0:00:00.000,0:00:09.534 [preroll music]
0:00:09.534,0:00:15.929 Herald: North Korea; not only famous for chocolate but for being a surveillance state.
0:00:15.929,0:00:22.289 And as a good surveillance state, it has to have its own operating system.
0:00:22.289,0:00:27.710 Because how will you do proper surveillance without your own operating system?
0:00:27.710,0:00:35.550 Today, we get a brief introduction how Red Star OS is working.
0:00:35.550,0:00:38.910 The introduction will have a specific focus on the custom code
0:00:38.910,0:00:45.350 which was inserted for surveillance, and especially how to get around it.
0:00:45.350,0:00:52.420 So please welcome Florian and Niklaus with a big round of applause.
0:00:52.420,0:01:00.600 [Applause]
0:01:00.600,0:01:03.230 Florian Grunow: Hey everybody, thanks for having us.
0:01:03.230,0:01:08.070 We are going to give you a deep dive into Red Star OS.
0:01:08.070,0:01:12.070 Actually, we were kind of surprised that there is not so much information
0:01:12.070,0:01:17.850 on the net about really the core of Red Star and what is it doing.
0:01:17.850,0:01:22.310 So we thought we would change this, and give you an insight in how
0:01:22.310,0:01:26.500 this operating system works, and by looking into the technical aspects
0:01:26.500,0:01:33.700 of Red Star you can also draw conclusions about how development in North Korea
0:01:33.700,0:01:38.200 is evolving and is, maybe, catching up.
0:01:38.200,0:01:42.390 So what we're going to talk about is: First of all, a short introduction
0:01:42.390,0:01:45.630 into the motivation; why are we doing this? We are going through
0:01:45.630,0:01:49.720 the architecture of Red Star; we are going to show you the components in the core
0:01:49.720,0:01:53.640 in the operating system itself; and then we will take a deep dive into
0:01:53.640,0:01:57.440 the additional components, all of the programs that are coming from North Korea
0:01:57.440,0:02:01.470 and are supplied with the ISO of Red Star OS.
0:02:01.470,0:02:06.500 After that, we are going to give you a deep dive into the most interesting features
0:02:06.500,0:02:13.290 of Red Star OS; and then we will be able to draw our own conclusions;
0:02:13.290,0:02:16.069 and afterwards we will have time for questions, we hope.
0:02:16.069,0:02:21.459 By the way, this picture on the left you can see here is actually one of the--
0:02:21.459,0:02:28.579 I think it's the screensaver right from Red Star OS. [Laughter] So, um, yeah.
0:02:28.579,0:02:32.849 So before we begin, we need to do this disclaimer:
0:02:32.849,0:02:37.959 For your information we have never visited DPRK, we have never been to North Korea.
0:02:37.959,0:02:41.549 All we know about North Korea is from public sources, from the internet,
0:02:41.549,0:02:47.450 from media, whatever. So what we are going to say about North Korea
0:02:47.450,0:02:52.590 has to be speculation because we don't know exactly what happens in North Korea.
0:02:52.590,0:02:58.370 Also, the ISOs that we have been analysing are found publicly available on
0:02:58.370,0:03:02.499 the internet, [and] may be fake. We don't think that they are fake because
0:03:02.499,0:03:09.340 Will Scott has shown last year on the 31C3 how Red Star looks, and everything that
0:03:09.340,0:03:15.719 he has been showing is basically in the ISO, so we think it is legit.
0:03:15.719,0:03:20.840 Remember that we are not going to make fun of anybody in this talk. We are not going
0:03:20.840,0:03:24.319 to make fun of the developers, and we are certainly not going to make fun of
0:03:24.319,0:03:30.040 the people in the DPRK, because we think that our presentation might have some
0:03:30.040,0:03:36.120 funny aspects or something that makes you laugh - which is perfectly fine - but
0:03:36.120,0:03:41.889 looking at Red Star in detail is kind of a surveillance mess, I would say, and
0:03:41.889,0:03:48.449 it's a security or privacy nightmare. So keep these aspects in mind.
0:03:48.449,0:03:51.849 Also, this talk is not going to focus on security. We're not going to talk
0:03:51.849,0:03:56.010 about security. Many of the publications available on the internet are
0:03:56.010,0:04:00.290 about security, and we're not going to focus on this in this presentation.
0:04:00.290,0:04:06.849 So, why are we doing this? Red Star ISOs have been leaked some time ago; there is
0:04:06.849,0:04:12.290 a version 2 hanging around the internet and there is obviously a version 3.0
0:04:12.290,0:04:17.099 which has been leaked at the end of 2014, and we were quite surprised at the middle
0:04:17.099,0:04:20.459 of the year that there is no in-depth analysis of this operating system.
0:04:20.459,0:04:25.080 So most of the blogs and news articles are quite superficial that you can find out there,
0:04:25.080,0:04:31.370 and this is kind of surprising because if there is some kind of state that
0:04:31.370,0:04:35.680 doesn't put focus on transparency and free speech, and they are putting out an
0:04:35.680,0:04:41.419 operating system, you kind of want to know how do they build their operating system.
0:04:41.419,0:04:46.349 So that was one of the major aspects for us to look into it. The other aspect was
0:04:46.349,0:04:50.580 to find out how is the state of software development in DPRK;
0:04:50.580,0:04:58.519 how are they developing software? Do they have a well-thought architecture;
0:04:58.519,0:05:04.229 are they thinking about what they are doing? How is the skill level of software
0:05:04.229,0:05:08.669 development in North Korea? So these were the two aspects that
0:05:08.669,0:05:10.370 we wanted to find out.
0:05:10.370,0:05:15.189 So if you look at previous work, as I said there is mostly superficial stuff.
0:05:15.189,0:05:22.659 There is some information that Red Star OS actually looks like Mac OS X, and we will
0:05:22.659,0:05:27.129 go into this a little bit further. Then we have this talk from Will Scott
0:05:27.129,0:05:31.439 last year at 31C3, who was talking about Computer Science in DPRK which was
0:05:31.439,0:05:37.159 very very interesting, and gave a pretty good insight into what's happening in DPRK.
0:05:37.159,0:05:44.349 And then we have a bunch of guys who looked into the browser of Red Star,
0:05:44.349,0:05:46.319 which is also quite interesting.
