years, or forced labor for up to two years, or imprisonment for the same period.


The two most important elements of the article are: first, that there was unauthorized access to information protected by law, and second, the consequences in the form of destruction, blocking, modification or copying. (Note: the Legislator did not write "protected by law" directly into the consequences, but apparently it is assumed that the access and the consequences both relate to the same information, or is it?) Whether we are right or not we will not consider; of course there are nuances, but they are not fundamental, and it seems to me it is clear what is what, and under which technical and legal conditions.

What is this "information protected by law"? Those few sober investigators of my acquaintance, relying on the legislation of the Russian Federation, understand it like this: the object of the encroachment is computer information protected by law, where information means information (messages, data) presented in the form of electrical signals, regardless of the means of its storage, processing and transmission. Information is deemed to be protected under two conditions. First, the law places the data under protection from unauthorized access. Thus, Decree of the President of the Russian Federation No. 188 of 06.03.1997 approved the List of confidential information. It includes personal data, except for cases established by law; the secrecy of the investigation and legal proceedings; information about protected persons and the state protection measures applied to victims, witnesses or other participants in criminal proceedings; official secrets; medical, notarial and legal secrecy; the secrecy of correspondence, telephone conversations, postal, telegraph and other communications, and so on; trade secrets; and information about the nature of an invention, utility model or industrial design prior to its official publication. In accordance with Federal Law No. 152-FZ "On Personal Data" of July 27, 2006, personal data means any information relating to a directly or indirectly identified or identifiable individual (the subject of personal data). And that is not all: I almost forgot to mention state secrets.

Second, the legal owner of the information must take measures to protect it.
Notice once again which information is protected. Now the question: has a trade secret regime been introduced in your enterprise, in your organization, in, say, your small development team? In short, the owner of information has the right to classify it as a trade secret. For the information to receive trade secret status, its owner must follow the procedures established by the law "On Trade Secrets". Once the regime is introduced and the information receives trade secret status, it begins to be protected by law. "In hindsight", during the "debriefing" of an Incident, these procedures are, alas, unlikely to be carried out (although why not; it will just look extremely crooked). Put primitively: if someone somehow penetrates your network to the servers and there are consequences for information that you consider a trade secret, but the regime has not been introduced, alas, the investigator has the right to assert that there is no crime. And so it is, in principle, with each kind of "protected information": for each item in the list there are different regimes, rules and norms about what to assume and what not, and so on.
Now about "the legal owner of information must take measures to protect it." What is that? It is a complex of legal, organizational, technical and other measures. All sorts of more or less serious organizations providing information security and legal support have "eaten more than one dog" on this, printed out more than one box of paper, and earned more than one "stack" of money.

Digression:

