1 00:00:00,000 --> 00:00:09,534 *prerole music* 2 00:00:09,534 --> 00:00:15,929 Herald: North Korea; not only famous for chocolate but for being a surveillance state 3 00:00:15,929 --> 00:00:22,289 And as a good surveillance state, it has to have its own operation system. 4 00:00:22,289 --> 00:00:27,710 Because how will you do proper surveillance without your own operation system? 5 00:00:27,710 --> 00:00:35,550 Today, we get a brief introduction how Red Star OS is working. 6 00:00:35,550 --> 00:00:38,910 The introduction will have a specific focus on the custom code 7 00:00:38,910 --> 00:00:45,350 which was inserted for surveillance, and especially how to get around it. 8 00:00:45,350 --> 00:00:52,420 So please welcome Florian and Niklaus with a big round of applause. 9 00:00:52,420 --> 00:01:00,600 *Applause* 10 00:01:00,600 --> 00:01:03,230 Florian Grunow: Hey everybody, thanks for having us. 11 00:01:03,230 --> 00:01:08,070 We are going to give you a deep dive into Red Star OS. 12 00:01:08,070 --> 00:01:12,070 Actually, we were kind of surprised that there is not so much information 13 00:01:12,070 --> 00:01:17,850 on the net about really the core of Red Star and what is it doing. 14 00:01:17,850 --> 00:01:22,310 So we thought we would change this, and give you an insight in how 15 00:01:22,310 --> 00:01:26,500 this Operating System works, and by looking into the technical aspects 16 00:01:26,500 --> 00:01:33,700 of Red Star you can also draw conclusions about how development in North Korea 17 00:01:33,700 --> 00:01:38,200 is evolving and is, maybe, catching up. 18 00:01:38,200 --> 00:01:42,390 So what we're going to talk about is: First of all, a short introduction 19 00:01:42,390 --> 00:01:45,630 into the motivation; why are we doing this? We are going through 20 00:01:45,630 --> 00:01:49,720 the architecture of Red Star; we are going to show you the components in the core 21 00:01:49,720 --> 00:01:53,640 in the operating system itself; and then we will take a deep dive into 22 00:01:53,640 --> 00:01:57,440 the additional components, all of the programs that are coming from North Korea 23 00:01:57,440 --> 00:02:01,470 and are supplied with the ISO of Red Star OS. 24 00:02:01,470 --> 00:02:06,500 After that, we are going to give you a deep dive into the most interesting features 25 00:02:06,500 --> 00:02:13,290 of Red Star OS; and then we will be able to draw our own conclusions; 26 00:02:13,290 --> 00:02:16,069 and afterwards we will have time for questions, we hope. 27 00:02:16,069 --> 00:02:21,459 By the way, this picture on the left you can see here is actually one of the-- 28 00:02:21,459 --> 00:02:28,579 I think it's the screensaver right from Red Star OS. *Laughter* So, um, yeah. 29 00:02:28,579 --> 00:02:32,849 So before we begin, we need to do this disclaimer: 30 00:02:32,849 --> 00:02:37,959 For your information we have never visited DPRK, we have never been to North Korea. 31 00:02:37,959 --> 00:02:41,549 All we know about North Korea is from public sources, from the internet, 32 00:02:41,549 --> 00:02:47,450 from media, whatever. So what we are going to say about North Korea 33 00:02:47,450 --> 00:02:52,590 has to be speculation because we don't know exactly what happens in North Korea. 34 00:02:52,590 --> 00:02:58,370 Also, the ISOs that we have been analysing are found publicly available on 35 00:02:58,370 --> 00:03:02,499 the internet, [and] may be fake. We don't think that they are fake because 36 00:03:02,499 --> 00:03:09,340 Will Scott has shown last year on the 31C3 how Red Star looks, and everything that 37 00:03:09,340 --> 00:03:15,719 he has been showing is basically in the ISO, so we think it is legit. 