0:05:46.319,0:05:53.310 So what we are going to do now is-- I'm going to show you the custom basic
0:05:53.310,0:05:58.180 components; I'm going to talk a little bit about integrity on the system; then I will
0:05:58.180,0:06:04.610 hand over to Niklaus who will be looking into the core and surveillance features;
0:06:04.610,0:06:08.319 and then as I said, we will have time for questions afterwards.
0:06:08.319,0:06:13.340 So there are different leaked versions out there, as I said. We have a desktop and
0:06:13.340,0:06:19.319 a server version of Red Star, so you can also use Red Star as a server, and it
0:06:19.319,0:06:23.430 turns out that server version 3 is actually used on the internet right now.
0:06:23.430,0:06:28.520 As you can see, there is a server header returned: "Red Star 3.0"
0:06:28.520,0:06:32.750 This is an IP address of the server, and it is pointing into North Korea.
0:06:32.750,0:06:37.379 So this is one of the few web sites that is publicly facing the internet from
0:06:37.379,0:06:44.259 North Korea, and they are obviously using the server version 3.0. So 3.0 might
0:06:44.259,0:06:48.500 actually be the latest version. There is another version, it's 2.0,
0:06:48.500,0:06:53.550 which has also been leaked to the internet, and then there is supposedly something
0:06:53.550,0:07:02.139 that looks like 2.5; we have found some South Korean documents that seem to be
0:07:02.139,0:07:08.909 analysing the system quite superficially, and it looks like 2.5 actually resembles
0:07:08.909,0:07:14.139 the look and feel of Windows XP. So you kind of see this evolution right now from
0:07:14.139,0:07:19.319 2.5 XP going to 3.0 mimicking Mac OS X.
0:07:19.319,0:07:24.499 Our talk will focus on the desktop version which is desktop 3.0.
0:07:24.499,0:07:28.770 If you look at the timeline, which is a guess - there's no documentation available
0:07:28.770,0:07:35.400 on how they did it, obviously - if you look at the 3.0 version you see that it is
0:07:35.400,0:07:41.780 based on Fedora 11 which came out in 2009. So our guess is they started developing 3.0
0:07:41.780,0:07:48.029 in 2009 with this Fedora 11 release. The kernel that they are using is 2.6.38
0:07:48.029,0:07:55.840 which came out with Fedora 15 in 2011. So it could be that the OS itself is
0:07:55.840,0:08:00.759 a little bit older, the kernel is a little bit newer, and the latest package build
0:08:00.759,0:08:05.150 dates that you can see in Red Star OS date to June 2013.
0:08:05.150,0:08:11.789 So our educated guess is that Red Star came out in June 2013 or a little bit later,
0:08:11.789,0:08:13.939 a few weeks later or months later.
0:08:13.939,0:08:18.219 In December 2014 we had the public leak, so the ISOs have been leaked to the internet
0:08:18.219,0:08:21.479 and are publicly available right now.
0:08:21.479,0:08:26.449 If you look into the operating system, it's basically a fully-featured desktop system
0:08:26.449,0:08:31.150 you might imagine. It's based on KDE and Fedora as I already said, and it tries
0:08:31.150,0:08:36.230 to mimic the look and feel of Mac OS X. You have an e-mail client, a calendar,
0:08:36.230,0:08:41.260 a word processor, you've got QuickTime and all of that stuff. You even have a disk
0:08:41.260,0:08:45.850 encryption utility that Will Scott has shown last year.
0:08:45.850,0:08:51.630 They implemented additional kernel modules and they touched a lot of kernel modules.
0:08:51.630,0:08:55.180 They have this kernel module "rtscan" which Niklaus is going to say a little bit
0:08:55.180,0:09:00.120 more about, they have this kernel module called "pilsung" - I was told this
0:09:00.120,0:09:05.210 means "victory" in Korean - and that kind of is a kernel module that supplies
0:09:05.210,0:09:12.280 AES encryption. So they implemented their own kernel module to supply something like AES.
0:09:12.280,0:09:16.290 Then there is a kernel module called "kdm" which is the Korean Display Module,
0:09:16.290,0:09:20.960 and "kimm"-- [muffled laughter] --which is not what it's like--
0:09:20.960,0:09:24.800 it's not looking-- [laughter] Well, I'll just go on.
0:09:24.800,0:09:31.130 It basically just does something with Korean letters and displaying Korean
0:09:31.130,0:09:35.250 letters on the screen.
0:09:35.250,0:09:39.710 Red Star has been developed by the KCC, the Korean Computer Centre.
0:09:39.710,0:09:46.720 It's quite interesting that since a few years ago they had an office in Berlin.
0:09:46.720,0:09:50.750 I don't know what they did there, but they obviously had an office in Berlin
0:09:50.750,0:09:55.320 maybe for knowledge sharing, whatever. If you look at the system hardening,
0:09:55.320,0:09:58.480 it's quite interesting that they took care of system hardening.
0:09:58.480,0:10:02.780 So they implemented SELinux rules with custom modules, they have iptables
0:10:02.780,0:10:06.860 rolled out immediately so you don't have to activate it or put your rules into it;
0:10:06.860,0:10:11.640 the firewall is working. They even have Snort installed on the system.
0:10:11.640,0:10:16.290 It's not running by default but they are kind of delivering it by default, and they
0:10:16.290,0:10:21.590 have a lot of custom services that we are going to look into right now.
0:10:21.590,0:10:25.880 Quite interesting is-- so why should North Korea mimic Mac OS X?
0:10:25.880,0:10:30.150 That might be one reason right there: because this young fella sitting on the left
0:10:30.150,0:10:35.900 is actually using an iMac right here. So this is one reason.
0:10:35.900,0:10:40.700 So why should they implement their own operating system? There actually are
0:10:40.700,0:10:48.210 so-called anthologies put out by the leader, and one anthology by Kim Jong-il says that
0:10:48.210,0:10:54.220 - if you translate it correctly, and we try to - "in the process of programming,
0:10:54.220,0:10:59.290 it is important to develop one in our own style," and with "one" he means programs
0:10:59.290,0:11:05.990 and operating systems. So there is this clear guidance that North Korea should not
0:11:05.990,0:11:11.620 rely on third-party Western operating systems and programs, they should
0:11:11.620,0:11:15.290 develop this stuff on their own. And by looking at the code and everything
0:11:15.290,0:11:19.470 that we have by Red Star OS, this is exactly what they did. They touched
0:11:19.470,0:11:24.260 nearly everything on the operating system, changed it a little bit, added custom code
0:11:24.260,0:11:28.710 and so this is actually what they are doing right there.
0:11:28.710,0:11:34.060 The custom applications that you have are a browser, which translates to "my country."