And here I will say why I personally believe that the Code of Administrative Offenses plays no significant role for the spheres of "communication" and "information". Let's take a bright topic, so loved by these information security structures: the topic of "personal data". Favorite, because from regularly reading the blogs of the experts and managers of these structures, I think I begin to understand why they write so much about it; to exaggerate, it is pure profanation of the true goal, data security, and probably designed only to ensure that the structures earn money. No, understand me correctly: the topic is undoubtedly important, both personal data and making money, but here is the thing: I do not understand why the article was placed in the Administrative Code. Of course, it is obvious that the State believes that the personal data of citizens being processed must be protected; therefore the Legislator developed Federal Law No. 152-FZ "On Personal Data" and introduced administrative liability for persons guilty of violating it. But the law works only in cases like last year's epic story with the SMS content of subscribers of one well-known telecom operator. The law almost works, but the bottom line is a ridiculous fine of 30 thousand rubles (or how many kopecks is that?). How often do such leaks happen? Agree, it is an accident, a grandiose one, but an accident.
Now let's model a situation that in my opinion is more realistic: tomorrow a subscriber database, the clients of some organization, appears on torrents and on all the major file-sharing sites, and let the database contain information that falls under personal data. What is going to happen? First, Roskomnadzor should learn about it. If this is the database of one of the Big Three operators or a large financial institution, they will know right away; but what if it is a regional-level organization? I do not recall Roskomnadzor being charged with monitoring the entire Network to identify published "leaks", and even if similar functionality exists, it is not implemented in objective reality, and taking into account some of the changes currently being made, the reductions in its structure, do not expect real monitoring. Further, Roskomnadzor initiates an inspection of the organization for compliance with 152-FZ, having previously coordinated the inspection with the Prosecutor's Office and justified its urgent need; I note that this is not always easy. Well, okay, Roskomnadzor learned of it; further, as part of the audit, Roskomnadzor employees request documentation, and the organization submits all possible documents, licenses, certificates, contracts, etc. (it was not for nothing that the previously mentioned information security structures prepared the documents and received money), along with the results of internal verification and independent examination. And on paper everything is fine: the legal owner of the information has taken all measures to protect the processed personal data. What to do? Something needs to be done; after all, somehow, somewhere, the information "left". A preliminary investigation, and which article comes first?
Part 1 of Article 272 of the Criminal Code. And there is no suspect, and most likely the process will not be objectively promising in terms of time (a VPN in Peru, TOR with an exit in Dublin, the starting point of entry into the Internet a public Wi-Fi network whose logs have been overwritten many times by new customers, the recordings of the surveillance cameras in the area rewritten ten times over, and the MAC address of the attacker's network card fake, with no reference to the manufacturer). But still, let's assume the most unbelievable: a suspect was found, and even interrogated, and again, "obvious-unbelievable", besides stalling, as usually happens when Article 51 of the Constitution of the Russian Federation is invoked, he says something to the investigator. Clearly more than 3 months have passed, but he says the following, and let his words be true: "... I used a banal exploit from 5 years ago ...". It will probably become clear to you that the "legal owner of the information" did not take all the necessary measures to protect the data, but the deadline for bringing administrative liability expired long ago. "Thank you all, everyone is free": the customer database gained its freedom on the Web long ago, and the personal data operator will not be punished, because by this moment all the holes have already been closed and new boxes of the corresponding papers have been printed.
Therefore I believe that all these shamanic dances around 152-FZ and the execution of the Regulator's other various initiatives and measures, and the consulting of information security structures, have only one main vector of protection: from the State as represented by Roskomnadzor and its checks for "compliance ...", and only secondarily are they directed at the security of personal data itself. So what do we get, is this correct, is this the goal? And yet, to end the Digression about personal data and the Administrative Code, I observe nothing, neither in life nor in information on the Web, about sets of checks against the particular organizations whose databases are circulating on the Net, in the metro, anywhere. In general, I have dark thoughts of a corrupt kind; let's model in this direction: every region has its own small telecom companies or branches of the same Rostelecom, and subscriber databases "from the time of Tsar Gorokh" are regularly published on local exchangers or torrents. What prevents me or anyone else from downloading such a database, modifying it somewhat, publishing it, pushing this "epic file" from "random people" and initiating an appeal to the Prosecutor's Office and Roskomnadzor from those same "random citizens", letting the personal data operator be tormented, and then actually "trolling" the operator n times, while the police go looking for a Peruvian resident of Dublin.

Note to the Digression:
Already finishing this part of the article, in the blog of one specialist I found a line of thought correlating with mine; I will simply quote it: "In this regard, I remembered the recent PHD, whose slogan was "Real Security". And really, hacks of automated process control systems, ATMs, browsers, circumvention of protective mechanisms, fraud with remote banking services: this is what information security services should be doing. And they simply do not have enough time for it, because they are forced to produce multi-page manuscripts built on the already outdated paradigm of the protected perimeter, protect state secrets and counteract foreign technical intelligence."


However, let us return to Article 272. With regard to information and its protection by law, we now have an understanding at a primitive level. And it is clear that not everything is so simple; moreover, the fact of unauthorized access to information protected by law is subject to proof. That is, the carrier that was accessed (I consider de facto remote access, through any kind of communication; the case where someone simply stole the medium itself is not interesting) contains a lot of files and data structures, and not all of that data will be protected by law, so the investigator will have to prove that it was unlawful access to information protected by law. Moreover, the investigator will require a specific list of the files and databases protected by law, confirming unlawful access to them. Somehow ... by the way, how will we unequivocally confirm that?