38 00:03:15,719 --> 00:03:20,840 Remember that we are not going to make fun of anybody in this talk. We are not going 39 00:03:20,840 --> 00:03:24,319 to make fun of the developers, and we are certainly not going to make fun of 40 00:03:24,319 --> 00:03:30,040 the people in the DPRK, because we think that our presentation might have some 41 00:03:30,040 --> 00:03:36,120 funny aspects or something that makes you laugh - which is perfectly fine - but 42 00:03:36,120 --> 00:03:41,889 looking at Red Star in detail is kind of a surveillance mess, I would say, and 43 00:03:41,889 --> 00:03:48,449 it's a security or privacy nightmare. So keep these aspects in mind. 44 00:03:48,449 --> 00:03:51,849 Also, this talk is not going to focus about security. We're not going to talk 45 00:03:51,849 --> 00:03:56,010 about security. Many of the publications available on the internet are 46 00:03:56,010 --> 00:04:00,290 about security, and we're not going to focus on this in this presentation. 47 00:04:00,290 --> 00:04:06,849 So, why are we doing this? Red Star ISOs have been leaked some time ago; there is 48 00:04:06,849 --> 00:04:12,290 a version 2 hanging around the internet and there is obviously a version 3.0 49 00:04:12,290 --> 00:04:17,099 which has been leaked at the end of 2014, and we were quite surprised at the middle 50 00:04:17,099 --> 00:04:20,459 of the year that there is no in-depth analysis of this operating system. 51 00:04:20,459 --> 00:04:25,080 So most of the blogs and news articles are quite superficial that you can find out there, 52 00:04:25,080 --> 00:04:31,370 and this is kind of surprising because if there is some kind of state that 53 00:04:31,370 --> 00:04:35,680 doesn't put focus on transparency and free speech, and they are putting out an 54 00:04:35,680 --> 00:04:41,419 operating system, you kind of want to know how do they build their operating system. 55 00:04:41,419 --> 00:04:46,349 So that was one of the major aspects for us to look into it. The other aspect was 56 00:04:46,349 --> 00:04:50,580 to find out how is the state of software development in DPRK; 57 00:04:50,580 --> 00:04:58,519 how are they developing software? Do they have a well-thought architecture; 58 00:04:58,519 --> 00:05:04,229 are they thinking about what they are doing? How is the skill level of software 59 00:05:04,229 --> 00:05:08,669 development in North Korea? So these were the two aspects that 60 00:05:08,669 --> 00:05:10,370 we wanted to find out. 61 00:05:10,370 --> 00:05:15,189 So if you look at previous work, as I said there is mostly superficial stuff. 62 00:05:15,189 --> 00:05:22,659 There is some information that Red Star OS actually looks like Mac OSX, and we will 63 00:05:22,659 --> 00:05:27,129 go into this a little bit further. Then we have this talk from Will Scott 64 00:05:27,129 --> 00:05:31,439 last year at 31C3, who was talking about Computer Science in DPRK which was 65 00:05:31,439 --> 00:05:37,159 very very interesting, and gave a pretty good insight into what's happening in DPRK. 66 00:05:37,159 --> 00:05:44,349 And then we have a bunch of guys who looked into the browser of Red Star, 67 00:05:44,349 --> 00:05:46,319 which is also quite interesting. 68 00:05:46,319 --> 00:05:53,310 So what we are going to do now is-- I'm going to show you the custom basic 69 00:05:53,310 --> 00:05:58,180 components; I'm going to talk a little bit about integrity on the system; then I will 70 00:05:58,180 --> 00:06:04,610 hand over to Niklaus who will be looking into the core and surveillance features; 71 00:06:04,610 --> 00:06:08,319 and then as I said, we will have time for questions afterwards. 