0:11:34.060,0:11:40.470 You also have a crypto tool that Will Scott has shown last year which is called Bokem
0:11:40.470,0:11:44.230 which if you translate it kind of translates to "sword."
0:11:44.230,0:11:49.780 You have Sogwang Office which is an OpenOffice customised for North Korean use.
0:11:49.780,0:11:53.920 A software manager; you have MusicScore which is an application you can compose
0:11:53.920,0:11:59.270 music with. Then you have a program which is called "rootsetting" and it basically
0:11:59.270,0:12:03.520 gives you root. So if you look into the documentation, it says you are not
0:12:03.520,0:12:07.520 supposed to have root on the system for integrity reasons, but if you want to get
0:12:07.520,0:12:12.940 root you can use this tool, so they're not hiding anything. So there are rumours
0:12:12.940,0:12:16.110 on the net that say that you're not supposed to get root on the system
0:12:16.110,0:12:21.370 because it's so locked down. This is not true obviously because there is software
0:12:21.370,0:12:24.140 intended to give you administrative privileges.
0:12:24.140,0:12:30.240 They even touched KDM, so the code base that they touched is really, really big.
0:12:30.240,0:12:32.760 Nearly the whole operating system.
0:12:32.760,0:12:38.250 We are now going to give you a demo. The first demo that we are doing, we are
0:12:38.250,0:12:42.390 doing it right now, because we are actually doing this presentation
0:12:42.390,0:12:55.080 in Red Star OS. [Laughter and applause]
0:12:55.080,0:12:58.990 So what you see right here is basically Red Star OS. We're going to show
0:12:58.990,0:13:03.480 some of the aspects to you. There are many many screenshots on the internet, some of you might already
0:13:03.480,0:13:06.980 know how Red Star works, you might have experience yourself.
0:13:06.980,0:13:09.600 We're just going over a few interesting issues.
0:13:09.600,0:13:16.110 So as you have seen, there is a full-blown set of word processing, PowerPoint
0:13:16.110,0:13:22.150 presentation stuff. I'm going to open up the browser-- pfft, whatever. [Laughter]
0:13:22.150,0:13:31.240 --and going into the preferences just to give you a quick-- no. [Muted laughter]
0:13:31.240,0:13:38.580 Oh. [Laughter] Yeah, to give you an insight on the Certificate Authorities that are
0:13:38.580,0:13:43.720 implemented in this Firefox version - it's Firefox 3 - so you see there is not so many
0:13:43.720,0:13:50.740 Certificate Authorities right here, and they all are I guess from North Korea.
0:13:50.740,0:13:55.780 So the browser is totally created to not be used outside of North Korea,
0:13:55.780,0:14:04.170 which you can see in the URL bar. There is an internal IP address
0:14:04.170,0:14:08.630 which points into the network of North Korea, and all of the settings,
0:14:08.630,0:14:11.940 proxy settings, hard-coded IP addresses, or whatever, all point into this
0:14:11.940,0:14:16.070 internal infrastructure of North Korea. So this browser and the e-mail program
0:14:16.070,0:14:19.380 was never intended to be used outside of North Korea.
0:14:19.380,0:14:22.900 [Pfft] Okay. [Laughter] What else do we have?
0:14:22.900,0:14:29.000 Okay, we have a QuickTime player. So speaking of Mac OS X,
0:14:29.000,0:14:41.000 you all have seen this. Woo! Swoosh. Right? Okay, so that perfectly mimics Mac OS X.
0:14:41.000,0:14:45.670 So let me try to find-- I'll try with aplay right here.
0:14:45.670,0:14:51.800 So this is the shell. Quite interesting is that when we were looking through
0:14:51.800,0:14:57.310 all of this stuff, there is a bunch of files that have a certain protection,
0:14:57.310,0:15:00.420 and they seem to be pretty important for the system, and there is a
0:15:00.420,0:15:06.630 wave file - an audio wave file - that actually is protected.
0:15:06.630,0:15:15.170 It's /usr/lib/Warnning.wav; I don't know if we can hear this.
0:15:15.170,0:15:19.000 I hope that your ears are not going to explode right now. I'll just try it.
0:15:19.000,0:15:22.430 [Pig squealing] I'll try it again.
0:15:22.430,0:15:25.870 [Pig squealing] You hear that? [Laughter]
0:15:25.870,0:15:28.740 [Pig squealing] Does anybody know what this is?
0:15:28.740,0:15:33.670 [Shouts of "pig" from audience] Pardon me? Pig, exactly.
0:15:33.670,0:15:36.430 And where is it coming from? Does anybody know?
0:15:36.430,0:15:39.970 That's stolen from Kaspersky antivirus, because in the older version of
0:15:39.970,0:15:45.340 Kaspersky antivirus if you find a virus it actually will play this sound, and it's
0:15:45.340,0:15:49.970 exactly the wav file from Kaspersky; we verified this by doing checksums, okay.
0:15:49.970,0:16:03.310 [Laughter] So we have a copyright violation right here. [Laughter and applause]
0:16:03.310,0:16:07.770 So what else do we have? I've been talking about this, you can create your own music.
0:16:07.770,0:16:12.630 I'm not going to do this now because I'm not good at making music.
0:16:12.630,0:16:16.300 What else do we have? We have the browser. Did we want to show-- ah yeah.
0:16:16.300,0:16:20.570 I'm going to show you one more thing. I'm not going to show you the encryption
0:16:20.570,0:16:28.980 tool because Will Scott has done this last year, but to give you an insight into
0:16:28.980,0:16:33.970 the crypto tool, it's pretty interesting. If you look at the description of the bokem3,
0:16:33.970,0:16:38.260 bokem is the tool that is used for disk encryption so it provides the user a tool
0:16:38.260,0:16:42.470 to encrypt files or even the complete hard drive, and if you look into
0:16:42.470,0:16:49.730 the description it says "this allows the user to store his/her privacy data with encrypted,"
0:16:49.730,0:16:56.420 which is quite nice. I mean, we didn't expect to have something like this
0:16:56.420,0:17:04.000 in Red Star. So the user can at least try to encrypt files.
0:17:04.000,0:17:08.750 Bokem is using out-of-the-box crypto that comes with the kernel.
0:17:08.750,0:17:14.240 It also uses pilsung, which we don't know if there are any backdoors in it or not,
0:17:14.240,0:17:19.849 so we have no idea if this is possible to decrypt with a master key or something.
