[Script Info]
Title:
[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,0:00:00.00,0:00:09.53,Default,,0000,0000,0000,,{\i1}preroll music{\i0}
Dialogue: 0,0:00:09.53,0:00:15.93,Default,,0000,0000,0000,,Herald: North Korea; not only famous for chocolate\Nbut for being a surveillance state
Dialogue: 0,0:00:15.93,0:00:22.29,Default,,0000,0000,0000,,And as a good surveillance state,\Nit has to have its own operating system.
Dialogue: 0,0:00:22.29,0:00:27.71,Default,,0000,0000,0000,,Because how will you do proper surveillance\Nwithout your own operating system?
Dialogue: 0,0:00:27.71,0:00:35.55,Default,,0000,0000,0000,,Today, we get a brief introduction\Nto how Red Star OS is working.
Dialogue: 0,0:00:35.55,0:00:38.91,Default,,0000,0000,0000,,The introduction will have a specific\Nfocus on the custom code
Dialogue: 0,0:00:38.91,0:00:45.35,Default,,0000,0000,0000,,which was inserted for surveillance,\Nand especially how to get around it.
Dialogue: 0,0:00:45.35,0:00:52.42,Default,,0000,0000,0000,,So please welcome Florian and Niklaus\Nwith a big round of applause.
Dialogue: 0,0:00:52.42,0:01:00.60,Default,,0000,0000,0000,,{\i1}Applause{\i0}
Dialogue: 0,0:01:00.60,0:01:03.23,Default,,0000,0000,0000,,Florian Grunow: Hey everybody,\Nthanks for having us.
Dialogue: 0,0:01:03.23,0:01:08.07,Default,,0000,0000,0000,,We are going to give you a deep\Ndive into Red Star OS.
Dialogue: 0,0:01:08.07,0:01:12.07,Default,,0000,0000,0000,,Actually, we were kind of surprised that\Nthere is not so much information
Dialogue: 0,0:01:12.07,0:01:17.85,Default,,0000,0000,0000,,on the net about really the core of Red\NStar and what it is doing.
Dialogue: 0,0:01:17.85,0:01:22.31,Default,,0000,0000,0000,,So we thought we would change this,\Nand give you an insight into how
Dialogue: 0,0:01:22.31,0:01:26.50,Default,,0000,0000,0000,,this operating system works,\Nand by looking into the technical aspects
Dialogue: 0,0:01:26.50,0:01:33.70,Default,,0000,0000,0000,,of Red Star you can also draw conclusions\Nabout how development in North Korea
Dialogue: 0,0:01:33.70,0:01:38.20,Default,,0000,0000,0000,,is evolving and is, maybe, catching up.
Dialogue: 0,0:01:38.20,0:01:42.39,Default,,0000,0000,0000,,So what we're going to talk about is:\NFirst of all, a short introduction
Dialogue: 0,0:01:42.39,0:01:45.63,Default,,0000,0000,0000,,into the motivation; why are we doing\Nthis? We are going through
Dialogue: 0,0:01:45.63,0:01:49.72,Default,,0000,0000,0000,,the architecture of Red Star; we are going\Nto show you the components in the core
Dialogue: 0,0:01:49.72,0:01:53.64,Default,,0000,0000,0000,,of the operating system itself; and then\Nwe will take a deep dive into
Dialogue: 0,0:01:53.64,0:01:57.44,Default,,0000,0000,0000,,the additional components, all of the\Nprograms that are coming from North Korea
Dialogue: 0,0:01:57.44,0:02:01.47,Default,,0000,0000,0000,,and are supplied with the ISO\Nof Red Star OS.
Dialogue: 0,0:02:01.47,0:02:06.50,Default,,0000,0000,0000,,After that, we are going to give you a\Ndeep dive into the most interesting features
Dialogue: 0,0:02:06.50,0:02:13.29,Default,,0000,0000,0000,,of Red Star OS; and then we will be able\Nto draw our own conclusions;
Dialogue: 0,0:02:13.29,0:02:16.07,Default,,0000,0000,0000,,and afterwards we will have time\Nfor questions, we hope.
Dialogue: 0,0:02:16.07,0:02:21.46,Default,,0000,0000,0000,,By the way, this picture on the left you\Ncan see here is actually one of the--
Dialogue: 0,0:02:21.46,0:02:28.58,Default,,0000,0000,0000,,I think it's the screensaver right from\NRed Star OS. {\i1}Laughter{\i0} So, um, yeah.
Dialogue: 0,0:02:28.58,0:02:32.85,Default,,0000,0000,0000,,So before we begin, we need to\Ndo this disclaimer:
Dialogue: 0,0:02:32.85,0:02:37.96,Default,,0000,0000,0000,,For your information we have never visited\Nthe DPRK, we have never been to North Korea.
Dialogue: 0,0:02:37.96,0:02:41.55,Default,,0000,0000,0000,,All we know about North Korea is from\Npublic sources, from the internet,
Dialogue: 0,0:02:41.55,0:02:47.45,Default,,0000,0000,0000,,from media, whatever. So what we are\Ngoing to say about North Korea
Dialogue: 0,0:02:47.45,0:02:52.59,Default,,0000,0000,0000,,has to be speculation because we don't\Nknow exactly what happens in North Korea.
Dialogue: 0,0:02:52.59,0:02:58.37,Default,,0000,0000,0000,,Also, the ISOs that we have been analysing\Nare found publicly available on
Dialogue: 0,0:02:58.37,0:03:02.50,Default,,0000,0000,0000,,the internet, [and] may be fake. We don't\Nthink that they are fake because
Dialogue: 0,0:03:02.50,0:03:09.34,Default,,0000,0000,0000,,Will Scott has shown last year at the 31C3\Nhow Red Star looks, and everything that
Dialogue: 0,0:03:09.34,0:03:15.72,Default,,0000,0000,0000,,he has been showing is basically in the\NISO, so we think it is legit.
Dialogue: 0,0:03:15.72,0:03:20.84,Default,,0000,0000,0000,,Remember that we are not going to make fun\Nof anybody in this talk. We are not going
Dialogue: 0,0:03:20.84,0:03:24.32,Default,,0000,0000,0000,,to make fun of the developers, and we are\Ncertainly not going to make fun of
Dialogue: 0,0:03:24.32,0:03:30.04,Default,,0000,0000,0000,,the people in the DPRK, because we think\Nthat our presentation might have some
Dialogue: 0,0:03:30.04,0:03:36.12,Default,,0000,0000,0000,,funny aspects or something that makes\Nyou laugh - which is perfectly fine - but
Dialogue: 0,0:03:36.12,0:03:41.89,Default,,0000,0000,0000,,looking at Red Star in detail is kind of a\Nsurveillance mess, I would say, and
Dialogue: 0,0:03:41.89,0:03:48.45,Default,,0000,0000,0000,,it's a security or privacy nightmare.\NSo keep these aspects in mind.
Dialogue: 0,0:03:48.45,0:03:51.85,Default,,0000,0000,0000,,Also, this talk is not going to focus\Non security. We're not going to talk
Dialogue: 0,0:03:51.85,0:03:56.01,Default,,0000,0000,0000,,about security. Many of the publications\Navailable on the internet are
Dialogue: 0,0:03:56.01,0:04:00.29,Default,,0000,0000,0000,,about security, and we're not going to\Nfocus on this in this presentation.
Dialogue: 0,0:04:00.29,0:04:06.85,Default,,0000,0000,0000,,So, why are we doing this? Red Star ISOs\Nhave been leaked some time ago; there is
Dialogue: 0,0:04:06.85,0:04:12.29,Default,,0000,0000,0000,,a version 2 hanging around the internet\Nand there is obviously a version 3.0
Dialogue: 0,0:04:12.29,0:04:17.10,Default,,0000,0000,0000,,which has been leaked at the end of 2014,\Nand we were quite surprised in the middle
Dialogue: 0,0:04:17.10,0:04:20.46,Default,,0000,0000,0000,,of the year that there is no in-depth\Nanalysis of this operating system.
Dialogue: 0,0:04:20.46,0:04:25.08,Default,,0000,0000,0000,,So most of the blogs and news articles that\Nyou can find out there are quite superficial,
Dialogue: 0,0:04:25.08,0:04:31.37,Default,,0000,0000,0000,,and this is kind of surprising because\Nif there is some kind of state that
Dialogue: 0,0:04:31.37,0:04:35.68,Default,,0000,0000,0000,,doesn't put focus on transparency and free\Nspeech, and they are putting out an
Dialogue: 0,0:04:35.68,0:04:41.42,Default,,0000,0000,0000,,operating system, you kind of want to know\Nhow they build their operating system.
Dialogue: 0,0:04:41.42,0:04:46.35,Default,,0000,0000,0000,,So that was one of the major aspects for\Nus to look into it. The other aspect was
Dialogue: 0,0:04:46.35,0:04:50.58,Default,,0000,0000,0000,,to find out what the state of\Nsoftware development in the DPRK is;
Dialogue: 0,0:04:50.58,0:04:58.52,Default,,0000,0000,0000,,how are they developing software? Do they\Nhave a well-thought-out architecture;
Dialogue: 0,0:04:58.52,0:05:04.23,Default,,0000,0000,0000,,are they thinking about what they are\Ndoing? What is the skill level of software
Dialogue: 0,0:05:04.23,0:05:08.67,Default,,0000,0000,0000,,development in North Korea?\NSo these were the two aspects that
Dialogue: 0,0:05:08.67,0:05:10.37,Default,,0000,0000,0000,,we wanted to find out.
Dialogue: 0,0:05:10.37,0:05:15.19,Default,,0000,0000,0000,,So if you look at previous work, as I said\Nthere is mostly superficial stuff.
Dialogue: 0,0:05:15.19,0:05:22.66,Default,,0000,0000,0000,,There is some information that Red Star OS\Nactually looks like Mac OS X, and we will
Dialogue: 0,0:05:22.66,0:05:27.13,Default,,0000,0000,0000,,go into this a little bit further.\NThen we have this talk from Will Scott
Dialogue: 0,0:05:27.13,0:05:31.44,Default,,0000,0000,0000,,last year at 31C3, who was talking about\NComputer Science in the DPRK, which was
Dialogue: 0,0:05:31.44,0:05:37.16,Default,,0000,0000,0000,,very, very interesting, and gave a pretty good\Ninsight into what's happening in the DPRK.
Dialogue: 0,0:05:37.16,0:05:44.35,Default,,0000,0000,0000,,And then we have a bunch of guys who\Nlooked into the browser of Red Star,
Dialogue: 0,0:05:44.35,0:05:46.32,Default,,0000,0000,0000,,which is also quite interesting.
Dialogue: 0,0:05:46.32,0:05:53.31,Default,,0000,0000,0000,,So what we are going to do now is--\NI'm going to show you the custom basic
Dialogue: 0,0:05:53.31,0:05:58.18,Default,,0000,0000,0000,,components; I'm going to talk a little bit\Nabout integrity on the system; then I will
Dialogue: 0,0:05:58.18,0:06:04.61,Default,,0000,0000,0000,,hand over to Niklaus who will be looking\Ninto the core and surveillance features;
Dialogue: 0,0:06:04.61,0:06:08.32,Default,,0000,0000,0000,,and then as I said, we will have time\Nfor questions afterwards.
Dialogue: 0,0:06:08.32,0:06:13.34,Default,,0000,0000,0000,,So there are different leaked versions out\Nthere, as I said. We have a desktop and
Dialogue: 0,0:06:13.34,0:06:19.32,Default,,0000,0000,0000,,a server version of Red Star, so you can\Nalso use Red Star as a server, and it
Dialogue: 0,0:06:19.32,0:06:23.43,Default,,0000,0000,0000,,turns out that server version 3 is\Nactually used on the internet right now.
Dialogue: 0,0:06:23.43,0:06:28.52,Default,,0000,0000,0000,,As you can see, there is a server\Nheader returned: "Red Star 3.0"
Dialogue: 0,0:06:28.52,0:06:32.75,Default,,0000,0000,0000,,This is an IP address of the server, and\Nit is pointing into North Korea.
Dialogue: 0,0:06:32.75,0:06:37.38,Default,,0000,0000,0000,,So this is one of the few websites that\Nis publicly facing the internet from
Dialogue: 0,0:06:37.38,0:06:44.26,Default,,0000,0000,0000,,North Korea, and they are obviously using\Nthe server version 3.0. So 3.0 might
Dialogue: 0,0:06:44.26,0:06:48.50,Default,,0000,0000,0000,,actually be the latest version.\NThere is another version, it's 2.0,
Dialogue: 0,0:06:48.50,0:06:53.55,Default,,0000,0000,0000,,which has also been leaked to the internet,\Nand then there is supposedly something
Dialogue: 0,0:06:53.55,0:07:02.14,Default,,0000,0000,0000,,that looks like 2.5; we have found some\NSouth Korean documents that seem to be
Dialogue: 0,0:07:02.14,0:07:08.91,Default,,0000,0000,0000,,analysing the system quite superficially,\Nand it looks like 2.5 actually resembles
Dialogue: 0,0:07:08.91,0:07:14.14,Default,,0000,0000,0000,,the look and feel of Windows XP. So you\Nkind of see this evolution right now from
Dialogue: 0,0:07:14.14,0:07:19.32,Default,,0000,0000,0000,,2.5 XP going to 3.0 mimicking Mac OS X.
