Presumably Hameron, Theresa May & Hillary Clinton will be banning everything but Red Star OS in the near future.
North Korean operating system is a surveillance state's tour de force
Fresh light has been shed on North Korea's Red Star OS, which – we're told – silently tracks the exchange of files between computers. It was discovered in July that the software appends a fingerprint derived from the computer's hardware to files when they are opened. Further analysis of the Nork government's operating system …
COMMENTS
Tuesday 29th December 2015 17:32 GMT Anonymous Coward
Re: Source code?
"If not even root is allowed to get at the antivirus pattern matcher, that indicates kernel changes."
Right, I understand that, but what owns the processes? Just running in the kernel ring? Something must control them, and if you can get root (maybe they shut that off?), and then still can't control the system, maybe you ain't root.
I guess (never, ever guess) ID 0 is turned off to userland, which would support a kernel hack.
Tuesday 29th December 2015 21:21 GMT Anonymous Coward
Re: Source code?
"and if you can get root (maybe they shut that off?), and then still can't control the system, maybe you ain't root."
Why? The kernel can do what it likes. The root user isn't magic, it's just user id zero. The kernel can simply refuse to do anything to the state of a file or process once it's created/started regardless of the user id trying to modify it.
Tuesday 29th December 2015 17:36 GMT Anonymous Coward
"Perhaps a cyber warfare opportunity to introduce malware which randomly inserts such strings into random critical files?"
Welcome to 1998:
Tuesday 29th December 2015 15:13 GMT Mephistro
I'm gonna download this shit...
... and try it in a VM. I may even allow it to access the Internet. I'm curious about how well these embedded snooping tools will cope with Tor links, compressors+encryption, misnaming, ... .
Hmmm... does this RedStar include hard-coded credentials and passwords?
Luckily for the North Koreans, nobody is interested in stealing their IP or their wealth! ;-)
Tuesday 29th December 2015 19:23 GMT Crazy Operations Guy
Re: I'm gonna download this shit...
If I were you, I'd destroy the machine the VM was hosted on afterwards. An obviously malicious piece of software like this would be able to detect that it's running in a VM and would be able to attack the hypervisor and the underlying hardware. Given the strong cooperation between North Korea's and China's cyber-warfare organizations, I would be surprised if Red Star didn't contain any currently unknown exploits. Hell, I wouldn't be surprised if it attempted to install malicious firmware on your network equipment and every other machine on your network. It's a full OS that doesn't need to hide its malicious intentions and given that it weighs in at 2.5 GB for the install media, it can hide masses of exploit code.
So I would purchase an old machine from a repair shop to test that OS on, then turn everything that ever touched the machine into scrap as the firmwares would be riddled with malware the second the OS started. A cheap machine would probably work better anyway as older hardware rules in the area and the OS would be optimized for it.
As far as connecting to the internet, please don't. Unless you have a fully equipped lab set up to study botnets and the like, you shouldn't subject innocent internet users to the potential danger of your machine becoming a botnet slave. Much like how studying deadly diseases must be done in a highly secured lab and not done by getting yourself infected and continuing to walk among the public.
Wednesday 30th December 2015 02:22 GMT Charles 9
Re: I'm gonna download this shit...
You're talking a Red Pill exploit aka a hypervisor attack. Something like that would make the technology news since AFAIK no malware has actually been able to break out of the VM and into the hypervisor. There's been a lot of conjecture about it, but nothing in the wild as of yet.
Thursday 31st December 2015 17:03 GMT Michael Wojcik
Re: I'm gonna download this shit...
AFAIK no malware has actually been able to break out of the VM and into the hypervisor
I'm afraid you don't know far enough. See for example:
https://www.insinuator.net/2013/05/analysis-of-hypervisor-breakouts/
Admittedly, terminology in this area is sloppy, with various types of hypervisors and various degrees of "breaking out" or "escaping" conflated. But there is a pretty long list of exploits that let a process running in a VM execute code in another VM or a host OS, such as this year's VENOM attack. There may well be some which also successfully target bare-metal (type-1) hypervisors, though I don't offhand know of any.
Tuesday 29th December 2015 16:35 GMT phil dude
calm down...
if you are using Windoze or $Mac, you already know you are being spied on, so this is propaganda.
I'm using Linux built from scratch, so maybe only spied on by the bits that are not FOSS (looking at YOU Nvidia and the somewhat crufty bios).
The irony here (for those that want to see it), is that NK used a FOSS product to make a Govt Malware product. By logical extension, if you are using non-FOSS, it must already be Govt Malware....
This is a wink ---> ;-)
P.
Tuesday 29th December 2015 22:54 GMT Anonymous Coward
Re: North Korean operating system is a surveillance state's tour de force ...
... So it's a rebadged version of Windows 10 then?
No, this is actually stable - you know, the elusive property which never made it into Windows (because you'd never buy the upgrade) but easily established by a 3rd world country..
Tuesday 29th December 2015 18:50 GMT Danny 2
I realise The Intercept is playing catch-up, but it is timely:
Recently Bought a Windows Computer? Microsoft Probably Has Your Encryption Key
Tuesday 29th December 2015 20:24 GMT Crazy Operations Guy
The article is correct in spirit, but not in actual practice. Microsoft doesn't actually have your encryption key, just a passkey to access the encryption key that is stored on the encrypted device. It's stored on a system-reserved area of the disk. If those sectors where the key actually is were inaccessible for one reason or another, the files on the disk would be unreadable. It also fails to point out that that key only controls access to decrypt the boot volume of the machine. The keys used for NTFS file-encryption are left on the local system, as well as the keys used for any other purpose.
Of course "Microsoft might have the key to recover the encryption key to your boot volume" isn't quite as alarmist, so I understand why they went with that particular headline.
The point of the device encryption is to protect the information on the system from being accessed after it was lost or stolen, not to protect the user from elaborate state-sponsored attacks or corrupt governments. And for that purpose it works quite well for the average consumer. Anyone that has a need to protect the data even further would already have another, specialized piece of software for that purpose, or really should.
Tuesday 29th December 2015 20:53 GMT Anonymous Coward
"The point of the device encryption is to protect the information on the system from being accessed after it was lost or stolen, not to protect the user from elaborate state-sponsored attacks or corrupt governments. And for that purpose it works quite well for the average consumer. Anyone that has a need to protect the data even further would already have another, specialized piece of software for that purpose, or really should."
Biggest load of bollocks and tripe I have ever read.
1. How do you "lose" a laptop or whatever? If you do, you are an idiot.
2. If the above are stolen with serious, and I mean serious data on it, then you are an idiot for having serious data on it.
People are sheeple. Do I carry my passport around waiting to be mugged? Do I have all my details of bank accounts and what-not in my wallet that I will accidentally "lose" or be stolen?
No, of course not. So why should anything change from that because it's electronic?
Tuesday 29th December 2015 21:41 GMT Danny 2
Lots of people carry their passports around, for example when leaving the country or trying to cash their dole giro.
Lots of people lose their laptops, to theft, fire or just misplacing them.
A wee tip. Trying to convey any idea on a public forum by labelling every normal person as 'sheeple' is hardly endearing and doesn't make you look big or clever, quite the reverse. Trust me, I have malt whisky.
Wednesday 30th December 2015 09:15 GMT Anonymous Coward
"Lots of people lose their laptops, to theft fire or just misplacing them."
OK, fire isn't a problem - no one will get it. But how the hell do you 'misplace' an item that cost a few hundred quid or more? Maybe I am too old and look after my stuff that I worked hard for, rather than the throw away/get a new one on insurance/get a new one on credit attitudes of people today.
Wednesday 30th December 2015 11:28 GMT 9Rune5
"But how the hell do you 'misplace' an item"
How are you able to watch over your stuff 24x7?
Look, when travelling you either leave your laptop in your hotel room (my 15" usually won't fit in the room safe) where the cleaning staff (and just about anybody who pretends to live in your room) can get at it, or you bring it along while exploring the new city you're visiting so it can be mugged.
Or how about those times when they did not let you bring your laptop as carry-on and you had to chuck it with your checked luggage? I have almost lost some luggage a few times (had to wait three weeks for two bags once), so I know it is possible to have things 'disappear'.
I've never lost a laptop though, but that is more down to dumb luck than anything else. Plus I probably spend way too much time in my hotel rooms to begin with. Normal people are probably out and about more than me. OTOH, there was that time when I had to fight off a monkey using a tripod... I could have lost some valuable stuff that day, but thankfully I realized a metal tripod is a great weapon. Or those two times I had to run from an elephant (not the same elephant), but then again: The elephants did not care about my possessions (unlike the monkey), so there was that. A baboon once made off with my lunchbox though, with me standing right in the middle. I could have smacked the car door on its head, but I felt my lunch wasn't worth killing for. Plus, he had sharp teeth and was surprisingly brazen. I was used to baboons being rather shy, so he took me completely by surprise.
But hey, please share your tips on protecting your gear.
Wednesday 30th December 2015 15:08 GMT toughluck
Airlines won't allow the laptop to be checked because of lithium batteries. Same goes for any other reasonably recent/modern gadget.
To be honest, your anecdotes concerning the African bush don't really translate to any 'normal' situation. And if you lost a laptop to an elephant, I don't think anyone would get any use out of it. Same goes for monkeys monkeying around with your stuff.
Seriously, if you have some seriously important stuff on your laptop or whatever and you wouldn't kill an animal over it, I honestly don't think it qualifies as important enough (although I do realize some would kill another person over their gadget sooner than an animal).
Wednesday 30th December 2015 22:55 GMT Charles 9
"Airlines won't allow the laptop to be checked because of lithium batteries. Same goes for any other reasonably recent/modern gadget."
Most laptop batteries are removable and thus can be taken out so the rest of the laptop can be checked. Otherwise, you have a dilemma when you're told you can't put the laptop in to EITHER the carry-on (over the limit) OR the checked baggage (restricted contents). And since the laptop probably also contains the VPN keys, leaving it behind isn't an option, either.
Thursday 31st December 2015 12:12 GMT 9Rune5
"Airlines won't allow the laptop to be checked because of lithium batteries"
I wasn't aware of that. It certainly was not the case ten years ago when a colleague was ordered to put his laptop in checked luggage. Rules and regulations change though, so I will take your word for it. But then again: Rules and regulations change. Tomorrow the powers that be, might ask you to check your laptop again, because bringing li-ion batteries with you gives you (and the terrorists) free access to dangerous chemicals that are better kept out of harm's way. (the more sane option imo, especially given the paranoid rules that limit people from carrying more than half a liter of drinking water)
"if you have some seriously important stuff on your laptop or whatever and you wouldn't kill an animal over it"
Granted, that particular baboon, to my untrained eyes, looked okay. But my guide told me you never can tell. It could be infected with rabies and you might not survive the fight. So yeah... Killing the animal is an option, but risk one's own life..? And allow me to reiterate: The animal did not behave the same way others of its kind had in my past meetings with them. It was unexpected.
There is still the lingering question of where to keep your stash..? Do you bring your valuables with you, on your person, at all times? A 15" laptop dangling off a chain suspended from your neck? How does that not spell 'disaster waiting to happen'?
Thursday 31st December 2015 13:43 GMT Charles 9
"I wasn't aware of that. It certainly was not the case ten years ago when a colleague was ordered to put his laptop in checked luggage. Rules and regulations change though, so I will take your word for it."
That was before we started getting reports of exploding iPods and so on. Then came the reports of Li-Ion and lithium metal batteries (those AA batteries meant to go in digital cameras) combusting spontaneously, even when not in use, due to the batteries being chemically active even when at rest. Look at the controversy around the 787. Plus lithium is a pretty touchy element chemically: it can react to moisture (just like sodium, one row down on the periodic table). And an in-flight fire is one of the biggest risks for an airliner, so anything that creates a fire risk is taken seriously.
Monday 4th January 2016 19:12 GMT druck
Re: 9Rune5
"A baboon once made off with my lunchbox though, with me standing right in the middle. I could have smacked the car door on its head, but I felt my lunch wasn't worth killing for."
Killing it? Dream on, a baboon would have smacked you straight back, and taken a big chunk out of you as keepsake.
Tuesday 29th December 2015 21:36 GMT Danny 2
"The point of the device encryption is to protect the information on the system from being accessed after it was lost or stolen, not to protect the user from elaborate state-sponsored attacks or corrupt governments."
True, but it really should be explicit about that health warning. And where do you draw the line between a script-kiddie and an APT? For example, do the local police and council have access to my data if I trust MS encryption? Yes, they apparently do. And they shouldn't.
Tuesday 29th December 2015 18:57 GMT x 7
so this is a good example of why open source software is a liability. The Norks could only do this because of the openness of FOSS. They could never have done it with closed source software such as Windows or MacOS. Seriously, open source software should be banned as a threat to the free world.
Taking a different tangent, why has the Nork government not been prosecuted for breaching the open source licences? Or have they made the amended source code available?
Tuesday 29th December 2015 19:51 GMT Crazy Operations Guy
Licenses are contracts, not laws. Countries are under no obligation to respect civil agreements within other countries (This is the whole point of the world-wide copyright legislation, like TPP). Besides, North Korea is by far the largest counterfeiter of currency in the world, which is an international crime, yet nothing can be done about that, a little software license doesn't even appear on their radar. Besides, there are several western companies that regularly violate the GPL without repercussions as it is.
Tuesday 29th December 2015 20:33 GMT Danny 2
Hey, the DPRK also produce their own PCs (unlike backwards Britain where your best computer is a Pi that doesn't even have a keyboard). Those North Korean laptops also have USB ports, so why not blame the USB Implementers Forum? Plus they'd never have nuclear weapons if Einstein hadn't blabbed, and they'd all float off into space if Newton had kept quiet about gravity.
If you really want to damage the Norks then go post on their forums. Your amazing stupidity is a liability to the free world.
Tuesday 29th December 2015 20:02 GMT Anonymous Coward
Interesting possibilities for someone wanting to take down the regime
Assuming you can get the ability to inject files into a computer in NK, and are able to fake the signature of a high ranking person's machine, you could create an incriminating file, sign it as if it was viewed by them, which once it became known to the right person would probably cause them to 'disappear'. Do this with enough people and eventually Dear Leader will have executed enough high ranking officials that those remaining decide on a coup before they are added to the list.
Not saying anyone should do this, since whoever takes over could be worse making it a risky strategy. But I have to think that the CIA is at least working on this sort of capability, and if they get it would try it out on a few low ranking officials as proof of concept. The CIA always thinks they know what they are doing when it comes to regime change, despite very ample evidence to the contrary.
Tuesday 29th December 2015 20:39 GMT Crazy Operations Guy
Re: Interesting possibilities for someone wanting to take down the regime
Well, JongUn seems to be executing enough people already, and is all but demanding a military coup. Executing generals who had served under the leadership of Il-Sung and remember all the positive things he had done for the country vs the massive damage that the last two regimes have done.
Wednesday 30th December 2015 02:30 GMT Charles 9
Re: Interesting possibilities for someone wanting to take down the regime
"Assuming you can get the ability to inject files into a computer in NK, and are able to fake the signature of a high ranking person's machine, you could create an incriminating file, sign it as if it was viewed by them, which once it became known to the right person would probably cause them to 'disappear'."
I think the way the system is designed, that's very risky, as you could just as easily commingle your signature with the target's, making it easy to tell it's a fake. Remember, the signature process runs within PID0, so you can't get around that without changing or compromising the kernel, and as the article notes, it takes precautions to prevent that. I wouldn't put them above integrity and signature checking.
Thursday 31st December 2015 18:20 GMT That Awful Puppy
Re: Interesting possibilities for someone wanting to take down the regime
To be ever so slightly pedantic, Yugoslavia started going downhill when in 1980 Tito decided to pop his clogs after a few decades of surprisingly effective state-building, drinking and whoring. Succession planning, alas, wasn't among his priorities.
Wednesday 30th December 2015 02:57 GMT Anonymous Coward
Could be awkward...
> AnGae.dat contains UTF-16 strings of text in several different languages – phrases that, for example, translate into "strike with fists," "punishment," and “hungry". Any media files found by scnprc that contain any of the listed strings are automatically deleted.
So any attempt to advertise my new boxing gym with Hungry Horse franchise is probably doomed?
Wednesday 30th December 2015 04:26 GMT JeffyPoooh
"watermarks" vs. "appended"
"...watermarks can stack up inside a file – a new one is appended..."
The word 'watermark' typically means something like subtly changing the least significant bits of a media file such that it's unnoticeable, but these bits form a resilient pattern that can be detected and the hidden data extracted. The file size does not change. Like a watermark on a paper based item doesn't require extra paper.
What's being described in the article is more like a hash and/or fingerprint that's being appended to the file. That's not a watermark.
Wednesday 30th December 2015 08:49 GMT Charles 9
Re: "watermarks" vs. "appended"
You're confusing watermarking with steganography, as the latter is one way to robustly and covertly apply the former. Because this process occurs behind the scenes in the OS itself, transparent to the user, possibly by way of an alternate data stream, I would consider this a form of covert fingerprinting: that's watermarking in my book.
In any event, a series of fingerprints can be used in a technique known as source tracking, which is what this system apparently does to provide an audit trail of where files get transferred.
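JeffyPoooh's distinction and Charles 9's source-tracking remark, worked through as an added example. This is my code, not anything from the thread and not Red Star's code: the article only says a hardware-derived fingerprint is appended on each open and that these stack up, and does not document the byte layout. So the trailer format (MAGIC, FP_LEN), the hardware fields fed to the fingerprint, the sample document and the two "machines" are all constructed. What the block shows is the two properties being argued about: an appended record makes the file grow by a fixed amount per open and leaves an ordered trail of machines, while a classic LSB watermark changes bits in place and leaves the size untouched.

```python
import hashlib

# Hypothetical trailer format invented for this example. The article says only
# that a hardware-derived fingerprint is appended to a file each time it is
# opened, and that these stack up; it does not document the byte layout, so
# none of the constants below are Red Star's actual format.
MAGIC = b"\x00FPTRAIL"   # constructed record marker
FP_LEN = 16              # constructed: truncated SHA-256 of hardware identifiers
RECORD_LEN = len(MAGIC) + FP_LEN


def hardware_fingerprint(hw: dict) -> bytes:
    """Derive a fixed-length machine fingerprint from hardware identifiers.

    The field names and values are whatever the caller supplies; the real
    system's inputs are unknown, so this is purely illustrative.
    """
    canon = "|".join(f"{k}={hw[k]}" for k in sorted(hw)).encode()
    return hashlib.sha256(canon).digest()[:FP_LEN]


def append_fingerprint(data: bytes, fp: bytes) -> bytes:
    """Emulate 'on open, append this machine's fingerprint'.

    Each open grows the file by RECORD_LEN bytes: that growth is the
    property JeffyPoooh's comment uses to argue this is not a watermark.
    """
    if len(fp) != FP_LEN:
        raise ValueError("fingerprint must be %d bytes" % FP_LEN)
    return data + MAGIC + fp


def parse_trail(data: bytes):
    """Split a file into (original payload, [fingerprints in append order]).

    Caveat: records are peeled off the end while the tail looks like a
    record, so a payload that itself ends in MAGIC would be over-parsed.
    A real format would carry a record count or length; this toy does not.
    """
    trail = []
    while len(data) >= RECORD_LEN and data[-RECORD_LEN:-FP_LEN] == MAGIC:
        trail.append(data[-FP_LEN:])
        data = data[:-RECORD_LEN]
    trail.reverse()
    return data, trail


def lsb_embed(cover: bytes, payload: bytes) -> bytes:
    """A steganographic watermark for contrast: same length, low bits changed."""
    bits = [(b >> i) & 1 for b in payload for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for payload")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def lsb_extract(cover: bytes, n_bytes: int) -> bytes:
    """Recover n_bytes of payload from the low bits of cover."""
    bits = [b & 1 for b in cover[: n_bytes * 8]]
    return bytes(
        int("".join(str(x) for x in bits[i : i + 8]), 2)
        for i in range(0, n_bytes * 8, 8)
    )


def demo():
    """Trace a constructed document across two constructed machines."""
    doc = b"Constructed sample document\n"
    m1 = hardware_fingerprint({"disk": "SN-A1", "mac": "00:11:22:33:44:55"})
    m2 = hardware_fingerprint({"disk": "SN-B7", "mac": "00:11:22:33:44:66"})
    f = append_fingerprint(doc, m1)  # opened on machine 1
    f = append_fingerprint(f, m2)    # copied to machine 2 and opened
    f = append_fingerprint(f, m2)    # opened again on machine 2
    payload, trail = parse_trail(f)
    names = {m1: "machine-1", m2: "machine-2"}
    return {
        "grew_by": len(f) - len(doc),
        "payload_intact": payload == doc,
        "trail": trail,
        "machines_in_order": [names[t] for t in trail],
    }
```

The trail returned by `demo()` is the source-tracking audit trail Charles 9 describes: whoever can read the trailer and map fingerprints to machines sees every box the file was opened on, in order. Note what the toy does not do: there is no key, so any machine that knows the format can strip or forge records, which is exactly the gap the thread's "fake the signature" speculation turns on.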
Wednesday 30th December 2015 04:34 GMT Gruntled
What is he holding?
It looks like Fearless Leader is holding a pair of binoculars...could this be right?
Perhaps the binoculars are the Red Star OS's implementation of a Page>View>Zoom function?
That would explain why many officers that have gathered around seem to be giggling. That or a Steam game just crashed the computer.
Wednesday 30th December 2015 05:15 GMT Shadow Systems
A serious question...
What's to stop an industrious, ingenious, talented, & bored hacker group to neuter the official OS into something that LOOKS like the official one but doesn't ACT like it?
What's to stop someone from neutering the OS (so it doesn't know it's been altered; so it doesn't append the data trail to files; so it doesn't scan/delete files, etc) and go around with the altered OS on LiveUSB to every internet cafe, library with a computer, or any personal/public machine they can find, reboot to the Live media, install the new OS, and let it overwrite the old one?
Imagine all the "fun" the North Korean government would have in trying to play an infinite game of Whack-A-Mole with all the script kiddy "hackers" that wandered around town with LiveUSB copies of the new OS, installing it everywhere they went, leaving copies for others to find & utilize, and generally wreaking havoc for the Powers That Be.
I know the NK government has tried to lock it down to be impregnable/unchangeable by mere mortals, but anything one person can code, another person can tweak with enough time, motivation, & resources.
So what's to keep anti-government hackers from tweaking the official OS into something that merely looks official, replacing all the official copies they encounter, and spreading the ability for the proverbial Joe Public to do the same?
Wednesday 30th December 2015 07:15 GMT MacroRodent
Re: A serious question...
Perhaps they have also imported UEFI Secure Boot, and made it mandatory on every computer in the country! That combination would be the perfect privacy nightmare: An OS that tattles and reports on you, and deletes all documents with non-approved words in them, and no way to install any alternative.
Wednesday 30th December 2015 08:52 GMT Charles 9
Re: A serious question...
If UEFI secure boot with a custom key were required, then how are the researchers fiddling with it right now? Are they running it on Nork hardware, too (which BTW is x86-based, so no built-in security features via the CPU)? With home-grown hardware, even without EFI, it can be secured with a custom BIOS that has signature-checking capabilities (as this is a one-off, compatibility need not be an issue).
Wednesday 30th December 2015 10:19 GMT MacroRodent
Re: A serious question...
If UEFI secure boot with a custom key were required, then how are the researchers fiddling with it right now?
Running the OS on a computer (or more likely a virtual machine in this case) that you fully control is much easier than trying to run an alternative OS on a computer that has been locked down.
Wednesday 30th December 2015 13:13 GMT Karl Vegar
Re: A serious question...
This IS NorK we're talking about.
There's some 2.5 GB in the install image. What are the odds there's a little undocumented "I'm still compliant" heartbeat feature or two in there somewhere? And what do you think might happen if the heartbeat flatlines while the ISP still shows traffic on your line (using a familiar MAC?)
Then there's penalties. I'm guessing loss of PC privileges and some labour on first offence for a script kid of good family. For wilful distribution, I guess the hard part is over when you get to the firing squad.
Wednesday 30th December 2015 22:31 GMT E 2
Re: A serious question...
I doubt the NorK gov't distributes the source code for their kernel modifications. Given the NorK gov't appears to have implemented super-root level access for the security and tracking code, without the source how is a hacker supposed to subvert the system?
Not to mention the nature and scope of the punishment if caught.
Wednesday 30th December 2015 16:22 GMT toughluck
One thing is mind-boggling
If the anti-virus deletes files that contain any officially disallowed terms, that still doesn't work against pig latin (or its Korean equivalent), and at the same time, it cripples the government. Maybe that's a good thing?
"Punishment for John Doe is death."
*ping*file deleted*authorities notified
Any official army documents that mention fighting (as in strategy)? File deleted.
Official document to prevent starvation? File deleted.
And so on. How about a virus that appends any of the naughty words to every file? Everything deleted?
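The scan toughluck is reasoning about, as an added example that is not part of the thread and not Red Star's scanner. Everything in it is constructed: the English stand-in blocklist (the article says AnGae.dat holds UTF-16 phrases and quotes "strike with fists", "punishment" and "hungry" as translations; the real list is not reproduced), the sample documents, the fake media header, and the assumption that the scanner does a plain byte-substring match on the UTF-16 encoding of each phrase. That assumption is the simplest reading of "contain any of the listed strings", and it is what makes both halves of the comment true: official text trips the filter, while an encoding change or a zero-width character slips past it, and appending the trigger bytes to any file makes it deletable.

```python
# Constructed English stand-ins for the blocklist. The article says AnGae.dat
# holds UTF-16 phrases; the real file is not reproduced here.
BLOCKLIST = ["strike with fists", "punishment", "hungry"]

# Assumption: the scanner does a plain byte-substring match for each phrase in
# one encoding (UTF-16LE here). A scanner that normalised text (Unicode NFKC,
# stripping zero-width characters, re-decoding other encodings) before matching
# would catch more of the evasions shown in demo(); this one deliberately does
# not, to show the weakness.
SCAN_ENCODING = "utf-16-le"


def compile_patterns(words, encoding=SCAN_ENCODING):
    """Pre-encode each phrase, in a few capitalisations, as raw bytes."""
    pats = []
    for w in words:
        for form in {w, w.lower(), w.capitalize(), w.upper()}:
            pats.append((w, form.encode(encoding)))
    return pats


def scan(data: bytes, patterns) -> list:
    """Return the blocklisted phrases whose encoded bytes occur in data.

    Byte-substring matching ignores UTF-16 code-unit alignment, so a phrase
    is found wherever its bytes appear, not only at even offsets.
    """
    return sorted({w for w, pat in patterns if pat in data})


def would_delete(data: bytes, patterns) -> bool:
    """The policy the article describes: any hit means the file is removed."""
    return bool(scan(data, patterns))


def append_trigger(data: bytes, word: str, encoding=SCAN_ENCODING) -> bytes:
    """toughluck's 'virus that appends naughty words': the bytes land past the
    end of the real content, so no viewer shows them but the scanner does."""
    return data + b"\x00\x00" + word.encode(encoding)


def demo():
    pats = compile_patterns(BLOCKLIST)
    official = "Notice: the punishment for theft is three years' labour."
    # Constructed fake PNG header and padding standing in for a media file.
    media = b"\x89PNG\r\n\x1a\n" + bytes(32)
    return {
        # Official government text trips the filter (the mind-boggling part).
        "official_utf16": scan(official.encode("utf-16-le"), pats),
        # Same text in a different encoding: the byte pattern never appears.
        "official_utf8": scan(official.encode("utf-8"), pats),
        # Zero-width space inside the word: the pig-latin class of evasion.
        "zero_width": scan("I am hun\u200bgry".encode("utf-16-le"), pats),
        # Final letter swapped for a Cyrillic lookalike: same idea, invisible.
        "homoglyph": scan("I am hungr\u0443".encode("utf-16-le"), pats),
        # A clean file made deletable by appending the trigger bytes.
        "poisoned_media": would_delete(append_trigger(media, "hungry"), pats),
        "clean_media": would_delete(media, pats),
    }
```

The asymmetry in `demo()` is the practical point: a literal-string filter is cheap to evade for anyone who wants to, and cheap to weaponise against the system's own documents, while being reliable only against users who do not know it is there.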
Friday 1st January 2016 08:01 GMT DocJames
Re: One thing is mind-boggling
I suspect there will be some Orwellian official phrase for hunger, eg Project for Nationwide Satiety Achievement. Same for the other terms.
And can I say how excited I am to recently find translations in all news about the Norks, rather than the transliterations that were previously used in a hamfisted colonial way to imply inferiority.
Monday 4th January 2016 12:34 GMT toughluck
Re: One thing is mind-boggling
Oh, I understand that totally.
However, the plebes have no access to computers, let alone any networks, therefore there is no need to spend any effort on an operating system. If you break the law by owning a personal computer, why would you go to the lengths of installing a state-sponsored OS on it?
Also, certain pieces of the OS (watermarking files to track their ownership) are aimed strictly at data sources at government level.