72 00:06:08,319 --> 00:06:13,340 So there are different leaked versions out there, as I said. We have a desktop and 73 00:06:13,340 --> 00:06:19,319 a server version of Red Star, so you can also use Red Star as a server, and it 74 00:06:19,319 --> 00:06:23,430 turns out that server version 3 is actually used on the internet right now. 75 00:06:23,430 --> 00:06:28,520 As you can see, there is a server header returned: "Red Star 3.0" 76 00:06:28,520 --> 00:06:32,750 This is an IP address of the server, and it is pointing into North Korea. 77 00:06:32,750 --> 00:06:37,379 So this is one of the few web sites that is publicly facing the internet from 78 00:06:37,379 --> 00:06:44,259 North Korea, and they are obviously using the server version 3.0. So 3.0 might 79 00:06:44,259 --> 00:06:48,500 actually be the latest version. There is another version, it's 2.0, 80 00:06:48,500 --> 00:06:53,550 which has also been leaked to the internet, and then there is supposedly something 81 00:06:53,550 --> 00:07:02,139 that looks like 2.5; we have found some South Korean documents that seem to be 82 00:07:02,139 --> 00:07:08,909 analysing the system quite superficially, and it looks like 2.5 actually resembles 83 00:07:08,909 --> 00:07:14,139 the look and feel of Windows XP. So you kind of see this evolution right now from 84 00:07:14,139 --> 00:07:19,319 2.5 XP going to 3.0 mimicking Mac OSX. 85 00:07:19,319 --> 00:07:24,499 Our talk will focus on the desktop version which is desktop 3.0 86 00:07:24,499 --> 00:07:28,770 If you look at the timeline, which is a guess - there's no documentation available 87 00:07:28,770 --> 00:07:35,400 on how they did it, obviously - if you look at the 3.0 version you see that it is 88 00:07:35,400 --> 00:07:41,780 based on Fedora 11 which came out in 2009. So our guess is they started developing 3.0 89 00:07:41,780 --> 00:07:48,029 in 2009 with this Fedora 11 release. The kernel that they are using is 2.6.38 90 00:07:48,029 --> 00:07:55,840 which came out with Fedora 15 in 2011. So it could be that the OS itself is 91 00:07:55,840 --> 00:08:00,759 a little bit older, the kernel is a little bit newer, and the latest package build 92 00:08:00,759 --> 00:08:05,150 dates that you can see in Red Star OS date to June 2013. 93 00:08:05,150 --> 00:08:11,789 So our educated guess is that Red Star came out in June 2013 or a little bit later, 94 00:08:11,789 --> 00:08:13,939 a few weeks later or months later. 95 00:08:13,939 --> 00:08:18,219 In December 2014 we had the public leak, so the ISOs have been leaked to the internet 96 00:08:18,219 --> 00:08:21,479 and are publicly available right now. 97 00:08:21,479 --> 00:08:26,449 If you look into the operating system, it's basically a fully-featured desktop system 98 00:08:26,449 --> 00:08:31,150 you might imagine. It's based on KDE and Fedora as I already said, and it tries 99 00:08:31,150 --> 00:08:36,230 to mimic the look and feel of Mac OSX. You have an e-mail client, a calendar, 100 00:08:36,230 --> 00:08:41,260 a word processor, you've got Quicktime and all of that stuff. You even have a disk 101 00:08:41,260 --> 00:08:45,850 encryption utility that Will Scott has shown last year. 102 00:08:45,850 --> 00:08:51,630 They implemented additional kernel modules and they touched a lot of kernel modules. 103 00:08:51,630 --> 00:08:55,180 They have this kernel module "rtscan" which Niklaus is going to say a little bit 104 00:08:55,180 --> 00:09:00,120 more about, they have this kernel module called "pilsung" - I was told this 105 00:09:00,120 --> 00:09:05,210 means "victory" in Korean - and that kind of is a kernel module that supplies 106 00:09:05,210 --> 00:09:12,280 AES encryption. So they implemented an own kernel module to supply something like AES. 107 00:09:12,280 --> 00:09:16,290 Then there is a kernel module called "kdm" which is the Korean Display Module, 108 00:09:16,290 --> 00:09:20,960 and "kimm"-- *muffled laughter* --which is not what it's like-- 109 00:09:20,960 --> 00:09:24,800 it's not looking-- *laughter* Well, I'll just go on. 110 00:09:24,800 --> 00:09:31,130 It basically just does something with Korean letters and displaying Korean 111 00:09:31,130 --> 00:09:35,250 letters on the screen. 