Dialogue: 0,0:07:19.32,0:07:24.50,Default,,0000,0000,0000,,Our talk will focus on the\Ndesktop version which is desktop 3.0
Dialogue: 0,0:07:24.50,0:07:28.77,Default,,0000,0000,0000,,If you look at the timeline, which is\Na guess - there's no documentation available
Dialogue: 0,0:07:28.77,0:07:35.40,Default,,0000,0000,0000,,on how they did it, obviously - if you\Nlook at the 3.0 version you see that it is
Dialogue: 0,0:07:35.40,0:07:41.78,Default,,0000,0000,0000,,based on Fedora 11 which came out in 2009.\NSo our guess is they started developing 3.0
Dialogue: 0,0:07:41.78,0:07:48.03,Default,,0000,0000,0000,,in 2009 with this Fedora 11 release.\NThe kernel that they are using is 2.6.38
Dialogue: 0,0:07:48.03,0:07:55.84,Default,,0000,0000,0000,,which came out with Fedora 15 in 2011.\NSo it could be that the OS itself is
Dialogue: 0,0:07:55.84,0:08:00.76,Default,,0000,0000,0000,,a little bit older, the kernel is a little\Nbit newer, and the latest package build
Dialogue: 0,0:08:00.76,0:08:05.15,Default,,0000,0000,0000,,dates that you can see in\NRed Star OS date to June 2013.
Dialogue: 0,0:08:05.15,0:08:11.79,Default,,0000,0000,0000,,So our educated guess is that Red Star\Ncame out in June 2013 or a little bit later,
Dialogue: 0,0:08:11.79,0:08:13.94,Default,,0000,0000,0000,,a few weeks later or months later.
Dialogue: 0,0:08:13.94,0:08:18.22,Default,,0000,0000,0000,,In December 2014 we had the public leak,\Nso the ISOs have been leaked to the internet
Dialogue: 0,0:08:18.22,0:08:21.48,Default,,0000,0000,0000,,and are publicly available right now.
Dialogue: 0,0:08:21.48,0:08:26.45,Default,,0000,0000,0000,,If you look into the operating system,\Nit's basically a fully-featured desktop system
Dialogue: 0,0:08:26.45,0:08:31.15,Default,,0000,0000,0000,,as you might imagine. It's based on KDE\Nand Fedora as I already said, and it tries
Dialogue: 0,0:08:31.15,0:08:36.23,Default,,0000,0000,0000,,to mimic the look and feel of Mac OS X.\NYou have an e-mail client, a calendar,
Dialogue: 0,0:08:36.23,0:08:41.26,Default,,0000,0000,0000,,a word processor, you've got QuickTime and\Nall of that stuff. You even have a disk
Dialogue: 0,0:08:41.26,0:08:45.85,Default,,0000,0000,0000,,encryption utility that Will Scott\Nhas shown last year.
Dialogue: 0,0:08:45.85,0:08:51.63,Default,,0000,0000,0000,,They implemented additional kernel modules\Nand they touched a lot of kernel modules.
Dialogue: 0,0:08:51.63,0:08:55.18,Default,,0000,0000,0000,,They have this kernel module "rtscan"\Nwhich Niklaus is going to say a little bit
Dialogue: 0,0:08:55.18,0:09:00.12,Default,,0000,0000,0000,,more about, they have this kernel module\Ncalled "pilsung" - I was told this
Dialogue: 0,0:09:00.12,0:09:05.21,Default,,0000,0000,0000,,means "victory" in Korean - and that\Nkind of is a kernel module that supplies
Dialogue: 0,0:09:05.21,0:09:12.28,Default,,0000,0000,0000,,AES encryption. So they implemented their own\Nkernel module to supply something like AES.
Dialogue: 0,0:09:12.28,0:09:16.29,Default,,0000,0000,0000,,Then there is a kernel module called "kdm"\Nwhich is the Korean Display Module,
Dialogue: 0,0:09:16.29,0:09:20.96,Default,,0000,0000,0000,,and "kimm"-- {\i1}muffled laughter{\i0}\N--which is not what it's like--
Dialogue: 0,0:09:20.96,0:09:24.80,Default,,0000,0000,0000,,it's not looking-- {\i1}laughter{\i0}\NWell, I'll just go on.
Dialogue: 0,0:09:24.80,0:09:31.13,Default,,0000,0000,0000,,It basically just does something with\NKorean letters and displaying Korean
Dialogue: 0,0:09:31.13,0:09:35.25,Default,,0000,0000,0000,,letters on the screen.
Dialogue: 0,0:09:35.25,0:09:39.71,Default,,0000,0000,0000,,Red Star has been developed by the KCC,\Nthe Korean Computer Centre.
Dialogue: 0,0:09:39.71,0:09:46.72,Default,,0000,0000,0000,,It's quite interesting that a few\Nyears ago they had an office in Berlin.
Dialogue: 0,0:09:46.72,0:09:50.75,Default,,0000,0000,0000,,I don't know what they did there, but\Nthey obviously had an office in Berlin
Dialogue: 0,0:09:50.75,0:09:55.32,Default,,0000,0000,0000,,maybe for knowledge sharing, whatever.\NIf you look at the system hardening,
Dialogue: 0,0:09:55.32,0:09:58.48,Default,,0000,0000,0000,,it's quite interesting that they\Ntook care of system hardening.
Dialogue: 0,0:09:58.48,0:10:02.78,Default,,0000,0000,0000,,So they implemented SELinux rules with\Ncustom modules, they have iptables
Dialogue: 0,0:10:02.78,0:10:06.86,Default,,0000,0000,0000,,rolled out immediately so you don't have\Nto activate it or put your rules into it;
Dialogue: 0,0:10:06.86,0:10:11.64,Default,,0000,0000,0000,,the firewall is working. They even have\NSnort installed on the system.
Dialogue: 0,0:10:11.64,0:10:16.29,Default,,0000,0000,0000,,It's not running by default but they are\Nkind of delivering it by default, and they
Dialogue: 0,0:10:16.29,0:10:21.59,Default,,0000,0000,0000,,have a lot of custom services that we are\Ngoing to look into right now.
Dialogue: 0,0:10:21.59,0:10:25.88,Default,,0000,0000,0000,,Quite interesting is-- so why should\NNorth Korea mimic Mac OS X?
Dialogue: 0,0:10:25.88,0:10:30.15,Default,,0000,0000,0000,,That might be one reason right there:\Nbecause this young fella sitting on the left
Dialogue: 0,0:10:30.15,0:10:35.90,Default,,0000,0000,0000,,is actually using an iMac right here.\NSo this is one reason.
Dialogue: 0,0:10:35.90,0:10:40.70,Default,,0000,0000,0000,,So why should they implement their own\Noperating system? There actually are
Dialogue: 0,0:10:40.70,0:10:48.21,Default,,0000,0000,0000,,so-called anthologies put out by the leader,\Nand one anthology by Kim Jong-il says that
Dialogue: 0,0:10:48.21,0:10:54.22,Default,,0000,0000,0000,,- if you translate it correctly, and we\Ntry to - "in the process of programming,
Dialogue: 0,0:10:54.22,0:10:59.29,Default,,0000,0000,0000,,it is important to develop one in our own\Nstyle," and with "one" he means programs
Dialogue: 0,0:10:59.29,0:11:05.99,Default,,0000,0000,0000,,and operating systems. So there is this\Nclear guidance that North Korea should not
Dialogue: 0,0:11:05.99,0:11:11.62,Default,,0000,0000,0000,,rely on third-party Western operating\Nsystems and programs, they should
Dialogue: 0,0:11:11.62,0:11:15.29,Default,,0000,0000,0000,,develop this stuff on their own.\NAnd by looking at the code and everything
Dialogue: 0,0:11:15.29,0:11:19.47,Default,,0000,0000,0000,,that we have by Red Star OS, this is\Nexactly what they did. They touched
Dialogue: 0,0:11:19.47,0:11:24.26,Default,,0000,0000,0000,,nearly everything in the operating system,\Nchanged it a little bit, added custom code
Dialogue: 0,0:11:24.26,0:11:28.71,Default,,0000,0000,0000,,and so this is actually what they\Nare doing right there.
Dialogue: 0,0:11:28.71,0:11:34.06,Default,,0000,0000,0000,,The custom applications that you have are\Na browser, which translates to "my country."
Dialogue: 0,0:11:34.06,0:11:40.47,Default,,0000,0000,0000,,You also have a crypto tool that Will Scott\Nhas shown last year which is called Bokem
Dialogue: 0,0:11:40.47,0:11:44.23,Default,,0000,0000,0000,,which if you translate it kind of\Ntranslates to "sword."
Dialogue: 0,0:11:44.23,0:11:49.78,Default,,0000,0000,0000,,You have Sogwang Office which is an\NOpenOffice customised for North Korean use.
Dialogue: 0,0:11:49.78,0:11:53.92,Default,,0000,0000,0000,,A software manager; you have MusicScore\Nwhich is an application you can compose
Dialogue: 0,0:11:53.92,0:11:59.27,Default,,0000,0000,0000,,music with. Then you have a program which\Nis called "rootsetting" and it basically
Dialogue: 0,0:11:59.27,0:12:03.52,Default,,0000,0000,0000,,gives you root. So if you look into the\Ndocumentation, it says you are not
Dialogue: 0,0:12:03.52,0:12:07.52,Default,,0000,0000,0000,,supposed to have root on the system for\Nintegrity reasons, but if you want to get
Dialogue: 0,0:12:07.52,0:12:12.94,Default,,0000,0000,0000,,root you can use this tool, so they're not\Nhiding anything. So there are rumours
Dialogue: 0,0:12:12.94,0:12:16.11,Default,,0000,0000,0000,,on the net that say that you're not\Nsupposed to get root on the system
Dialogue: 0,0:12:16.11,0:12:21.37,Default,,0000,0000,0000,,because it's so locked down. This is not\Ntrue obviously because there is software
Dialogue: 0,0:12:21.37,0:12:24.14,Default,,0000,0000,0000,,intended to give you administrative privileges.
Dialogue: 0,0:12:24.14,0:12:30.24,Default,,0000,0000,0000,,They even touched KDM, so the code base\Nthat they touched is really, really big.
Dialogue: 0,0:12:30.24,0:12:32.76,Default,,0000,0000,0000,,Nearly the whole operating system.
Dialogue: 0,0:12:32.76,0:12:38.25,Default,,0000,0000,0000,,We are now going to give you a demo.\NThe first demo that we are doing, we are
Dialogue: 0,0:12:38.25,0:12:42.39,Default,,0000,0000,0000,,doing it right now, because we are\Nactually doing this presentation
Dialogue: 0,0:12:42.39,0:12:55.08,Default,,0000,0000,0000,,in Red Star OS.\N{\i1}Laughter and applause{\i0}
Dialogue: 0,0:12:55.08,0:12:58.99,Default,,0000,0000,0000,,So what you see right here is basically\NRed Star OS. We're going to show
Dialogue: 0,0:12:58.99,0:13:03.48,Default,,0000,0000,0000,,some of the aspects to you. There are many, many\Nscreenshots on the internet, some of you might already
Dialogue: 0,0:13:03.48,0:13:06.98,Default,,0000,0000,0000,,know how Red Star works, you might have\Nexperience yourself.
Dialogue: 0,0:13:06.98,0:13:09.60,Default,,0000,0000,0000,,We're just going over a few interesting issues.
Dialogue: 0,0:13:09.60,0:13:16.11,Default,,0000,0000,0000,,So as you have seen, there is a full-blown\Nset of word processing, PowerPoint
Dialogue: 0,0:13:16.11,0:13:22.15,Default,,0000,0000,0000,,presentation stuff. I'm going to open up\Nthe browser-- pfft, whatever. {\i1}Laughter{\i0}
Dialogue: 0,0:13:22.15,0:13:31.24,Default,,0000,0000,0000,,--and going into the preferences just to\Ngive you a quick-- no. {\i1}Muted laughter{\i0}
Dialogue: 0,0:13:31.24,0:13:38.58,Default,,0000,0000,0000,,Oh. {\i1}Laughter{\i0} Yeah, to give you an insight\Ninto the Certificate Authorities that are
Dialogue: 0,0:13:38.58,0:13:43.72,Default,,0000,0000,0000,,implemented in this Firefox version - it's\NFirefox 3 - so you see there are not so many
Dialogue: 0,0:13:43.72,0:13:50.74,Default,,0000,0000,0000,,Certificate Authorities right here, and\Nthey all are I guess from North Korea.
Dialogue: 0,0:13:50.74,0:13:55.78,Default,,0000,0000,0000,,So the browser is totally created to not\Nbe used outside of North Korea,
Dialogue: 0,0:13:55.78,0:14:04.17,Default,,0000,0000,0000,,which you can see in the URL bar.\NThere is an internal IP address
Dialogue: 0,0:14:04.17,0:14:08.63,Default,,0000,0000,0000,,which points into the network of\NNorth Korea, and all of the settings,
Dialogue: 0,0:14:08.63,0:14:11.94,Default,,0000,0000,0000,,proxy settings, hard-coded IP addresses,\Nor whatever, all point into this
Dialogue: 0,0:14:11.94,0:14:16.07,Default,,0000,0000,0000,,internal infrastructure of North Korea.\NSo this browser and the e-mail program
Dialogue: 0,0:14:16.07,0:14:19.38,Default,,0000,0000,0000,,were never intended to be used\Noutside of North Korea.
Dialogue: 0,0:14:19.38,0:14:22.90,Default,,0000,0000,0000,,{\i1}Pfft{\i0} Okay. {\i1}Laughter{\i0}\NWhat else do we have?
Dialogue: 0,0:14:22.90,0:14:29.00,Default,,0000,0000,0000,,Okay, we have a QuickTime player.\NSo speaking of Mac OS X,
Dialogue: 0,0:14:29.00,0:14:41.00,Default,,0000,0000,0000,,you all have seen this. Woo! Swoosh. Right?\NOkay, so that perfectly mimics Mac OS X.
