
Dissonance
Foreword
All events are fictitious, the thoughts and suggestions are fantasy, and any coincidences are accidental.
The article is a subjective, free-thinking fabrication about the mismatch between the reality of the IT sphere and the application to it of certain elements of the corresponding article of the Criminal Code of the Russian Federation. For this "epic" my colleagues may condemn me, but one way or another, some reaction to the questions raised in the article is necessary. The article is divided into 3 parts, by the number of reasons.
Several reasons motivated me to write this article:
Reason One
Each time I encounter yet another information security incident, I understand better that I know nothing. Probably not so categorically, but each time a new incident comes along, some new brick is always missing, a trifle, and no matter where that element is missing, in the "foundation" or out on the edge of the "chimney", it becomes harder and harder to build logical paths and connections, to weave a web that would symmetrically and logically glue together the objective reality reflected in the Incident and our laws. That is depressing, to the brink of depression, when I understand how easy it is, in principle, to ruin the combined result of the work of experts, specialists, security officers and investigators. Our laws here are the Criminal Code, the Law "On Operational-Search Activity", the Criminal Procedure Code, and let us not forget the rest, the federal laws on "information" topics. Moreover, in my opinion, if each case is analyzed very pedantically, many incidents cannot be connected at all, "subsumed" under any article of the Criminal Code. I do not consider the Code of Administrative Offenses at all; I believe that for the areas of "communication" and "information" it effectively does not exist. Therefore the first reason for writing the article is the desire to bring my vision of the situation in this area to the Habr community, and to drag readers into my long-standing cognitive dissonance. So this part contains a brief, superficial legal primer on Article 272 of the Criminal Code of the Russian Federation (I will not consider Articles 273 and 274 of the Criminal Code, so as not to complicate a text that is already difficult to understand meaningfully).
Reflections on Article 272 of the Criminal Code of the Russian Federation
Consider Part 1 of Article 272 of the Criminal Code of the Russian Federation “Unlawful access to computer information”
Unlawful access to computer information protected by law, if this act entailed the destruction, blocking, modification or copying of computer information, shall be punishable by a fine of up to two hundred thousand rubles, or in the amount of the convict's salary or other income for a period of up to eighteen months, or by corrective labor for a term of up to one year, or restriction of liberty for a term of up to two years, or forced labor for a term of up to two years, or imprisonment for the same term.
The two most important elements of the article are: first, unlawful access to information protected by law, and second, the onset of consequences in the form of destruction, blocking, modification or copying (Note: the Legislator did not explicitly say that the consequences concern the information "protected by law", but apparently we are meant to understand that the access and the consequences both relate to the same information, or what?). Whether the access was lawful or not we will not consider; of course there are nuances, but they are not fundamental, and it seems to me that it is clear what is what and under which technical and legal conditions.
What is this "information protected by law"? The few sensible investigators of my acquaintance, relying on the legislation of the Russian Federation, want and think of it this way: the object of the encroachment is computer information protected by law, and information is understood as data (messages, data) presented in the form of electrical signals, regardless of the means of their storage, processing and transmission. Information is recognized as protected under two conditions. First, the law protects the data from unauthorized access. Thus, by Decree of the President of the Russian Federation of 06.03.1997 No. 188, the List of Confidential Information was approved. It includes personal data (except in cases established by law), the confidentiality of investigations and legal proceedings, information on protected persons and the state protection measures applied to victims, witnesses or other participants in criminal proceedings, official secrets, medical, notarial and attorney-client secrets, the secrecy of correspondence, telephone conversations, postal, telegraphic or other messages, etc., commercial secrets, and information about the essence of an invention, utility model or industrial design before its official publication. In accordance with Federal Law No. 152-FZ "On Personal Data" of July 27, 2006, personal data is any information relating directly or indirectly to an identified or identifiable individual (the personal data subject). And that is not all; I almost forgot state secrets.
Second, the rightful owner of the information must take measures to protect it.
Please note again what information is protected. Now the question: has a small development team introduced, for example, a trade secret regime at your enterprise, in your organization? In short, the owner of information has the right to classify it as a trade secret. For information to receive trade secret status, its owner must follow the procedures established by the Law on Trade Secrets. Once that status is obtained and the regime is introduced, the information begins to be protected by law. In hindsight, during the "debriefing" of an Incident, alas, these procedures are unlikely to be implemented (although why not, but it will look extremely crooked). Put primitively: if someone penetrates your network to the servers by any means and there are consequences for information which you intuitively consider a trade secret, but no regime has been introduced for it, alas, the investigator has the right to assert that there is no corpus delicti. And so it is, in principle, with each kind of "protected information": each item on the list above has its own regimes, rules and norms about what counts and what does not, and so on.
