Creation of malware. A responsibility
I do not work for RU and the CIS in particular, which means it is clean before the law. Do not poke me in the Criminal Code, I know him perfectly and do not break. Such is the code of criminal procedure in our country, which it does not consider a violation of 272/273, if it has not caused harm to the Russian Federation. Thus, I disclaim the responsibility of what I have said here, and also do not bear any responsibility for the actions caused after reading this article. And in general - I tied up. I am kind, kindly and cherish.
This quote, posted in the now deleted article, caused in the comments a rather broad discussion of issues related to the responsibility for writing malware and exploits. Including in the course of research.
Is it the responsibility of the virus writer who created the bootloader? And if he creates his software in another country? And if he doesn’t even know that his software is being used for malicious purposes? There are many questions, we will try to answer them.
Before we start talking about responsibility according to the provisions of the law, I must say something sad. The law is not the chased formulations of the ideal TK, which many of those present on this resource are accustomed to. Alas. In this regard, there are comments to each article of the Criminal Code (you can get acquainted with them by typing in a search engine a query like “Article 273 of the Criminal Code of the Russian Federation”). But this is not a general explanation for everyone like “we read here, here it is.” Alas, this is the interpretation of specific people posted on specific sites. In most cases they coincide, but not always - and sometimes opinions are diametrically different. A few examples in the course of this article I will analyze. As a result, the decision on the case will depend (even without considering the quality of the evidence collection procedure and the quality of the case materials submitted to the court) on the qualifications of the lawyer, the qualifications of the court, and the established practice.
Let's start with the simplest questions.
')
“I do not write programs that encrypt or steal data. I make programs that infect a computer and then load the actual malicious programs on request. There is no article in the Criminal Code for this! ”
It is impossible to embrace all the laws of the world, therefore we will consider situations using the example of the Criminal Code of the Russian Federation. Legislation of other countries in most cases are similar.
To answer the above statement read Art. 273 of the Criminal Code "Creation, use and distribution of malicious computer programs" (as amended by the Federal Law of 07.12.2011 N 420-):
1. Creation, distribution or use of computer programs or other computer information that are known to be used for unauthorized destruction, blocking, modifying, copying computer information or neutralizing computer information protection tools, is punished by restriction of freedom for up to four years, or by forced labor for four years, or imprisonment for the same period with a fine of up to two hundred thousand rubles, or in the amount of wages or other income for a period of up to eighteen months.
2. Deeds stipulated by the first part of this article, committed by a group of persons in a preliminary conspiracy or organized group or a person using their official position, as well as causing major damage or committed out of mercenary interest, - shall be punished with restriction of liberty for up to four years, or forced works for up to five years with the deprivation of the right to occupy certain positions or engage in certain activities for a period of up to three years or without it, or imprisonment for a period of up to five years with a fine in the amount of one hundred thousand to two hundred thousand rubles, or in the amount of wages or other income of the convict for a period of two to three years or without such and with the deprivation of the right to hold certain positions or engage in certain activities for up to three years or not.
3. Deeds provided for in the first or second part of this article, if they have entailed grave consequences or created a threat of their occurrence, shall be punished with imprisonment for up to seven years.
This article indicates that responsibility comes for actions leading to the destruction, blocking, modification, copying of computer information or neutralization of computer information protection tools. That is, at the first reading an opinion is created that if the program does not do anything of the kind, then there is no responsibility for the creation and distribution of the same Trojans-downloaders. This is not true. The key word here is “computer information.” What it is that defines art. 272 of the Criminal Code:
Computer information refers to information (messages, data) presented in the form of electrical signals, regardless of the means of storing, processing and transmitting them.
Thus, information from the point of view of the law is not only documents. This is any bit recorded on the computer. Accordingly, any program modifying something on a computer may, under certain conditions, be classified as malicious. The above statement can be considered false.
“So — can any program that changes anything on a computer be considered malicious?”
Not any. Let's say network research utilities, remote control utilities - they often belong to programs that antiviruses encounter with suspicion - it is painful for attackers to use them to perform their actions. The border passes by the word "knowingly" and "unauthorized." A few quotes from comments on the article:
By malicious programs, in the sense of a commented article, are meant programs specifically (deliberately) created to disrupt the normal functioning of computer programs. Under the normal operation refers to the execution of operations for which these programs are intended, which is defined in the documentation for the program.Link
The use of a malicious program or malicious computer information should be understood as their immediate release, reproduction, distribution, and other actions for their introduction into economic circulation (including in a modified form) committed for the purpose of unauthorized destruction, blocking, modification or copying of information. disruption of computer devices or their network. For example, the use of a malicious program is its input (installation) into the computer's memory.
This composition is formal and does not require the occurrence of any consequences, criminal liability arises as a result of the creation of the program, regardless of whether this program is used or not. In the sense of a commented article, the availability of source texts of virus programs is already the basis for prosecution.
Accordingly, from the point of view of the law, malicious programs include programs that are installed without notifying users and / or performing actions that are not reflected in the documentation.
“I’m a system administrator, I set up RAdmin on the network - will I go to court?”