Dialogue: 0,0:14:41.00,0:14:45.67,Default,,0000,0000,0000,,So let me try to find--\NI'll try with aplay right here.
Dialogue: 0,0:14:45.67,0:14:51.80,Default,,0000,0000,0000,,So this is the shell. Quite interesting is\Nthat when we were looking through
Dialogue: 0,0:14:51.80,0:14:57.31,Default,,0000,0000,0000,,all of this stuff, there is a bunch of\Nfiles that have a certain protection,
Dialogue: 0,0:14:57.31,0:15:00.42,Default,,0000,0000,0000,,and they seem to be pretty important\Nfor the system, and there is a
Dialogue: 0,0:15:00.42,0:15:06.63,Default,,0000,0000,0000,,wave file - an audio wave file - that\Nactually is protected.
Dialogue: 0,0:15:06.63,0:15:15.17,Default,,0000,0000,0000,,It's usr/lib/Warnning.wav;\NI don't know if we can hear this.
Dialogue: 0,0:15:15.17,0:15:19.00,Default,,0000,0000,0000,,I hope that your ears are not going to\Nexplode right now. I'll just try it.
Dialogue: 0,0:15:19.00,0:15:22.43,Default,,0000,0000,0000,,{\i1}Pig squealing{\i0}\NI'll try it again.
Dialogue: 0,0:15:22.43,0:15:25.87,Default,,0000,0000,0000,,{\i1}Pig squealing{\i0}\NYou hear that? {\i1}Laughter{\i0}
Dialogue: 0,0:15:25.87,0:15:28.74,Default,,0000,0000,0000,,{\i1}Pig squealing{\i0}\NDoes anybody know what this is?
Dialogue: 0,0:15:28.74,0:15:33.67,Default,,0000,0000,0000,,{\i1}Shouts of "pig" from audience{\i0}\NPardon me? Pig, exactly.
Dialogue: 0,0:15:33.67,0:15:36.43,Default,,0000,0000,0000,,And where is it coming from?\NDoes anybody know?
Dialogue: 0,0:15:36.43,0:15:39.97,Default,,0000,0000,0000,,That's stolen from Kaspersky antivirus,\Nbecause in the older version of
Dialogue: 0,0:15:39.97,0:15:45.34,Default,,0000,0000,0000,,Kaspersky antivirus if you find a virus\Nit actually will play this sound, and it's
Dialogue: 0,0:15:45.34,0:15:49.97,Default,,0000,0000,0000,,exactly the wav file from Kaspersky;\Nwe verified this by doing checksums, okay.
Dialogue: 0,0:15:49.97,0:16:03.31,Default,,0000,0000,0000,,{\i1}Laughter{\i0} So we have a copyright violation\Nright here. {\i1}Laughter and applause{\i0}
Dialogue: 0,0:16:03.31,0:16:07.77,Default,,0000,0000,0000,,So what else do we have? I've been talking\Nabout this, you can create your own music.
Dialogue: 0,0:16:07.77,0:16:12.63,Default,,0000,0000,0000,,I'm not going to do this now because\NI'm not good at making music.
Dialogue: 0,0:16:12.63,0:16:16.30,Default,,0000,0000,0000,,What else do we have? We have the browser.\NDid we want to show-- ah yeah.
Dialogue: 0,0:16:16.30,0:16:20.57,Default,,0000,0000,0000,,I'm going to show you one more thing.\NI'm not going to show you the encryption
Dialogue: 0,0:16:20.57,0:16:28.98,Default,,0000,0000,0000,,tool because Will Scott has done this\Nlast year, but to give you an insight into
Dialogue: 0,0:16:28.98,0:16:33.97,Default,,0000,0000,0000,,the crypto tool, it's pretty interesting.\NIf you look at the description of bokem3 -
Dialogue: 0,0:16:33.97,0:16:38.26,Default,,0000,0000,0000,,bokem is the tool that is used for disk\Nencryption, so it provides the user a tool
Dialogue: 0,0:16:38.26,0:16:42.47,Default,,0000,0000,0000,,to encrypt files or even the complete\Nhard drive - and if you look into
Dialogue: 0,0:16:42.47,0:16:49.73,Default,,0000,0000,0000,,the description it says "this allows the user\Nto store his/her privacy data with encrypted,"
Dialogue: 0,0:16:49.73,0:16:56.42,Default,,0000,0000,0000,,which is quite nice. I mean, we didn't\Nexpect to have something like this
Dialogue: 0,0:16:56.42,0:17:04.00,Default,,0000,0000,0000,,in Red Star. So the user can at least\Ntry to encrypt files.
Dialogue: 0,0:17:04.00,0:17:08.75,Default,,0000,0000,0000,,Bokem is using out-of-the-box crypto\Nthat comes with the kernel.
Dialogue: 0,0:17:08.75,0:17:14.24,Default,,0000,0000,0000,,It also uses pilsung, and we don't know\Nif there are any backdoors in it or not,
Dialogue: 0,0:17:14.24,0:17:19.85,Default,,0000,0000,0000,,so we have no idea if this is possible to\Ndecrypt with a master key or something.
Dialogue: 0,0:17:19.85,0:17:24.14,Default,,0000,0000,0000,,If you want to look into this, we would be\Nhappy if someone with big crypto
Dialogue: 0,0:17:24.14,0:17:32.75,Default,,0000,0000,0000,,experience would look into it.\NSo let me get back to the presentation.
Dialogue: 0,0:17:32.75,0:17:39.44,Default,,0000,0000,0000,,Ah! One thing I need to show you is this\Nred flag in the right corner, right here.
Dialogue: 0,0:17:39.44,0:17:46.41,Default,,0000,0000,0000,,If you look into this, and you translate -\NI didn't click the right one - if you are
Dialogue: 0,0:17:46.41,0:17:52.11,Default,,0000,0000,0000,,going to translate all of this, you will\Nfind that all of the strings and all of
Dialogue: 0,0:17:52.11,0:17:59.16,Default,,0000,0000,0000,,the text that you see right here, they\Nseem to be an antivirus scanner.
Dialogue: 0,0:17:59.16,0:18:03.51,Default,,0000,0000,0000,,So they even implemented from scratch\Nan antivirus scanner in Red Star OS.
Dialogue: 0,0:18:03.51,0:18:08.23,Default,,0000,0000,0000,,You can now select a folder or a file\Nand say run a check on the file,
Dialogue: 0,0:18:08.23,0:18:13.05,Default,,0000,0000,0000,,and if the file is actually a malicious\Nfile - we will come to that part later,
Dialogue: 0,0:18:13.05,0:18:17.87,Default,,0000,0000,0000,,what "malicious" is - it will instantly\Nbe deleted from the hard drive.
Dialogue: 0,0:18:17.87,0:18:25.26,Default,,0000,0000,0000,,So this is an interesting feature, having\Na virus scanner in a Linux OS.
Dialogue: 0,0:18:25.26,0:18:28.57,Default,,0000,0000,0000,,Okay so let's look at the custom\Ncomponents. We have been
Dialogue: 0,0:18:28.57,0:18:32.29,Default,,0000,0000,0000,,looking into the user space a little bit,\Nand all of the programs that come with it.
Dialogue: 0,0:18:32.29,0:18:37.40,Default,,0000,0000,0000,,There is far more stuff. Download the ISO,\Nplay around with it a little bit.
Dialogue: 0,0:18:37.40,0:18:41.61,Default,,0000,0000,0000,,First, change the language to English.\NYou will obviously not get far
Dialogue: 0,0:18:41.61,0:18:46.26,Default,,0000,0000,0000,,if your Korean is bad.\NSo change the language and
Dialogue: 0,0:18:46.26,0:18:48.03,Default,,0000,0000,0000,,play around with it a little bit.
Dialogue: 0,0:18:48.03,0:18:53.02,Default,,0000,0000,0000,,So Red Star comes with\Ninteresting packages.
Dialogue: 0,0:18:53.02,0:18:56.62,Default,,0000,0000,0000,,They touched KDE as I said.\NThey are getting out an integrity
Dialogue: 0,0:18:56.62,0:19:00.21,Default,,0000,0000,0000,,checker and a security daemon.\NThere are signature packages right here
Dialogue: 0,0:19:00.21,0:19:05.84,Default,,0000,0000,0000,,which Niklaus is going to talk about\Na little bit, there are policies for SELinux,
Dialogue: 0,0:19:05.84,0:19:11.28,Default,,0000,0000,0000,,and I'm going to talk about two of the\Nintegrity checking mechanisms that
Dialogue: 0,0:19:11.28,0:19:12.30,Default,,0000,0000,0000,,Red Star has.
Dialogue: 0,0:19:12.30,0:19:17.73,Default,,0000,0000,0000,,So by looking at Red Star, we saw that\None thing was pretty important to them:
Dialogue: 0,0:19:17.73,0:19:22.71,Default,,0000,0000,0000,,They wanted to preserve the integrity\Nof the system, and one way to do this
Dialogue: 0,0:19:22.71,0:19:27.14,Default,,0000,0000,0000,,is using this process right here,\Nit's called "intcheck."
Dialogue: 0,0:19:27.14,0:19:32.28,Default,,0000,0000,0000,,It comes with an SQLite database with\Nhashes of files on the system,
Dialogue: 0,0:19:32.28,0:19:36.92,Default,,0000,0000,0000,,like signatures for the system, and\Nyou can configure it from user space so
Dialogue: 0,0:19:36.92,0:19:40.77,Default,,0000,0000,0000,,it's not pretty hidden, it's pretty\Ntransparent to the user.
Dialogue: 0,0:19:40.77,0:19:44.66,Default,,0000,0000,0000,,I think there even comes a UI with it\Nwhere you can configure everything,
Dialogue: 0,0:19:44.66,0:19:48.54,Default,,0000,0000,0000,,and it's run at boot. It checks the files\Nand if it sees that the files have been
Dialogue: 0,0:19:48.54,0:19:52.35,Default,,0000,0000,0000,,manipulated or tampered with - if the\Nchecksum changes - then it will issue
Dialogue: 0,0:19:52.35,0:19:55.60,Default,,0000,0000,0000,,a warning to the user.\NSo you get a small popup that says,
Dialogue: 0,0:19:55.60,0:20:00.38,Default,,0000,0000,0000,,"this file has been tampered with," the\Nsecurity or the integrity of the system
Dialogue: 0,0:20:00.38,0:20:05.95,Default,,0000,0000,0000,,is not where it should be. So that's\Npretty much what this thing does.
Dialogue: 0,0:20:05.95,0:20:11.27,Default,,0000,0000,0000,,securityd is kind of interesting, because\Nsecurityd is also a process that is known
Dialogue: 0,0:20:11.27,0:20:18.09,Default,,0000,0000,0000,,to run under Mac OS X. I'm not a Mac user,\Nand I think that Mac OS X with securityd
Dialogue: 0,0:20:18.09,0:20:21.44,Default,,0000,0000,0000,,is keeping track of certificates\Nand stuff like that.
Dialogue: 0,0:20:21.44,0:20:26.91,Default,,0000,0000,0000,,So what they did is they reimplemented\Nsecurityd for Linux, and they included
Dialogue: 0,0:20:26.91,0:20:32.90,Default,,0000,0000,0000,,various plugins. One interesting issue\Nwith securityd is it comes with a library
Dialogue: 0,0:20:32.90,0:20:37.26,Default,,0000,0000,0000,,that provides a function called\Nvalidate_os(), and what this function does
Dialogue: 0,0:20:37.26,0:20:43.28,Default,,0000,0000,0000,,is it has a hard-coded list of files.\NYou can see like our wav file right here,
Dialogue: 0,0:20:43.28,0:20:48.93,Default,,0000,0000,0000,,you can see configuration files, and\Nautostart files for scnprc which is
Dialogue: 0,0:20:48.93,0:20:54.19,Default,,0000,0000,0000,,the antivirus scanner. So it checks if\Nthese files are untouched, and if
Dialogue: 0,0:20:54.19,0:20:59.02,Default,,0000,0000,0000,,these files have been tampered with it\Ninitiates a reboot instantly.
Dialogue: 0,0:20:59.02,0:21:03.50,Default,,0000,0000,0000,,So if you touch one of these files,\Nyour machine will reboot instantly.
Dialogue: 0,0:21:03.50,0:21:11.08,Default,,0000,0000,0000,,The same library is also used by KDM,\Nso during the startup process when KDM is
Dialogue: 0,0:21:11.08,0:21:15.82,Default,,0000,0000,0000,,starting it is also doing an integrity check,\Nand if it finds that one of these files has
Dialogue: 0,0:21:15.82,0:21:20.46,Default,,0000,0000,0000,,been tampered with it actually immediately\Nissues a reboot, and the problem is
Dialogue: 0,0:21:20.46,0:21:24.00,Default,,0000,0000,0000,,that if you start tampering with the system\Nyou will end up in reboot loops
Dialogue: 0,0:21:24.00,0:21:29.81,Default,,0000,0000,0000,,all of the time if you're doing research,\Nbecause once KDM is saying reboot
Dialogue: 0,0:21:29.81,0:21:33.45,Default,,0000,0000,0000,,the system, it's going to check it again\Nif it's rebooted and sees that it's
Dialogue: 0,0:21:33.45,0:21:36.66,Default,,0000,0000,0000,,still tampered with and it reboots again,\Nand again, and again, and then your
Dialogue: 0,0:21:36.66,0:21:40.00,Default,,0000,0000,0000,,system is basically dead.\NSo what they tried to do with intcheck
Dialogue: 0,0:21:40.00,0:21:45.86,Default,,0000,0000,0000,,and securityd is to try and protect certain files,\Nconserve the integrity of these files,
Dialogue: 0,0:21:45.86,0:21:50.60,Default,,0000,0000,0000,,and if these files get tampered with they\Nassume that it is better to have an
Dialogue: 0,0:21:50.60,0:21:55.28,Default,,0000,0000,0000,,operating system that you cannot work with\Nany more than to still let it run or
Dialogue: 0,0:21:55.28,0:22:00.22,Default,,0000,0000,0000,,issue any warning.\NSo integrity is one of the main aspects
Dialogue: 0,0:22:00.22,0:22:03.03,Default,,0000,0000,0000,,they were looking for in\Nimplementing Red Star.
