Hackers in the framework of the laws of the Russian Federation
After the publication of an article about my research as a Gray hat , in the comments to the article and in the Telegram chat (@router_os), people began to write that I had violated all the laws and they would plant me.
And as promised , after a few months I am writing this article and not even from the detention center cell :-) Moreover, yesterday I received another MTCRE certificate .
There are many articles on the Internet about hackers and attitudes towards them in various countries. But I did not find a single intelligible article about how they relate to hackers in the Russian Federation within the framework of existing laws. Perhaps not looking there, but still.
I propose to understand the types of hackers in more detail, including from the point of view of judicial practice in the Russian Federation.
Next will be purely my opinion, based on my experience and information obtained from open sources.
Therefore, I would like to see your opinion and comments in the comments.
To date, there are three types of hackers:
Most often, these are hired security specialists whose tasks include finding vulnerabilities in computer systems on the order or technical task of the system owner.
They are also called pentesters.
In most cases, they have specialized education. There are not many fans of their work among them. They do what they have been taught and asked to do. Above the head do not try to jump.
Also to the White hat can be attributed to participants of contests and programs like “Bug Bounty”.
Main motivation: guaranteed remuneration for their work.
These are the super villains who are accustomed to see in various films and which are told on TV.
As a rule, these are the same highly qualified specialists, like ethical hackers, but they can be without higher education and having mercenary personal motivation. For example, steal another base and sell it on Darknet.
The actions of the Black Hats are outlawed in almost all the world. The chance to get rich is much higher than that of the “White Hat”, but the risk to go to places not so remote is also high.
They always have criminal intent.
Although the color of these hats in between, but they are fundamentally different from cybercriminals and ethical hackers.
Usually these are young people who still believe in justice in this world and are willing to help others for free. With genuine curiosity, study the IT system under study.
If any vulnerabilities are discovered that can be exploited by attackers, they try to influence its further development:
Their activities are not aimed at making a profit.
Human nature is such that everyone wants recognition in society.
But, "Who helps people - he spends time in vain." (Shapoklyak). Therefore, not having received the desired recognition, students take off the "Gray Hat".
Then there are several ways for former altruists:
They, in fact, belong to cybercriminals. And the vast majority are far from IT, but I have to mention them in this article.
Yet their goal is to steal content, deactivate protection and resell, without deducting rewards to the content owner. Moreover, they are judged by "hacker" articles.
In our country, allowed everything that is clearly not prohibited.
What is forbidden for hackers is spelled out in four articles of chapter 28 of the Criminal Code. Let's look at them in order.
PS: In this article I do not consider crimes that do not fall under chapter 28. For example, here the owner of a proxy for Kate Mobile is trying to attract under Article 132 of the Criminal Code of the Russian Federation (sexual assault against an unidentified person), since the pedophile used this application.
Not all information is protected by law. That is, in order for information to become protected, then it must be mentioned in a legislative act.
If someone got on your computer and steal your term paper, they cannot be attracted by this article.
What kind of information is protected by law:
Any information can also become “protected by law” if the information owner has taken all necessary measures to protect it. ( Article 6 of Law N 149-ФЗ dated July 27, 2006 N 149-ФЗ “On Information ...” ).
If the attacker hacked your site with the login “admin” and the password “123” and placed an indecent picture on the main page, then according to Art. 272 of the Criminal Code of the Russian Federation cannot be attracted, even considering that he had a criminal intent.
The requirement to update the software on the router is a prerequisite for the protection of information.
Of course, all viruses and cracks for programs that neutralize software protection fall under this article.
But the program for pentest - a very controversial point. An annotation is written to such programs without fail, that it can be used only with the consent of the owner of the information system. But if the judiciary is needed, it will not be difficult to call this program malicious.
In any case, this article should be caught red-handed when creating, using or consciously distributing these programs. Or confession.
And since our investigators in the overwhelming majority are not strong in IT, the following article often appears in the sentence on this article:
It is possible to attract under this article only if the act entailed the destruction, blocking, modification or copying of computer information that caused major damage.