Installing programs without notice is a fairly frequent case in companies and organizations. Therefore, it is advisable to work through this issue, approve the list of software used and enter consent for its remote installation in documents signed by company employees. To avoid.
"Oh, and I spread the virus over the network!"
Let's start with the funniest quotes:
Under the use of malicious programs refers to their use (by any person ), in which their harmful properties are activated.Link
Above, I promised to sort out examples of discrepancies. The law does not quite successfully used the word "knowingly." The phrase "distribution ... of computer programs ... obviously intended" can be read in two ways. Imagine a situation where a user or administrator of a company distributed a malicious program over the network. If we imagine that “knowingly” refers to malware, then any unintentional distribution of a deliberately malicious program from the point of view of the law is not good. And here the difference in approach in the first and second parts of the article plays the role. Recall that "Acts provided for in the first part of this article, committed by a person ... using his official position ... shall be punished." No clarification that the actions committed inadvertently - no!
On the subjective side, the crime envisaged by Part 1 of the article being commented on can only be committed with direct intent, since this article determines that the creation of malicious programs knowingly for the creator of a program should lead to unauthorized destruction, blocking, modification or copying of information, disruption of work COMPUTER.Link
The use or distribution of malicious programs can also be carried out only intentionally, as in accordance with Part 2 of Art. 24 of the Criminal Code, an act committed by negligence is recognized as a crime only if it is specifically provided for by the corresponding article of the Special Part of the Criminal Code.
Part 2 of the article being commented on, in contrast to part 1, provides for the occurrence of serious consequences due to negligence as a qualifying attribute.
Another opinion to part 2:
The content of these qualifying signs corresponds to the content of similar signs of previously considered elements of crimesLink
One more:
On the subjective side, a crime can be committed both by negligence in the form of levity, and with indirect intent in the form of indifference to possible consequences. When establishing a direct intent in the actions of the perpetrator, the crime is subject to qualification depending on the goal that the perpetrator set for himself, and when the consequences came, to which he sought to achieve, and depending on the consequences that followed. In this case, the actions under Art. 273 of the Criminal Code, are only a way to achieve the goal. The perfect act is subject to qualification for the totality of the crimes committed.Link
It's funny by the way opinion:
Malware development is available only to qualified programmers who, by virtue of their professional training, must foresee the possible consequences of using these programs.
Thus, include an antivirus check in your software installation procedures, approve the procedures and follow them - do not forget about the 274 of the Criminal Code of the Russian Federation:
In accordance with article 274 of the Criminal Code of the Russian Federation, criminal liability is incurred for violating the rules for the use of the means of storing, processing or transmitting computer information and information and telecommunication networks.Link
“I just started for myself!”
Another place where interpretations differ. In most interpretations it is considered that there is no difference for oneself or not:
The considered crime will be completed from the moment of creation, use or distribution of such programs or information that create the threat of the consequences specified in the law, regardless of whether these consequences actually occurred or not . At the same time, the perpetrator must be aware that the programs created or used by him will knowingly lead to the socially dangerous consequences specified in the law. Motive and purpose do not affect the qualification of the crime.Link
The answer I think is obvious.
True the same interpretation makes condescension for shots in the leg:
However, the use of malicious computer programs for personal needs (for example, to destroy their own computer information) is not punishable.
“I’m not spreading the virus, I’ve posted it on GitHub for general information and that's it”
Distribution of programs is the provision of access to a computer program reproduced in any material form, including by network and other means, as well as by selling, renting, renting, lending for any of these purposes. One of the most typical ways of spreading malicious programs is to place them on various sites and pages of the Internet.Link
Thus, any publication is already a distribution. Naturally, there is immediately a question about the publication of exploits that demonstrate vulnerability. From the point of view of the law, this is not good. It is possible to recommend a publication with changes that make the code not workable - but whether the court will take it as an argument is not known.
“Yes, I didn’t even compile, only for interest the code was thrown”
This composition is formal and does not require the occurrence of any consequences, criminal liability arises as a result of the creation, use or distribution of the program, regardless of whether this has resulted in any socially dangerous consequences. In the sense of a commented article, the availability of source texts of virus programs is already the basis for prosecution.Link
Responsibility comes for any action provided by the disposition, alternatively. For example, someone may be responsible for creating a malicious program, another for using it, and a third for distributing malware.
More fun:
Creating programs is an activity aimed at developing, preparing programs capable of unauthorized destruction, blocking, modifying, copying of computer information or neutralizing computer information protection tools.Link
Art. 273 of the Criminal Code establishes liability for illegal actions with computer programs recorded not only on machine, but also on other media, including on paper. This is due to the fact that the process of creating a computer program often begins with the writing of its text followed by its introduction into the computer or without it. With this in mind, the availability of source texts of malicious computer programs is already the basis for being held accountable under Art. 273 of the Criminal Code.