Dialogue: 0,0:22:03.03,0:22:08.00,Default,,0000,0000,0000,,Okay, I will hand over to Niklaus and\Nhe will go into the guts and the
Dialogue: 0,0:22:08.00,0:22:12.50,Default,,0000,0000,0000,,surveillance features a little bit more.
Dialogue: 0,0:22:12.50,0:22:14.94,Default,,0000,0000,0000,,Niklaus Schiess: The most interesting\Nfeature-- package we found was this
Dialogue: 0,0:22:14.94,0:22:21.28,Default,,0000,0000,0000,,esig-cb package, which actually says\Nin the description that it's an
Dialogue: 0,0:22:21.28,0:22:26.79,Default,,0000,0000,0000,,"electronic signature system," but we\Nfound that it is doing a lot of weird stuff.
Dialogue: 0,0:22:26.79,0:22:30.57,Default,,0000,0000,0000,,This is actually one of the pictures\Nwhich is included in the package,
Dialogue: 0,0:22:30.57,0:22:34.42,Default,,0000,0000,0000,,which is also protected. We don't know\Nreally why, but it says something like
Dialogue: 0,0:22:34.42,0:22:38.30,Default,,0000,0000,0000,,"this is our copyright;"\Nand "don't break it;"
Dialogue: 0,0:22:38.30,0:22:41.02,Default,,0000,0000,0000,,and "don't copy it;" and stuff like that.
Dialogue: 0,0:22:41.02,0:22:45.56,Default,,0000,0000,0000,,But it's actually doing\Nsomething really different.
Dialogue: 0,0:22:45.56,0:22:49.50,Default,,0000,0000,0000,,It includes several pretty interesting files.\NWe have some configuration files,
Dialogue: 0,0:22:49.50,0:22:54.06,Default,,0000,0000,0000,,we have a kernel module, and we also\Nhave this redflag.bmp which is the
Dialogue: 0,0:22:54.06,0:22:57.82,Default,,0000,0000,0000,,picture you just saw, and we have the\Nwarning file, and we have some
Dialogue: 0,0:22:57.82,0:23:03.50,Default,,0000,0000,0000,,shared libraries, and we'll go now\Ninto details what these are actually doing.
Dialogue: 0,0:23:03.50,0:23:07.64,Default,,0000,0000,0000,,So the first thing we looked at was\Nbecause there is a kernel module
Dialogue: 0,0:23:07.64,0:23:11.89,Default,,0000,0000,0000,,loaded by default, and we thought\Nif you want to put some backdoors in it
Dialogue: 0,0:23:11.89,0:23:16.01,Default,,0000,0000,0000,,where would you want to put it?\NRight in the kernel module, probably.
Dialogue: 0,0:23:16.01,0:23:20.29,Default,,0000,0000,0000,,And what it does, it's actually just\Nhooking several system calls which
Dialogue: 0,0:23:20.29,0:23:26.63,Default,,0000,0000,0000,,provides a device which is actually\Ninterfaced to the kernel so you have
Dialogue: 0,0:23:26.63,0:23:30.50,Default,,0000,0000,0000,,different services running on a system\Nwho are actually talking to this
Dialogue: 0,0:23:30.50,0:23:33.73,Default,,0000,0000,0000,,kernel module via this device,\Nand it has some functionality like
Dialogue: 0,0:23:33.73,0:23:39.08,Default,,0000,0000,0000,,it can protect PIDs. So when you're\Nprotecting a specific process then
Dialogue: 0,0:23:39.08,0:23:42.43,Default,,0000,0000,0000,,even root cannot kill this process,\Nwhich will be quite interesting
Dialogue: 0,0:23:42.43,0:23:47.99,Default,,0000,0000,0000,,in the next slides. It also provides\Nfunctionality to on one side protect
Dialogue: 0,0:23:47.99,0:23:52.67,Default,,0000,0000,0000,,files, and on the other side to hide files.\NSo protect means you cannot edit
Dialogue: 0,0:23:52.67,0:23:56.04,Default,,0000,0000,0000,,the file, and hide means you\Ncannot even read the file.
Dialogue: 0,0:23:56.04,0:23:59.71,Default,,0000,0000,0000,,So even if you had root user,\Nyou can't even read those files.
Dialogue: 0,0:23:59.71,0:24:04.68,Default,,0000,0000,0000,,And on the right side is actually how\Nthe services are interacting with this
Dialogue: 0,0:24:04.68,0:24:10.84,Default,,0000,0000,0000,,kernel module, and this is one function which\Nmostly protects and hides the files
Dialogue: 0,0:24:10.84,0:24:15.52,Default,,0000,0000,0000,,which we just saw, which are included\Nin this esignature package.
Dialogue: 0,0:24:15.52,0:24:19.56,Default,,0000,0000,0000,,Then like Florian said, we have this\Nvirus scanner which at first glance
Dialogue: 0,0:24:19.56,0:24:25.20,Default,,0000,0000,0000,,at least looks like a virus scanner,\Nand this is this "scnprc" process.
Dialogue: 0,0:24:25.20,0:24:29.03,Default,,0000,0000,0000,,It provides a GUI to the user so it's\Nquite transparent so the user can see
Dialogue: 0,0:24:29.03,0:24:32.41,Default,,0000,0000,0000,,"okay, I have something that looks\Nlike a virus scanner, and I can also
Dialogue: 0,0:24:32.41,0:24:35.32,Default,,0000,0000,0000,,trigger some scans of\Ndifferent directories,"
Dialogue: 0,0:24:35.32,0:24:40.76,Default,,0000,0000,0000,,and it's started by kdeinit. So there's\Nthis scnprc desktop file which is
Dialogue: 0,0:24:40.76,0:24:45.55,Default,,0000,0000,0000,,quite interesting because what you\Nwant to do is disable it, but you
Dialogue: 0,0:24:45.55,0:24:48.22,Default,,0000,0000,0000,,cannot actually edit this file.\NSo as soon as you edit this file
Dialogue: 0,0:24:48.22,0:24:51.34,Default,,0000,0000,0000,,and save it, then the system\Nwill immediately reboot.
Dialogue: 0,0:24:51.34,0:24:54.48,Default,,0000,0000,0000,,So disabling it is not so easy.
Dialogue: 0,0:24:54.48,0:24:58.57,Default,,0000,0000,0000,,Like I already said, you have different\Nways of scanning. You can just click
Dialogue: 0,0:24:58.57,0:25:02.15,Default,,0000,0000,0000,,on a folder and say "scan this," but\Nalso if you for example plug in
Dialogue: 0,0:25:02.15,0:25:06.86,Default,,0000,0000,0000,,a USB stick into the system then it will\Nautomatically scan the files on the USB stick.
Dialogue: 0,0:25:06.86,0:25:11.61,Default,,0000,0000,0000,,And this scnprc service is actually\Nloading the kernel module, and
Dialogue: 0,0:25:11.61,0:25:15.52,Default,,0000,0000,0000,,it starts another service which is\Ncalled "opprc" which we are going to
Dialogue: 0,0:25:15.52,0:25:22.79,Default,,0000,0000,0000,,look in detail in a minute, and this is\Nalso quite interesting this next service.
Dialogue: 0,0:25:22.79,0:25:28.96,Default,,0000,0000,0000,,But the pattern matching, we looked into\Nthis a little bit and there's another
Dialogue: 0,0:25:28.96,0:25:34.73,Default,,0000,0000,0000,,package. So we have this esig-cb package\Nand you have esig-cb-db package which
Dialogue: 0,0:25:34.73,0:25:40.10,Default,,0000,0000,0000,,actually just provides this one single\N"AnGae" file. As far as we know,
Dialogue: 0,0:25:40.10,0:25:44.52,Default,,0000,0000,0000,,it means "fog" in Korean. And this is\Nbasically a signature file, or how the
Dialogue: 0,0:25:44.52,0:25:49.81,Default,,0000,0000,0000,,code references it a pattern file.\NIt's a file with a well-defined file format
Dialogue: 0,0:25:49.81,0:25:53.43,Default,,0000,0000,0000,,and it includes patterns which are\Nloaded into memory, and as soon as
Dialogue: 0,0:25:53.43,0:25:57.38,Default,,0000,0000,0000,,you are scanning a file it just checks if\Nthese patterns are matching and as soon
Dialogue: 0,0:25:57.38,0:26:02.31,Default,,0000,0000,0000,,as the patterns are matched then it\Nimmediately deletes the file and it
Dialogue: 0,0:26:02.31,0:26:08.63,Default,,0000,0000,0000,,plays the warning, and this is one of\Nthe hidden files so even if you get root
Dialogue: 0,0:26:08.63,0:26:12.04,Default,,0000,0000,0000,,privilege on the system you are not\Nable to actually read this file.
Dialogue: 0,0:26:12.04,0:26:15.54,Default,,0000,0000,0000,,So a user of the operating system won't\Nbe able to check "okay, what does it
Dialogue: 0,0:26:15.54,0:26:20.03,Default,,0000,0000,0000,,check and can I produce documents\Nwhich won't be detected by this"
Dialogue: 0,0:26:20.03,0:26:23.01,Default,,0000,0000,0000,,because you cannot actually read this file.
Dialogue: 0,0:26:23.01,0:26:31.37,Default,,0000,0000,0000,,We took a look into this. Most likely our\Nbest guess is that these contain--
Dialogue: 0,0:26:31.37,0:26:35.11,Default,,0000,0000,0000,,A lot of the files are little-endian so\Nyou always have to switch the bytes
Dialogue: 0,0:26:35.11,0:26:40.72,Default,,0000,0000,0000,,and we saw that it looks at least like\Nthey are UTF-16 strings with Korean,
Dialogue: 0,0:26:40.72,0:26:45.00,Default,,0000,0000,0000,,Chinese, and some other weird characters,\Nand if we put these in Google Translate
Dialogue: 0,0:26:45.00,0:26:49.72,Default,,0000,0000,0000,,then there are actually some pretty weird\Nand disturbing terms in those files.
Dialogue: 0,0:26:49.72,0:26:53.62,Default,,0000,0000,0000,,But we actually cannot confirm this.\NIt looks like they are actually not
Dialogue: 0,0:26:53.62,0:26:57.91,Default,,0000,0000,0000,,scanning for malware in the system, so\Nmost likely they are checking documents
Dialogue: 0,0:26:57.91,0:27:02.02,Default,,0000,0000,0000,,and if those documents match those\Npatterns then they are most likely--
Dialogue: 0,0:27:02.02,0:27:05.46,Default,,0000,0000,0000,,for example, governments don't want these\Nfiles to be distributed within the intranet
Dialogue: 0,0:27:05.46,0:27:07.85,Default,,0000,0000,0000,,of North Korea then it just\Ndeletes those files.
Dialogue: 0,0:27:07.85,0:27:12.20,Default,,0000,0000,0000,,But actually we cannot confirm this\Nbecause we are not quite sure if you
Dialogue: 0,0:27:12.20,0:27:17.57,Default,,0000,0000,0000,,put those strings in Google Translate that\Nthey are actually real translations.
Dialogue: 0,0:27:17.57,0:27:22.81,Default,,0000,0000,0000,,But you can always update these pattern\Nfiles, so on the one side scnprc has a
Dialogue: 0,0:27:22.81,0:27:26.61,Default,,0000,0000,0000,,built-in update process where it just\Nupdates the file itself, or you can just
Dialogue: 0,0:27:26.61,0:27:30.34,Default,,0000,0000,0000,,when you are doing operating system\Nupdate via your package manager
Dialogue: 0,0:27:30.34,0:27:35.81,Default,,0000,0000,0000,,and you update this esig-cb-db package\Nand you also get a brand new file.
Dialogue: 0,0:27:35.81,0:27:40.83,Default,,0000,0000,0000,,The interesting part of this is that the\Ndevelopers decide what is malicious.
Dialogue: 0,0:27:40.83,0:27:46.11,Default,,0000,0000,0000,,So it's not necessarily that "malicious"\Nmeans that it's malware, that it's
Dialogue: 0,0:27:46.11,0:27:52.18,Default,,0000,0000,0000,,bad for you, but somewhere the developers\Nand officials will actually say,
Dialogue: 0,0:27:52.18,0:27:55.56,Default,,0000,0000,0000,,"okay, we don't want those files\Ndistributed, just delete them
Dialogue: 0,0:27:55.56,0:27:57.98,Default,,0000,0000,0000,,"because we think they are malicious."
Dialogue: 0,0:27:57.98,0:28:02.80,Default,,0000,0000,0000,,There is this other service which I was\Nalso talking about, this "opprc."
Dialogue: 0,0:28:02.80,0:28:06.26,Default,,0000,0000,0000,,This is more interesting than the\Nvirus scanning itself.