Honestly, I did not find a court practice on it ... Either I search badly, or in the Russian Federation I have not learned how to use it.
The same situation. The theory on this article can be found here habr.com/ru/post/346372
After the next release of the “personal account of the bank client”, a bug was developed that, when transferring money from the card to the account, did not check the availability of the money on the card. An ordinary clerk who knows how to click with a mouse spotted this bug. Pick myself some amount. And he did it both at work and at home without any VPN.
He personally shot the money at an ATM. Since the daily limit on the card was set at 25,000 rubles, he did this for several days in a row, until this bug was found in the bank.
When they found him and offered to voluntarily return the loot without going to the police (after all, the jamb of the bank and SB Bank understood this), then he went into denial, saying not my problems that your system distributed the loot.
The dude was convicted just by part 1 of art. 272 of the Criminal Code of the Russian Federation, since it was deliberately wrongfully modified the banking information protected by law.
Even if the acts of a hacker do not establish a corpus delicti, the damage can be obtained in civil procedure (Civil Code of the Russian Federation Article 1064).
For example, if I updated the firmware on a leaky Mikrotik and it was “worn out”, then the owner of this router (after refusing to initiate the UD) can sue me in a civil procedure and ask the court to recover this damage from me.
In fact, a hacker in the Russian Federation can be held criminally liable only under two articles and only under the following circumstances:
Well, or he himself confesses everything, even if he hasn’t done anything :-)
According to the laws of the Russian Federation, “Gray Hats” cannot accidentally become felons. To do this, they must have criminal intent and be quite stupid in IT and legal terms. After all, there are practically no convicted real hackers in the Russian Federation.
And within the framework of the laws of the Russian Federation, I cannot be held criminally responsible for the fact that I made changes to the router's firewall, even if someone suffered damage from this action ...
But do not forget that investigators and courts in the Russian Federation can make any decisions that may don't be friends with healthy meaning and often remind
Hope this article will give you more confidence in IT research!
And as promised , after a few months I am writing this article and not even from the detention center cell :-) Moreover, yesterday I received another MTCRE certificate .
There are many articles on the Internet about hackers and attitudes towards them in various countries. But I did not find a single intelligible article about how they relate to hackers in the Russian Federation within the framework of existing laws. Perhaps not looking there, but still.
I propose to understand the types of hackers in more detail, including from the point of view of judicial practice in the Russian Federation.
Next will be purely my opinion, based on my experience and information obtained from open sources.
Therefore, I would like to see your opinion and comments in the comments.
To date, there are three types of hackers:
White hat or Ethical hacker
Most often, these are hired security specialists whose tasks include finding vulnerabilities in computer systems on the order or technical task of the system owner.
They are also called pentesters.
In most cases, they have specialized education. There are not many fans of their work among them. They do what they have been taught and asked to do. Above the head do not try to jump.
Also to the White hat can be attributed to participants of contests and programs like “Bug Bounty”.
Main motivation: guaranteed remuneration for their work.
Black Hat or Cybercriminal
These are the super villains who are accustomed to see in various films and which are told on TV.
As a rule, these are the same highly qualified specialists, like ethical hackers, but they can be without higher education and having mercenary personal motivation. For example, steal another base and sell it on Darknet.
The actions of the Black Hats are outlawed in almost all the world. The chance to get rich is much higher than that of the “White Hat”, but the risk to go to places not so remote is also high.
They always have criminal intent.
Gray hat
Although the color of these hats in between, but they are fundamentally different from cybercriminals and ethical hackers.
Usually these are young people who still believe in justice in this world and are willing to help others for free. With genuine curiosity, study the IT system under study.
If any vulnerabilities are discovered that can be exploited by attackers, they try to influence its further development:
- Someone reports this bug to the owner of the IT system.
- Someone is trying to fix it yourself
- Someone on a public resource publishes a description of this bug.
Their activities are not aimed at making a profit.
Human nature is such that everyone wants recognition in society.
But, "Who helps people - he spends time in vain." (Shapoklyak). Therefore, not having received the desired recognition, students take off the "Gray Hat".
Then there are several ways for former altruists:
- Search for legal work related to the topic under study.