0:17:19.849,0:17:24.140 If you want to look into this, we would be happy if someone with big crypto
0:17:24.140,0:17:32.750 experience would look into it. So let me get back to the presentation.
0:17:32.750,0:17:39.440 Ah! One thing I need to show you is this red flag on the right corner, right here.
0:17:39.440,0:17:46.410 If you look into this, and you translate - I didn't click the right one - if you are
0:17:46.410,0:17:52.110 going to translate all of this, you will find that all of the strings and all of
0:17:52.110,0:17:59.160 the text that you see right here, they seem to be an antivirus scanner.
0:17:59.160,0:18:03.510 So they even implemented from scratch an antivirus scanner in Red Star OS.
0:18:03.510,0:18:08.230 You can now select the folder or a file and say run a check on the file,
0:18:08.230,0:18:13.050 and if the file is actually a malicious file - we will come to that part later,
0:18:13.050,0:18:17.870 what "malicious" is - it will instantly be deleted from the hard drive.
0:18:17.870,0:18:25.260 So this is an interesting feature, having a virus scanner in a Linux OS.
0:18:25.260,0:18:28.570 Okay so let's look at the custom components. We have been
0:18:28.570,0:18:32.290 looking into the user space a little bit, and all of the programs that come with it.
0:18:32.290,0:18:37.400 There is far more stuff. Download the ISO, play around with it a little bit.
0:18:37.400,0:18:41.610 First, change the language to English. You will obviously not get far
0:18:41.610,0:18:46.260 if your Korean is bad. So change the language and
0:18:46.260,0:18:48.030 play around with it a little bit.
0:18:48.030,0:18:53.020 So Red Star comes with interesting packages.
0:18:53.020,0:18:56.620 They touched KDE as I said. They are getting out an integrity
0:18:56.620,0:19:00.210 checker and a security daemon. There are signature packages right here
0:19:00.210,0:19:05.840 which Niklaus is going to talk about a little bit, there are policies for SELinux,
0:19:05.840,0:19:11.280 and I'm going to talk about two of the integrity checking mechanisms that
0:19:11.280,0:19:12.300 Red Star has.
0:19:12.300,0:19:17.730 So by looking at Red Star, we saw that one thing was pretty important to them:
0:19:17.730,0:19:22.710 They wanted to preserve the integrity of the system, and one way to do this
0:19:22.710,0:19:27.140 is using this process right here, it's called "intcheck."
0:19:27.140,0:19:32.280 It comes with an SQLite database with hashes of files on the system,
0:19:32.280,0:19:36.920 like signatures for the system, and you can configure it from user space so
0:19:36.920,0:19:40.770 it's not pretty hidden, it's pretty transparent to the user.
0:19:40.770,0:19:44.660 I think there even comes a UI with it where you can configure everything,
0:19:44.660,0:19:48.540 and it's run at boot. It checks the files and if it sees that the files have been
0:19:48.540,0:19:52.350 manipulated or tampered with - if the checksum changes - then it will issue
0:19:52.350,0:19:55.600 a warning to the user. So you get a small popup that says,
0:19:55.600,0:20:00.380 "this file has been tampered with," the security or the integrity of the system
0:20:00.380,0:20:05.950 is not where it should be. So that's pretty much what this thing does.
0:20:05.950,0:20:11.270 securityd is kind of interesting, because securityd is also a process that is known
0:20:11.270,0:20:18.090 to run under Mac OS X. I'm not a Mac user, and I think that Mac OS X with securityd
0:20:18.090,0:20:21.440 is keeping track of certificates and stuff like that.
0:20:21.440,0:20:26.910 So what they did is they reimplemented securityd for Linux, and they included
0:20:26.910,0:20:32.900 various plugins. One interesting issue with securityd is it comes with a library
0:20:32.900,0:20:37.260 that provides a function called validate_os(), and what this function does
0:20:37.260,0:20:43.280 is it has a hard-coded list of files. You can see like our wav file right here,
0:20:43.280,0:20:48.930 you can see configuration files, and autostart files for scnprc which is
0:20:48.930,0:20:54.190 the antivirus scanner. So it checks if these files are untouched, and if
0:20:54.190,0:20:59.020 these files have been tampered with it initiates a reboot instantly.
0:20:59.020,0:21:03.500 So if you touch one of these files, your machine will reboot instantly.
0:21:03.500,0:21:11.080 The same library is also used from KDM, so during the startup process when KDM is
0:21:11.080,0:21:15.820 starting it is also doing an integrity check, and if it finds that one of these files has
0:21:15.820,0:21:20.460 been tampered with it actually immediately issues a reboot, and the problem is
0:21:20.460,0:21:24.000 that if you start tampering with the system you will end up in reboot loops
0:21:24.000,0:21:29.809 all of the time if you're doing research, because once KDM is saying reboot
0:21:29.809,0:21:33.450 the system, it's going to check it again if it's rebooted and sees that it's
0:21:33.450,0:21:36.660 still tampered with and it reboots again, and again, and again, and then your
0:21:36.660,0:21:40.000 system is basically dead. So what they tried to do with intcheck
0:21:40.000,0:21:45.860 and securityd is try and protect certain files, conserve the integrity of these files,
0:21:45.860,0:21:50.600 and if these files get tampered with they assume that it is better to have an
0:21:50.600,0:21:55.280 operating system that you cannot work with any more than to still let it run or
0:21:55.280,0:22:00.220 issue any warning. So integrity is one of the main aspects
0:22:00.220,0:22:03.030 they were looking for in implementing Red Star.
0:22:03.030,0:22:08.000 Okay, I will hand over to Niklaus and he will go into the guts and the
0:22:08.000,0:22:12.500 surveillance features a little bit more.
0:22:12.500,0:22:14.940 Niklaus Schiess: The most interesting feature-- package we found was this
0:22:14.940,0:22:21.280 esig-cb package, which actually says in the description that it's an
0:22:21.280,0:22:26.790 "electronic signature system," but we found that it is doing a lot of weird stuff.
0:22:26.790,0:22:30.570 This is actually one of the pictures which is included in the package,
0:22:30.570,0:22:34.420 which is also protected. We don't know really why, but it says something like
0:22:34.420,0:22:38.300 "this is our copyright;" and "don't break it;"
0:22:38.300,0:22:41.020 and "don't copy it;" and stuff like that.
0:22:41.020,0:22:45.559 But it's actually doing something really different.