Dialogue: 0,0:28:06.26,0:28:10.18,Default,,0000,0000,0000,,It's running in the background, so\Nactually a user will not see that there
Dialogue: 0,0:28:10.18,0:28:13.55,Default,,0000,0000,0000,,is actually another service running, you\Ndon't have any GUI or something like that,
Dialogue: 0,0:28:13.55,0:28:17.81,Default,,0000,0000,0000,,you cannot trick or something with this,\Nand this is one of the protected PIDs.
Dialogue: 0,0:28:17.81,0:28:23.75,Default,,0000,0000,0000,,So scnprc for example you can just kill\Nwith root privileges, but this is a process
Dialogue: 0,0:28:23.75,0:28:27.71,Default,,0000,0000,0000,,no one can kill on the system, and\Nthis is quite interesting because
Dialogue: 0,0:28:27.71,0:28:32.24,Default,,0000,0000,0000,,you cannot unload the kernel module\Nunless this service is killed, so they
Dialogue: 0,0:28:32.24,0:28:37.36,Default,,0000,0000,0000,,are actually protecting each other so that\Nno one can stop the services at all.
Dialogue: 0,0:28:37.36,0:28:40.66,Default,,0000,0000,0000,,And this service shares a lot of\Ncode with the scnprc.
Dialogue: 0,0:28:40.66,0:28:45.56,Default,,0000,0000,0000,,We just did some entropy checking\Nand saw okay-- I will talk in a minute
Dialogue: 0,0:28:45.56,0:28:51.61,Default,,0000,0000,0000,,when we are comparing more of these\Nfiles why we think that this looks
Dialogue: 0,0:28:51.61,0:28:55.02,Default,,0000,0000,0000,,pretty much the same, why they are\Nsharing so much code, because
Dialogue: 0,0:28:55.02,0:28:58.71,Default,,0000,0000,0000,,we found something interesting with\Nolder versions of those services.
Dialogue: 0,0:28:58.71,0:29:03.60,Default,,0000,0000,0000,,But the most interesting thing this\Nservice is doing is it watermarks files.
Dialogue: 0,0:29:03.60,0:29:07.63,Default,,0000,0000,0000,,And now we are going to look deeper\Ninto what this watermarking means.
Dialogue: 0,0:29:07.63,0:29:11.85,Default,,0000,0000,0000,,So actually as soon as this system is\Nstarted, it reads your hard disk serial
Dialogue: 0,0:29:11.85,0:29:15.66,Default,,0000,0000,0000,,and then scrambles it a little bit,\Nand as soon as you are for example
Dialogue: 0,0:29:15.66,0:29:20.74,Default,,0000,0000,0000,,plugging a USB stick into your system\Nthen it will trigger a watermarking
Dialogue: 0,0:29:20.74,0:29:25.08,Default,,0000,0000,0000,,process where it takes the serial,\Ntakes a hard-coded DES key from
Dialogue: 0,0:29:25.08,0:29:28.85,Default,,0000,0000,0000,,the binary itself, and then encrypts\Nit and then puts it into your file.
Dialogue: 0,0:29:28.85,0:29:35.05,Default,,0000,0000,0000,,And when you are converting this hex key\Ninto a decimal representation then you
Dialogue: 0,0:29:35.05,0:29:39.41,Default,,0000,0000,0000,,see that it is actually two dates.\NWe actually cannot confirm what
Dialogue: 0,0:29:39.41,0:29:45.12,Default,,0000,0000,0000,,those two dates mean, but one of those\Nmatches Madonna's birth date, and
Dialogue: 0,0:29:45.12,0:29:51.01,Default,,0000,0000,0000,,there are rumours that some people in\NNorth Korea might really like Madonna.
Dialogue: 0,0:29:51.01,0:29:57.53,Default,,0000,0000,0000,,This is just speculation, but if you have a\Nbetter conspiracy theory then just let us know.
Dialogue: 0,0:29:57.53,0:30:01.89,Default,,0000,0000,0000,,Because we found some pretty interesting\Nstuff, but we cannot confirm this.
Dialogue: 0,0:30:01.89,0:30:07.42,Default,,0000,0000,0000,,So technically the watermarks have an\NASCII EOF appended, which is most likely
Dialogue: 0,0:30:07.42,0:30:11.20,Default,,0000,0000,0000,,used by the code itself to parse\Nthe files and see if there's already
Dialogue: 0,0:30:11.20,0:30:15.69,Default,,0000,0000,0000,,a watermark in there, and for JPEG\Nand AVI files, for example, it just
Dialogue: 0,0:30:15.69,0:30:20.33,Default,,0000,0000,0000,,appends this watermark to the end of the\Nfile, and when you have a DOCX for example
Dialogue: 0,0:30:20.33,0:30:24.00,Default,,0000,0000,0000,,it just appends it near the header where\Nthere are a bunch of null bytes, and then
Dialogue: 0,0:30:24.00,0:30:27.61,Default,,0000,0000,0000,,it just puts it in there.
Dialogue: 0,0:30:27.61,0:30:32.32,Default,,0000,0000,0000,,So the watermarking itself is as soon as\Nyou open a document file with Office then
Dialogue: 0,0:30:32.32,0:30:38.31,Default,,0000,0000,0000,,it will be watermarked, and actually they\Nhave code which watermarks files even if
Dialogue: 0,0:30:38.31,0:30:43.77,Default,,0000,0000,0000,,you don't open those files, but as soon\Nas we saw this-- it's pretty buggy.
Dialogue: 0,0:30:43.77,0:30:48.35,Default,,0000,0000,0000,,It doesn't work every time, but they have\Ncode for this implemented, and mostly
Dialogue: 0,0:30:48.35,0:30:54.36,Default,,0000,0000,0000,,it works but sometimes it just fails.\NThe supported types that we can confirm
Dialogue: 0,0:30:54.36,0:31:01.76,Default,,0000,0000,0000,,are DOCX files, image files like JPEG and\NPNG and AVI video files. But the code
Dialogue: 0,0:31:01.76,0:31:06.72,Default,,0000,0000,0000,,indicates there are several more file\Ntypes available for watermarking, but
Dialogue: 0,0:31:06.72,0:31:11.38,Default,,0000,0000,0000,,we most likely didn't look into this.\NBut the most interesting thing here
Dialogue: 0,0:31:11.38,0:31:16.86,Default,,0000,0000,0000,,is that only media files are affected.\NSo they don't watermark any binaries
Dialogue: 0,0:31:16.86,0:31:22.95,Default,,0000,0000,0000,,or something like that, they are reducing\Ntheir surface to files which could be used
Dialogue: 0,0:31:22.95,0:31:31.30,Default,,0000,0000,0000,,to carry information, which could be used\Nto put out information for free speech
Dialogue: 0,0:31:31.30,0:31:36.25,Default,,0000,0000,0000,,purposes, and actually what we think is\Nthat this is not a security feature.
Dialogue: 0,0:31:36.25,0:31:40.58,Default,,0000,0000,0000,,So they are actually trying to watermark\Nfree speech in general, so that every time
Dialogue: 0,0:31:40.58,0:31:46.56,Default,,0000,0000,0000,,you have a document file, an image, or\Na video file, then they want to know who
Dialogue: 0,0:31:46.56,0:31:52.49,Default,,0000,0000,0000,,had this file and they watermark it so\Nthey can track the origin of the file.
Dialogue: 0,0:31:52.49,0:32:00.09,Default,,0000,0000,0000,,We have a short demo where you can see\Nfor example I have a USB stick.
Dialogue: 0,0:32:00.09,0:32:09.61,Default,,0000,0000,0000,,Let me put it in my system.
Dialogue: 0,0:32:09.61,0:32:15.13,Default,,0000,0000,0000,,There is a file on the USB stick which\Nis a love letter from Kim, and it has
Dialogue: 0,0:32:15.13,0:32:21.38,Default,,0000,0000,0000,,a checksum which starts with "529", and\Nas soon as I plug this into the system--
Dialogue: 0,0:32:21.38,0:32:34.74,Default,,0000,0000,0000,,I hope that it will notice this.
Dialogue: 0,0:32:34.74,0:32:38.74,Default,,0000,0000,0000,,You can see okay, it recognised something\Nlike a USB stick on the system, but I won't
Dialogue: 0,0:32:38.74,0:32:55.22,Default,,0000,0000,0000,,open it, and I won't open any file on the\NUSB stick. I just will eject it.
Dialogue: 0,0:32:55.22,0:33:03.36,Default,,0000,0000,0000,,I hope that it works.\NWill it actually open?
Dialogue: 0,0:33:03.36,0:33:07.41,Default,,0000,0000,0000,,This is what I meant, that it's kind of\Nbuggy, so it doesn't always work with
Dialogue: 0,0:33:07.41,0:33:12.72,Default,,0000,0000,0000,,the watermarking, but most likely if you\Nopen the file itself then it will work.
Dialogue: 0,0:33:12.72,0:33:17.52,Default,,0000,0000,0000,,I guess we didn't have the case that it\Ndoesn't work when you open it. [sic]
Dialogue: 0,0:33:17.52,0:33:28.69,Default,,0000,0000,0000,,--which then opens Office, and I close\Nit again and-- just close this.
Dialogue: 0,0:33:28.69,0:33:33.86,Default,,0000,0000,0000,,Go back, and then hopefully if we mount\Nthis again then you can see it has
Dialogue: 0,0:33:33.86,0:33:39.25,Default,,0000,0000,0000,,been changed. So we didn't change anything\Nin the file, it was just the operating system
Dialogue: 0,0:33:39.25,0:33:44.35,Default,,0000,0000,0000,,who's changing files, and this was\Ninitially the part where we started to
Dialogue: 0,0:33:44.35,0:33:47.57,Default,,0000,0000,0000,,look into this more deeply because we\Nthought an operating system who is
Dialogue: 0,0:33:47.57,0:33:57.22,Default,,0000,0000,0000,,just changing files when you are plugging\Ninto the system is kind of annoying.
Dialogue: 0,0:33:57.22,0:34:00.69,Default,,0000,0000,0000,,Just to make this easier for you--\NSo what it actually does in the file,
Dialogue: 0,0:34:00.69,0:34:04.57,Default,,0000,0000,0000,,we have here the header of the file\Nwhich is a document, a DOCX file,
Dialogue: 0,0:34:04.57,0:34:09.09,Default,,0000,0000,0000,,and it just added this string which is\Nmarked right here. This is actually
Dialogue: 0,0:34:09.09,0:34:13.65,Default,,0000,0000,0000,,the watermark it's putting in there.\NOpposite there you can see the plaintext
Dialogue: 0,0:34:13.65,0:34:17.68,Default,,0000,0000,0000,,which is actually encrypted and then\Nput into the file, and the serial starts
Dialogue: 0,0:34:17.68,0:34:23.44,Default,,0000,0000,0000,,with "B48" so every time it puts the\Nserial into the file, it prefixes it with
Dialogue: 0,0:34:23.44,0:34:24.98,Default,,0000,0000,0000,,"WM"
Dialogue: 0,0:34:24.98,0:34:29.100,Default,,0000,0000,0000,,we think stands for "watermark" probably,\Nand you can see the EOF at the end of
Dialogue: 0,0:34:29.100,0:34:35.40,Default,,0000,0000,0000,,the file. This allows basically everyone\Nwho can access this file, who can
Dialogue: 0,0:34:35.40,0:34:40.68,Default,,0000,0000,0000,,decrypt this watermark which is actually\Nencoded with the hard-coded key,
Dialogue: 0,0:34:40.68,0:34:45.99,Default,,0000,0000,0000,,so pretty much everyone who has access\Nto this ISO can get this key and can
Dialogue: 0,0:34:45.99,0:34:51.32,Default,,0000,0000,0000,,decrypt this. And this allows you to\Nreally track back the origin of the file,
Dialogue: 0,0:34:51.32,0:34:54.19,Default,,0000,0000,0000,,where it came from.
Dialogue: 0,0:34:54.19,0:35:00.59,Default,,0000,0000,0000,,But there is a pretty funny example.\NSo imagine you have this picture, and
Dialogue: 0,0:35:00.59,0:35:05.13,Default,,0000,0000,0000,,you are inside North Korea and you think\N"okay, this is pretty cool, and I want to
Dialogue: 0,0:35:05.13,0:35:09.16,Default,,0000,0000,0000,,distribute this to all of my friends."\NSo you think "okay, they might be
Dialogue: 0,0:35:09.16,0:35:12.47,Default,,0000,0000,0000,,intercepting all of my e-mail and my\Nbrowser communication," so you put it
Dialogue: 0,0:35:12.47,0:35:16.24,Default,,0000,0000,0000,,on a USB stick and give it to your friends\Nso that you think, "okay, no-one actually
Dialogue: 0,0:35:16.24,0:35:22.76,Default,,0000,0000,0000,,on the internet can access this file"\Nand you give it to someone else.
Dialogue: 0,0:35:22.76,0:35:26.68,Default,,0000,0000,0000,,Then at the beginning we have this\Nsituation, where this is the original file.
Dialogue: 0,0:35:26.68,0:35:31.90,Default,,0000,0000,0000,,This is the end of the JPEG file - which\Nby definition always ends with an "FF D9"
Dialogue: 0,0:35:31.90,0:35:37.02,Default,,0000,0000,0000,,hexadecimal - and as soon as you give this\Nto your friend and he plugs the USB stick
Dialogue: 0,0:35:37.02,0:35:42.02,Default,,0000,0000,0000,,into his computer which is running Red\NStar OS, then the file will actually
Dialogue: 0,0:35:42.02,0:35:45.80,Default,,0000,0000,0000,,change and it will look like this.\NSo for JPEG files, as I said it just
Dialogue: 0,0:35:45.80,0:35:49.64,Default,,0000,0000,0000,,appends the watermark to the end of\Nthe file. So you can see the "FF D9," this
Dialogue: 0,0:35:49.64,0:35:53.89,Default,,0000,0000,0000,,is the actual end of the image file, and\Nthey're appending the watermark there,
Dialogue: 0,0:35:53.89,0:35:57.51,Default,,0000,0000,0000,,like you can see with the EOF.\NBut where it gets interesting
Dialogue: 0,0:35:57.51,0:36:02.14,Default,,0000,0000,0000,,is when your friend is actually\Ndistributing the file to another friend.
