back to article Moscow says writing infrastructure attack code is a thought crime

Malware writers whose wares are used by separate attackers to pop Russian national infrastructure could end up fined and in jail, if a new Russian bill become law. The bill (Number 47571-7, Russian) reported by local media threatens those involved in the manufacture of malware subsequently used in damaging attacks against …

  1. Voland's right hand Silver badge

    Some royalties due here

    An electronic version of "creating and possessing material usable for terrorist purposes". Copying from the UK I see. That, my dear friends is Crown Copyright. You should pay to the inventors. Royalties are due.

    We take royalties in gas and oil nowdays so should not be an issue.

    1. Anonymous Coward
      Terminator

      Re: Some royalties due here

      Quite.

      Poor old "communist" Russia... still lagging decades behind "the west."

      Still, at least the Russians have the decency to punish their thought criminals with a nice rehabilitating trip to a Gulag, rather than forcibly expatriating them to the NSA.

      1. Anonymous Coward
        Anonymous Coward

        Re: Some royalties due here

        Gulag? Just those who are not "dual use" themselves. And just to remember them they should not sell the tech outside Russia...

  2. PassiveSmoking

    The problem is how do you prove intent? In some cases it's fairly obvious that it's malware, but there are plenty of tools that were designed for security testing or stress testing that could easily be adapted to attacking systems.

  3. Anonymous South African Coward Bronze badge

    Good luck with that.

    On the other hand, here's hoping the creator of Locky get caught out and sent to the Gulag for a stretch...

    1. Sleep deprived

      Just Locky?

      The Gulag could also offer paid holidays to spammers, scammers, phishers and virus writers.

    2. Mark 85

      As long as Locky isn't used against Russian users, companies, etc. there's no problem apparently. It seems to me that the government is saying: "Do what you will to the rest of the world, just leave Mother Russia out of it.". <nudge><nudge><wink><wink>

  4. Jess

    Title misrepresents the article.

    The title implies creating it is a crime.

    The article states if it is used, it will be a crime.

    Somewhat different.

    1. Anonymous Coward
      Anonymous Coward

      Re: Title misrepresents the article.

      The problem is "used by someone else", not the one who created it - especially when it was never intended as a crime tool.

    2. Voland's right hand Silver badge

      Re: Title misrepresents the article.

      Both misrepresent the law proposed. I did a quick skim through it. It is a part of ongoing work in Russia in making Internet and IP based networks part of critical infrastructure.

      It has WAY more interesting bits than the reported small tidbit.

      1. It establishes a clear order of who, how and what is declared critical internet infra in addition to stuff which is declared in law (f.e. based on some other stuff which was floated on the register, .ru zone name servers and any peering point infra is declared critical unconditionally).

      2. It makes the operator of a piece of internet infrastructure declared critical (regardless of is it private or state owned) criminally liable for not protecting it sufficiently.

      If we had this law at least two UK broadband CEO would be doing time for not taking measures against building botnets out of their CPE routers.

      You know what, I do not know who does the engineering preparation of their legal stuff, but compared to the drivel produced by May and Co it is like ... light years ahead. It is written in a literate well define and technically correct manner. I approve.

      P.S. They should still pay royalties for the "thoughtcrime portion" though. That is UK invention.

  5. Olius

    "pull off the hacks"

    I like that. I hope the hacks do too.

    But more seriously, it's all well and good until someone gets prosecuted for writing something like Snort or Nmap.

  6. Destroy All Monsters Silver badge
    Windows

    Isn't that what Germany has done?

    Last I heard, nmap is illegal in the Deutschland.

    Or is it?

    With Mamma Merkel, one never knows what kind of stuff hits the fan.

  7. Simon Harris

    By analogy...

    Kalashnikov Concern is 51% state owned.

    Should a terrorist attack in Russia occur using their assault rifles, will the Russian government have to arrest itself for creating material used for terrorist purposes?

  8. Your alien overlord - fear me

    So if caught your punishment is to work for the state? Presumably writing code that won't get you caught?

    1. Sir Runcible Spoon
      Joke

      code that won't get you caught

      code that won't get you caught

      code that won't get you caught

      code that won't get you caught

      code that won't get you caught

      code that won't ge...oh, you probably didn't mean that did you?

  9. lukewarmdog

    Proving Intent

    As long as you put "not to be used to hack Russian Infrastructure" in the read_me / EULA, you'll be fine.

  10. This post has been deleted by its author

  11. Anonymous Coward
    Anonymous Coward

    Authors of netcat looking nervous now....

    Hey - just because an app could be used for something malicious, like opening a remote shell on a server, shouldn't mean embedding it in malware is a crime.

    I hear 'ping' is used by malware to seek out possible hosts - should Russia be arresting every o/s vendor on the planet?

