Litreev and Zdolnikov call for Roskomnadzor officials to be held accountable for negligence

Vladislav Zdolnikov (left) and Alexander Litreyev (center). Photo: Alexander Litreyev

In May, it became aware of a vulnerability in the Roskomnadzor lockout system, which allows you to block a resource that is not officially blacklisted. To do this, you must enter the address of the resource of the victim (which you want to block) in the DNS record of the domain that has already been blacklisted. There are hundreds of domains, and some of them can be inexpensively purchased.

For some time, de facto, on the territory of the Russian Federation, such resources as the Internet-cinema Ivi, the popular Internet publication Meduza and others have been blocked. It is possible that even now someone has blocked Steam, Instagram, World of Tanks, or other services that are definitely missing from the registry. No wonder. Thanks to the holes in the blocking system, today you can block anything in an absolutely arbitrary way in the Russian Federation. Even Habrahabr and Geektimes, this is a minute thing.
')
Apparently, Roskomnadzor officials knew about this vulnerability for several months or more, but did not even think about fixing it. In this regard, several activists - Alexander Litreev (Studio of the Literev) and Vladislav Zdolnikov (IT consultant of the Anti-Corruption Foundation of Alexei Navalny), and Alexander Brusentsev who joined them - turned to the Investigation Committee . Activists believe that officials of the Ministry of Communications and Roskomnadzor should be prosecuted under three articles of the Criminal Code (293, 285 and 306).

Article 293 - negligence, article 285 - abuse of official powers, including part 3 - entering into the unified state registers obviously false information, article 306 - obviously false reporting about the commission of a crime.

The actions of activists can not even be called a kind of act of aggression, it is rather self-defense. Roskomnadzor previously appealed to the Ministry of Internal Affairs with a request to investigate the situation with unauthorized blocking of resources that took place in the Russian Federation last week. As a result of such a check, a criminal case could be opened up against Lithreev and Zdolnikov because they bought blocked domains and “hooked up the addresses of regular websites to them” (“Vedomosti” quotes the words of a person close to Roskomnadzor). Litreev himself denies that he did this, although he actually bought more than ten blocked, but inactive resources, and seemed to add to them the addresses of some bona fide sites. But solely for verification purposes. Actually, the proposal to attract officials under Article 306 is connected precisely with that denunciation to the Ministry of Internal Affairs.

Lytreev and Zdolnikov are the authors of the popular Telegram channels dedicated to information security. One has 8,200 subscribers, another has 14,000. Both of them actively pointed out the vulnerability on their channels, so everyone was well aware of it.

At the same time, Roskomnadzor knew about the vulnerability in March 2017, as evidenced by the letters of the meetings that were held on this topic at that time. And even in February, I already knew what the letter to one ISP from the Ministry of Communications testifies to (the letter was obtained by the Lyreyevs).



Russian officials are not taken to prioritize information security in the first place, monitor the closure of vulnerabilities, etc. For example, last week the head of Roskomnadzor, Alexander Zharov, said that the solution to this problem could be “a bill giving the authorities the right to independently determine the order of blocking resources. " That is, the problem will not be solved soon.