Dialogue: 0,0:36:02.14,0:36:06.92,Default,,0000,0000,0000,,So what Red Star OS is actually doing,\Nit appends also the watermark of your
Dialogue: 0,0:36:06.92,0:36:09.93,Default,,0000,0000,0000,,third friend. {\i1}Slight laughter{\i0}\NSo what you then can do--
Dialogue: 0,0:36:09.93,0:36:14.88,Default,,0000,0000,0000,,If you technically combine this together,\Nthen you can see not only where the file
Dialogue: 0,0:36:14.88,0:36:19.12,Default,,0000,0000,0000,,has its origins, but you can also track\Neach and everyone who had this file
Dialogue: 0,0:36:19.12,0:36:24.50,Default,,0000,0000,0000,,and who distributed this file, and with\Nthis knowledge you might be able to
Dialogue: 0,0:36:24.50,0:36:29.08,Default,,0000,0000,0000,,construct something like this, where you\Ncan track the distribution of all of the
Dialogue: 0,0:36:29.08,0:36:33.15,Default,,0000,0000,0000,,media files which are distributed\Nover the intranet in North Korea.
Dialogue: 0,0:36:33.15,0:36:37.05,Default,,0000,0000,0000,,You can see then in the centre we have\Nthis one really weird guy who is always
Dialogue: 0,0:36:37.05,0:36:41.77,Default,,0000,0000,0000,,distributing images that we don't like,\Nand you can see also who gets these files
Dialogue: 0,0:36:41.77,0:36:45.30,Default,,0000,0000,0000,,and trace it back to all of the persons\Nwho ever had this file, and then you
Dialogue: 0,0:36:45.30,0:36:49.50,Default,,0000,0000,0000,,can just go home to him and then shut\Nhim down and take his computer.
Dialogue: 0,0:36:49.50,0:36:54.86,Default,,0000,0000,0000,,And we have actually not seen any\Nfunctionality, but probably there is
Dialogue: 0,0:36:54.86,0:36:58.51,Default,,0000,0000,0000,,functionality in the system implemented\Nwhere it always sends your hard disk
Dialogue: 0,0:36:58.51,0:37:04.57,Default,,0000,0000,0000,,serial to their servers, so the OS can\Nprobably be able to match your IP
Dialogue: 0,0:37:04.57,0:37:07.76,Default,,0000,0000,0000,,address to your hard disk serial, and\Nthen they don't even have to go to your
Dialogue: 0,0:37:07.76,0:37:12.60,Default,,0000,0000,0000,,home and get to your computer and check\Nyour hard disk serial, they just can do
Dialogue: 0,0:37:12.60,0:37:16.28,Default,,0000,0000,0000,,this remotely and can check all of the\Ndistribution of all malicious media files
Dialogue: 0,0:37:16.28,0:37:21.73,Default,,0000,0000,0000,,within the intranet of North Korea.
Dialogue: 0,0:37:21.73,0:37:27.21,Default,,0000,0000,0000,,What we thought is pretty hard for someone\Nwho doesn't have access to a system other
Dialogue: 0,0:37:27.21,0:37:31.70,Default,,0000,0000,0000,,than Red Star OS, who just has this one\Nsystem, and tries to disable all of this
Dialogue: 0,0:37:31.70,0:37:35.21,Default,,0000,0000,0000,,malicious functionality like the virus\Nscanning that can delete all of your files
Dialogue: 0,0:37:35.21,0:37:40.62,Default,,0000,0000,0000,,that someone else doesn't like, or the\Nwatermarking/the tracking of those files.
Dialogue: 0,0:37:40.62,0:37:44.57,Default,,0000,0000,0000,,And this is actually quite hard, because\Nsome of those services are depending
Dialogue: 0,0:37:44.57,0:37:49.47,Default,,0000,0000,0000,,on each other and can only be killed\Nwhen the other service is not running.
Dialogue: 0,0:37:49.47,0:37:53.70,Default,,0000,0000,0000,,So what you actually have to do is you\Nhave to get root privileges, and then you
Dialogue: 0,0:37:53.70,0:37:58.24,Default,,0000,0000,0000,,have to kill those two integrity checking\Ndaemons which Florian was talking about
Dialogue: 0,0:37:58.24,0:38:02.82,Default,,0000,0000,0000,,so that it doesn't always reboot the\Nsystem when you're changing anything.
Dialogue: 0,0:38:02.82,0:38:07.53,Default,,0000,0000,0000,,Then you can, via ioctl calls to the kernel\Nmodule, just say "disable" because
Dialogue: 0,0:38:07.53,0:38:10.89,Default,,0000,0000,0000,,it has this nice feature where you can\Nenable and disable it, and then you
Dialogue: 0,0:38:10.89,0:38:18.39,Default,,0000,0000,0000,,can kill scnprc, opprc, and the\Nbest thing you can do is--
Dialogue: 0,0:38:18.39,0:38:23.61,Default,,0000,0000,0000,,Weirdly, the libos file is not protected\Nby anyone, so you can just exchange
Dialogue: 0,0:38:23.61,0:38:27.70,Default,,0000,0000,0000,,this with a validate_os() function which\Nalways returns 1 which says everything
Dialogue: 0,0:38:27.70,0:38:31.56,Default,,0000,0000,0000,,is fine, and then at the end you can\Ndelete the desktop file which is used
Dialogue: 0,0:38:31.56,0:38:35.83,Default,,0000,0000,0000,,by kdeinit to start all of these\Nprocesses, and then you are fine.
Dialogue: 0,0:38:35.83,0:38:38.88,Default,,0000,0000,0000,,And we don't think that actually anyone\Nin North Korea who only has access
Dialogue: 0,0:38:38.88,0:38:43.78,Default,,0000,0000,0000,,to this one system-- It will be extremely\Nhard to figure all of this out and
Dialogue: 0,0:38:43.78,0:38:48.60,Default,,0000,0000,0000,,to completely disable it. So they did\Na pretty good job in building an
Dialogue: 0,0:38:48.60,0:38:53.66,Default,,0000,0000,0000,,architecture which is quite self-protecting,\Nand they put a lot of effort into it
Dialogue: 0,0:38:53.66,0:39:01.18,Default,,0000,0000,0000,,to just prevent you from disabling all of\Nthe malicious functionality.
Dialogue: 0,0:39:01.18,0:39:07.06,Default,,0000,0000,0000,,We also took a quick look on the second\Nversion of Red Star OS, just to compare
Dialogue: 0,0:39:07.06,0:39:12.52,Default,,0000,0000,0000,,some of those services, and there we can\Nsee there is quite an evolution from the
Dialogue: 0,0:39:12.52,0:39:19.39,Default,,0000,0000,0000,,older version to the current version.\NThe thing which I was talking about,
Dialogue: 0,0:39:19.39,0:39:22.73,Default,,0000,0000,0000,,that the binaries are quite similar,\Nis that in the older version they used
Dialogue: 0,0:39:22.73,0:39:27.20,Default,,0000,0000,0000,,a lot of shared libraries, and in the\Ncurrent version they statically linked
Dialogue: 0,0:39:27.20,0:39:32.86,Default,,0000,0000,0000,,a lot of code into the binaries themselves\Neven if they don't use it, so the codebase
Dialogue: 0,0:39:32.86,0:39:38.61,Default,,0000,0000,0000,,looks quite the same. And the chain of\Nstarting the processes is a little bit
Dialogue: 0,0:39:38.61,0:39:44.11,Default,,0000,0000,0000,,different, so they put a lot in the init\Nprocess which will be started at first
Dialogue: 0,0:39:44.11,0:39:48.78,Default,,0000,0000,0000,,and not like this depending-on-each-other\Ninfrastructure which they have in the
Dialogue: 0,0:39:48.78,0:39:52.88,Default,,0000,0000,0000,,current version. In the current version\Nthey also have a lot of problems with
Dialogue: 0,0:39:52.88,0:39:57.45,Default,,0000,0000,0000,,file privileges, so privilege escalations\Nwould be pretty easy, even if you don't
Dialogue: 0,0:39:57.45,0:40:02.92,Default,,0000,0000,0000,,have this root setting file. But also they\Nhave a lot of binaries that are just
Dialogue: 0,0:40:02.92,0:40:07.75,Default,,0000,0000,0000,,setting that everyone can read and write\Nthis interface to the kernel module,
Dialogue: 0,0:40:07.75,0:40:11.26,Default,,0000,0000,0000,,which basically allows you even as a\Nnon-root user to disable the kernel
Dialogue: 0,0:40:11.26,0:40:14.74,Default,,0000,0000,0000,,module, and then you can kill all of the\Nbinaries but you cannot actually delete
Dialogue: 0,0:40:14.74,0:40:19.50,Default,,0000,0000,0000,,something because it will then\Nend up in the reboot loop.
Dialogue: 0,0:40:19.50,0:40:23.90,Default,,0000,0000,0000,,And when you are doing something malicious\Nthen the OS reboots, in the older version
Dialogue: 0,0:40:23.90,0:40:29.56,Default,,0000,0000,0000,,it just shuts down the system, so we\Nthought this is a pretty interesting thing.
Dialogue: 0,0:40:29.56,0:40:34.63,Default,,0000,0000,0000,,And we think, and we saw, that there's\Na more advanced watermarking
Dialogue: 0,0:40:34.63,0:40:38.98,Default,,0000,0000,0000,,technique in there which is not just\Nappending watermarks into the files
Dialogue: 0,0:40:38.98,0:40:43.13,Default,,0000,0000,0000,,but it looks like they are doing, for\Nvideo and audio files at least,
Dialogue: 0,0:40:43.13,0:40:47.17,Default,,0000,0000,0000,,something like they are putting the\Nwatermarks as filters on the files.
Dialogue: 0,0:40:47.17,0:40:51.95,Default,,0000,0000,0000,,So this will be a little bit harder to\Nactually see those watermarks
Dialogue: 0,0:40:51.95,0:40:55.38,Default,,0000,0000,0000,,and read those watermarks, because it\Nis not so obvious like when you have
Dialogue: 0,0:40:55.38,0:40:58.87,Default,,0000,0000,0000,,this "EOF" string at the end which\Nis always quite weird.
Dialogue: 0,0:40:58.87,0:41:03.80,Default,,0000,0000,0000,,But it uses this "/usr/lib/organ" file\Nwhich is actually not present on the
Dialogue: 0,0:41:03.80,0:41:08.66,Default,,0000,0000,0000,,ISO we had. We're going to talk about\Nthis in the conclusion why we think
Dialogue: 0,0:41:08.66,0:41:12.36,Default,,0000,0000,0000,,this might not be there, but it's\Nactually not available. It's referenced
Dialogue: 0,0:41:12.36,0:41:17.56,Default,,0000,0000,0000,,a lot in the code, but we actually\Nhaven't had this file and unfortunately
Dialogue: 0,0:41:17.56,0:41:21.88,Default,,0000,0000,0000,,we couldn't look into this more deeply.
Dialogue: 0,0:41:21.88,0:41:27.78,Default,,0000,0000,0000,,So what we didn't find were quite obvious\Nbackdoors which we thought would be
Dialogue: 0,0:41:27.78,0:41:34.82,Default,,0000,0000,0000,,in place, and that they would be pretty\Neasy to spot. But we didn't see any of those.
Dialogue: 0,0:41:34.82,0:41:38.63,Default,,0000,0000,0000,,It doesn't mean that there are no\Nbackdoors, but we have some
Dialogue: 0,0:41:38.63,0:41:44.55,Default,,0000,0000,0000,,speculations for this, and one of these\Nis that like we saw at the beginning of
Dialogue: 0,0:41:44.55,0:41:48.02,Default,,0000,0000,0000,,the talk that there are actually systems\Non the internet running this version
Dialogue: 0,0:41:48.02,0:41:52.21,Default,,0000,0000,0000,,of Red Star OS, so it would be pretty\Nweird if they would backdoor a system
Dialogue: 0,0:41:52.21,0:41:57.51,Default,,0000,0000,0000,,and then put it on the internet.\NAs far as someone gets the ISO file,
Dialogue: 0,0:41:57.51,0:42:03.56,Default,,0000,0000,0000,,and can look for backdoors and can find\Nsome of them, they would be actually
Dialogue: 0,0:42:03.56,0:42:07.44,Default,,0000,0000,0000,,able to exploit the system\Nfrom the internet.
