WEBVTT
00:00:00.000 --> 00:00:09.534
preroll music
00:00:09.534 --> 00:00:15.929
Herald: North Korea; not only famous for chocolate
but for being a surveillance state
00:00:15.929 --> 00:00:22.289
And as a good surveillance state,
it has to have its own operation system.
00:00:22.289 --> 00:00:27.710
Because how will you do proper surveillance
without your own operation system?
00:00:27.710 --> 00:00:35.550
Today, we get a brief introduction
how Red Star OS is working.
00:00:35.550 --> 00:00:38.910
The introduction will have a specific
focus on the custom code
00:00:38.910 --> 00:00:45.350
which was inserted for surveillance,
and especially how to get around it.
00:00:45.350 --> 00:00:52.420
So please welcome Florian and Niklaus
with a big round of applause.
00:00:52.420 --> 00:01:00.600
Applause
00:01:00.600 --> 00:01:03.230
Florian Grunow: Hey everybody,
thanks for having us.
00:01:03.230 --> 00:01:08.070
We are going to give you a deep
dive into Red Star OS.
00:01:08.070 --> 00:01:12.070
Actually, we were kind of surprised that
there is not so much information
00:01:12.070 --> 00:01:17.850
on the net about really the core of Red
Star and what is it doing.
00:01:17.850 --> 00:01:22.310
So we thought we would change this,
and give you an insight in how
00:01:22.310 --> 00:01:26.500
this Operating System works,
and by looking into the technical aspects
00:01:26.500 --> 00:01:33.700
of Red Star you can also draw conclusions
about how development in North Korea
00:01:33.700 --> 00:01:38.200
is evolving and is, maybe, catching up.
00:01:38.200 --> 00:01:42.390
So what we're going to talk about is:
First of all, a short introduction
00:01:42.390 --> 00:01:45.630
into the motivation; why are we doing
this? We are going through
00:01:45.630 --> 00:01:49.720
the architecture of Red Star; we are going
to show you the components in the core
00:01:49.720 --> 00:01:53.640
in the operating system itself; and then
we will take a deep dive into
00:01:53.640 --> 00:01:57.440
the additional components, all of the
programs that are coming from North Korea
00:01:57.440 --> 00:02:01.470
and are supplied with the ISO
of Red Star OS.
00:02:01.470 --> 00:02:06.500
After that, we are going to give you a
deep dive into the most interesting features
00:02:06.500 --> 00:02:13.290
of Red Star OS; and then we will be able
to draw our own conclusions;
00:02:13.290 --> 00:02:16.069
and afterwards we will have time
for questions, we hope.
00:02:16.069 --> 00:02:21.459
By the way, this picture on the left you
can see here is actually one of the--
00:02:21.459 --> 00:02:28.579
I think it's the screensaver right from
Red Star OS. Laughter So, um, yeah.
00:02:28.579 --> 00:02:32.849
So before we begin, we need to
do this disclaimer:
00:02:32.849 --> 00:02:37.959
For your information we have never visited
DPRK, we have never been to North Korea.
00:02:37.959 --> 00:02:41.549
All we know about North Korea is from
public sources, from the internet,
00:02:41.549 --> 00:02:47.450
from media, whatever. So what we are
going to say about North Korea
00:02:47.450 --> 00:02:52.590
has to be speculation because we don't
know exactly what happens in North Korea.
00:02:52.590 --> 00:02:58.370
Also, the ISOs that we have been analysing
are found publicly available on
00:02:58.370 --> 00:03:02.499
the internet, [and] may be fake. We don't
think that they are fake because
00:03:02.499 --> 00:03:09.340
Will Scott has shown last year on the 31C3
how Red Star looks, and everything that
00:03:09.340 --> 00:03:15.719
he has been showing is basically in the
ISO, so we think it is legit.
00:03:15.719 --> 00:03:20.840
Remember that we are not going to make fun
of anybody in this talk. We are not going
00:03:20.840 --> 00:03:24.319
to make fun of the developers, and we are
certainly not going to make fun of
00:03:24.319 --> 00:03:30.040
the people in the DPRK, because we think
that our presentation might have some
00:03:30.040 --> 00:03:36.120
funny aspects or something that makes
you laugh - which is perfectly fine - but
00:03:36.120 --> 00:03:41.889
looking at Red Star in detail is kind of a
surveillance mess, I would say, and
00:03:41.889 --> 00:03:48.449
it's a security or privacy nightmare.
So keep these aspects in mind.
00:03:48.449 --> 00:03:51.849
Also, this talk is not going to focus
about security. We're not going to talk
00:03:51.849 --> 00:03:56.010
about security. Many of the publications
available on the internet are
00:03:56.010 --> 00:04:00.290
about security, and we're not going to
focus on this in this presentation.
00:04:00.290 --> 00:04:06.849
So, why are we doing this? Red Star ISOs
have been leaked some time ago; there is
00:04:06.849 --> 00:04:12.290
a version 2 hanging around the internet
and there is obviously a version 3.0
00:04:12.290 --> 00:04:17.099
which has been leaked at the end of 2014,
and we were quite surprised at the middle
00:04:17.099 --> 00:04:20.459
of the year that there is no in-depth
analysis of this operating system.
00:04:20.459 --> 00:04:25.080
So most of the blogs and news articles are
quite superficial that you can find out there,
00:04:25.080 --> 00:04:31.370
and this is kind of surprising because
if there is some kind of state that
00:04:31.370 --> 00:04:35.680
doesn't put focus on transparency and free
speech, and they are putting out an
00:04:35.680 --> 00:04:41.419
operating system, you kind of want to know
how do they build their operating system.
00:04:41.419 --> 00:04:46.349
So that was one of the major aspects for
us to look into it. The other aspect was
00:04:46.349 --> 00:04:50.580
to find out how is the state of
software development in DPRK;
00:04:50.580 --> 00:04:58.519
how are they developing software? Do they
have a well-thought architecture;
00:04:58.519 --> 00:05:04.229
are they thinking about what they are
doing? How is the skill level of software
00:05:04.229 --> 00:05:08.669
development in North Korea?
So these were the two aspects that
00:05:08.669 --> 00:05:10.370
we wanted to find out.
00:05:10.370 --> 00:05:15.189
So if you look at previous work, as I said
there is mostly superficial stuff.
00:05:15.189 --> 00:05:22.659
There is some information that Red Star OS
actually looks like Mac OSX, and we will
00:05:22.659 --> 00:05:27.129
go into this a little bit further.
Then we have this talk from Will Scott
00:05:27.129 --> 00:05:31.439
last year at 31C3, who was talking about
Computer Science in DPRK which was
00:05:31.439 --> 00:05:37.159
very very interesting, and gave a pretty good
insight into what's happening in DPRK.
00:05:37.159 --> 00:05:44.349
And then we have a bunch of guys who
looked into the browser of Red Star,
00:05:44.349 --> 00:05:46.319
which is also quite interesting.
00:05:46.319 --> 00:05:53.310
So what we are going to do now is--
I'm going to show you the custom basic
00:05:53.310 --> 00:05:58.180
components; I'm going to talk a little bit
about integrity on the system; then I will
00:05:58.180 --> 00:06:04.610
hand over to Niklaus who will be looking
into the core and surveillance features;
00:06:04.610 --> 00:06:08.319
and then as I said, we will have time
for questions afterwards.
00:06:08.319 --> 00:06:13.340
So there are different leaked versions out
there, as I said. We have a desktop and
00:06:13.340 --> 00:06:19.319
a server version of Red Star, so you can
also use Red Star as a server, and it
00:06:19.319 --> 00:06:23.430
turns out that server version 3 is
actually used on the internet right now.
00:06:23.430 --> 00:06:28.520
As you can see, there is a server
header returned: "Red Star 3.0"
00:06:28.520 --> 00:06:32.750
This is an IP address of the server, and
it is pointing into North Korea.
00:06:32.750 --> 00:06:37.379
So this is one of the few web sites that
is publicly facing the internet from
00:06:37.379 --> 00:06:44.259
North Korea, and they are obviously using
the server version 3.0. So 3.0 might
00:06:44.259 --> 00:06:48.500
actually be the latest version.
There is another version, it's 2.0,
00:06:48.500 --> 00:06:53.550
which has also been leaked to the internet,
and then there is supposedly something
00:06:53.550 --> 00:07:02.139
that looks like 2.5; we have found some
South Korean documents that seem to be
00:07:02.139 --> 00:07:08.909
analysing the system quite superficially,
and it looks like 2.5 actually resembles
00:07:08.909 --> 00:07:14.139
the look and feel of Windows XP. So you
kind of see this evolution right now from
00:07:14.139 --> 00:07:19.319
2.5 XP going to 3.0 mimicking Mac OSX.
00:07:19.319 --> 00:07:24.499
Our talk will focus on the
desktop version which is desktop 3.0
00:07:24.499 --> 00:07:28.770
If you look at the timeline, which is
a guess - there's no documentation available
00:07:28.770 --> 00:07:35.400
on how they did it, obviously - if you
look at the 3.0 version you see that it is
00:07:35.400 --> 00:07:41.780
based on Fedora 11 which came out in 2009.