0:22:45.559,0:22:49.500 It includes several pretty interesting files. We have some configuration files,
0:22:49.500,0:22:54.059 we have a kernel module, and we also have this redflag.bmp which is the
0:22:54.059,0:22:57.820 picture you just saw, and we have the warning file, and we have some
0:22:57.820,0:23:03.500 shared libraries, and we'll go now into details what these are actually doing.
0:23:03.500,0:23:07.640 So the first thing we looked at was because there is a kernel module
0:23:07.640,0:23:11.890 loaded by default, and we thought if you want to put some backdoors in it
0:23:11.890,0:23:16.010 where would you want to put it? Right in the kernel module, probably.
0:23:16.010,0:23:20.290 And what it does, it's actually just hooking several system calls which
0:23:20.290,0:23:26.630 provides a device which is actually interfaced to the kernel so you have
0:23:26.630,0:23:30.500 different services running on a system who are actually talking to this
0:23:30.500,0:23:33.730 kernel module via this device, and it has some functionality like
0:23:33.730,0:23:39.080 it can protect PIDs. So when you're protecting a specific process then
0:23:39.080,0:23:42.429 even root cannot kill this process, which will be quite interesting
0:23:42.429,0:23:47.990 in the next slides. It also provides functionality to on one side protect
0:23:47.990,0:23:52.670 files, and on the other side to hide files. So protect means you cannot edit
0:23:52.670,0:23:56.040 the file, and hide means you cannot even read the file.
0:23:56.040,0:23:59.710 So even if you had root user, you can't even read those files.
0:23:59.710,0:24:04.679 And on the right side is actually how the services are interacting with this
0:24:04.679,0:24:10.840 kernel module, and this is one function which mostly protects and hides the files
0:24:10.840,0:24:15.520 which we just saw, which are included in this esignature package.
0:24:15.520,0:24:19.559 Then like Florian said, we have this virus scanner which at first glance
0:24:19.559,0:24:25.200 at least looks like a virus scanner, and this is this "scnprc" process.
0:24:25.200,0:24:29.030 It provides a GUI to the user so it's quite transparent so the user can see
0:24:29.030,0:24:32.410 "okay, I have something that looks like a virus scanner, and I can also
0:24:32.410,0:24:35.320 trigger some scans of different directories,"
0:24:35.320,0:24:40.760 and it's started by kdeinit. So there's this scnprc desktop file which is
0:24:40.760,0:24:45.550 quite interesting because what you want to do is disable it, but you
0:24:45.550,0:24:48.220 cannot actually edit this file. So as soon as you edit this file
0:24:48.220,0:24:51.340 and save it, then the system will immediately reboot.
0:24:51.340,0:24:54.479 So disabling it is not so easy.
0:24:54.479,0:24:58.570 Like I already said, you have different ways of scanning. You can just click
0:24:58.570,0:25:02.150 on a folder and say "scan this," but also if you for example plug in
0:25:02.150,0:25:06.860 a USB stick into the system then it will automatically scan the files on the USB stick.
0:25:06.860,0:25:11.610 And this scnprc service is actually loading the kernel module, and
0:25:11.610,0:25:15.520 it starts another service which is called "opprc" which we are going to
0:25:15.520,0:25:22.790 look in detail in a minute, and this is also quite interesting this next service.
0:25:22.790,0:25:28.960 But the pattern matching, we looked into this a little bit and there's another
0:25:28.960,0:25:34.730 package. So we have this esig-cb package and you have esig-cb-db package which
0:25:34.730,0:25:40.100 actually just provides this one single "AnGae" file. As far as we know,
0:25:40.100,0:25:44.520 it means "fog" in Korean. And this is basically a signature file, or how the
0:25:44.520,0:25:49.809 code references it a pattern file. It's a file with a well-defined file format
0:25:49.809,0:25:53.429 and it includes patterns which are loaded into memory, and as soon as
0:25:53.429,0:25:57.380 you are scanning a file it just checks if these patterns are matching and as soon
0:25:57.380,0:26:02.309 as the patterns are matched then it immediately deletes the file and it
0:26:02.309,0:26:08.630 plays the warning, and this is one of the hidden files so even if you get root
0:26:08.630,0:26:12.040 privilege on the system you are not able to actually read this file.
0:26:12.040,0:26:15.540 So a user of the operating system won't be able to check "okay, what does it
0:26:15.540,0:26:20.030 check and can I produce documents which won't be detected by this"
0:26:20.030,0:26:23.010 because you cannot actually read this file.
0:26:23.010,0:26:31.370 We took a look into this. Most likely our best guess is that these contain--
0:26:31.370,0:26:35.110 A lot of the files are little-endian so you always have to switch the bytes
0:26:35.110,0:26:40.720 and we saw that it looks at least like they are UTF-16 strings with Korean,
0:26:40.720,0:26:45.000 Chinese, and some other weird characters, and if we put these in Google Translate
0:26:45.000,0:26:49.720 then there are actually some pretty weird and disturbing terms in those files.
0:26:49.720,0:26:53.620 But we actually cannot confirm this. It looks like they are actually not
0:26:53.620,0:26:57.910 scanning for malware in the system, so most likely they are checking documents
0:26:57.910,0:27:02.020 and if those documents match those patterns then they are most likely--
0:27:02.020,0:27:05.460 for example, governments don't want these files to be distributed within the intranet
0:27:05.460,0:27:07.850 of North Korea then it just deletes those files.
0:27:07.850,0:27:12.200 But actually we cannot confirm this because we are not quite sure if you
0:27:12.200,0:27:17.570 put those strings in Google Translate that they are actually real translations.
0:27:17.570,0:27:22.809 But you can always update these pattern files, so on the one side scnprc has a
0:27:22.809,0:27:26.610 built-in update process where it just updates the file itself, or you can just
0:27:26.610,0:27:30.340 when you are doing operating system update via your package manager
0:27:30.340,0:27:35.809 and you update this esig-cb-db package and you also get a brand new file.
0:27:35.809,0:27:40.830 The interesting part of this is that the developers decide what is malicious.
0:27:40.830,0:27:46.110 So it's not necessarily that "malicious" means that it's malware, that it's
0:27:46.110,0:27:52.179 bad for you, but somewhere the developers and officials will actually say,
0:27:52.179,0:27:55.559 "okay, we don't want those files distributed, just delete them
0:27:55.559,0:27:57.980 because we think they are malicious."
0:27:57.980,0:28:02.799 There is this other service which I was also talking about, this "opprc."
0:28:02.799,0:28:06.260 This is more interesting than the virus scanning itself.