It’s certainly fun to write source texts on paper, but this doesn’t change the meaning. Storing source code and even more malware - if you will be attracted in any case - is not good. Judicial practice in this regard is unambiguous. The presence on the computer of programs that can be classified as malicious and the possibility of using them in connection with the qualification (insanity, I agree, but this is the practice) is an aggravating circumstance
"Yes, I am only on the command line ..."
Earlier we talked only about the programs. But the 273rd contains another: "... the distribution or use of ... computer information that is intentionally intended." We recall that information is any bit on a computer.
The Civil Code of the Russian Federation defines a computer program as “an objectively presented set of data and commands intended for the operation of computers and other computer devices in order to obtain a certain result, including the preparatory materials obtained during the development of a computer program and the audiovisual displays generated by it "Link
Therefore, any actions that knowingly modify, destroy, etc. are subject to the 273 of the Criminal Code of the Russian Federation.
Even copying malware you can get under the wording of the law
A form of committing this crime can only be an action expressed in the form of creating computer malware, making changes to existing programs, as well as using or distributing such programs. The distribution of engine media with such programs is fully covered by the notion of “use”.Link
"I am not 18 yet!"
The subject of this crime can be any sane person who has reached the age of 16.Link
"For what?"
Depending on the actions and consequences of the malicious program and the consequences, responsibility may not be only according to art. 273 . Two examples
If the creation, use or distribution of malicious software acts as a method of committing another intentional crime, then the deed must be qualified for a combination of crimes. For example, in cases where a malicious program is created or used to eliminate the means of individual protection of a computer program established by the copyright holder, responsibility arises for the relevant parts of articles 146 and 273 of the Criminal Code of the Russian Federation.Link
In the event that the perpetrator of using or distributing malicious programs deliberately destroyed or damaged computer equipment, which caused significant damage to the victim, his behavior constitutes the totality of crimes provided for in Articles 167 and 273 of the Criminal Code of the Russian Federation.
“I am from another country and do not fall under the laws of your country!”
Alas, it is not. All actions to create (including as we remember storage), distribution and use - fall under the Criminal Code of the Russian Federation. That is, if you are taken with the source code on the territory of the Russian Federation, you perform any actions against citizens and institutions of the Russian Federation - you fall under the laws of the Russian Federation.
Examples of intruders who have fallen into US prisons are proof of this.
Whether you deny responsibility or not - the law does not care. The law is concerned with perfect actions. Are you stuck or not - likewise. There are committed actions and there is responsibility for them.
LeakedSource (leak aggregator, which collected Vkontakte, Mail.ru, Rambler, Last.fm, Linkedin, Dropbox, Myspace and many other resources leaked to the Internet and provided access to passwords of victims of leaks to anyone who would pay for them) Claims California law does not apply to the company because it is based outside of the United States.Link
“Why are there so few landings?”
As far as I personally know, the problem is connected not with the desire to plant, but with the flaws of the procedures. The complexities of combining small cases from different departments into one, the experience of collecting evidence
Other countries. All will not be considered, we confine ourselves to two
Kazakhstan
Article 206 of the Criminal Code of the Republic of Kazakhstan. Illegal destruction or modification of information
1. Intentional unlawful destruction or modification of information protected by law, stored on electronic media, contained in an information system or transmitted via telecommunications networks, as well as entering deliberately false information into an information system, if this resulted in a significant violation of the rights and legitimate interests of citizens or organizations or protected the law of the interests of society or the state, ...
Article 210. Creation, use or distribution of malicious computer programs and software products.
1. Creating a computer program, software product or making changes to an existing program or software product for the purpose of unlawfully destroying, blocking, modifying, copying, using information stored on electronic media contained in an information system or transmitted over telecommunications networks, computer malfunction, subscriber device, computer program, information system or telecommunications networks, as well as intentional use and (or) distribution such a program or software product ...
Pretty much the same. But the intentional actions are clearly spelled out, random distribution is not subject to punishment. On the other hand, illegal actions have been added - the fact that Russia is subject to Article 274. The article lacks a definition of information, as in the previous version of Art. 273 of the Criminal Code of the Russian Federation, which made it possible to include personal data and some other categories of data in such information.
And in the case of Kazakhstan, actions are not required. Enough inaction
Article 207. Disruption of the operation of an information system or telecommunications network
1. Intentional actions (inaction) aimed at disrupting the operation of an information system or telecommunications networks ...
Ukraine
1. Swing , - are punished with a fine against p'yatiot to thousand neopodkuvuvanih minimum_v revenues are immense or by robots with robots on lines up to two rocks, or to those who have succeeded on those lines themselves.Link
2. Those same days, reapply abo after the serpent group of the serpentine group, or stink of sneak at the bottom, mean to Skoda, - be punished for the next five years.
The incomprehensible wording "Creation for the purpose of use." Write, but do not check? In any case, the law falls under the activity of any programs or hardware to change the operation of computers or networks. There is a word spread - there is no intentional specification to it or not. I'm afraid the unintentional falls under the law
Here you can familiarize yourself with the responsibility for distributing various types (by types!) Of malware.
A few more approaches to responsibility for the creation and use of malware legislation of different countries can be found here .
Source: https://habr.com/ru/post/357256/
All Articles