So our guess is they started developing 3.0
00:07:41.780 --> 00:07:48.029
in 2009 with this Fedora 11 release.
The kernel that they are using is 2.6.38
00:07:48.029 --> 00:07:55.840
which came out with Fedora 15 in 2011.
So it could be that the OS itself is
00:07:55.840 --> 00:08:00.759
a little bit older, the kernel is a little
bit newer, and the latest package build
00:08:00.759 --> 00:08:05.150
dates that you can see in
Red Star OS date to June 2013.
00:08:05.150 --> 00:08:11.789
So our educated guess is that Red Star
came out in June 2013 or a little bit later,
00:08:11.789 --> 00:08:13.939
a few weeks later or months later.
00:08:13.939 --> 00:08:18.219
In December 2014 we had the public leak,
so the ISOs have been leaked to the internet
00:08:18.219 --> 00:08:21.479
and are publicly available right now.
00:08:21.479 --> 00:08:26.449
If you look into the operating system,
it's basically a fully-featured desktop system
00:08:26.449 --> 00:08:31.150
you might imagine. It's based on KDE
and Fedora as I already said, and it tries
00:08:31.150 --> 00:08:36.230
to mimic the look and feel of Mac OSX.
You have an e-mail client, a calendar,
00:08:36.230 --> 00:08:41.260
a word processor, you've got Quicktime and
all of that stuff. You even have a disk
00:08:41.260 --> 00:08:45.850
encryption utility that Will Scott
has shown last year.
00:08:45.850 --> 00:08:51.630
They implemented additional kernel modules
and they touched a lot of kernel modules.
00:08:51.630 --> 00:08:55.180
They have this kernel module "rtscan"
which Niklaus is going to say a little bit
00:08:55.180 --> 00:09:00.120
more about, they have this kernel module
called "pilsung" - I was told this
00:09:00.120 --> 00:09:05.210
means "victory" in Korean - and that
kind of is a kernel module that supplies
00:09:05.210 --> 00:09:12.280
AES encryption. So they implemented an own
kernel module to supply something like AES.
00:09:12.280 --> 00:09:16.290
Then there is a kernel module called "kdm"
which is the Korean Display Module,
00:09:16.290 --> 00:09:20.960
and "kimm"-- muffled laughter
--which is not what it's like--
00:09:20.960 --> 00:09:24.800
it's not looking-- laughter
Well, I'll just go on.
00:09:24.800 --> 00:09:31.130
It basically just does something with
Korean letters and displaying Korean
00:09:31.130 --> 00:09:35.250
letters on the screen.
00:09:35.250 --> 00:09:39.710
Red Star has been developed by the KCC,
the Korean Computer Centre.
00:09:39.710 --> 00:09:46.720
It's quite interesting that since a few
years ago they had an office in Berlin.
00:09:46.720 --> 00:09:50.750
I don't know what they did there, but
they obviously had an office in Berlin
00:09:50.750 --> 00:09:55.320
maybe for knowledge sharing, whatever.
If you look at the system hardening,
00:09:55.320 --> 00:09:58.480
it's quite interesting that they
took care of system hardening.
00:09:58.480 --> 00:10:02.780
So they implemented SELinux rules with
custom modules, they have iptables
00:10:02.780 --> 00:10:06.860
rolled out immediately so you don't have
to activate it or put your rules into it;
00:10:06.860 --> 00:10:11.640
the firewall is working. They even have
Snort installed on the system.
00:10:11.640 --> 00:10:16.290
It's not running by default but they are
kind of delivering it by default, and they
00:10:16.290 --> 00:10:21.590
have a lot of custom services that we are
going to look into right now.
00:10:21.590 --> 00:10:25.880
Quite interesting is-- so why should
North Korea mimic Mac OSX?
00:10:25.880 --> 00:10:30.150
That might be one reason right there:
because this young fella sitting on the left
00:10:30.150 --> 00:10:35.900
is actually using an iMac right here.
So this is one reason.
00:10:35.900 --> 00:10:40.700
So why should they implement their own
operating system? There actually are
00:10:40.700 --> 00:10:48.210
so-called anthologies put out by the leader,
and one anthology by Kim Jong-il says that
00:10:48.210 --> 00:10:54.220
- if you translate it correctly, and we
try to - "in the process of programming,
00:10:54.220 --> 00:10:59.290
it is important to develop one in our own
style," and with "one" he means programs
00:10:59.290 --> 00:11:05.990
and operating systems. So there is this
clear guidance that North Korea should not
00:11:05.990 --> 00:11:11.620
rely on third-party Western operating
system and programs, they should
00:11:11.620 --> 00:11:15.290
develop this stuff on their own.
And by looking at the code and everything
00:11:15.290 --> 00:11:19.470
that we have by Red Star OS, this is
exactly what they did. They touched
00:11:19.470 --> 00:11:24.260
nearly everything on the operating system,
changed it a little bit, added custom code
00:11:24.260 --> 00:11:28.710
and so this is actually what they
are doing right there.
00:11:28.710 --> 00:11:34.060
The custom applications that you have is
a browser, which translates to "my country."
00:11:34.060 --> 00:11:40.470
You also have a crypto tool that Will Scott
has shown last year which is called Bokem
00:11:40.470 --> 00:11:44.230
which if you translate it kind of
translates to "sword."
00:11:44.230 --> 00:11:49.780
You have Sogwang Office which is an
OpenOffice customised for North Korean use.
00:11:49.780 --> 00:11:53.920
A software manager; you have MusicScore
which is an application you can compose
00:11:53.920 --> 00:11:59.270
music with. Then you have a program which
is called "rootsetting" and it basically
00:11:59.270 --> 00:12:03.520
gives you root. So if you look into the
documentation, it says you are not
00:12:03.520 --> 00:12:07.520
supposed to have root on the system for
integrity reasons, but if you want to get
00:12:07.520 --> 00:12:12.940
root you can use this tool, so they're not
hiding anything. So there are rumours
00:12:12.940 --> 00:12:16.110
on the net that say that you're not
supposed to get root on the system
00:12:16.110 --> 00:12:21.370
because it's so locked down. This is not
true obviously because there is software
00:12:21.370 --> 00:12:24.140
intended to give you administrative privileges.
00:12:24.140 --> 00:12:30.240
They even touched KDM, so the code base
that they touched is really, really big.
00:12:30.240 --> 00:12:32.760
Nearly the whole operating system.
00:12:32.760 --> 00:12:38.250
We are now going to give you a demo.
The first demo that we are doing, we are
00:12:38.250 --> 00:12:42.390
doing it right now, because we are
actually doing this presentation
00:12:42.390 --> 00:12:55.080
in Red Star OS.
Laughter and applause
00:12:55.080 --> 00:12:58.990
So what you see right here is basically
Red Star OS. We're going to show
00:12:58.990 --> 00:13:03.480
some of the aspects to you. There are many many
screenshots on the internet, some of you might already
00:13:03.480 --> 00:13:06.980
know how Red Star works, you might have
experience yourself.
00:13:06.980 --> 00:13:09.600
We're just going over a few interesting issues.
00:13:09.600 --> 00:13:16.110
So as you have seen, there is a full-blown
set of word processing, Powerpoint
00:13:16.110 --> 00:13:22.150
presentation stuff. I'm going to open up
the browser-- pfft, whatever. Laughter
00:13:22.150 --> 00:13:31.240
--and going into the preferences just to
give you a quick-- no. Muted laughter
00:13:31.240 --> 00:13:38.580
Oh. Laughter Yeah, to give you an insight
on the Certificate Authorities that are
00:13:38.580 --> 00:13:43.720
implemented in this Firefox version - it's
Firefox 3 - so you see there is not so many
00:13:43.720 --> 00:13:50.740
Certificate Authorities right here, and
they all are I guess from North Korea.
00:13:50.740 --> 00:13:55.780
So the browser is totally created to not
be used outside of North Korea,
00:13:55.780 --> 00:14:04.170
which you can see in the URL bar.
There is an internal IP address
00:14:04.170 --> 00:14:08.630
which points into the network of
North Korea, and all of the settings,
00:14:08.630 --> 00:14:11.940
proxy settings, hard-coded IP addresses,
or whatever, all point into this
00:14:11.940 --> 00:14:16.070
internal infrastructure of North Korea.
So this browser and the e-mail program
00:14:16.070 --> 00:14:19.380
was never intended to be used
outside of North Korea.
00:14:19.380 --> 00:14:22.900
Pfft Okay. Laughter
What else do we have?
00:14:22.900 --> 00:14:29.000
Okay, we have a Quicktime player.
So speaking of Mac OSX,
00:14:29.000 --> 00:14:41.000
you all have seen this. Woo! Swoosh. Right?