Dialogue: 0,0:42:07.44,0:42:12.63,Default,,0000,0000,0000,,Actually the system has a package manager\Nand as we saw with the pattern file Dialogue: 0,0:42:12.63,0:42:17.60,Default,,0000,0000,0000,,it has built-in update functionality and\Ndifferent services, so backdoors could Dialogue: 0,0:42:17.60,0:42:22.34,Default,,0000,0000,0000,,just be loaded via updates\Nbecause probably they thought Dialogue: 0,0:42:22.34,0:42:27.22,Default,,0000,0000,0000,,"okay, these ISOs might be leaked into\Nthe outside world" and you just get Dialogue: 0,0:42:27.22,0:42:33.02,Default,,0000,0000,0000,,an ISO, install it, update your system -\Nwhich is only possible from within the Dialogue: 0,0:42:33.02,0:42:39.17,Default,,0000,0000,0000,,intranet of North Korea, with hard coded\Ninternal IP addresses - so probably they Dialogue: 0,0:42:39.17,0:42:43.42,Default,,0000,0000,0000,,thought "we only want our backdoors on\Nthe systems which are actually located Dialogue: 0,0:42:43.42,0:42:47.69,Default,,0000,0000,0000,,within North Korea." Dialogue: 0,0:42:47.69,0:42:55.100,Default,,0000,0000,0000,,This is what we thought, that they thought\Nthe ISO might be leaked, which is what Dialogue: 0,0:42:55.100,0:43:00.44,Default,,0000,0000,0000,,actually happened. Another problem\Nis that, like Florian already said, they Dialogue: 0,0:43:00.44,0:43:05.50,Default,,0000,0000,0000,,will touch a lot of code within the\Noperating system and we didn't manage Dialogue: 0,0:43:05.50,0:43:09.90,Default,,0000,0000,0000,,to check all of the code. We mostly\Nfocused on the watermarking and the Dialogue: 0,0:43:09.90,0:43:14.97,Default,,0000,0000,0000,,virus scanning stuff, and there might be a\Nlot of code that should be checked further. Dialogue: 0,0:43:14.97,0:43:21.79,Default,,0000,0000,0000,,The conclusion also is that the system's\Nquite self-protecting. 
They not only Dialogue: 0,0:43:21.79,0:43:26.45,Default,,0000,0000,0000,,implemented several services for\Nintegrity checking themselves but also Dialogue: 0,0:43:26.45,0:43:31.15,Default,,0000,0000,0000,,they configured and implemented selinux\Nand something like that, to just protect Dialogue: 0,0:43:31.15,0:43:35.45,Default,,0000,0000,0000,,the system and make it more secure. Dialogue: 0,0:43:35.45,0:43:39.48,Default,,0000,0000,0000,,What we think is really bad is this\Nvirus scanning and watermarking, Dialogue: 0,0:43:39.48,0:43:43.53,Default,,0000,0000,0000,,because it actually allows you to\Ntrack not only the origin but the Dialogue: 0,0:43:43.53,0:43:47.86,Default,,0000,0000,0000,,complete distribution within the network\Nof those files, and combined with the Dialogue: 0,0:43:47.86,0:43:53.38,Default,,0000,0000,0000,,virus scanner where the developers are\Nable to actually say what files are really Dialogue: 0,0:43:53.38,0:43:58.37,Default,,0000,0000,0000,,malicious and what shouldn't be\Ndistributed within the network, Dialogue: 0,0:43:58.37,0:44:04.25,Default,,0000,0000,0000,,it just deletes those files. So these\Ntwo combined are a really strong Dialogue: 0,0:44:04.25,0:44:10.35,Default,,0000,0000,0000,,framework which can help you to track\Nmalicious people within your network. Dialogue: 0,0:44:10.35,0:44:14.95,Default,,0000,0000,0000,,But some words about security: Like I\Nsaid, they have a lot of problems with Dialogue: 0,0:44:14.95,0:44:22.48,Default,,0000,0000,0000,,file permissions. 
There are actually some\Ndocuments on the ISO of the server Dialogue: 0,0:44:22.48,0:44:26.63,Default,,0000,0000,0000,,version of Red Star OS 3.0, and there are\Nsome user guides and administration Dialogue: 0,0:44:26.63,0:44:30.18,Default,,0000,0000,0000,,guides which are quite interesting, and\Nthey talk a lot about how to make the Dialogue: 0,0:44:30.18,0:44:34.96,Default,,0000,0000,0000,,system secure, how to run it secure, and\Nwhy they are doing different kinds of Dialogue: 0,0:44:34.96,0:44:42.09,Default,,0000,0000,0000,,stuff to save the integrity of the system.\NThey have a huge chapter talking about Dialogue: 0,0:44:42.09,0:44:46.57,Default,,0000,0000,0000,,file permissions, but they actually didn't\Nmanage to fix them themselves which Dialogue: 0,0:44:46.57,0:44:52.28,Default,,0000,0000,0000,,is quite weird. And even their custom code\Nuses basic memory corruption protection Dialogue: 0,0:44:52.28,0:44:57.66,Default,,0000,0000,0000,,like stack cookies, and non-executable\Nstacks which we saw that a lot of security Dialogue: 0,0:44:57.66,0:45:02.100,Default,,0000,0000,0000,,vendors don't bother to use, so we\Nthought this is quite funny. Dialogue: 0,0:45:02.100,0:45:06.58,Default,,0000,0000,0000,,Some of their code is more secure than\Na lot of security appliances. Dialogue: 0,0:45:06.58,0:45:08.79,Default,,0000,0000,0000,,{\i1}Slight laughter{\i0} Dialogue: 0,0:45:08.79,0:45:12.57,Default,,0000,0000,0000,,Florian: So to wrap this up--\NAm I going, can you hear me? Yes. Dialogue: 0,0:45:12.57,0:45:18.87,Default,,0000,0000,0000,,Okay so to wrap this up, again we think -\Nthis is a guess - that primarily they try Dialogue: 0,0:45:18.87,0:45:24.69,Default,,0000,0000,0000,,to protect and to save the integrity\Nof the system, which totally makes Dialogue: 0,0:45:24.69,0:45:28.96,Default,,0000,0000,0000,,sense if you're putting out an\Noperating system from North Korea. 
Dialogue: 0,0:45:28.96,0:45:32.15,Default,,0000,0000,0000,,The system was, in our opinion,\Ndefinitely built for home computers, Dialogue: 0,0:45:32.15,0:45:37.46,Default,,0000,0000,0000,,so it's not like industrial control or\Nsomething else, it's definitely built Dialogue: 0,0:45:37.46,0:45:43.10,Default,,0000,0000,0000,,for a home user because it mimics\NMac OSX and gives you all of the tools. Dialogue: 0,0:45:43.10,0:45:46.85,Default,,0000,0000,0000,,Maybe the reason why we didn't find\Nbackdoors is they actually know that Dialogue: 0,0:45:46.85,0:45:51.39,Default,,0000,0000,0000,,backdoors are bullshit. Could be a\Nreason, we don't know. Dialogue: 0,0:45:51.39,0:45:55.83,Default,,0000,0000,0000,,If you want to look into Red Star OS and\Nhelp us out, especially with the crypto, Dialogue: 0,0:45:55.83,0:46:01.64,Default,,0000,0000,0000,,the pilsung kernel module which provides\Ncustom crypto, with a look into the kernel Dialogue: 0,0:46:01.64,0:46:05.84,Default,,0000,0000,0000,,to see if there is something hidden there,\Nif maybe there are backdoors there, Dialogue: 0,0:46:05.84,0:46:09.39,Default,,0000,0000,0000,,take a look at our github.\NPlease contribute if you find Dialogue: 0,0:46:09.39,0:46:13.08,Default,,0000,0000,0000,,something, because we think that this\Nmessage and all of this stuff has to Dialogue: 0,0:46:13.08,0:46:17.85,Default,,0000,0000,0000,,be put out to the public, so it is a\Nwell-known fact that this operating Dialogue: 0,0:46:17.85,0:46:25.27,Default,,0000,0000,0000,,system is actually abusing free software\Nto actually make free speech harder Dialogue: 0,0:46:25.27,0:46:28.51,Default,,0000,0000,0000,,in a country that is quite oppressed. Dialogue: 0,0:46:28.51,0:46:33.94,Default,,0000,0000,0000,,So with this, we are at our end and we\Nare going to take your questions now. Dialogue: 0,0:46:33.94,0:46:46.01,Default,,0000,0000,0000,,{\i1}Applause{\i0} Dialogue: 0,0:46:46.01,0:46:51.62,Default,,0000,0000,0000,,Herald: Thank you very much. 
We have\Nabout 15 minutes time for questions. Dialogue: 0,0:46:51.62,0:46:54.69,Default,,0000,0000,0000,,If you want to ask a question, please\Ncome to the microphones. Dialogue: 0,0:46:54.69,0:46:58.63,Default,,0000,0000,0000,,There are some on the right\Nand some on the left aisle. Dialogue: 0,0:46:58.63,0:47:03.86,Default,,0000,0000,0000,,If you for any reason can't come to\Nthe microphones, please raise your Dialogue: 0,0:47:03.86,0:47:09.02,Default,,0000,0000,0000,,hand and I'll come to you\Nwith my microphone. Dialogue: 0,0:47:19.08,0:47:28.35,Default,,0000,0000,0000,,Okay, please line up there. If you\Nwanna leave now, please do this Dialogue: 0,0:47:28.35,0:47:35.09,Default,,0000,0000,0000,,quietly through the front door. Dialogue: 0,0:47:35.09,0:47:37.48,Default,,0000,0000,0000,,Florian: Could you raise your hand if\Nyou have questions and standing at Dialogue: 0,0:47:37.48,0:47:39.64,Default,,0000,0000,0000,,the microphone? There are like\Nthree questions over there. Dialogue: 0,0:47:39.64,0:47:42.03,Default,,0000,0000,0000,,Herald: Yeah, on the left one please. Dialogue: 0,0:47:42.03,0:47:46.49,Default,,0000,0000,0000,,Audience 1: Hello? Yeah. So thank you\Nvery much, it was very interesting. Dialogue: 0,0:47:46.49,0:47:55.02,Default,,0000,0000,0000,,I have two questions: Have you tried\Nisolating the system in a chroot jail? Dialogue: 0,0:47:55.02,0:48:00.41,Default,,0000,0000,0000,,And the second one is: Were there any\Noutbound connections, like automatic Dialogue: 0,0:48:00.41,0:48:02.51,Default,,0000,0000,0000,,outbound connections it made? Dialogue: 0,0:48:02.51,0:48:06.61,Default,,0000,0000,0000,,Florian: Okay so for the first question,\Nwe did not try to run it in an isolated Dialogue: 0,0:48:06.61,0:48:09.95,Default,,0000,0000,0000,,environment. We actually didn't--\NDid we install it on a live system? Dialogue: 0,0:48:09.95,0:48:12.46,Default,,0000,0000,0000,,I don't think so. Did we?\NNiklaus: Yeah. 
Dialogue: 0,0:48:12.46,0:48:14.91,Default,,0000,0000,0000,,Florian: Yeah, okay. But we didn't do any\Nobservations that this changed the Dialogue: 0,0:48:14.91,0:48:20.48,Default,,0000,0000,0000,,behaviour of the system. Concerning the\Nsecond question, there actually is not Dialogue: 0,0:48:20.48,0:48:24.56,Default,,0000,0000,0000,,really outbound traffic. What it is doing\Nis on the local network it is talking a Dialogue: 0,0:48:24.56,0:48:31.15,Default,,0000,0000,0000,,lot of NetBIOS stuff. So there is an\NSNMP and an nmbdaemon running Dialogue: 0,0:48:31.15,0:48:35.25,Default,,0000,0000,0000,,on the system and it's talking a\Nlot of NetBIOS. But this is basically Dialogue: 0,0:48:35.25,0:48:39.12,Default,,0000,0000,0000,,everything we could find. We have even\Nleft it running for like two days, to see Dialogue: 0,0:48:39.12,0:48:43.41,Default,,0000,0000,0000,,if there is an outbound connection for one\Nday or something like that. We couldn't Dialogue: 0,0:48:43.41,0:48:50.23,Default,,0000,0000,0000,,see anything like that. So the only stuff\Nthat Red Star's talking to the network Dialogue: 0,0:48:50.23,0:48:57.01,Default,,0000,0000,0000,,is like this Windows NetBIOS stuff, and if\Nyou push the button on the update Dialogue: 0,0:48:57.01,0:49:00.83,Default,,0000,0000,0000,,feature of the virus scanner, it's\Nactually trying to initiate an update Dialogue: 0,0:49:00.83,0:49:06.03,Default,,0000,0000,0000,,process that goes to five hard-coded\NIP addresses that are all local. Dialogue: 0,0:49:06.03,0:49:12.04,Default,,0000,0000,0000,,So like 192.168.9 something, and\N172 whatever. These are the only Dialogue: 0,0:49:12.04,0:49:16.51,Default,,0000,0000,0000,,network connections that we could trigger,\Nor that we have observed so far. 
Dialogue: 0,0:49:16.51,0:49:20.59,Default,,0000,0000,0000,,A1: Thank you.\NHerald: The next question is also Dialogue: 0,0:49:20.59,0:49:27.46,Default,,0000,0000,0000,,from this microphone.\NAudience 2: Two questions: Dialogue: 0,0:49:27.46,0:49:33.74,Default,,0000,0000,0000,,Might it be possible that when you install\Nthe system it gets code from North Korea Dialogue: 0,0:49:33.74,0:49:39.15,Default,,0000,0000,0000,,so you cannot find out if it's calling\Nhome because you don't get the call? Dialogue: 0,0:49:39.15,0:49:42.77,Default,,0000,0000,0000,,Florian: Could be. Our guess is actually\Nthat there is far more stuff that you get Dialogue: 0,0:49:42.77,0:49:49.100,Default,,0000,0000,0000,,when you pull up the operating system in\NNorth Korea. One reason is the organ file Dialogue: 0,0:49:49.100,0:49:53.72,Default,,0000,0000,0000,,that Niklaus mentioned that is missing on\Nthe system with the additional crypto Dialogue: 0,0:49:53.72,0:49:58.19,Default,,0000,0000,0000,,information that is used for the extended\Nwatermarking that they are applying. Dialogue: 0,0:49:58.19,0:50:01.54,Default,,0000,0000,0000,,We don't know where this file is coming\Nfrom, and from our perspective it totally Dialogue: 0,0:50:01.54,0:50:06.15,Default,,0000,0000,0000,,makes sense to not distribute this file\Non the ISO but to kind of give it as an-- Dialogue: 0,0:50:06.15,0:50:09.62,Default,,0000,0000,0000,,I don't know, somebody has to come to\Nyour house to install the software and Dialogue: 0,0:50:09.62,0:50:14.09,Default,,0000,0000,0000,,then he puts like this dedicated organ\Nfile on your desktop that is specific Dialogue: 0,0:50:14.09,0:50:18.67,Default,,0000,0000,0000,,to you, for example. 