112 00:09:35,250 --> 00:09:39,710 Red Star has been developed by the KCC, the Korean Computer Centre. 113 00:09:39,710 --> 00:09:46,720 It's quite interesting that since a few years ago they had an office in Berlin. 114 00:09:46,720 --> 00:09:50,750 I don't know what they did there, but they obviously had an office in Berlin 115 00:09:50,750 --> 00:09:55,320 maybe for knowledge sharing, whatever. If you look at the system hardening, 116 00:09:55,320 --> 00:09:58,480 it's quite interesting that they took care of system hardening. 117 00:09:58,480 --> 00:10:02,780 So they implemented SELinux rules with custom modules, they have IP tables 118 00:10:02,780 --> 00:10:06,860 rolled out immediately so you don't have to activate it or put your rules into it; 119 00:10:06,860 --> 00:10:11,640 the firewall is working. They even have Snort installed on the system. 120 00:10:11,640 --> 00:10:16,290 It's not running by default but they are kind of delivering it by default, and they 121 00:10:16,290 --> 00:10:21,590 have a lot of custom services that we are going to look into right now. 122 00:10:21,590 --> 00:10:25,880 Quite interesting is-- so why should North Korea mimic Mac OSX? 123 00:10:25,880 --> 00:10:30,150 That might be one reason right there: because this young fella sitting on the left 124 00:10:30,150 --> 00:10:35,900 is actually using an iMac right here. So this is one reason. 125 00:10:35,900 --> 00:10:40,700 So why should they implement their own operating system? There actually are 126 00:10:40,700 --> 00:10:48,210 so-called anthologies put out by the leader, and one anthology by Kim Jong-il says that 127 00:10:48,210 --> 00:10:54,220 - if you translate it correctly, and we try to - "in the process of programming, 128 00:10:54,220 --> 00:10:59,290 it is important to develop one in our own style," and with "one" he means programs 129 00:10:59,290 --> 00:11:05,990 and operating systems. So there is this clear guidance that North Korea should not 130 00:11:05,990 --> 00:11:11,620 rely on third-party Western operating system and programs, they should 131 00:11:11,620 --> 00:11:15,290 develop this stuff on their own. And by looking at the code and everything 132 00:11:15,290 --> 00:11:19,470 that we have by Red Star OS, this is exactly what they did. They touched 133 00:11:19,470 --> 00:11:24,260 nearly everything on the operating system, changed it a little bit, added custom code 134 00:11:24,260 --> 00:11:28,710 and so this is actually what they are doing right there. 135 00:11:28,710 --> 00:11:34,060 The custom applications that you have is a browser, which translates to "my country." 136 00:11:34,060 --> 00:11:40,470 You also have a crypto tool that Will Scott has shown last year which is called Bokem 137 00:11:40,470 --> 00:11:44,230 which if you translate it kind of translates to "sword." 138 00:11:44,230 --> 00:11:49,780 You have Sogwang Office which is an OpenOffice customised for North Korean use. 139 00:11:49,780 --> 00:11:53,920 A software manager; you have MusicScore which is an application you can compose 140 00:11:53,920 --> 00:11:59,270 music with. Then you have a program which is called "rootsetting" and it basically 141 00:11:59,270 --> 00:12:03,520 gives you root. So if you look into the documentation, it says you are not 142 00:12:03,520 --> 00:12:07,520 supposed to have root on the system for integrity reasons, but if you want to get 143 00:12:07,520 --> 00:12:12,940 root you can use this tool, so they're not hiding anything. So there are rumours 144 00:12:12,940 --> 00:12:16,110 on the net that say that you're not supposed to get root on the system 145 00:12:16,110 --> 00:12:21,370 because it's so locked down. This is not true obviously because there is software 146 00:12:21,370 --> 00:12:24,140 intended to give you administrative privileges. 