    Fucking insanity.

  12. Terry Cloth
    Trollface

    Look on the bright side...

    It is unknown how such laws could impact authors of legitimate hacking tools, although the bill states wares must be deliberately built for offensive hacking.
    At least the Russkis admit a distinction between ``legitimate'' testing tools and ``offensive'' warez. They're ahead of the U.S. there.

  13. Anonymous Coward
    Anonymous Coward

    That's going to be a blow to the Russian economy

    Trolls and hackers are pretty the entirety of Russia's high-tech sector.

    1. Anonymous Coward
      Anonymous Coward

      Re: That's going to be a blow to the Russian economy

      Crime IS Russia's economy. The poorest Russians are the most trustworthy of the lot. Everybody else there, with money, is a criminal. Except for Kaputski Labs, those guys look legit! :P

      If you can't beat 'em, hack 'em. If you can't hack 'em, do some other crimes. Nothing is as it was. Truth is false with the new world order.

      Join me. Not actually me, but take off the White Hat, dye it grey, and live a little. Some crime is super fun. Watching people freak out because they can't get to Farcebark, or Twatter, or whatever waste of time app/site they desire is the bee's fucking knees, good sers.

      Hack the USA. No need to wait. Do it TODAY!

      1. Crazy Operations Guy

        Re: That's going to be a blow to the Russian economy

        "Crime IS Russia's economy."

        The same claim can be made about any other country out there. It really just depends on what side of the double-standard you are on. One man's "civilizing the savages" is another man's "Oppressing the hell out of defenseless people and taking their natural resources"

  14. Someone Else Silver badge
    Big Brother

    Do as I say, not as I do...

    Never did like that pap when my Mom said that; I really don't like it when Mother Russia says it.

  15. JLV
    Trollface

    Excellent, excellent, comrades

    Now, perhaps, the .ru domain will be less 419-y? Or maybe it doesn't count if your code is used to steal $ from elsewhere?

    Inquiring minds want to know.

  16. MNGrrrl
    Pirate

    Typical

    Russia is once again re-arranging deck chairs on the Titanic. Who decides what is sufficient protection? By what process? And if there is a flaw in said process, how is it addressed? What counts as an attack? Most security problems, and indeed most infrastructure problems, are not caused by deliberate, malicious acts. Servers don't crash to the scream of "Jihad!" ... They most always die to the quieter utterance of "Oops." So what, Russia plans on imprisoning anyone in IT who makes a typo and craps out a router? I mean, how do you prove it wasn't malicious (other than, you know, common sense)? And round and round we go.

    Here's the big problem: We're not *allowed* to engineer secure systems. Everything is a black box due to "trade secrets" or "copyright" or "patents", and so nobody has a damn clue how anything works, and when it breaks, we can't even open it up and try to suss out the problem. The code that runs the overwhelming majority of our infrastructure is under lock and key, in a disused lavatory, in the basement, with a sign outside that says "Beware of the Leopard." And we did it all because businesses asked our idiot lawmakers to do it, and not being engineers, they were only too happy to eviscerate any hope we might have had at using the hard-won lessons of every other branch of engineering.

    And now that everything is on fire, their solution is to yell at the fire fighters who are hopelessly ham strung by the idiotic machinations of the government (generically: As in, every government has contributed to this)? Sure. Yeah, okay. You know what, Russia? Here's my bucket. You deal with it. I'm going home.

    1. Voland's right hand Silver badge

      Re: Typical

      I suggest you read the whole proposed law.

      I can only wish we had lawmakers and their technical aides which are as literate as whoever wrote it. By the way - el reg quoted someone who quoted a single paragraph out of context. The doc deals with a completely different set of problems and deserves copying ~ 90%+ verbatim.

  17. Sloppy Crapmonster

    "modificating"

  18. Crazy Operations Guy

    Will they arrest themselves?

    Pretty much every advanced government out there, especially one stuck in a cold-war mindset like Russia has several divisions of folk producing anti-infrastructure malware all the time. The people creating it aren't using it themselves, but rather passing it onto the military or third parties to wreak havoc on their enemies. Russia proved this during the Liberation/invasion of the Ukraine as well as their action with Georgia.

    Pretty much everyone has that capability. The US has proved that they do possess such capability and willingness to use such technologies as well with Stuxnet.

  19. Anonymous Coward
    Anonymous Coward

    A great government plan...

    By which they get all those clever code writers (or should that be breakers?) in once place; at which point they can write nice malware for the state. Fancy (Bears) that!

  20. Dinsdale247

    hmmm...

    In a country known for judicial graft, those in IT should be weary of promotions lest they find themselves in jail on charges of corrupting infrastructure. "Oh, Sasha got the promotion? We'll see about that..."

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like