Now another important element of the article; I will quote an acquaintance of mine, a rather experienced investigator, though not necessarily a sane person:
"The crime has a material composition; it is considered completed from the moment at least one of the consequences specified in Part 1 of Article 272 of the Criminal Code of the Russian Federation occurs, in the form of destruction, blocking, modification or copying of information. Familiarization with the information in the absence of consequences does not constitute a corpus delicti under Article 272 of the Criminal Code."
So, to the point of ridiculous sadness, if there is a "hacker" with a phenomenal visual or auditory memory, he will never be convicted under this article.

And indeed, there is no unity of opinion about the consequences. For example, "copying" is defined differently, however anyone likes, conveniently, adjusted to specific situations, frankly a fudge. Lawyers who understand IT (I have never seen one, only read about them on the Web) may say that copying is the direct creation of a duplicate file, files, data, or copies of information and messages while preserving the original computer information. Investigators may count as "copying" data obtained in the form of, for example, configuration packets from the DHCP server of a LAN that was "hacked" (the author repents, he sinned: he bent things when, about 7 years ago, he was involved in a case where the data obtained from the DHCP of a Wi-Fi point was "presented" as protected information; a person was convicted with a fine under two articles, Part 1 of Article 272 and Part 1 of Article 165 of the Criminal Code of the Russian Federation "Causing property damage by deception or abuse of trust"; in justification I will say that we were simply tired of "finding" this lover of Internet at other people's expense). Lawyers, in turn, can assert that technical data read by the "object" in the course of browser operation (the same HTTP cookies), network devices and other service information cannot be the object of "copying".
Digression:
Now I wonder how, taking everything said above into account, to characterize a situation in which the data was obtained as a result of a sniffer's operation, be it ordinary interception of packets on a channel or the result of a man-in-the-middle attack with spoofing of devices in the provider's network, if the intercepted information is authentication data: a plaintext login and password in SMTP or POP, or the notorious HTTP cookies, which allow the "object" to access a resource under the "victim's" account.
Let's model: access is obtained, and the "object" simply remembers visually, or actually starts recording the screen, the "desktop". That's the interesting part: "recording from the screen" programmatically, or with a Full HD digital camera set up in front of the monitor. What is it? One and the same: information identical in semantic content but differing in the form of storage, and the form affects the corpus delicti. Letters and documents protected by law copied from the resource to a storage medium: there is a complete corpus delicti. Read in the same way as I indicated with video recording, or remembered thanks to phenomenal abilities: there is no corpus delicti. For some reason I am sure that the "victim" does not care at all in what form, by what method, his data became someone else's property, but there is an investigator, a prosecutor's office, a judge, who will rely solely on the letter of the Law, and for them it should be written on paper, the paper approved, signed with pen or ink, with seals and other paraphernalia; I think my irony is understandable. It is very difficult, practically impossible, to explain in practice to an investigator or a prosecutor's employee that if the "object" "saw" the data on the screen, he "automatically" copied it.


The situation with "modification" and "blocking" is similarly ambiguous. I have met in practice (a long time ago, true) and read on the Web that, for example, a change of billing data at a provider, as a result of access to the network using someone else's credentials, was sometimes treated as "modification" of protected information, and as "blocking" when the client could not go online or reach the account (for example, when two simultaneous sessions are prohibited).
And now, finally, "destruction", which at the everyday level may seem like "everything is simple here". Alas, no; there is complexity here too, and I will try to convey some of the points to readers in the second part of the article.

In conclusion, I want to say that everything above is questions and thoughts; in practice there are even more questions. Each element of the article has to be explained to the investigator, questions answered, and there must be actual confirmation in the Incident of every word and letter of the article of the Criminal Code of the Russian Federation. Moreover, at the same time one must take into account and model the answers of the alleged suspect and his lawyer, and have arguments and evidence that can "break" any pseudo-scientific nonsense from the "offender" (a separate "epic" could be written on this subject).
And I hope you now understand how the events of an ordinary, everyday Incident translate into tremendous work, which, in the current state of affairs with the legislation and its contradictory, ambiguous interpretations, is easy to destroy, or at least to call into question.

To be continued...

Source: https://habr.com/ru/post/152697/