147 00:12:24,140 --> 00:12:30,240 They even touched KDM, so the code base that they touched is really, really big. 148 00:12:30,240 --> 00:12:32,760 Nearly the whole operating system. 149 00:12:32,760 --> 00:12:38,250 We are now going to give you a demo. The first demo that we are doing, we are 150 00:12:38,250 --> 00:12:42,390 doing it right now, because we are actually doing this presentation 151 00:12:42,390 --> 00:12:55,080 in Red Star OS. *Laughter and applause* 152 00:12:55,080 --> 00:12:58,990 So what you see right here is basically Red Star OS. We're going to show 153 00:12:58,990 --> 00:13:03,480 some of the aspects to you. There are many many screenshots on the internet, some of you might already 154 00:13:03,480 --> 00:13:06,980 know how Red Star works, you might have experience yourself. 155 00:13:06,980 --> 00:13:09,600 We're just going over a few interesting issues. 156 00:13:09,600 --> 00:13:16,110 So as you have seen, there is a full-blown set of word processing, Powerpoint 157 00:13:16,110 --> 00:13:22,150 presentation stuff. I'm going to open up the browser-- pfft, whatever. *Laughter* 158 00:13:22,150 --> 00:13:31,240 --and going into the preferences just to give you a quick-- no. *Muted laughter* 159 00:13:31,240 --> 00:13:38,580 Oh. *Laughter* Yeah, to give you an insight on the Certificate Authorities that are 160 00:13:38,580 --> 00:13:43,720 implemented in this Firefox version - it's Firefox 3 - so you see there is not so many 161 00:13:43,720 --> 00:13:50,740 Certificate Authorities right here, and they all are I guess from North Korea. 162 00:13:50,740 --> 00:13:55,780 So the browser is totally created to not be used outside of North Korea, 163 00:13:55,780 --> 00:14:04,170 which you can see in the URL bar. There is an internal IP address 164 00:14:04,170 --> 00:14:08,630 which points into the network of North Korea, and all of the settings, 165 00:14:08,630 --> 00:14:11,940 proxy settings, hard-coded IP addresses, or whatever, all point into this 166 00:14:11,940 --> 00:14:16,070 internal infrastructure of North Korea. So this browser and the e-mail program 167 00:14:16,070 --> 00:14:19,380 was never intended to be used outside of North Korea. 168 00:14:19,380 --> 00:14:22,900 *Pfft* Okay. *Laughter* What else do we have? 169 00:14:22,900 --> 00:14:29,000 Okay, we have a Quicktime player. So speaking of Mac OSX, 170 00:14:29,000 --> 00:14:41,000 you all have seen this. Woo! Swoosh. Right? Okay, so that perfectly mimics Mac OSX. 171 00:14:41,000 --> 00:14:45,670 So let me try to find-- I'll try with aplay right here. 172 00:14:45,670 --> 00:14:51,800 So this is the shell. Quite interesting is that when we were looking through 173 00:14:51,800 --> 00:14:57,310 all of this stuff, there is a bunch of files that have a certain protection, 174 00:14:57,310 --> 00:15:00,420 and they seem to be pretty important for the system, and there is a 175 00:15:00,420 --> 00:15:06,630 wave file - an audio wave file - that actually is protected. 176 00:15:06,630 --> 00:15:15,170 It's usr/lib/Warnning.wav; I don't know if we can hear this. 177 00:15:15,170 --> 00:15:19,000 I hope that your ears are not going to explode right now. I'll just try it. 178 00:15:19,000 --> 00:15:22,430 *Pig squealing* I'll try it again. 