Okay, so that perfectly mimics Mac OSX.
00:14:41.000 --> 00:14:45.670
So let me try to find--
I'll try with aplay right here.
00:14:45.670 --> 00:14:51.800
So this is the shell. Quite interesting is
that when we were looking through
00:14:51.800 --> 00:14:57.310
all of this stuff, there is a bunch of
files that have a certain protection,
00:14:57.310 --> 00:15:00.420
and they seem to be pretty important
for the system, and there is a
00:15:00.420 --> 00:15:06.630
wave file - an audio wave file - that
actually is protected.
00:15:06.630 --> 00:15:15.170
It's usr/lib/Warnning.wav;
I don't know if we can hear this.
00:15:15.170 --> 00:15:19.000
I hope that your ears are not going to
explode right now. I'll just try it.
00:15:19.000 --> 00:15:22.430
Pig squealing
I'll try it again.
00:15:22.430 --> 00:15:25.870
Pig squealing
You hear that? Laughter
00:15:25.870 --> 00:15:28.740
Pig squealing
Does anybody know what this is?
00:15:28.740 --> 00:15:33.670
Shouts of "pig" from audience
Pardon me? Pig, exactly.
00:15:33.670 --> 00:15:36.430
And where is it coming from?
Does anybody know?
00:15:36.430 --> 00:15:39.970
That's stolen from Kaspersky antivirus,
because in the older version of
00:15:39.970 --> 00:15:45.340
Kaspersky antivirus if you find a virus
it actually will play this sound, and it's
00:15:45.340 --> 00:15:49.970
exactly the wav file from Kaspersky;
we verified this by doing checksums, okay.
00:15:49.970 --> 00:16:03.310
Laughter So we have a copyright violation
right here. Laughter and applause
00:16:03.310 --> 00:16:07.770
So what else do we have? I've been talking
about this, you can create your own music.
00:16:07.770 --> 00:16:12.630
I'm not going to do this now because
I'm not good at making music.
00:16:12.630 --> 00:16:16.300
What else do we have? We have the browser.
Did we want to show-- ah yeah.
00:16:16.300 --> 00:16:20.570
I'm going to show you one more thing.
I'm not going to show you the encryption
00:16:20.570 --> 00:16:28.980
tool because Will Scott has done this
last year, but to give you an insight into
00:16:28.980 --> 00:16:33.970
the crypto tool, it's pretty interesting.
If you look at the description of the bokem3,
00:16:33.970 --> 00:16:38.260
bokem is the tool that is used for disk
encryption so it provides the user a tool
00:16:38.260 --> 00:16:42.470
to encrypt files or even the complete
hard drive, and if you look into
00:16:42.470 --> 00:16:49.730
the description it says "this allows the user
to store his/her privacy data with encrypted,"
00:16:49.730 --> 00:16:56.420
which is quite nice. I mean, we didn't
expect to have something like this
00:16:56.420 --> 00:17:04.000
in Red Star. So the user can at least
try to encrypt files.
00:17:04.000 --> 00:17:08.750
Bokem is using out-of-the-box crypto
that comes with the kernel.
00:17:08.750 --> 00:17:14.240
It also uses pilsung, which we don't know
if there are any backdoors in it or not,
00:17:14.240 --> 00:17:19.849
so we have no idea if this is possible to
decrypt with a master key or something.
00:17:19.849 --> 00:17:24.140
If you want to look into this, we would be
happy if someone with big crypto
00:17:24.140 --> 00:17:32.750
experience would look into it.
So let me get back to the presentation.
00:17:32.750 --> 00:17:39.440
Ah! One thing I need to show you is this
red flag on the right corner, right here.
00:17:39.440 --> 00:17:46.410
If you look into this, and you translate -
I didn't click the right one - if you are
00:17:46.410 --> 00:17:52.110
going to translate all of this, you will
find that all of the strings and all of
00:17:52.110 --> 00:17:59.160
the text that you see right here, they
seem to be an antivirus scanner.
00:17:59.160 --> 00:18:03.510
So they even implemented from scratch
an antivirus scanner in Red Star OS.
00:18:03.510 --> 00:18:08.230
You can now select the folder or a file
and say run a check on the file,
00:18:08.230 --> 00:18:13.050
and if the file is actually a malicious
file - we will come to that part later,
00:18:13.050 --> 00:18:17.870
what "malicious" is - it will instantly
be deleted from the hard drive.
00:18:17.870 --> 00:18:25.260
So this is an interesting feature, having
a virus scanner in a Linux OS.
00:18:25.260 --> 00:18:28.570
Okay so let's look at the custom
components. We have been
00:18:28.570 --> 00:18:32.290
looking into the user space a little bit,
and all of the programs that come with it.
00:18:32.290 --> 00:18:37.400
There is far more stuff. Download the ISO,
play around with it a little bit.
00:18:37.400 --> 00:18:41.610
First, change the language to English.
You will obviously not get far
00:18:41.610 --> 00:18:46.260
if your Korean is bad.
So change the language and
00:18:46.260 --> 00:18:48.030
play around with it a little bit.
00:18:48.030 --> 00:18:53.020
So Red Star comes with
interesting packages.
00:18:53.020 --> 00:18:56.620
They touched KDE as I said.
They are getting out an integrity
00:18:56.620 --> 00:19:00.210
checker and a security daemon.
There are signature packages right here
00:19:00.210 --> 00:19:05.840
which Niklaus is going to talk about
a little bit, there are policies for SELinux,
00:19:05.840 --> 00:19:11.280
and I'm going to talk about two of the
integrity checking mechanisms that
00:19:11.280 --> 00:19:12.300
Red Star has.
00:19:12.300 --> 00:19:17.730
So by looking at Red Star, we saw that
one thing was pretty important to them:
00:19:17.730 --> 00:19:22.710
They wanted to preserve the integrity
of the system, and one way to do this
00:19:22.710 --> 00:19:27.140
is using this process right here,
it's called "intcheck."
00:19:27.140 --> 00:19:32.280
It comes with an SQLite database with
hashes of files on the system,
00:19:32.280 --> 00:19:36.920
like signatures for the system, and
you can configure it from user space so
00:19:36.920 --> 00:19:40.770
it's not pretty hidden, it's pretty
transparent to the user.
00:19:40.770 --> 00:19:44.660
I think there even comes a UI with it
where you can configure everything,
00:19:44.660 --> 00:19:48.540
and it's run at boot. It checks the files
and if it sees that the files have been
00:19:48.540 --> 00:19:52.350
manipulated or tampered with - if the
checksum changes - then it will issue
00:19:52.350 --> 00:19:55.600
a warning to the user.
So you get a small popup that says,
00:19:55.600 --> 00:20:00.380
"this file has been tampered with," the
security or the integrity of the system
00:20:00.380 --> 00:20:05.950
is not where it should be. So that's
pretty much what this thing does.
00:20:05.950 --> 00:20:11.270
securityd is kind of interesting, because
securityd is also a process that is known
00:20:11.270 --> 00:20:18.090
to run under Mac OSX. I'm not a Mac user,
and I think that Mac OSX with securityd
00:20:18.090 --> 00:20:21.440
is keeping track of certificates
and stuff like that.
00:20:21.440 --> 00:20:26.910
So what they did is they reimplemented
securityd for Linux, and they included
00:20:26.910 --> 00:20:32.900
various plugins. One interesting issue
with securityd is it comes with a library
00:20:32.900 --> 00:20:37.260
that provides a function called
validate_os(), and what this function does
00:20:37.260 --> 00:20:43.280
is it has a hard-coded list of files.
You can see like our wav file right here,
00:20:43.280 --> 00:20:48.930
you can see configuration files, and
autostart files for scnprc which is
00:20:48.930 --> 00:20:54.190
the antivirus scanner. So it checks if
these files are untouched, and if
00:20:54.190 --> 00:20:59.020
these files have been tampered with it
initiates a reboot instantly.
00:20:59.020 --> 00:21:03.500
So if you touch one of these files,
your machine will reboot instantly.
00:21:03.500 --> 00:21:11.080
The same library is also used from KDM,
so during the startup process when KDM is
00:21:11.080 --> 00:21:15.820
starting it is also doing an integrity check,
and if it finds that one of these files has
00:21:15.820 --> 00:21:20.460
been tampered with it actually immediately
issues a reboot, and the problem is
00:21:20.460 --> 00:21:24.000
that if you start tampering with the system
you will end up in reboot loops
00:21:24.000 --> 00:21:29.809
all of the time if you're doing research,
because once KDM is saying reboot
00:21:29.809 --> 00:21:33.450
the system, it's going to check it again
if it's rebooted and sees that it's
00:21:33.450 --> 00:21:36.660
still tampered with and it reboots again,
and again, and again, and then your
00:21:36.660 --> 00:21:40.000
system is basically dead.
