Big Brother does Russia
by ALiEN Assault

Published in Phrack #64 as part of the "Know your enemy: facing the cops" article.

This file is a basic description of Russian computer-law-related
issues. Part 1 contains information gathered primarily from
open sources. As these sources are all Russian, the information may be
unknown to those who don't know the Russian language. Part 2 consists
of instructions on computer crime investigation: raid guidelines and
exploration of the suspect's system.

  1.1 - Basic Picture
  1.2 - Criminal Code
  1.3 - Federal Laws
  2.1 - Tactics of Raid
  2.2 - Examining a Working Computer
  2.3 - Expertise Assignment



--[ 1. LAW.

----[ 1.1. Basic Picture.

Computer-related laws are very rough drafts and poorly describe what
they are about. It seems that these are simply rewritten instructions
for 60's *Power Computers* that took a truck to transport.

Common subjects of lawsuits include carding, phone piracy (mass
LD service theft) and... hold your breath... virus-infected
warez trade. Russia is a real warez heaven - you can go to about
every media shop and see lots of CDs with warez, and some even have
covers (along with "ALL RIGHTS RESERVED" on the back)! To honour pirates,
they include all .nfo files (sometimes from the 4-5 BBSes the warez was
couriered through). It is illegal but not prosecuted. Only if the
warez are infected (and some VIP bought them and messed his system up)
do shop owners face legal problems.
/* Latest addition - pressure on warez became stronger. The article was written in 2002 */

Hacking is *not that common*, as cops are rather dumb and mostly bust
script kiddies for hacking their ISPs from home or sending your
everyday trojans by email.

There are three main organisations dealing with hi-tech crime:
FAPSI (Federal Government Communications and Information Agency
- a mix of FCC and secret service), UKIB FSB (hi-tech feds; stands for
department of computer and information security) and UPBSWT MVD
(hi-tech crime fightback dept.), which incorporates the R unit (R for radio -
busts ham pirates and phreaks).
/* Latest addition - FAPSI was disbanded */

FSB (secret service) also runs NIIT (IT research institute).
This organisation deals with encryption (reading your PGPed mail),
examination of malicious programs (revealing Windoze source) and
restoration of damaged data (HEXediting saved games). NIIT is believed
to possess all seized systems, so they have the tools to do the job.

UPBSWT has a set of special operations called SORM (operative
and detective measures system). The media describe this as an
Echelon/Carnivore-like thing, but it also monitors phones and
pagers. Cops claim that SORM is active only during major criminal

----[ 1.2. Criminal Code.

Computer criminals are prosecuted according to these articles of the Code:

  • 159: Felony. This is mostly what carders have to do with, accompanied by caught-in-the-act social engineers. Punishment varies from a fine (minor, no criminal record) to a 10-year prison term (organized and repeated crime).
  • 272: Unauthorized access to computer information. An easy case will end up in a fine or up to a 2-year probation term, while organized or repeated crime, or crime involving "a person with access to a computer, computer complex or network" (!#$@!), may lead to 5 years' imprisonment. Added to this are weird comments on what information, intrusion and information access are.
  • 273: Production, spreading and use of harmful computer programs. Sending trojans by mail is considered lame and punished by up to 3 years in prison. Part II says that "the same deeds *carelessly* causing hard consequences" will result in 3 to 7 years in jail.
  • 274: Breach of computer, computer complex or network usage rules. This one is tough shit. In its present, raw and somewhat confused state this looks, say, *incorrect*. It needs at least a technically literate person to provide correct and clear definitions. After those clarifications this could be a useful thing: if someone gets into a poorly protected system, the admin will have to take responsibility too. Punishment ranges from loss of the right to occupy "defined" (defined where?) job positions to a 2-year prison term (or 4 if something got fucked up too seriously).

----[ 1.3. Federal Law.

The most notable subject-related laws are:

"On Information, Informatization and Information Security" (20.02.95). The 5 chapters of this law define /* usually not correctly or even intelligently */ various aspects of information and related issues. Nothing really special or important - civil rights (nonexistent), other crap, but it still has publicity (due to the weird and easy-to-remember name, I suppose), and about every journalist covering ITsec pastes this name into his article, maybe for a serious look.