- To score and forget.
- Get on the slippery slope of a cybercriminal.
And I am not an exception.
Я познакомился с оборудованием Микротик ещё в 2015 году, когда устроился на работу в организацию, в которой применялось это оборудование. Но сеть была построена крайне отвратительна (например, каждый сегмент сети NATился имея прямые линки) и я стал изучать микротик с цель правильного строительства сети.
Через год я сменил работу и Микротик ко мне стал попадать на много реже. Но я продолжил в вялом режиме ковырять эту систему.
Не имея материальной выгоды от знаний RouterOS я в 2018 сдал экзамен MTCNA и вчера получил MTCRE
Рано или поздно любопытство к Mikrotik у меня угаснет, если не появится профессиональный интерес.
Через год я сменил работу и Микротик ко мне стал попадать на много реже. Но я продолжил в вялом режиме ковырять эту систему.
Не имея материальной выгоды от знаний RouterOS я в 2018 сдал экзамен MTCNA и вчера получил MTCRE
Рано или поздно любопытство к Mikrotik у меня угаснет, если не появится профессиональный интерес.
Pirates
They, in fact, belong to cybercriminals. And the vast majority are far from IT, but I have to mention them in this article.
Yet their goal is to steal content, deactivate protection and resell, without deducting rewards to the content owner. Moreover, they are judged by "hacker" articles.
RF law on hackers
In our country, allowed everything that is clearly not prohibited.
What is forbidden for hackers is spelled out in four articles of chapter 28 of the Criminal Code. Let's look at them in order.
PS: In this article I do not consider crimes that do not fall under chapter 28. For example, here the owner of a proxy for Kate Mobile is trying to attract under Article 132 of the Criminal Code of the Russian Federation (sexual assault against an unidentified person), since the pedophile used this application.
272 of the Criminal Code "Wrongful access to legally protected computer information"
Not all information is protected by law. That is, in order for information to become protected, then it must be mentioned in a legislative act.
If someone got on your computer and steal your term paper, they cannot be attracted by this article.
What kind of information is protected by law:
- The secret of telephone conversations and any kind of text messages. (Article 29 of the Constitution of the Russian Federation). Fraudsters who stole sms from number 900 and withdraw money from the victim’s card were drawn precisely for this article. ( Hi SS7 protocol ).
- Commercial (№ 98-ФЗ) and state secret (№ 5482-1). For this information, the circle of persons who have access to it and the rules for its use must be strictly defined. That is, the information that an ordinary citizen cannot receive without special permission.
- Medical secret (Article 13 of Law No. 323-ФЗ). Illegal access to the documentation of the Ministry of Health can be brought under this article.
- Banking secrecy (Article 26 of Law No. 395-1).
- Etc.
Any information can also become “protected by law” if the information owner has taken all necessary measures to protect it. ( Article 6 of Law N 149-ФЗ dated July 27, 2006 N 149-ФЗ “On Information ...” ).
If the attacker hacked your site with the login “admin” and the password “123” and placed an indecent picture on the main page, then according to Art. 272 of the Criminal Code of the Russian Federation cannot be attracted, even considering that he had a criminal intent.
The requirement to update the software on the router is a prerequisite for the protection of information.
273 of the Criminal Code of the Russian Federation The creation, use and distribution of malicious computer programs
Of course, all viruses and cracks for programs that neutralize software protection fall under this article.
But the program for pentest - a very controversial point. An annotation is written to such programs without fail, that it can be used only with the consent of the owner of the information system. But if the judiciary is needed, it will not be difficult to call this program malicious.
In any case, this article should be caught red-handed when creating, using or consciously distributing these programs. Or confession.
And since our investigators in the overwhelming majority are not strong in IT, the following article often appears in the sentence on this article:
“At the hearing, the defendant pleaded guilty to the charges against him under Art. 273 h. 1 of the Criminal Code of the Russian Federation fully and petitioned for the sentencing in a special order, without a trial. ”Therefore, if the collection of cracks is stored on your disk, then this is not the basis of attraction for this article.