It's running in the background, so actually a user will not see that there is actually another service running, you don't have any GUI or something like that, you cannot trick or something with this, and this is one of the protected PIDs. So scnprc for example you can just kill with root privileges, but this is a process no one can kill on the system, and this is quite interesting because you cannot unload the kernel module unless this service is killed, so they are actually protecting each other so that no one can stop the services at all. And this service shares a lot of code with the scnprc. We just did some entropy checking and saw okay-- I will talk in a minute, when we are comparing more of these files, about why we think that this looks pretty much the same, why they are sharing so much code, because we found something interesting with older versions of those services. But the most interesting thing this service is doing is it watermarks files. And now we are going to look deeper into what this watermarking means. So actually as soon as this system is started, it reads your hard disk serial and then scrambles it a little bit, and as soon as you are for example plugging a USB stick into your system then it will trigger a watermarking process where it takes the serial, takes a hard-coded DES key from the binary itself, and then encrypts it and then puts it into your file.
And when you are converting this hex key into a decimal representation then you see that it is actually two dates. We actually cannot confirm what those two dates mean, but one of those matches Madonna's birth date, and there are rumours that some people in North Korea might really like Madonna. This is just speculation, but if you have a better conspiracy theory then just let us know. Because we found some pretty interesting stuff, but we cannot confirm this. So technically the watermarks have an ASCII EOF appended, which is most likely used by the code itself to parse the files and see if there's already a watermark in there, and for JPEG and AVI files, for example, it just appends this watermark to the end of the file, and when you have a DOCX for example it just appends it near the header where there are a bunch of null bytes, and then it just puts it in there. So the watermarking itself is: as soon as you open a document file with Office then it will be watermarked, and actually they have code which watermarks files even if you don't open those files, but as soon as we saw this-- it's pretty buggy. It doesn't work every time, but they have code for this implemented, and mostly it works but sometimes it just fails. The supported types that we can confirm are DOCX files, image files like JPEG and PNG, and AVI video files.
But the code indicates there are several more file types available for watermarking, but we most likely didn't look into this. But the most interesting thing here is that only media files are affected. So they don't watermark any binaries or something like that, they are reducing their surface to files which could be used to carry information, which could be used to put out information for free speech purposes, and actually what we think is that this is not a security feature. So they are actually trying to watermark free speech in general, so that every time you have a document file, an image, or a video file, then they want to know who had this file and they watermark it so they can track the origin of the file. We have a short demo where you can see, for example, I have a USB stick. Let me put it in my system. There is a file on the USB stick which is a love letter from Kim, and it has a checksum which starts with "529", and as soon as I plug this into the system-- I hope that it will notice this. You can see okay, it recognised something like a USB stick on the system, but I won't open it, and I won't open any file on the USB stick. I just will eject it. I hope that it works. Will it actually open? This is what I meant, that it's kind of buggy, so it doesn't always work with the watermarking, but most likely if you open the file itself then it will work. I guess we didn't have the case that it doesn't work when you open it.
[sic] --which then opens Office, and I close it again and-- just close this. Go back, and then hopefully if we mount this again then you can see it has been changed. So we didn't change anything in the file, it was just the operating system who's changing files, and this was initially the part where we started to look into this more deeply, because we thought an operating system who is just changing files when you are plugging into the system is kind of annoying. Just to make this easier for you-- So what it actually does in the file: we have here the header of the file, which is a document, a DOCX file, and it just added this string which is marked right here. This is actually the watermark it's putting in there. Opposite there you can see the plaintext which is actually encrypted and then put into the file, and the serial starts with "B48", so every time it puts the serial into the file, it prefixes it with "WM", which we think stands for "watermark" probably, and you can see the EOF at the end of the file. This allows basically everyone who can access this file, who can decrypt this watermark which is actually encoded with the hard-coded key, so pretty much everyone who has access to this ISO can get this key and can decrypt this. And this allows you to really track back the origin of the file, where it came from.
But there is a pretty funny example. So imagine you have this picture, and you are inside North Korea and you think "okay, this is pretty cool, and I want to distribute this to all of my friends." So you think "okay, they might be intercepting all of my e-mail and my browser communication," so you put it on a USB stick and give it to your friends, so that you think, "okay, no-one actually on the internet can access this file," and you give it to someone else. Then at the beginning we have this situation, where this is the original file. This is the end of the JPEG file - which by definition always ends with an "FF D9" hexadecimal - and as soon as you give this to your friend and he plugs the USB stick into his computer which is running Red Star OS, then the file will actually change and it will look like this. So for JPEG files, as I said, it just appends the watermark to the end of the file. So you can see the "FF D9," this is the actual end of the image file, and they're appending the watermark there, like you can see with the EOF. But where it gets interesting is when your friend is actually distributing the file to another friend. So what Red Star OS is actually doing, it appends also the watermark of your third friend.
Slight laughter
So what you then can do-- If you technically combine this together, then you can see not only where the file has its origins, but you can also track each and everyone who had this file and who distributed this file, and with this knowledge you might be able to construct something like this, where you can track the distribution of all of the media files which are distributed over the intranet in North Korea. You can see then in the centre we have this one really weird guy who is always distributing images that we don't like, and you can see also who gets these files and trace it back to all of the persons who ever had this file, and then you can just go home to him and then shut him down and take his computer. And we have actually not seen any functionality, but probably there is functionality in the system implemented where it always sends your hard disk serial to their servers, so the OS can probably be able to match your IP address to your hard disk serial, and then they don't even have to go to your home and get to your computer and check your hard disk serial, they just can do this remotely and can check all of the distribution of all malicious media files within the intranet of North Korea.
What we thought is pretty hard for someone who doesn't have access to a system other than Red Star OS, who just has this one system, and tries to disable all of this malicious functionality like the virus scanning that can delete all of your files that someone else doesn't like, or the watermarking/the tracking of those files. And this is actually quite hard, because some of those services are depending on each other and can only be killed when the other service is not running. So what you actually have to do is you have to get root privileges, and then you have to kill those two integrity checking daemons which Florian was talking about, so that it doesn't always reboot the system when you're changing anything. Then you can, via ioctl calls to the kernel module, just say "disable", because it has this nice feature where you can enable and disable it, and then you can kill scnprc, opprc, and the best thing you can do is-- Weirdly, the libos file is not protected by anyone, so you can just exchange this with a validate_os() function which always returns 1, which says everything is fine, and then at the end you can delete the desktop file which is used by KDE in it to start all of these processes, and then you are fine. And we don't think that actually anyone in North Korea who only has access to this one system-- It will be extremely hard to figure all of this out and to completely disable it.