Now about "the legitimate owner of the information must take measures to protect it." What is that? It is a set of measures of a legal, organizational, technical and other nature. All sorts of more or less serious organizations providing information security and legal support have vast experience here: they have printed more than one box of paper and earned more than one "stack" of money.
Digression:
And here I will say why I personally believe that the Code of Administrative Offenses plays no significant role in the areas of "communication" and "information". Let us take at once a bright topic so beloved by these information security outfits: "personal data". Beloved because, regularly reading the blogs of the specialists and leaders of these outfits, I seem to begin to understand why they write so much about it: they are overdoing it, a pure profanation of the true goal, data security, probably designed only to make money make money. No, understand me correctly, the topic is undeniably important, both personal data and making money, but here is the thing: I do not understand why the article was introduced into the Code of Administrative Offenses. Of course it is obvious that the State believes that the processed personal data of citizens should be protected, so the Legislator developed Federal Law No. 152-FZ "On Personal Data" and introduced administrative liability for persons guilty of violating it. But the law only works in cases like last year's epic file with the contents of subscribers' SMS at one well-known telecom operator. The law almost works, but what is the bottom line: a ridiculous fine of 30 thousand rubles (or how many cents is that?). And how frequent are such failures? You must admit, this was an accident, a grandiose one, but an accident.
Now let us model a situation that is, in my opinion, more realistic: tomorrow, on torrents and on all the large file hosting sites, a database of the subscribers or clients of some organization appears, and the database contains information that qualifies as personal data. What will happen? First, Roskomnadzor has to find out. If it is the database of one of the Big Three operators or a large financial institution, it will know immediately, but what if it is a regional organization? I do not recall Roskomnadzor being charged with monitoring the entire Network to identify published "leaks", and even if such a function exists, it is not implemented in objective reality, and given the changes currently under way and the cuts in the structure, real monitoring is not to be expected. Next, Roskomnadzor initiates an audit of the organization for compliance with 152-FZ, after agreeing the audit with the Prosecutor's Office and justifying the extreme need for it; I note that this is not always easy. Well, fine, Roskomnadzor found out. Next, as part of the audit, Roskomnadzor employees request documentation, and the organization submits every possible document: licenses, certificates, contracts, etc. (after all, it was not for nothing that the information security outfits mentioned earlier prepared the documentation and received the money), as well as the results of an internal audit and an independent examination. And on paper everything is fine: the legal owner of the information took all measures to protect the processed personal data. What to do? Something must be done by someone, since the information is somehow "gone": a preliminary investigation, and which article comes first?
Part 1 of Article 272 of the Criminal Code. But there is no suspect, and most likely there will not be one within any objectively reasonable time from the point of view of the process (a VPN in Peru, TOR with an exit in Dublin, the initial Internet access point a public Wi-Fi network whose logs have been overwritten many times by new customers, the surveillance camera recordings in the district rewritten ten times over, and the MAC address of the attacker's network card spoofed, with no reference to the manufacturer). But nevertheless, let us suppose the most improbable: the suspect was found and even questioned, and again, "obvious yet unbelievable", besides refusing to testify against himself, as usually happens under Article 51 of the Constitution of the Russian Federation, he says something to the investigator. More than 3 months have clearly already passed, but he says the following, and let his words be true: "... I used a banal exploit 5 years ago ...".
Therefore I believe that all these shamanic dances around 152-FZ and the implementation of the Regulator's various other initiatives and measures, and the consulting of the information security outfits, have only one main vector of protection: from the State in the person of Roskomnadzor and its audits "for compliance ...", and are only secondarily aimed at the security of personal data itself. And what does that achieve, is it right, is that the goal? And one more thing, to end the Digression on personal data and the Code of Administrative Offenses: I do not observe, either in my own life or in the information on the Web, any set of audits of the various organizations whose databases are distributed on the Web, in the metro, anywhere. In general, I have dark thoughts about corruption; let us model in that direction: each region has its own small telecom companies or branches of the same Rostelecom, whose subscriber bases "from the time of Tsar Gorokh" are regularly published on local file exchanges or torrents. What prevents me, or someone else, from downloading such a database, modifying it a bit, publishing it, publicizing this "epic file" through "outside people" and initiating,
Note to the Digression:
Already finishing this part of the article, on the blog of one of the experts I found a trend that correlates with my thoughts; I will simply quote: "In this regard, I recalled the other day PHD, whose slogan was "Real Security". And indeed, hacks of automated process control systems, ATMs, browsers, bypasses of protective mechanisms, fraud with remote banking systems: these are what information security services should be dealing with. And they trivially lack time for this, because they are compelled to produce multi-page manuscripts built on the already outdated secure perimeter paradigm, protecting state secrets and countering foreign technical intelligence."