So what they tried to do with intcheck
00:21:40.000 --> 00:21:45.860
and securityd is try and protect certain files,
conserve the integrity of these files,
00:21:45.860 --> 00:21:50.600
and if these files get tampered with they
assume that it is better to have an
00:21:50.600 --> 00:21:55.280
operating system that you cannot work with
any more than to still let it run or
00:21:55.280 --> 00:22:00.220
issue any warning.
So integrity is one of the main aspects
00:22:00.220 --> 00:22:03.030
they were looking for in
implementing Red Star.
00:22:03.030 --> 00:22:08.000
Okay, I will hand over to Niklaus and
he will go into the guts and the
00:22:08.000 --> 00:22:12.500
surveillance features a little bit more.
00:22:12.500 --> 00:22:14.940
Niklaus Schiess: The most interesting
feature-- package we found was this
00:22:14.940 --> 00:22:21.280
esig-cb package, which actually says
in the description that it's an
00:22:21.280 --> 00:22:26.790
"electronic signature system," but we
found that it is doing a lot of weird stuff.
00:22:26.790 --> 00:22:30.570
This is actually one of the pictures
which is included in the package,
00:22:30.570 --> 00:22:34.420
which is also protected. We don't know
really why, but it says something like
00:22:34.420 --> 00:22:38.300
"this is our copyright;"
and "don't break it;"
00:22:38.300 --> 00:22:41.020
and "don't copy it;" and stuff like that.
00:22:41.020 --> 00:22:45.559
But it's actually doing
something really different.
00:22:45.559 --> 00:22:49.500
It includes several pretty interesting files.
We have some configuration files,
00:22:49.500 --> 00:22:54.059
we have a kernel module, and we also
have this redflag.bmp which is the
00:22:54.059 --> 00:22:57.820
picture you just saw, and we have the
warning file, and we have some
00:22:57.820 --> 00:23:03.500
shared libraries, and we'll go now
into details what these are actually doing.
00:23:03.500 --> 00:23:07.640
So the first thing we looked at was
because there is a kernel module
00:23:07.640 --> 00:23:11.890
loaded by default, and we thought
if you want to put some backdoors in it
00:23:11.890 --> 00:23:16.010
where would you want to put it?
Right in the kernel module, probably.
00:23:16.010 --> 00:23:20.290
And what it does, it's actually just
hooking several system calls which
00:23:20.290 --> 00:23:26.630
provides a device which is actually
interfaced to the kernel so you have
00:23:26.630 --> 00:23:30.500
different services running on a system
who are actually talking to this
00:23:30.500 --> 00:23:33.730
kernel module via this device,
and it has some functionality like
00:23:33.730 --> 00:23:39.080
it can protect PIDs. So when you're
protecting a specific process then
00:23:39.080 --> 00:23:42.429
even root cannot kill this process,
which will be quite interesting
00:23:42.429 --> 00:23:47.990
in the next slides. It also provides
functionality to on one side protect
00:23:47.990 --> 00:23:52.670
files, and on the other side to hide files.
So protect means you cannot edit
00:23:52.670 --> 00:23:56.040
the file, and hide means you
cannot even read the file.
00:23:56.040 --> 00:23:59.710
So even if you had root user,
you can't even read those files.
00:23:59.710 --> 00:24:04.679
And on the right side is actually how
the services are interacting with this
00:24:04.679 --> 00:24:10.840
kernel module, and this is one function which
mostly protects and hides the files
00:24:10.840 --> 00:24:15.520
which we just saw, which are included
in this esignature package.
00:24:15.520 --> 00:24:19.559
Then like Florian said, we have this
virus scanner which at first glance
00:24:19.559 --> 00:24:25.200
at least looks like a virus scanner,
and this is this "scnprc" process.
00:24:25.200 --> 00:24:29.030
It provides a GUI to the user so it's
quite transparent so the user can see
00:24:29.030 --> 00:24:32.410
"okay, I have something that looks
like a virus scanner, and I can also
00:24:32.410 --> 00:24:35.320
trigger some scans of
different directories,"
00:24:35.320 --> 00:24:40.760
and it's started by kdeinit. So there's
this scnprc desktop file which is
00:24:40.760 --> 00:24:45.550
quite interesting because what you
want to do is disable it, but you
00:24:45.550 --> 00:24:48.220
cannot actually edit this file.
So as soon as you edit this file
00:24:48.220 --> 00:24:51.340
and save it, then the system
will immediately reboot.
00:24:51.340 --> 00:24:54.479
So disabling it is not so easy.
00:24:54.479 --> 00:24:58.570
Like I already said, you have different
ways of scanning. You can just click
00:24:58.570 --> 00:25:02.150
on a folder and say "scan this," but
also if you for example plug in
00:25:02.150 --> 00:25:06.860
a USB stick into the system then it will
automatically scan the files on the USB stick.
00:25:06.860 --> 00:25:11.610
And this scnprc service is actually
loading the kernel module, and
00:25:11.610 --> 00:25:15.520
it starts another service which is
called "opprc" which we are going to
00:25:15.520 --> 00:25:22.790
look in detail in a minute, and this is
also quite interesting this next service.
00:25:22.790 --> 00:25:28.960
But the pattern matching, we looked into
this a little bit and there's another
00:25:28.960 --> 00:25:34.730
package. So we have this esig-cb package
and you have esig-cb-db package which
00:25:34.730 --> 00:25:40.100
actually just provides this one single
"AnGae" file. As far as we know,
00:25:40.100 --> 00:25:44.520
it means "fog" in Korean. And this is
basically a signature file, or how the
00:25:44.520 --> 00:25:49.809
code references it a pattern file.
It's a file with a well-defined file format
00:25:49.809 --> 00:25:53.429
and it includes patterns which are
loaded into memory, and as soon as
00:25:53.429 --> 00:25:57.380
you are scanning a file it just checks if
these patterns are matching and as soon
00:25:57.380 --> 00:26:02.309
as the patterns are matched then it
immediately deletes the file and it
00:26:02.309 --> 00:26:08.630
plays the warning, and this is one of
the hidden files so even if you get root
00:26:08.630 --> 00:26:12.040
privilege on the system you are not
able to actually read this file.
00:26:12.040 --> 00:26:15.540
So a user of the operating system won't
be able to check "okay, what does it
00:26:15.540 --> 00:26:20.030
check and can I produce documents
which won't be detected by this"
00:26:20.030 --> 00:26:23.010
because you cannot actually read this file.
00:26:23.010 --> 00:26:31.370
We took a look into this. Most likely our
best guess is that these contain--
00:26:31.370 --> 00:26:35.110
A lot of the files are little-endian so
you always have to switch the bytes
00:26:35.110 --> 00:26:40.720
and we saw that it looks at least like
they are UTF-16 strings with Korean,
00:26:40.720 --> 00:26:45.000
Chinese, and some other weird characters,
and if we put these in Google Translate
00:26:45.000 --> 00:26:49.720
then there are actually some pretty weird
and disturbing terms in those files.
00:26:49.720 --> 00:26:53.620
But we actually cannot confirm this.
It looks like they are actually not
00:26:53.620 --> 00:26:57.910
scanning for malware in the system, so
most likely they are checking documents
00:26:57.910 --> 00:27:02.020
and if those documents match those
patterns then they are most likely--
00:27:02.020 --> 00:27:05.460
for example, governments don't want these
files to be distributed within the intranet
00:27:05.460 --> 00:27:07.850
of North Korea then it just
deletes those files.
00:27:07.850 --> 00:27:12.200
But actually we cannot confirm this
because we are not quite sure if you
00:27:12.200 --> 00:27:17.570
put those strings in Google Translate that
they are actually real translations.
00:27:17.570 --> 00:27:22.809
But you can always update these pattern
files, so on the one side scnprc has a
00:27:22.809 --> 00:27:26.610
built-in update process where it just
updates the file itself, or you can just
00:27:26.610 --> 00:27:30.340
when you are doing operating system
update via your package manager
00:27:30.340 --> 00:27:35.809
and you update this esig-cb-db package
and you also get a brand new file.
00:27:35.809 --> 00:27:40.830
The interesting part of this is that the
developers decide what is malicious.
00:27:40.830 --> 00:27:46.110
So it's not necessarily that "malicious"
means that it's malware, that it's
00:27:46.110 --> 00:27:52.179
bad for you, but somewhere the developers
and officials will actually say,
00:27:52.179 --> 00:27:55.559
"okay, we don't want those files
distributed, just delete them
00:27:55.559 --> 00:27:57.980
"because we think they are malicious."
00:27:57.980 --> 00:28:02.799
There is this other service which I was
also talking about, this "opprc."
00:28:02.799 --> 00:28:06.260
This is more interesting than the
virus scanning itself.
00:28:06.260 --> 00:28:10.179
It's running in the background, so
actually a user will not see that there
00:28:10.179 --> 00:28:13.549
is actually another service running, you
don't have any GUI or something like that,
00:28:13.549 --> 00:28:17.809
you cannot trick or something with this,
and this is one of the protected PIDs.