274 of the Criminal Code Violating the rules for the use of the storage, processing or transmission of computer information and information and telecommunication networks
It is possible to attract under this article only if the act entailed the destruction, blocking, modification or copying of computer information that caused major damage.
Honestly, I did not find a court practice on it ... Either I search badly, or in the Russian Federation I have not learned how to use it.
274.1 of the Criminal Code of the Russian Federation. Incorrect influence on the critical information infrastructure of the Russian Federation
The same situation. The theory on this article can be found here habr.com/ru/post/346372
An example from my practice
After the next release of the “personal account of the bank client”, a bug was developed that, when transferring money from the card to the account, did not check the availability of the money on the card. An ordinary clerk who knows how to click with a mouse spotted this bug. Pick myself some amount. And he did it both at work and at home without any VPN.
He personally shot the money at an ATM. Since the daily limit on the card was set at 25,000 rubles, he did this for several days in a row, until this bug was found in the bank.
When they found him and offered to voluntarily return the loot without going to the police (after all, the jamb of the bank and SB Bank understood this), then he went into denial, saying not my problems that your system distributed the loot.
The dude was convicted just by part 1 of art. 272 of the Criminal Code of the Russian Federation, since it was deliberately wrongfully modified the banking information protected by law.
Damage
Even if the acts of a hacker do not establish a corpus delicti, the damage can be obtained in civil procedure (Civil Code of the Russian Federation Article 1064).
For example, if I updated the firmware on a leaky Mikrotik and it was “worn out”, then the owner of this router (after refusing to initiate the UD) can sue me in a civil procedure and ask the court to recover this damage from me.
Conclusion
In fact, a hacker in the Russian Federation can be held criminally liable only under two articles and only under the following circumstances:
- Hacker gained access to legally protected information or used malware
- At the same time he was caught red-handed and / or there is evidence that it is he (which happens very rarely).
- Proved criminal intent or negligence.
Well, or he himself confesses everything, even if he hasn’t done anything :-)
According to the laws of the Russian Federation, “Gray Hats” cannot accidentally become felons. To do this, they must have criminal intent and be quite stupid in IT and legal terms. After all, there are practically no convicted real hackers in the Russian Federation.
And within the framework of the laws of the Russian Federation, I cannot be held criminally responsible for the fact that I made changes to the router's firewall, even if someone suffered damage from this action ...
But do not forget that investigators and courts in the Russian Federation can make any decisions that may don't be friends with healthy meaning and often remind
joke:
Украли у мужика корову. Приходит он домой и говорит сыновьям:
— У нас корову украл какой-то пидар.
Старший брат: — Если пидар — значит маленький.
Средний брат: — Если маленький — значит из Малиновки.
Младший Брат: — Если из Малиновки — значит Васька Косой.
Все выдвигаются в Малиновку и там прессуют Ваську Косого.
Однако Васька корову не отдает. Его ведут к мировому судье.
Мировой судья:
— Ну… Логика мне ваша непонятна. Вот у меня коробка, что в ней лежит?
Старший брат: — Коробка квадратная, значит внутри что-то круглое.
Средний: — Если круглое, то оранжевое.
Младший: — Если круглое и оранжевое, то апельсин.
Судья открывает коробку, а там и правда апельсин.
Судья — Ваське Косому:
— Косой, отдай корову.
— У нас корову украл какой-то пидар.
Старший брат: — Если пидар — значит маленький.
Средний брат: — Если маленький — значит из Малиновки.
Младший Брат: — Если из Малиновки — значит Васька Косой.
Все выдвигаются в Малиновку и там прессуют Ваську Косого.
Однако Васька корову не отдает. Его ведут к мировому судье.
Мировой судья:
— Ну… Логика мне ваша непонятна. Вот у меня коробка, что в ней лежит?
Старший брат: — Коробка квадратная, значит внутри что-то круглое.
Средний: — Если круглое, то оранжевое.
Младший: — Если круглое и оранжевое, то апельсин.
Судья открывает коробку, а там и правда апельсин.
Судья — Ваське Косому:
— Косой, отдай корову.
Hope this article will give you more confidence in IT research!