However, let us return to Article 272. As regards information and its protection by law, we have understood it at a primitive level. And it is clear that not everything is so simple; moreover, the fact of unlawful access to information protected by law is subject to proof. That is, if the medium that was accessed (I consider de facto remote access through any kind of communication; the case where someone stole the medium from someone is not interesting) contains many files and data structures, not all of that data will be protected by law, and it will have to be proven to the investigator that the unlawful access was precisely to the information protected by law. Moreover, the investigator will require a specific list of files and databases protected by law, with confirmation of unauthorized access to them. Something like that ... and by the way, what will we use to confirm it unequivocally?
Now another important element of the article. I will quote an acquaintance, a rather experienced investigator, though not necessarily a sane one:
"The crime has a material corpus delicti and is considered completed from the moment at least one of the consequences specified in Part 1 of Article 272 of the Criminal Code of the Russian Federation occurs, in the form of destruction, blocking, modification or copying of information. Familiarization with the information in the absence of consequences does not constitute the corpus delicti provided for in Article 272 of the Criminal Code of the Russian Federation." So, to my ridiculous sadness, if there is a "hacker" with phenomenal visual or auditory memory, he will never be convicted under this article.
And indeed, there is no consensus on the consequences. For example, "copying" is defined differently, whichever way is convenient. Lawyers who think in IT terms (I have not seen such in 10 years, I have only read about them on the Web) may say that copying is directly creating a duplicate of a file, files or data, or a copy of information and messages while preserving the original computer information. Investigators may count as "copying" data obtained in the form of, for example, packets of settings from the DHCP server on a LAN that was "hacked" (the author repents, he was guilty: there was an excess about 7 years ago when he participated in such a case and "secured" the data received from DHCP on Wi-Fi access points as protected information; the person was sentenced to a fine under two articles, Part 1 of Article 272 and Part 1 of Article 165 of the Criminal Code of the Russian Federation, "Causing property damage by deception or abuse of trust"; in my own justification I will say that we were simply tired of "catching" a lover of Internet at someone else's expense). Lawyers can assure you that the technical data received by the "object" while browsing (the same HTTP cookies), network device data and other service information cannot act as the object of "copying".
Digression:
I wonder how, taking all of the above into account, to characterize a situation in which the data was obtained as a result of a sniffer's work, whether ordinary packet interception on a channel or a Man-in-the-Middle attack with spoofing of devices on the provider's network, if the intercepted information is authentication data: a username and password in "plain text" in SMTP or POP, or the notorious HTTP cookies that allow the "object" to access a certain resource under the "victim's" account.
Let us model it: access is obtained, and the "object" simply visually memorizes it, or actually starts recording the screen, the "desktop". That is the interesting part: "screen recording" done programmatically, or with a FullHD digital camera set up in front of the monitor. What is it? The same identical information in semantic content, but different in the form of storage and presentation, affects the corpus delicti: letters protected by law, documents from the resource, copied to a storage medium make a completed corpus delicti. If I read it, as I indicated, with video recording, or memorized it thanks to phenomenal abilities, there is no corpus delicti. For some reason I am sure that the "victim" absolutely does not care in what form or by what method his data became someone else's property, but there is the investigator, prosecutor and judge, who will rely solely on the letter of the Law, and moreover, for them this letter must be written on paper, the paper approved, signed with pen or ink, with seals and other paraphernalia; I think my irony is clear. It is very difficult, practically unrealistic in practice, to explain to the investigator or the prosecutor's office that if the "object" "saw" the data on the screen, it means he "automatically" copied it.
A similarly controversial situation exists with "modification" and "blocking". I have encountered in practice (a long time ago, really) and read on the Web that, for example, "modification" of protected information was sometimes "pinned" on providers' billing data changing due to network access using someone else's credentials, and "blocking" on the client being unable to access the Network or reach his account (for example, when two simultaneous sessions are prohibited).
And finally, "destruction" may seem, at the everyday level, "simple here". Alas, no, there are difficulties here too, and I will try to convey some points to readers in the second part of the article.
In conclusion, I want to say that all of the above are questions and thoughts; in practice there are even more questions. It is necessary to explain each element of the article to the investigator, answer questions, and be sure to have actual evidence in the Incident for every word and letter of the article of the Criminal Code of the Russian Federation. Moreover, at the same time one must take into account and model the answers of the alleged suspect and his lawyer, and have arguments and evidence that can "break" any pseudoscientific nonsense from the "intruder" (a separate "epic" could be written on this topic).
And I hope you now understand how an ordinary, everyday Incident results in a tremendous amount of work, which, given the current state of affairs with the law and its conflicting, ambiguous interpretations, is easy to destroy, or at least to call into question.
To be continued...