00:28:17.809 --> 00:28:23.750
So scnprc for example you can just kill
with root privileges, but this is a process
00:28:23.750 --> 00:28:27.710
no one can kill on the system, and
this is quite interesting because
00:28:27.710 --> 00:28:32.240
you cannot unload the kernel module
unless this service is killed, so they
00:28:32.240 --> 00:28:37.360
are actually protecting each other so that
no one can stop the services at all.
00:28:37.360 --> 00:28:40.660
And this service shares a lot of
code with the scnprc.
00:28:40.660 --> 00:28:45.559
We just did some entropy checking
and saw okay-- I will talk in a minute
00:28:45.559 --> 00:28:51.610
when we are comparing more of these
files why we think that this looks
00:28:51.610 --> 00:28:55.020
pretty much the same, why they are
sharing so much code, because
00:28:55.020 --> 00:28:58.710
we found something interesting with
older versions of those services.
00:28:58.710 --> 00:29:03.600
But the most interesting thing this
service is doing is it watermarks files.
00:29:03.600 --> 00:29:07.630
And now we are going to look deeper
into what this watermarking means.
00:29:07.630 --> 00:29:11.850
So actually as soon as this system is
started, it reads your hard disk serial
00:29:11.850 --> 00:29:15.660
and then scrambles it a little bit,
and as soon as you are for example
00:29:15.660 --> 00:29:20.740
plugging a USB stick into your system
then it will trigger a watermarking
00:29:20.740 --> 00:29:25.080
process where it takes the serial,
takes a hard-coded DES key from
00:29:25.080 --> 00:29:28.850
the binary itself, and then encrypts
it and then puts it into your file.
00:29:28.850 --> 00:29:35.049
And when you are converting this hex key
into a decimal representation then you
00:29:35.049 --> 00:29:39.410
see that it is actually two dates.
We actually cannot confirm what
00:29:39.410 --> 00:29:45.120
those two dates mean, but one of those
matches Madonna's birth date, and
00:29:45.120 --> 00:29:51.010
there are rumours that some people in
North Korea might really like Madonna.
00:29:51.010 --> 00:29:57.530
This is just speculation, but if you have a
better conspiracy theory then just let us know.
00:29:57.530 --> 00:30:01.890
Because we found some pretty interesting
stuff, but we cannot confirm this.
00:30:01.890 --> 00:30:07.420
So technically the watermarks have an
ASCII EOF appended, which is most likely
00:30:07.420 --> 00:30:11.200
used by the code itself to parse
the files and see if there's already
00:30:11.200 --> 00:30:15.690
a watermark in there, and for JPEG
and AVI files, for example, it just
00:30:15.690 --> 00:30:20.330
appends this watermark to the end of the
file, and when you have a DOCX for example
00:30:20.330 --> 00:30:24.000
it just appends it near the header where
there are a bunch of null bytes, and then
00:30:24.000 --> 00:30:27.610
it just puts it in there.
00:30:27.610 --> 00:30:32.320
So the watermarking itself is as soon as
you open a document file with Office then
00:30:32.320 --> 00:30:38.309
it will be watermarked, and actually they
have code which watermarks files even if
00:30:38.309 --> 00:30:43.770
you don't open those files, but as soon
as we saw this-- it's pretty buggy.
00:30:43.770 --> 00:30:48.350
It doesn't work every time, but they have
code for this implemented, and mostly
00:30:48.350 --> 00:30:54.360
it works but sometimes it just fails.
The supported types that we can confirm
00:30:54.360 --> 00:31:01.760
are DOCX files, image files like JPEG and
PNG and AVI video files. But the code
00:31:01.760 --> 00:31:06.720
indicates there are several more file
types available for watermarking, but
00:31:06.720 --> 00:31:11.380
we most likely didn't look into this.
But the most interesting thing here
00:31:11.380 --> 00:31:16.860
is that only media files are affected.
So they don't watermark any binaries
00:31:16.860 --> 00:31:22.950
or something like that, they are reducing
their surface to files which could be used
00:31:22.950 --> 00:31:31.299
to carry information, which could be used
to put out information for free speech
00:31:31.299 --> 00:31:36.250
purposes, and actually what we think is
that this is not a security feature.
00:31:36.250 --> 00:31:40.580
So they are actually trying to watermark
free speech in general, so that every time
00:31:40.580 --> 00:31:46.559
you have a document file, an image, or
a video file, then they want to know who
00:31:46.559 --> 00:31:52.489
had this file and they watermark it so
they can track the origin of the file.
00:31:52.489 --> 00:32:00.090
We have a short demo where you can see
for example I have a USB stick.
00:32:00.090 --> 00:32:09.610
Let me put it in my system.
00:32:09.610 --> 00:32:15.130
There is a file on the USB stick which
is a love letter from Kim, and it has
00:32:15.130 --> 00:32:21.380
a checksum which starts with "529", and
as soon as I plug this into the system--
00:32:21.380 --> 00:32:34.740
I hope that it will notice this.
00:32:34.740 --> 00:32:38.740
You can see okay, it recognised something
like a USB stick on the system, but I won't
00:32:38.740 --> 00:32:55.220
open it, and I won't open any file on the
USB stick. I just will eject it.
00:32:55.220 --> 00:33:03.360
I hope that it works.
Will it actually open?
00:33:03.360 --> 00:33:07.410
This is what I meant, that it's kind of
buggy, so it doesn't always work with
00:33:07.410 --> 00:33:12.720
the watermarking, but most likely if you
open the file itself then it will work.
00:33:12.720 --> 00:33:17.520
I guess we didn't have the case that it
doesn't work when you open it. [sic]
00:33:17.520 --> 00:33:28.690
--which then opens Office, and I close
it again and-- just close this.
00:33:28.690 --> 00:33:33.860
Go back, and then hopefully if we mount
this again then you can see it has
00:33:33.860 --> 00:33:39.250
been changed. So we didn't change anything
in the file, it was just the operating system
00:33:39.250 --> 00:33:44.350
who's changing files, and this was
initially the part where we started to
00:33:44.350 --> 00:33:47.570
look into this more deeply because we
thought an operating system who is
00:33:47.570 --> 00:33:57.219
just changing files when you are plugging
into the system is kind of annoying.
00:33:57.219 --> 00:34:00.690
Just to make this easier for you--
So what it actually does in the file,
00:34:00.690 --> 00:34:04.570
we have here the header of the file
which is a document, a DOCX file,
00:34:04.570 --> 00:34:09.089
and it just added this string which is
marked right here. This is actually
00:34:09.089 --> 00:34:13.649
the watermark it's putting in there.
Opposite there you can see the plaintext
00:34:13.649 --> 00:34:17.679
which is actually encrypted and then
put into the file, and the serial starts
00:34:17.679 --> 00:34:23.440
with "B48" so every time it puts the
serial into the file, it prefixes it with
00:34:23.440 --> 00:34:24.978
"WM"
00:34:24.978 --> 00:34:29.998
we think stands for "watermark" probably,
and you can see the EOF at the end of
00:34:29.998 --> 00:34:35.399
the file. This allows basically everyone
who can access this file, who can
00:34:35.399 --> 00:34:40.679
decrypt this watermark which is actually
encoded with the hard-coded key,
00:34:40.679 --> 00:34:45.989
so pretty much everyone who has access
to this ISO can get this key and can
00:34:45.989 --> 00:34:51.319
decrypt this. And this allows you to
really track back the origin of the file,
00:34:51.319 --> 00:34:54.190
where it came from.
00:34:54.190 --> 00:35:00.589
But there is a pretty funny example.
So imagine you have this picture, and
00:35:00.589 --> 00:35:05.130
you are inside North Korea and you think
"okay, this is pretty cool, and I want to
00:35:05.130 --> 00:35:09.160
distribute this to all of my friends."
So you think "okay, they might be
00:35:09.160 --> 00:35:12.470
intercepting all of my e-mail and my
browser communication," so you put it
00:35:12.470 --> 00:35:16.239
on a USB stick and give it to your friends
so that you think, "okay, no-one actually
00:35:16.239 --> 00:35:22.759
on the internet can access this file"
and you give it to someone else.
00:35:22.759 --> 00:35:26.680
Then at the beginning we have this
situation, where this is the original file.
00:35:26.680 --> 00:35:31.900
This is the end of the JPEG file - which
by definition always ends with an "FF D9"
00:35:31.900 --> 00:35:37.019
hexadecimal - and as soon as you give this
to your friend and he plugs the USB stick
00:35:37.019 --> 00:35:42.019
into his computer which is running Red
Star OS, then the file will actually
00:35:42.019 --> 00:35:45.799
change and it will look like this.
So for JPEG files, as I said it just
00:35:45.799 --> 00:35:49.640
appends the watermark to the end of
the file. So you can see the "FF D9," this
00:35:49.640 --> 00:35:53.890
is the actual end of the image file, and
they're appending the watermark there,
00:35:53.890 --> 00:35:57.509
like you can see with the EOF.