"National Information Security Doctrine" (9.9.2K) is far more interesting. It will tell you how dangerous the Information Superhighway is, and this isn't your average mass-media horror story - it's a real thing! The reader will learn how hostile foreign governments are busy implementing some k-rad mind control tekne3q to gain r00t on your consciousness; undercover groups around the globe are engaging in obscure infowarfare; unnamed but almighty worldwide forces are also about to control information... ARRGGH! PHEAR!!! {ALiEN special note: That's completely true. You suck, Terrans. We'll own your planet soon and give all of you a nice heavy industry job}. Liberal values are covered too (the message is BUY RUSSIAN). There are also some definitions (partly correct) on ITsec issues.

"On Federal Government Communications and Information" (19.2.93, patched 24.12.93 and 7.11.2K). Oh yes, this one is serious.
Everyone is serious about his own communications - what can I say? The main message is "RESPONSIBLES WILL BE FOUND. OTHERS KEEP ASIDE". An interesting entity defined here is the Cryptographic Human Resource - a special unit of highly qualified crypto professionals which must be founded by FAPSI. To be in the Cryptographic Human Resource is to serve wherever, whether you have retired or anything. Also covered are the rights of government communications personnel. They have no right to engage in or to support a strike. Basically they have no right to fight for rights. They don't have the right to publish or to tell the mass media anything about their job without prior censorship by upper-level management.

Cryptography issues are covered in "On Information Security Tools Certification" (26.6.95, patched 23.4.96 and 29.3.99) and "On Electronic Digital Signature" (10.2.02). Not much to say about them. Both mostly consist of strong definitions of certification procedures.

--[ 2. ORDER.

----[ 2.1. Tactics of Raid.

Given information is necessary for a successful raid. The tactics of a raid strongly depend on previously obtained information. It is necessary to define the time for the raid and the measures needed to conduct it suddenly and confidentially. If there is information that the suspect's computer contains criminal evidence data, it is better to begin the raid when the possibility that the suspect is working on that computer is minimal. Consult with specialists to define what information could be stored in a computer and have adequate equipment prepared to copy that information. Define all measures to prevent criminals from destroying evidence. Find raid witnesses who are familiar with computers (basic operations, program names etc.) to exclude the possibility of the raid results being presented as erroneous in court. The specificity and complexity of manipulations with computer equipment cannot be understood by the illiterate, so this may destroy the investigator's efforts on strengthening the value of evidence.
The witness' misunderstanding of what goes on may make the court discard evidence. Depending on the suspect's qualifications and professional skills, define a computer equipment professional to involve in the investigation.

On arrival at the raid point it is necessary to:
  • enter fast and suddenly, to drive the possibility of destruction of computer-stored information to the minimum. When possible and reasonable, the raid point's power supply must be turned off;
  • not allow anyone to touch a working computer or floppy disks, or to turn computers on and off; if necessary, remove raid personnel from the raid point;
  • not allow anyone to turn the power supply on and off; if the power supply was turned off at the beginning of the raid, it is necessary to unplug all computers and peripherals before turning the power supply on;
  • not manipulate computer equipment in any manner that could produce unpredictable results.

After all the above measures have been taken, it is necessary to pre-examine the computer equipment to define what programs are working at the moment. If a data destruction program is discovered active, it should be stopped immediately and the examination begins with exactly this computer. If computers are connected to a local network, it is reasonable to examine the server first, then the workstations, then other computer equipment and power sources.

----[ 2.2. Examining a Working Computer.