That would totally\Nmake sense because, as you know, Dialogue: 0,0:50:18.67,0:50:21.30,Default,,0000,0000,0000,,stuff works a little bit different.\NIt's not like downloading an ISO Dialogue: 0,0:50:21.30,0:50:25.13,Default,,0000,0000,0000,,and installing it, it's probably more\Ncomplex to get this onto your system Dialogue: 0,0:50:25.13,0:50:29.39,Default,,0000,0000,0000,,if you want to use this. So there might\Nbe more stuff that is pushed either Dialogue: 0,0:50:29.39,0:50:34.66,Default,,0000,0000,0000,,via updates - only internal - and this\Norgan file and other stuff that can get Dialogue: 0,0:50:34.66,0:50:39.17,Default,,0000,0000,0000,,to your computer-- We don't know if this\Nis possible or if something is happening Dialogue: 0,0:50:39.17,0:50:44.91,Default,,0000,0000,0000,,with this feature.\NA2: And the second question is if you look Dialogue: 0,0:50:44.91,0:50:49.58,Default,,0000,0000,0000,,at it from the North Korean view, that's\Nlike they had the problem. They are quite Dialogue: 0,0:50:49.58,0:50:54.04,Default,,0000,0000,0000,,happy, have a nice state, everything's\Nworking fine from what they see, and Dialogue: 0,0:50:54.04,0:50:57.84,Default,,0000,0000,0000,,now people come from South Korea,\Nfrom Western countries, bring their USB Dialogue: 0,0:50:57.84,0:51:03.29,Default,,0000,0000,0000,,sticks with Western propaganda that to\Nhave stuff like this watermarking even Dialogue: 0,0:51:03.29,0:51:08.18,Default,,0000,0000,0000,,if it is like evil. Like a natural reaction\Nfrom a closed system. Dialogue: 0,0:51:08.18,0:51:11.59,Default,,0000,0000,0000,,Florian: So actually it totally makes\Nsense to develop the system in the Dialogue: 0,0:51:11.59,0:51:16.43,Default,,0000,0000,0000,,way they developed it. 
It totally makes\Nsense, because it kind of reflects a Dialogue: 0,0:51:16.43,0:51:23.37,Default,,0000,0000,0000,,little bit how the government is working.\NBecause integrity is not only a critical Dialogue: 0,0:51:23.37,0:51:30.39,Default,,0000,0000,0000,,part not only for the operating system,\Nit's also a part for the state itself. Dialogue: 0,0:51:30.39,0:51:34.19,Default,,0000,0000,0000,,Like shutting down everything, closing\Noff everything - that's, by the way, Dialogue: 0,0:51:34.19,0:51:40.27,Default,,0000,0000,0000,,the screensaver - and closing down\Neverything also totally makes sense. Dialogue: 0,0:51:40.27,0:51:44.46,Default,,0000,0000,0000,,And tracking stuff that is distributed\Nin the country or deleting unwanted stuff Dialogue: 0,0:51:44.46,0:51:52.71,Default,,0000,0000,0000,,also makes sense. So what we think that\NRed Star resembles this and matches Dialogue: 0,0:51:52.71,0:51:57.96,Default,,0000,0000,0000,,how culture is in North Korea, actually. Dialogue: 0,0:51:57.96,0:52:02.92,Default,,0000,0000,0000,,Herald: Okay, we also have two questions\Nof the IRC which I would like to shift in. Dialogue: 0,0:52:02.92,0:52:08.78,Default,,0000,0000,0000,,Signal angel: Thank you. Okay, the first question\Nis if you have any theory on how and why Dialogue: 0,0:52:08.78,0:52:17.21,Default,,0000,0000,0000,,the ISO got leaked. Dialogue: 0,0:52:17.21,0:52:23.27,Default,,0000,0000,0000,,Florian: We don't know this, actually. 'Why?' is--\NWe don't think that it was somebody Dialogue: 0,0:52:23.27,0:52:27.51,Default,,0000,0000,0000,,from North Korea, we think that it might\Nbe a foreigner that got it. Dialogue: 0,0:52:27.51,0:52:31.45,Default,,0000,0000,0000,,Like Will Scott told us last year that he\Nwas able to get a copy of it and get it Dialogue: 0,0:52:31.45,0:52:34.69,Default,,0000,0000,0000,,out of the country. There might\Nbe others that are able. 
Dialogue: 0,0:52:34.69,0:52:39.18,Default,,0000,0000,0000,,There is actually tourism in North Korea.\NYou can go there for your holidays. Dialogue: 0,0:52:39.18,0:52:45.35,Default,,0000,0000,0000,,So I guess that if you put a little bit\Nof effort into it, it's possible to get Dialogue: 0,0:52:45.35,0:52:49.05,Default,,0000,0000,0000,,nearly anything out of the country if\Nyou want to try to take the risk. Dialogue: 0,0:52:49.05,0:52:53.76,Default,,0000,0000,0000,,But we don't know who leaked the version\Nand we don't know why it actually was leaked. Dialogue: 0,0:52:53.76,0:52:58.10,Default,,0000,0000,0000,,Niklaus: There are actually rumours that\Nit was a Russian student who was studying Dialogue: 0,0:52:58.10,0:53:01.92,Default,,0000,0000,0000,,in North Korea, and he bought this on the\Nstreet and just brought it out of the country Dialogue: 0,0:53:01.92,0:53:05.63,Default,,0000,0000,0000,,and put it on his blog, but we cannot\Nconfirm that this is actually true. Dialogue: 0,0:53:05.63,0:53:11.79,Default,,0000,0000,0000,,Signal angel: Okay, thanks. And the second question\Nis if there has been any attempt at the Dialogue: 0,0:53:11.79,0:53:14.75,Default,,0000,0000,0000,,custom kernel modules yet, like\Nreverse engineering or something. 
Dialogue: 0,0:53:14.75,0:53:19.59,Default,,0000,0000,0000,,Florian: Well we reverse engineered rtscan\Nwhich is pretty simple because it just Dialogue: 0,0:53:19.59,0:53:25.72,Default,,0000,0000,0000,,hooks a few function calls, that's it.\NWe have taken a look at the Dialogue: 0,0:53:25.72,0:53:30.67,Default,,0000,0000,0000,,Korean Display Module on a first glance.\NIt seems to do what it is supposed to do, Dialogue: 0,0:53:30.67,0:53:35.59,Default,,0000,0000,0000,,having something to do with display\Nmanagement, but we didn't take a look Dialogue: 0,0:53:35.59,0:53:38.80,Default,,0000,0000,0000,,at all of the kernel modules, all the rest\Nof the remaining kernel modules, Dialogue: 0,0:53:38.80,0:53:43.100,Default,,0000,0000,0000,,because the code base is so massive\Nthat we actually need you guys to Dialogue: 0,0:53:43.100,0:53:49.09,Default,,0000,0000,0000,,help us out a little bit. Dialogue: 0,0:53:49.09,0:53:52.75,Default,,0000,0000,0000,,Herald: Next question from the mic please.\NAudience 3: Yes, I have another question. Dialogue: 0,0:53:52.75,0:53:56.47,Default,,0000,0000,0000,,You said that most of the software is\Nbased of other open source software Dialogue: 0,0:53:56.47,0:54:01.15,Default,,0000,0000,0000,,for which you don't have the source code,\Nand it didn't come with the ISO, so it's Dialogue: 0,0:54:01.15,0:54:03.27,Default,,0000,0000,0000,,pretty much a massive violation of\Nopen source licenses. Dialogue: 0,0:54:03.27,0:54:05.98,Default,,0000,0000,0000,,Florian: Yep, absolutely.\NA3: So my question would be: Dialogue: 0,0:54:05.98,0:54:12.23,Default,,0000,0000,0000,,Could you get an inside on what other\Npackages are available, or from the Dialogue: 0,0:54:12.23,0:54:14.45,Default,,0000,0000,0000,,package manager, and what\Nother packages are there? Dialogue: 0,0:54:14.45,0:54:20.18,Default,,0000,0000,0000,,Florian: Actually, there is a DVD which\Nalso was leaked. 
I think that it was for Dialogue: 0,0:54:20.18,0:54:25.96,Default,,0000,0000,0000,,Red Star 2. I'm not sure if it is also\Nfor the latest version, but there is Dialogue: 0,0:54:25.96,0:54:32.24,Default,,0000,0000,0000,,a CD with additional software and you\Nhave stuff like Apache, MYSQL-- {\i1}pfff{\i0} Dialogue: 0,0:54:32.24,0:54:35.93,Default,,0000,0000,0000,,I don't know. All of the stuff you\Nbasically need to run a full-blown Dialogue: 0,0:54:35.93,0:54:40.59,Default,,0000,0000,0000,,operating system on Linux. So there is\Nadditional software out there, you can Dialogue: 0,0:54:40.59,0:54:47.53,Default,,0000,0000,0000,,download the DVD and install this\Nsoftware on the machine. Dialogue: 0,0:54:47.53,0:54:52.64,Default,,0000,0000,0000,,If you go through the RPM descriptions\Nyou will see that for some of the Dialogue: 0,0:54:52.64,0:55:00.99,Default,,0000,0000,0000,,software they even wrote-- They kind of\Nused a description for the license which Dialogue: 0,0:55:00.99,0:55:05.13,Default,,0000,0000,0000,,says "KCC" which is the Korean Computer\NCentre. And sometimes they use GPL, Dialogue: 0,0:55:05.13,0:55:09.25,Default,,0000,0000,0000,,and sometimes they use GNU, and yeah.\NSo massive violations. Dialogue: 0,0:55:09.25,0:55:12.24,Default,,0000,0000,0000,,A3: Did you ask them for the source code?\N{\i1}Laughter{\i0} Dialogue: 0,0:55:12.24,0:55:16.12,Default,,0000,0000,0000,,Florian: Actually, we think that there is\Nan internal git in North Korea where you Dialogue: 0,0:55:16.12,0:55:20.91,Default,,0000,0000,0000,,can just check out everything, so...\NWe suppose it is this way because it's Dialogue: 0,0:55:20.91,0:55:30.26,Default,,0000,0000,0000,,open source, right? By the way,\Nopen source. {\i1}Laughter{\i0} Dialogue: 0,0:55:30.26,0:55:35.44,Default,,0000,0000,0000,,Herald: Very nice. One more question\Nfrom here? Are you having a question? 
Dialogue: 0,0:55:35.44,0:55:38.08,Default,,0000,0000,0000,,No, okay then we have one more\Nquestion from the internet. Dialogue: 0,0:55:38.08,0:55:42.45,Default,,0000,0000,0000,,IRC: Yes, the question is if there is a\Npossibility to fake the watermarks Dialogue: 0,0:55:42.45,0:55:46.53,Default,,0000,0000,0000,,to get some innocent North Korean\Ninto trouble. {\i1}Quiet laughter{\i0} Dialogue: 0,0:55:46.53,0:55:50.62,Default,,0000,0000,0000,,Florian: Yeah, no problem because the\Nkey's hard coded. You could, like-- Dialogue: 0,0:55:50.62,0:55:57.23,Default,,0000,0000,0000,,You know how to scramble the hardware ID\Nor the disk serial, and you could perfectly Dialogue: 0,0:55:57.23,0:56:01.69,Default,,0000,0000,0000,,forge documents. That would be not a\Nproblem. Not a problem at all. Dialogue: 0,0:56:01.69,0:56:07.21,Default,,0000,0000,0000,,You just need the serial number, basically.\NA3: Okay, and I've just got another question Dialogue: 0,0:56:07.21,0:56:11.28,Default,,0000,0000,0000,,that is: Does the warning.wav\Nhave a watermark? Dialogue: 0,0:56:11.28,0:56:14.81,Default,,0000,0000,0000,,Florian: Umm...\NNiklaus: No, actually it has the exact Dialogue: 0,0:56:14.81,0:56:19.73,Default,,0000,0000,0000,,same checksum as the original file.\NFlorian: Actually we didn't check if it-- Dialogue: 0,0:56:19.73,0:56:23.89,Default,,0000,0000,0000,,No, so it does not have a watermark\Nbecause as Niklaus said, it's the same Dialogue: 0,0:56:23.89,0:56:27.74,Default,,0000,0000,0000,,checksum as the Kaspersky one.\NA3: Okay, thanks. Dialogue: 0,0:56:27.74,0:56:32.91,Default,,0000,0000,0000,,Herald: Okay, thank you very much.\NPlease give Florian and Niklaus another Dialogue: 0,0:56:32.91,0:56:36.49,Default,,0000,0000,0000,,big round of applause for an amazing talk.\NFlorian: Thank you. 
Dialogue: 0,0:56:36.49,0:56:40.09,Default,,0000,0000,0000,,{\i1}Applause{\i0} Dialogue: 0,0:56:40.09,0:56:46.05,Default,,0000,0000,0000,,{\i1}postroll music{\i0} Dialogue: 0,0:56:46.05,0:56:52.00,Default,,0000,0000,0000,,subtitles created by c3subtitles.de\NJoin, and help us!