So they did a pretty good job in building an architecture which is quite self-protecting, and they put a lot of effort into it to just prevent you from disabling all of the malicious functionality. We also took a quick look on the second version of Red Star OS, just to compare some of those services, and there we can see there is quite an evolution from the older version to the current version. The thing which I was talking about, that the binaries are quite similar, is that in the older version they used a lot of shared libraries, and in the current version they statically linked a lot of code into the binaries themselves even if they don't use it, so the codebase looks quite the same. And the chain of starting the processes is a little bit different, so they put a lot in the init process which will be started at first, and not like this depending-on-each-other infrastructure which they have in the current version. In the current version they also have a lot of problems with file privileges, so privilege escalations would be pretty easy, even if you don't have this root setting file. But also they have a lot of binaries that are just setting that everyone can read and write this interface to the kernel module, which basically allows you even as a non-root user to disable the kernel module, and then you can kill all of the binaries, but you cannot actually delete something because it will then end up in the reboot loop.
And when you are doing something malicious then the OS reboots; in the older version it just shuts down the system, so we thought this is a pretty interesting thing. And we think, and we saw, that there's a more advanced watermarking technique in there which is not just appending watermarks into the files, but it looks like they are doing, for video and audio files at least, something like they are putting the watermarks as filters on the files. So this will be a little bit harder to actually see those watermarks and read those watermarks, because it is not so obvious like when you have this "EOF" string at the end, which is always quite weird. But it uses this "/usr/lib/organ" file which is actually not present on the ISO we had. We're going to talk about this in the conclusion, why we think this might not be there, but it's actually not available. It's referenced a lot in the code, but we actually haven't had this file and unfortunately we couldn't look into this more deeply. So what we didn't find were quite obvious backdoors which we thought would be in place, and that they would be pretty easy to spot. But we didn't see any of those.
It doesn't mean that there are no backdoors, but we have some speculations for this, and one of these is that, like we saw at the beginning of the talk, there are actually systems on the internet running this version of Red Star OS, so it would be pretty weird if they would backdoor a system and then put it on the internet. As far as someone gets the ISO file and can look for backdoors and can find some of them, they would be actually able to exploit the system from the internet. Actually the system has a package manager, and as we saw with the pattern file it has built-in update functionality and different services, so backdoors could just be loaded via updates, because probably they thought "okay, these ISOs might be leaked into the outside world" and you just get an ISO, install it, update your system - which is only possible from within the intranet of North Korea, with hard-coded internal IP addresses - so probably they thought "we only want our backdoors on the systems which are actually located within North Korea." This is what we thought, that they thought the ISO might be leaked, which is what actually happened. Another problem is that, like Florian already said, they touched a lot of code within the operating system and we didn't manage to check all of the code. We mostly focused on the watermarking and the virus scanning stuff, and there might be a lot of code that should be checked further.
The conclusion also is that the system's quite self-protecting. They not only implemented several services for integrity checking themselves, but also they configured and implemented SELinux and something like that, to just protect the system and make it more secure. What we think is really bad is this virus scanning and watermarking, because it actually allows you to track not only the origin but the complete distribution within the network of those files, and combined with the virus scanner, where the developers are able to actually say what files are really malicious and what shouldn't be distributed within the network, it just deletes those files. So these two combined are a really strong framework which can help you to track malicious people within your network. But some words about security: Like I said, they have a lot of problems with file permissions. There are actually some documents on the ISO of the server version of Red Star OS 3.0, and there are some user guides and administration guides which are quite interesting, and they talk a lot about how to make the system secure, how to run it securely, and why they are doing different kinds of stuff to save the integrity of the system. They have a huge chapter talking about file permissions, but they actually didn't manage to fix them themselves, which is quite weird.
And even their custom code uses basic memory corruption protection like stack cookies and non-executable stacks, which we saw that a lot of security vendors don't bother to use, so we thought this is quite funny. Some of their code is more secure than a lot of security appliances.
Slight laughter
Florian: So to wrap this up-- Am I going, can you hear me? Yes. Okay so to wrap this up, again we think - this is a guess - that primarily they try to protect and to save the integrity of the system, which totally makes sense if you're putting out an operating system from North Korea. The system was, in our opinion, definitely built for home computers, so it's not like industrial control or something else, it's definitely built for a home user because it mimics Mac OS X and gives you all of the tools. Maybe the reason why we didn't find backdoors is they actually know that backdoors are bullshit. Could be a reason, we don't know.
If you want to look into Red Star OS and help us out, especially with the crypto, the pilsung kernel module which provides custom crypto, with a look into the kernel to see if there is something hidden there, if maybe there are backdoors there, take a look at our GitHub. Please contribute if you find something, because we think that this message and all of this stuff has to be put out to the public, so it is a well-known fact that this operating system is actually abusing free software to actually make free speech harder in a country that is quite oppressed. So with this, we are at our end and we are going to take your questions now.
Applause
Herald: Thank you very much. We have about 15 minutes time for questions. If you want to ask a question, please come to the microphones. There are some on the right and some on the left aisle. If you for any reason can't come to the microphones, please raise your hand and I'll come to you with my microphone. Okay, please line up there. If you wanna leave now, please do this quietly through the front door.
Florian: Could you raise your hand if you have questions and are standing at the microphone? There are like three questions over there.
Herald: Yeah, on the left one please.
Audience 1: Hello? Yeah. So thank you very much, it was very interesting. I have two questions: Have you tried isolating the system in a chroot jail?
And the second one is: Were there any outbound connections, like automatic outbound connections it made?
Florian: Okay so for the first question, we did not try to run it in an isolated environment. We actually didn't-- Did we install it on a live system? I don't think so. Did we?
Niklaus: Yeah.
Florian: Yeah, okay. But we didn't do any observations that this changed the behaviour of the system. Concerning the second question, there actually is not really outbound traffic. What it is doing is on the local network it is talking a lot of NetBIOS stuff. So there is an SNMP and an nmbd daemon running on the system and it's talking a lot of NetBIOS. But this is basically everything we could find. We have even left it running for like two days, to see if there is an outbound connection for one day or something like that. We couldn't see anything like that. So the only stuff that Red Star's talking to the network is like this Windows NetBIOS stuff, and if you push the button on the update feature of the virus scanner, it's actually trying to initiate an update process that goes to five hard-coded IP addresses that are all local. So like 192.168.9 something, and 172 whatever. These are the only network connections that we could trigger, or that we have observed so far.