But where it gets interesting
00:35:57.509 --> 00:36:02.140
is when your friend is actually
distributing the file to another friend.
00:36:02.140 --> 00:36:06.920
So what Red Star OS is actually doing,
it appends also the watermark of your
00:36:06.920 --> 00:36:09.930
third friend.
Slight laughter
So what you then can do--
00:36:09.930 --> 00:36:14.880
If you technically combine this together,
then you can see not only where the file
00:36:14.880 --> 00:36:19.119
has its origins, but you can also track
each and everyone who had this file
00:36:19.119 --> 00:36:24.499
and who distributed this file, and with
this knowledge you might be able to
00:36:24.499 --> 00:36:29.079
construct something like this, where you
can track the distribution of all of the
00:36:29.079 --> 00:36:33.150
media files which are distributed
over the intranet in North Korea.
00:36:33.150 --> 00:36:37.049
You can see then in the centre we have
this one really weird guy who is always
00:36:37.049 --> 00:36:41.769
distributing images that we don't like,
and you can see also who gets these files
00:36:41.769 --> 00:36:45.299
and trace it back to all of the persons
who ever had this file, and then you
00:36:45.299 --> 00:36:49.499
can just go home to him and then shut
him down and take his computer.
00:36:49.499 --> 00:36:54.859
And we have actually not seen any
functionality, but probably there is
00:36:54.859 --> 00:36:58.509
functionality in the system implemented
where it always sends your hard disk
00:36:58.509 --> 00:37:04.569
serial to their servers, so the OS can
probably be able to match your IP
00:37:04.569 --> 00:37:07.759
address to your hard disk serial, and
then they don't even have to go to your
00:37:07.759 --> 00:37:12.599
home and get to your computer and check
your hard disk serial, they just can do
00:37:12.599 --> 00:37:16.279
this remotely and can check all of the
distribution of all malicious media files
00:37:16.279 --> 00:37:21.729
within the intranet of North Korea.
00:37:21.729 --> 00:37:27.210
What we thought is pretty hard for someone
who doesn't have access to a system other
00:37:27.210 --> 00:37:31.700
than Red Star OS, who just has this one
system, and tries to disable all of this
00:37:31.700 --> 00:37:35.210
malicious functionality like the virus
scanning that can delete all of your files
00:37:35.210 --> 00:37:40.619
that someone else doesn't like, or the
watermarking/the tracking of those files.
00:37:40.619 --> 00:37:44.569
And this is actually quite hard, because
some of those services are depending
00:37:44.569 --> 00:37:49.470
on each other and can only be killed
when the other service is not running.
00:37:49.470 --> 00:37:53.700
So what you actually have to do is you
have to get root privileges, and then you
00:37:53.700 --> 00:37:58.239
have to kill those two integrity checking
daemons which Florian was talking about
00:37:58.239 --> 00:38:02.819
so that it doesn't always reboot the
system when you're changing anything.
00:38:02.819 --> 00:38:07.529
Then you can via ioctl calls to the kernel
module, and say just "disable" because
00:38:07.529 --> 00:38:10.890
it has this nice feature where you can
enable and disable it, and then you
00:38:10.890 --> 00:38:18.390
can kill scnprc, opprc, and the
best thing you can do is--
00:38:18.390 --> 00:38:23.609
Weirdly, the libos file is not protected
by anyone, so you can just exchange
00:38:23.609 --> 00:38:27.700
this with a validate_os() function which
always returns 1 which says everything
00:38:27.700 --> 00:38:31.559
is fine, and then at the end you can
delete the desktop file which is used
00:38:31.559 --> 00:38:35.829
by KDE init to start all of these
processes, and then you are fine.
00:38:35.829 --> 00:38:38.880
And we don't think that actually anyone
in North Korea who only has access
00:38:38.880 --> 00:38:43.779
to this one system-- It will be extremely
hard to figure all of this out and
00:38:43.779 --> 00:38:48.599
to completely disable it. So they did
a pretty good job in building an
00:38:48.599 --> 00:38:53.660
architecture which is quite self-protecting,
and they put a lot of effort into it
00:38:53.660 --> 00:39:01.180
to just prevent you from disabling all of
the malicious functionality.
00:39:01.180 --> 00:39:07.059
We also took a quick look on the second
version of Red Star OS, just to compare
00:39:07.059 --> 00:39:12.519
some of those services, and there we can
see there is quite an evolution from the
00:39:12.519 --> 00:39:19.390
older version to the current version.
The thing which I was talking about,
00:39:19.390 --> 00:39:22.729
that the binaries are quite similar,
is that in the older version they used
00:39:22.729 --> 00:39:27.200
a lot of shared libraries, and in the
current version they statically linked
00:39:27.200 --> 00:39:32.859
a lot of code into the binaries themselves
even if they don't use it, so the codebase
00:39:32.859 --> 00:39:38.609
looks quite the same. And the chain of
starting the processes is a little bit
00:39:38.609 --> 00:39:44.109
different, so they put a lot in the init
process which will be started at first
00:39:44.109 --> 00:39:48.779
and not like this depending-on-each-other
infrastructure which they have in the
00:39:48.779 --> 00:39:52.880
current version. In the current version
they also have a lot of problems with
00:39:52.880 --> 00:39:57.450
file privileges, so privilege escalations
would be pretty easy, even if you don't
00:39:57.450 --> 00:40:02.920
have this root setting file. But also they
have a lot of binaries that are just
00:40:02.920 --> 00:40:07.749
setting that everyone can read and write
this interface to the kernel module,
00:40:07.749 --> 00:40:11.259
which basically allows you even as a
non-root user to disable the kernel
00:40:11.259 --> 00:40:14.739
module, and then you can kill all of the
binaries but you cannot actually delete
00:40:14.739 --> 00:40:19.499
something because it will then
end up in the reboot loop.
00:40:19.499 --> 00:40:23.900
And when you are doing something malicious
then the OS reboots, in the older version
00:40:23.900 --> 00:40:29.559
it just shuts down the system, so we
thought this is a pretty interesting thing.
00:40:29.559 --> 00:40:34.630
And we think, and we saw, that there's
a more advanced watermarking
00:40:34.630 --> 00:40:38.979
technique in there which is not just
appending watermarks into the files
00:40:38.979 --> 00:40:43.130
but it looks like they are doing, for
video and audio files at least,
00:40:43.130 --> 00:40:47.170
something like they are putting the
watermarks as filters on the files.
00:40:47.170 --> 00:40:51.950
So this will be a little bit harder to
actually see those watermarks
00:40:51.950 --> 00:40:55.380
and read those watermarks, because it
is not so obvious like when you have
00:40:55.380 --> 00:40:58.869
this "EOF" string at the end which
is always quite weird.
00:40:58.869 --> 00:41:03.799
But it uses this "/usr/lib/organ" file
which is actually not present on the
00:41:03.799 --> 00:41:08.660
ISO we had. We're going to talk about
this in the conclusion why we think
00:41:08.660 --> 00:41:12.359
this might not be there, but it's
actually not available. It's referenced
00:41:12.359 --> 00:41:17.559
a lot in the code, but we actually
haven't had this file and unfortunately
00:41:17.559 --> 00:41:21.880
we couldn't look into this more deeply.
00:41:21.880 --> 00:41:27.779
So what we didn't find were quite obvious
backdoors which we thought would be
00:41:27.779 --> 00:41:34.819
in place, and that they would be pretty
easy to spot. But we didn't see any of those.
00:41:34.819 --> 00:41:38.630
It doesn't mean that there are no
backdoors, but we have some
00:41:38.630 --> 00:41:44.549
speculations for this, and one of these
is that like we saw at the beginning of
00:41:44.549 --> 00:41:48.019
the talk that there are actually systems
on the internet running this version
00:41:48.019 --> 00:41:52.210
of Red Star OS, so it would be pretty
weird if they would backdoor a system
00:41:52.210 --> 00:41:57.509
and then put it on the internet.
As far as someone gets the ISO file,
00:41:57.509 --> 00:42:03.559
and can look for backdoors and can find
some of them, they would be actually
00:42:03.559 --> 00:42:07.440
able to exploit the system
from the internet.
00:42:07.440 --> 00:42:12.630
Actually the system has a package manager
and as we saw with the pattern file
00:42:12.630 --> 00:42:17.599
it has built-in update functionality and
different services, so backdoors could
00:42:17.599 --> 00:42:22.339
just be loaded via updates
because probably they thought
00:42:22.339 --> 00:42:27.219
"okay, these ISOs might be leaked into
the outside world" and you just get
00:42:27.219 --> 00:42:33.019
an ISO, install it, update your system -
which is only possible from within the
00:42:33.019 --> 00:42:39.170
intranet of North Korea, with hard coded
internal IP addresses - so probably they
00:42:39.170 --> 00:42:43.420
thought "we only want our backdoors on
the systems which are actually located
00:42:43.420 --> 00:42:47.690
within North Korea."