During the examination of a working computer it is necessary to:
  • define what program is currently executing. This must be done by examining the screen image, which must be described in detail in the raid protocol. Where necessary, it should be photographed or videotaped. Stop the running program and record the results of this action in the protocol, describing the changes that occurred on the computer screen;
  • define the presence of external storage devices: a hard drive (a winchester*), floppy and ZIP-type drives, the presence of a virtual drive (a temporary disk which is created on computer startup to increase performance) and describe this data in the raid protocol;
  • define the presence of remote system access devices and their current state (local network connection, modem presence), after which disconnect the computer and modem, describing the results in the protocol;
  • copy programs and files from the virtual drive (if present) to a floppy disk or to a separate directory of a hard disk;
  • turn the computer off and continue examining it. During this it is necessary to describe in the raid protocol and an appended scheme the location of the computer and peripheral devices (printer, modem, keyboard, monitor etc.), the purpose of every device, name, serial number, configuration (presence and type of disk drives, network cards, slots etc.), the presence of connections to a local computing network and (or) telecommunication networks, and the state of the devices (are there traces of opening);
  • accurately describe the order of the mentioned devices' interconnection, marking (if necessary) connector cables and plug ports, and disconnect the computer devices;
  • define, with help from a specialist, the presence of nonstandard apparatus inside the computer, the absence of microchips, and the disabling of the inner power source (an accumulator);
  • pack (describing in the protocol the location where they were found) storage disks and tapes. The packaging may be a special diskette tray or common paper and plastic bags, excluding those that do not prevent dust (pollution etc.) from contacting the disk or tape surface;
  • pack every computer device and connector cable. To prevent unwanted individuals' access, it is necessary to place seals on the system block - stick the power button and power plug socket with adhesive tape and stick the front and side panel mounting details (screws etc.) too. If it is necessary to turn the computer back on during the examination, startup is performed with a prepared boot diskette, preventing user programs from starting.

* winchester - obsolete mainstream tech speak for a hard drive. Seems to be of western origin, but I never met this term in western sources. The common shortening is "wint".

----[ 2.3. Expertise Assignment.

Expertise assignment is an important investigation measure for such cases. The general and most important part of such expertise is technical program (computer equipment) expertise. MVD (*) divisions have no experts conducting such expertise at the current time, so it is possible to conduct this type of expertise at FAPSI divisions or to involve adequately qualified specialists from other organisations. Technical program expertise is to find answers to the following:
  • What information do the floppy disks and system blocks presented for expertise contain?
  • What is its purpose and possible use?
  • What programs do the floppy disks and system blocks presented for expertise contain?
  • What is their purpose and possible use?
  • Are there any text files on the floppy disks and system blocks presented for expertise?
  • If so, what is their content and possible use?
  • Is there destroyed information on the floppy disks presented for expertise?
  • If so, is it possible to recover that information?
  • What is that information and what is its possible use?
  • What program products do the floppy disks presented for expertise contain?
  • What are their content, purpose and possible use?
  • Are there among those programs ones customized for password guessing or otherwise gaining unauthorized access to computer networks?
  • If so, what are their names, work specifications and possibilities of usage to penetrate the defined computer network?
  • Is there evidence of the defined program's usage to penetrate the abovementioned network?
  • If so, what is that evidence?
  • What is the chronological sequence of actions necessary to start the defined program or to conduct the defined operation?
  • Is it possible to modify program files while working in a given computer network?
  • If so, what modifications can be done, how can they be done and from what computer?
  • Is it possible to gain access to confidential information through the mentioned network?
  • How is such access gained?
  • How was the criminal penetration of the defined local computer network committed?
  • What is the evidence of such penetration?
  • If this penetration involved remote access, what are the possibilities of identifying the originating computer?
  • If evidence of a remote user intrusion is absent, is it possible to point out computers from which such operations could be done?

Questions may be asked about the compatibility of this or that program, the possibility of running a program on a defined computer etc. Along with these, experts can be asked about the purpose of this or that device related to computer equipment:
  • What is the purpose of a given device, and its possible use?
  • What is special about its construction?
  • What parts does it consist of?
  • Is it an industrial or a homemade product?
  • If it is a homemade device, what kind of knowledge and in what fields of science and technology does its maker possess, and what is his professional skill level?
  • With what other devices could this device be used together?
  • What are the technical specifications of a given device?

The given methodical recommendations are far from a complete list of questions that could be asked in such investigations, but they still reflect the important aspects of this type of criminal investigation.

* MVD (Ministry of Inner Affairs) - Russian police force.

CREDITS

I would like to mention stiss and the BhS group for contributions to this file.