179 00:15:22,430 --> 00:15:25,870 *Pig squealing* You hear that? *Laughter* 180 00:15:25,870 --> 00:15:28,740 *Pig squealing* Does anybody know what this is? 181 00:15:28,740 --> 00:15:33,670 *Shouts of "pig" from audience* Pardon me? Pig, exactly. 182 00:15:33,670 --> 00:15:36,430 And where is it coming from? Does anybody know? 183 00:15:36,430 --> 00:15:39,970 That's stolen from Kaspersky antivirus, because in the older version of 184 00:15:39,970 --> 00:15:45,340 Kaspersky antivirus if you find a virus it actually will play this sound, and it's 185 00:15:45,340 --> 00:15:49,970 exactly the wav file from Kaspersky; we verified this by doing checksums, okay. 186 00:15:49,970 --> 00:16:03,310 *Laughter* So we have a copyright violation right here. *Laughter and applause* 187 00:16:03,310 --> 00:16:07,770 So what else do we have? I've been talking about this, you can create your own music. 188 00:16:07,770 --> 00:16:12,630 I'm not going to do this now because I'm not good at making music. 189 00:16:12,630 --> 00:16:16,300 What else do we have? We have the browser. Did we want to show-- ah yeah. 190 00:16:16,300 --> 00:16:20,570 I'm going to show you one more thing. I'm not going to show you the encryption 191 00:16:20,570 --> 00:16:28,980 tool because Will Scott has done this last year, but to give you an insight into 192 00:16:28,980 --> 00:16:33,970 the crypto tool, it's pretty interesting. If you look at the description of the bokem3, 193 00:16:33,970 --> 00:16:38,260 bokem is the tool that is used for disk encryption so it provides the user a tool 194 00:16:38,260 --> 00:16:42,470 to encrypt files or even the complete hard drive, and if you look into 195 00:16:42,470 --> 00:16:49,730 the description it says "this allows the user to store his/her privacy data with encrypted," 196 00:16:49,730 --> 00:16:56,420 which is quite nice. I mean, we didn't expect to have something like this 197 00:16:56,420 --> 00:17:04,000 in Red Star. So the user can at least try to encrypt files. 198 00:17:04,000 --> 00:17:08,750 Bokem is using out-of-the-box crypto that comes with the kernel. 199 00:17:08,750 --> 00:17:14,240 It also uses pilsung, which we don't know if there are any backdoors in it or not, 200 00:17:14,240 --> 00:17:19,849 so we have no idea if this is possible to decrypt with a master key or something. 201 00:17:19,849 --> 00:17:24,140 If you want to look into this, we would be happy if someone with big crypto 202 00:17:24,140 --> 00:17:32,750 experience would look into it. So let me get back to the presentation. 203 00:17:32,750 --> 00:17:39,440 Ah! One thing I need to show you is this red flag on the right corner, right here. 204 00:17:39,440 --> 00:17:46,410 If you look into this, and you translate - I didn't click the right one - if you are 205 00:17:46,410 --> 00:17:52,110 going to translate all of this, you will find that all of the strings and all of 206 00:17:52,110 --> 00:17:59,160 the text that you see right here, they seem to be an antivirus scanner. 207 00:17:59,160 --> 00:18:03,510 So they even implemented from scratch an antivirus scanner in Red Star OS. 208 00:18:03,510 --> 00:18:08,230 You can now select the folder or a file and say run a check on the file, 209 00:18:08,230 --> 00:18:13,050 and if the file is actually a malicious file - we will come to that part later, 210 00:18:13,050 --> 00:18:17,870 what "malicious" is - it will instantly be deleted from the hard drive. 211 00:18:17,870 --> 00:18:25,260 So this is an interesting feature, having a virus scanner in a Linux OS. 212 00:18:25,260 --> 00:18:28,570 Okay so let's look at the custom components. We have been 213 00:18:28,570 --> 00:18:32,290 looking into the user space a little bit, and all of the programs that come with it. 214 00:18:32,290 --> 00:18:37,400 There is far more stuff. Download the ISO, play around with it a little bit. 215 00:18:37,400 --> 00:18:41,610 First, change the language to English. You will obviously not get far 216 00:18:41,610 --> 00:18:46,260 if your Korean is bad. So change the language and 217 00:18:46,260 --> 00:18:48,030 play around with it a little bit. 218 00:18:48,030 --> 00:18:53,020 So Red Star Comes with interesting packages. 