A1: Thank you.
Herald: The next question is also from this microphone.
Audience 2: Two questions: Might it be possible that when you install the system it gets code from North Korea, so you cannot find out if it's calling home because you don't get the call?
Florian: Could be. Our guess is actually that there is far more stuff that you get when you pull up the operating system in North Korea. One reason is the organ file that Niklaus mentioned that is missing on the system, with the additional crypto information that is used for the extended watermarking that they are applying. We don't know where this file is coming from, and from our perspective it totally makes sense to not distribute this file on the ISO but to kind of give it as an-- I don't know, somebody has to come to your house to install the software and then he puts this dedicated organ file on your desktop that is specific to you, for example. That would totally make sense because, as you know, stuff works a little bit differently. It's not like downloading an ISO and installing it, it's probably more complex to get this onto your system if you want to use this.
So there might be more stuff that is pushed either via updates - only internal - and this organ file and other stuff that can get to your computer-- We don't know if this is possible or if something is happening with this feature.
A2: And the second question is, if you look at it from the North Korean view, that's like they had the problem. They are quite happy, have a nice state, everything's working fine from what they see, and now people come from South Korea, from Western countries, bring their USB sticks with Western propaganda, so to have stuff like this watermarking, even if it is like evil, is like a natural reaction from a closed system.
Florian: So actually it totally makes sense to develop the system in the way they developed it. It totally makes sense, because it kind of reflects a little bit how the government is working. Because integrity is not only a critical part for the operating system, it's also a part for the state itself. Like shutting down everything, closing off everything - that's, by the way, the screensaver - and closing down everything also totally makes sense. And tracking stuff that is distributed in the country or deleting unwanted stuff also makes sense. So what we think is that Red Star resembles this and matches how culture is in North Korea, actually.
Herald: Okay, we also have two questions from the IRC which I would like to shift in.
Signal angel: Thank you.
Okay, the first question is if you have any theory on how and why the ISO got leaked.
Florian: We don't know this, actually. 'Why?' is-- We don't think that it was somebody from North Korea, we think that it might be a foreigner that got it. Like Will Scott told us last year that he was able to get a copy of it and get it out of the country. There might be others that are able. There is actually tourism in North Korea. You can go there for your holidays. So I guess that if you put a little bit of effort into it, it's possible to get nearly anything out of the country if you want to try to take the risk. But we don't know who leaked the version and we don't know why it actually was leaked.
Niklaus: There are actually rumours that it was a Russian student who was studying in North Korea, and he bought this on the street and just brought it out of the country and put it on his blog, but we cannot confirm that this is actually true.
Signal angel: Okay, thanks. And the second question is if there has been any attempt at the custom kernel modules yet, like reverse engineering or something.
Florian: Well we reverse engineered rtscan, which is pretty simple because it just hooks a few function calls, that's it. We have taken a look at the Korean Display Module on a first glance. It seems to do what it is supposed to do, having something to do with display management, but we didn't take a look at all of the kernel modules, all the rest of the remaining kernel modules, because the code base is so massive that we actually need you guys to help us out a little bit.
Herald: Next question from the mic please.
Audience 3: Yes, I have another question. You said that most of the software is based off other open source software for which you don't have the source code, and it didn't come with the ISO, so it's pretty much a massive violation of open source licenses.
Florian: Yep, absolutely.
A3: So my question would be: Could you get an insight into what other packages are available, or from the package manager, what other packages are there?
Florian: Actually, there is a DVD which also was leaked. I think that it was for Red Star 2. I'm not sure if it is also for the latest version, but there is a CD with additional software and you have stuff like Apache, MySQL-- pfff, I don't know. All of the stuff you basically need to run a full-blown operating system on Linux. So there is additional software out there, you can download the DVD and install this software on the machine.
0:54:47.529,0:54:52.640 If you go through the RPM descriptions[br]you will see that for some of the 0:54:52.640,0:55:00.989 software they even wrote-- They kind of[br]used a description for the license which 0:55:00.989,0:55:05.130 says "KCC", which is the Korean Computer[br]Centre. And sometimes they use GPL, 0:55:05.130,0:55:09.250 and sometimes they use GNU, and yeah.[br]So massive violations. 0:55:09.250,0:55:12.239 A3: Did you ask them for the source code?[br]Laughter 0:55:12.239,0:55:16.119 Florian: Actually, we think that there is[br]an internal git in North Korea where you 0:55:16.119,0:55:20.910 can just check out everything, so...[br]We suppose it is this way because it's 0:55:20.910,0:55:30.259 open source, right? By the way,[br]open source. Laughter 0:55:30.259,0:55:35.440 Herald: Very nice. One more question[br]from here? Are you having a question? 0:55:35.440,0:55:38.079 No, okay, then we have one more[br]question from the internet. 0:55:38.079,0:55:42.449 IRC: Yes, the question is if there is a[br]possibility to fake the watermarks 0:55:42.449,0:55:46.529 to get some innocent North Korean[br]into trouble. Quiet laughter 0:55:46.529,0:55:50.619 Florian: Yeah, no problem, because the[br]key's hard-coded. You could, like-- 0:55:50.619,0:55:57.229 You know how to scramble the hardware ID[br]or the disk serial, and you could perfectly 0:55:57.229,0:56:01.690 forge documents. That would be not a[br]problem. Not a problem at all. 0:56:01.690,0:56:07.209 You just need the serial number, basically.[br]A3: Okay, and I've just got another question, 0:56:07.209,0:56:11.279 that is: Does the warning.wav[br]have a watermark? 
0:56:11.279,0:56:14.809 Florian: Umm...[br]Niklaus: No, actually it has the exact 0:56:14.809,0:56:19.729 same checksum as the original file.[br]Florian: Actually we didn't check if it-- 0:56:19.729,0:56:23.890 No, so it does not have a watermark[br]because as Niklaus said, it's the same 0:56:23.890,0:56:27.739 checksum as the Kaspersky one.[br]A3: Okay, thanks. 0:56:27.739,0:56:32.910 Herald: Okay, thank you very much.[br]Please give Florian and Niklaus another 0:56:32.910,0:56:36.489 big round of applause for an amazing talk.[br]Florian: Thank you. 0:56:36.489,0:56:40.093 Applause 0:56:40.093,0:56:46.054 postroll music 0:56:46.054,0:56:52.000 subtitles created by c3subtitles.de[br]Join, and help us!