00:42:47.690 --> 00:42:55.999
This is what we thought, that they thought
the ISO might be leaked, which is what
00:42:55.999 --> 00:43:00.440
actually happened. Another problem
is that, like Florian already said, they
00:43:00.440 --> 00:43:05.499
will touch a lot of code within the
operating system and we didn't manage
00:43:05.499 --> 00:43:09.900
to check all of the code. We mostly
focused on the watermarking and the
00:43:09.900 --> 00:43:14.969
virus scanning stuff, and there might be a
lot of code that should be checked further.
00:43:14.969 --> 00:43:21.789
The conclusion also is that the system's
quite self-protecting. They not only
00:43:21.789 --> 00:43:26.450
implemented several services for
integrity checking themselves but also
00:43:26.450 --> 00:43:31.150
they configured and implemented SELinux
and something like that, to just protect
00:43:31.150 --> 00:43:35.450
the system and make it more secure.
00:43:35.450 --> 00:43:39.479
What we think is really bad is this
virus scanning and watermarking,
00:43:39.479 --> 00:43:43.529
because it actually allows you to
track not only the origin but the
00:43:43.529 --> 00:43:47.859
complete distribution within the network
of those files, and combined with the
00:43:47.859 --> 00:43:53.379
virus scanner where the developers are
able to actually say what files are really
00:43:53.379 --> 00:43:58.369
malicious and what shouldn't be
distributed within the network,
00:43:58.369 --> 00:44:04.249
it just deletes those files. So these
two combined are a really strong
00:44:04.249 --> 00:44:10.349
framework which can help you to track
malicious people within your network.
00:44:10.349 --> 00:44:14.950
But some words about security: Like I
said, they have a lot of problems with
00:44:14.950 --> 00:44:22.480
file permissions. There are actually some
documents on the ISO of the server
00:44:22.480 --> 00:44:26.630
version of Red Star OS 3.0, and there are
some user guides and administration
00:44:26.630 --> 00:44:30.180
guides which are quite interesting, and
they talk a lot about how to make the
00:44:30.180 --> 00:44:34.960
system secure, how to run it secure, and
why they are doing different kinds of
00:44:34.960 --> 00:44:42.089
stuff to save the integrity of the system.
They have a huge chapter talking about
00:44:42.089 --> 00:44:46.569
file permissions, but they actually didn't
manage to fix them themselves which
00:44:46.569 --> 00:44:52.279
is quite weird. And even their custom code
uses basic memory corruption protection
00:44:52.279 --> 00:44:57.660
like stack cookies, and non-executable
stacks which we saw that a lot of security
00:44:57.660 --> 00:45:02.999
vendors don't bother to use, so we
thought this is quite funny.
00:45:02.999 --> 00:45:06.580
Some of their code is more secure than
a lot of security appliances.
00:45:06.580 --> 00:45:08.789
Slight laughter
00:45:08.789 --> 00:45:12.569
Florian: So to wrap this up--
Am I going, can you hear me? Yes.
00:45:12.569 --> 00:45:18.869
Okay so to wrap this up, again we think -
this is a guess - that primarily they try
00:45:18.869 --> 00:45:24.690
to protect and to save the integrity
of the system, which totally makes
00:45:24.690 --> 00:45:28.960
sense if you're putting out an
operating system from North Korea.
00:45:28.960 --> 00:45:32.150
The system was, in our opinion,
definitely built for home computers,
00:45:32.150 --> 00:45:37.460
so it's not like industrial control or
something else, it's definitely built
00:45:37.460 --> 00:45:43.099
for a home user because it mimics
Mac OS X and gives you all of the tools.
00:45:43.099 --> 00:45:46.849
Maybe the reason why we didn't find
backdoors is they actually know that
00:45:46.849 --> 00:45:51.390
backdoors are bullshit. Could be a
reason, we don't know.
00:45:51.390 --> 00:45:55.829
If you want to look into Red Star OS and
help us out, especially with the crypto,
00:45:55.829 --> 00:46:01.640
the pilsung kernel module which provides
custom crypto, with a look into the kernel
00:46:01.640 --> 00:46:05.839
to see if there is something hidden there,
if maybe there are backdoors there,
00:46:05.839 --> 00:46:09.390
take a look at our GitHub.
Please contribute if you find
00:46:09.390 --> 00:46:13.079
something, because we think that this
message and all of this stuff has to
00:46:13.079 --> 00:46:17.849
be put out to the public, so it is a
well-known fact that this operating
00:46:17.849 --> 00:46:25.269
system is actually abusing free software
to actually make free speech harder
00:46:25.269 --> 00:46:28.509
in a country that is quite oppressed.
00:46:28.509 --> 00:46:33.940
So with this, we are at our end and we
are going to take your questions now.
00:46:33.940 --> 00:46:46.010
Applause
00:46:46.010 --> 00:46:51.619
Herald: Thank you very much. We have
about 15 minutes time for questions.
00:46:51.619 --> 00:46:54.690
If you want to ask a question, please
come to the microphones.
00:46:54.690 --> 00:46:58.630
There are some on the right
and some on the left aisle.
00:46:58.630 --> 00:47:03.859
If you for any reason can't come to
the microphones, please raise your
00:47:03.859 --> 00:47:09.019
hand and I'll come to you
with my microphone.
00:47:19.079 --> 00:47:28.349
Okay, please line up there. If you
wanna leave now, please do this
00:47:28.349 --> 00:47:35.089
quietly through the front door.
00:47:35.089 --> 00:47:37.479
Florian: Could you raise your hand if
you have questions and standing at
00:47:37.479 --> 00:47:39.639
the microphone? There are like
three questions over there.
00:47:39.639 --> 00:47:42.030
Herald: Yeah, on the left one please.
00:47:42.030 --> 00:47:46.489
Audience 1: Hello? Yeah. So thank you
very much, it was very interesting.
00:47:46.489 --> 00:47:55.019
I have two questions: Have you tried
isolating the system in a chroot jail?
00:47:55.019 --> 00:48:00.410
And the second one is: Were there any
outbound connections, like automatic
00:48:00.410 --> 00:48:02.509
outbound connections it made?
00:48:02.509 --> 00:48:06.609
Florian: Okay so for the first question,
we did not try to run it in an isolated
00:48:06.609 --> 00:48:09.950
environment. We actually didn't--
Did we install it on a live system?
00:48:09.950 --> 00:48:12.459
I don't think so. Did we?
Niklaus: Yeah.
00:48:12.459 --> 00:48:14.910
Florian: Yeah, okay. But we didn't do any
observations that this changed the
00:48:14.910 --> 00:48:20.479
behaviour of the system. Concerning the
second question, there actually is not
00:48:20.479 --> 00:48:24.559
really outbound traffic. What it is doing
is on the local network it is talking a
00:48:24.559 --> 00:48:31.150
lot of NetBIOS stuff. So there is an
SNMP and an nmb daemon running
00:48:31.150 --> 00:48:35.249
on the system and it's talking a
lot of NetBIOS. But this is basically
00:48:35.249 --> 00:48:39.119
everything we could find. We have even
left it running for like two days, to see
00:48:39.119 --> 00:48:43.410
if there is an outbound connection for one
day or something like that. We couldn't
00:48:43.410 --> 00:48:50.229
see anything like that. So the only stuff
that Red Star's talking to the network
00:48:50.229 --> 00:48:57.009
is like this Windows NetBIOS stuff, and if
you push the button on the update
00:48:57.009 --> 00:49:00.829
feature of the virus scanner, it's
actually trying to initiate an update
00:49:00.829 --> 00:49:06.029
process that goes to five hard-coded
IP addresses that are all local.
00:49:06.029 --> 00:49:12.039
So like 192.168.9 something, and
172 whatever. These are the only
00:49:12.039 --> 00:49:16.510
network connections that we could trigger,
or that we have observed so far.
00:49:16.510 --> 00:49:20.589
A1: Thank you.
Herald: The next question is also
00:49:20.589 --> 00:49:27.459
from this microphone.
Audience 2: Two questions:
00:49:27.459 --> 00:49:33.739
Might it be possible that when you install
the system it gets code from North Korea
00:49:33.739 --> 00:49:39.150
so you cannot find out if it's calling
home because you don't get the call?
00:49:39.150 --> 00:49:42.769
Florian: Could be. Our guess is actually
that there is far more stuff that you get
00:49:42.769 --> 00:49:49.999
when you pull up the operating system in
North Korea. One reason is the organ file
00:49:49.999 --> 00:49:53.719
that Niklaus mentioned that is missing on
the system with the additional crypto
00:49:53.719 --> 00:49:58.190
information that is used for the extended
watermarking that they are applying.
00:49:58.190 --> 00:50:01.539
We don't know where this file is coming
from, and from our perspective it totally
00:50:01.539 --> 00:50:06.150
makes sense to not distribute this file
on the ISO but to kind of give it as an--
00:50:06.150 --> 00:50:09.619
I don't know, somebody has to come to
your house to install the software and
00:50:09.619 --> 00:50:14.089
then he puts like this dedicated organ
file on your desktop that is specific
00:50:14.089 --> 00:50:18.670
to you, for example. That would totally
make sense because, as you know,
00:50:18.670 --> 00:50:21.299
stuff works a little bit different.
It's not like downloading an ISO
00:50:21.299 --> 00:50:25.130
and installing it, it's probably more
complex to get this onto your system
00:50:25.130 --> 00:50:29.390
if you want to use this. So there might
be more stuff that is pushed either
00:50:29.390 --> 00:50:34.660
via updates - only internal - and this
organ file and other stuff that can get
00:50:34.660 --> 00:50:39.170
to your computer-- We don't know if this
is possible or if something is happening
00:50:39.170 --> 00:50:44.910
with this feature.
A2: And the second question is if you look
00:50:44.910 --> 00:50:49.579
at it from the North Korean view, that's
like they had the problem. They are quite
00:50:49.579 --> 00:50:54.039
happy, have a nice state, everything's
working fine from what they see, and
00:50:54.039 --> 00:50:57.839
now people come from South Korea,
from Western countries, bring their USB
00:50:57.839 --> 00:51:03.289
sticks with Western propaganda that to
have stuff like this watermarking even
00:51:03.289 --> 00:51:08.180
if it is like evil. Like a natural reaction
from a closed system.
00:51:08.180 --> 00:51:11.589
Florian: So actually it totally makes
sense to develop the system in the
00:51:11.589 --> 00:51:16.430
way they developed it. It totally makes
sense, because it kind of reflects a
00:51:16.430 --> 00:51:23.369
little bit how the government is working.
Because integrity is not only a critical
00:51:23.369 --> 00:51:30.390
part not only for the operating system,
it's also a part for the state itself.
00:51:30.390 --> 00:51:34.190
Like shutting down everything, closing
off everything - that's, by the way,
00:51:34.190 --> 00:51:40.269
the screensaver - and closing down
everything also totally makes sense.
00:51:40.269 --> 00:51:44.459
And tracking stuff that is distributed
in the country or deleting unwanted stuff
00:51:44.459 --> 00:51:52.709
also makes sense. So what we think that
Red Star resembles this and matches
00:51:52.709 --> 00:51:57.959
how culture is in North Korea, actually.
00:51:57.959 --> 00:52:02.920
Herald: Okay, we also have two questions
of the IRC which I would like to shift in.
00:52:02.920 --> 00:52:08.779
Signal angel: Thank you. Okay, the first question
is if you have any theory on how and why
00:52:08.779 --> 00:52:17.209
the ISO got leaked.
00:52:17.209 --> 00:52:23.269
Florian: We don't know this, actually. 'Why?' is--
We don't think that it was somebody
00:52:23.269 --> 00:52:27.509
from North Korea, we think that it might
be a foreigner that got it.
00:52:27.509 --> 00:52:31.450
Like Will Scott told us last year that he
was able to get a copy of it and get it
00:52:31.450 --> 00:52:34.690
out of the country. There might
be others that are able.
00:52:34.690 --> 00:52:39.180
There is actually tourism in North Korea.
You can go there for your holidays.
00:52:39.180 --> 00:52:45.349
So I guess that if you put a little bit
of effort into it, it's possible to get
00:52:45.349 --> 00:52:49.049
nearly anything out of the country if
you want to try to take the risk.
00:52:49.049 --> 00:52:53.759
But we don't know who leaked the version
and we don't know why it actually was leaked.
00:52:53.759 --> 00:52:58.099
Niklaus: There are actually rumours that
it was a Russian student who was studying
00:52:58.099 --> 00:53:01.920
in North Korea, and he bought this on the
street and just brought it out of the country
00:53:01.920 --> 00:53:05.630
and put it on his blog, but we cannot
confirm that this is actually true.
00:53:05.630 --> 00:53:11.789
Signal angel: Okay, thanks. And the second question
is if there has been any attempt at the
00:53:11.789 --> 00:53:14.749
custom kernel modules yet, like
reverse engineering or something.
00:53:14.749 --> 00:53:19.589
Florian: Well we reverse engineered rtscan
which is pretty simple because it just
00:53:19.589 --> 00:53:25.719
hooks a few function calls, that's it.
We have taken a look at the
00:53:25.719 --> 00:53:30.670
Korean Display Module on a first glance.
It seems to do what it is supposed to do,
00:53:30.670 --> 00:53:35.589
having something to do with display
management, but we didn't take a look
00:53:35.589 --> 00:53:38.799
at all of the kernel modules, all the rest
of the remaining kernel modules,
00:53:38.799 --> 00:53:43.999
because the code base is so massive
that we actually need you guys to
00:53:43.999 --> 00:53:49.089
help us out a little bit.
00:53:49.089 --> 00:53:52.749
Herald: Next question from the mic please.
Audience 3: Yes, I have another question.
00:53:52.749 --> 00:53:56.469
You said that most of the software is
based off other open source software
00:53:56.469 --> 00:54:01.150
for which you don't have the source code,
and it didn't come with the ISO, so it's
00:54:01.150 --> 00:54:03.269
pretty much a massive violation of
open source licenses.
00:54:03.269 --> 00:54:05.979
Florian: Yep, absolutely.
A3: So my question would be:
00:54:05.979 --> 00:54:12.229
Could you get an insight on what other
packages are available, or from the
00:54:12.229 --> 00:54:14.450
package manager, and what
other packages are there?
00:54:14.450 --> 00:54:20.180
Florian: Actually, there is a DVD which
also was leaked. I think that it was for
00:54:20.180 --> 00:54:25.959
Red Star 2. I'm not sure if it is also
for the latest version, but there is
00:54:25.959 --> 00:54:32.239
a CD with additional software and you
have stuff like Apache, MySQL-- pfff
00:54:32.239 --> 00:54:35.930
I don't know. All of the stuff you
basically need to run a full-blown
00:54:35.930 --> 00:54:40.589
operating system on Linux. So there is
additional software out there, you can
00:54:40.589 --> 00:54:47.529
download the DVD and install this
software on the machine.
00:54:47.529 --> 00:54:52.640
If you go through the RPM descriptions
you will see that for some of the
00:54:52.640 --> 00:55:00.989
software they even wrote-- They kind of
used a description for the license which
00:55:00.989 --> 00:55:05.130
says "KCC" which is the Korean Computer
Centre. And sometimes they use GPL,
00:55:05.130 --> 00:55:09.250
and sometimes they use GNU, and yeah.
So massive violations.
00:55:09.250 --> 00:55:12.239
A3: Did you ask them for the source code?
Laughter
00:55:12.239 --> 00:55:16.119
Florian: Actually, we think that there is
an internal git in North Korea where you
00:55:16.119 --> 00:55:20.910
can just check out everything, so...
We suppose it is this way because it's
00:55:20.910 --> 00:55:30.259
open source, right? By the way,
open source. Laughter
00:55:30.259 --> 00:55:35.440
Herald: Very nice. One more question
from here? Are you having a question?
00:55:35.440 --> 00:55:38.079
No, okay then we have one more
question from the internet.
00:55:38.079 --> 00:55:42.449
IRC: Yes, the question is if there is a
possibility to fake the watermarks
00:55:42.449 --> 00:55:46.529
to get some innocent North Korean
into trouble. Quiet laughter
00:55:46.529 --> 00:55:50.619
Florian: Yeah, no problem because the
key's hard coded. You could, like--
00:55:50.619 --> 00:55:57.229
You know how to scramble the hardware ID
or the disk serial, and you could perfectly
00:55:57.229 --> 00:56:01.690
forge documents. That would be not a
problem. Not a problem at all.
00:56:01.690 --> 00:56:07.209
You just need the serial number, basically.
A3: Okay, and I've just got another question
00:56:07.209 --> 00:56:11.279
that is: Does the warning.wav
have a watermark?
00:56:11.279 --> 00:56:14.809
Florian: Umm...
Niklaus: No, actually it has the exact
00:56:14.809 --> 00:56:19.729
same checksum as the original file.
Florian: Actually we didn't check if it--
00:56:19.729 --> 00:56:23.890
No, so it does not have a watermark
because as Niklaus said, it's the same
00:56:23.890 --> 00:56:27.739
checksum as the Kaspersky one.
A3: Okay, thanks.
00:56:27.739 --> 00:56:32.910
Herald: Okay, thank you very much.
Please give Florian and Niklaus another
00:56:32.910 --> 00:56:36.489
big round of applause for an amazing talk.
Florian: Thank you.
00:56:36.489 --> 00:56:40.093
Applause
00:56:40.093 --> 00:56:46.054
postroll music
00:56:46.054 --> 00:56:52.000
subtitles created by c3subtitles.de