219 00:18:53,020 --> 00:18:56,620 They touched KDE as I said. They are getting out an integrity 220 00:18:56,620 --> 00:19:00,210 checker and a security daemon. There are signature packages right here 221 00:19:00,210 --> 00:19:05,840 which Niklaus is going to talk about a little bit, there are policies for selinux, 222 00:19:05,840 --> 00:19:11,280 and I'm going to talk about two of the integrity checking mechanisms that 223 00:19:11,280 --> 00:19:12,300 Red Star has. 224 00:19:12,300 --> 00:19:17,730 So by looking at Red Star, we saw that one thing was pretty important to them: 225 00:19:17,730 --> 00:19:22,710 They wanted to preserve the integrity of the system, and one way to do this 226 00:19:22,710 --> 00:19:27,140 is using this process right here, it's called "intcheck." 227 00:19:27,140 --> 00:19:32,280 It comes with an SQLite database with hashes of files on the system, 228 00:19:32,280 --> 00:19:36,920 like signatures for the system, and you can configure it from user space so 229 00:19:36,920 --> 00:19:40,770 it's not pretty hidden, it's pretty transparent to the user. 230 00:19:40,770 --> 00:19:44,660 I think there even comes a UI with it where you can configure everything, 231 00:19:44,660 --> 00:19:48,540 and it's run at boot. It checks the files and if it sees that the files have been 232 00:19:48,540 --> 00:19:52,350 manipulated or tampered with - if the checksum changes - then it will issue 233 00:19:52,350 --> 00:19:55,600 a warning to the user. So you get a small popup that says, 234 00:19:55,600 --> 00:20:00,380 "this file has been tampered with," the security or the integrity of the system 235 00:20:00,380 --> 00:20:05,950 is not where it should be. So that's pretty much what this thing does. 236 00:20:05,950 --> 00:20:11,270 securityd is kind of interesting, because securityd is also a process that is known 237 00:20:11,270 --> 00:20:18,090 to run under Mac OSX. I'm not a Mac user, and I think that Mac OSX with securityd 238 00:20:18,090 --> 00:20:21,440 is keeping track of certificates and stuff like that. 239 00:20:21,440 --> 00:20:26,910 So what they did is they reimplemented securityd for Linux, and they included 240 00:20:26,910 --> 00:20:32,900 various plugins. One interesting issue with securityd is it comes with a library 241 00:20:32,900 --> 00:20:37,260 that provides a function called validate_os(), and what this function does 242 00:20:37,260 --> 00:20:43,280 is it has a hard-coded list of files. You can see like our wav file right here, 243 00:20:43,280 --> 00:20:48,930 you can see configuration files, and autostart files for scnprc which is 244 00:20:48,930 --> 00:20:54,190 the antivirus scanner. So it checks if these files are untouched, and if 245 00:20:54,190 --> 00:20:59,020 these files have been tampered with it initiates a reboot instantly. 246 00:20:59,020 --> 00:21:03,500 So if you touch one of these files, your machine will reboot instantly. 247 00:21:03,500 --> 00:21:11,080 The same library is also used from KDM, so during the startup process when KDM is 248 00:21:11,080 --> 00:21:15,820 starting it is also doing an integrity check, and if it finds that one of these files has 249 00:21:15,820 --> 00:21:20,460 been tampered with it actually immediately issues a reboot, and the problem is 250 00:21:20,460 --> 00:21:24,000 that if you start tampering with the system you will end up in reboot loops 251 00:21:24,000 --> 00:21:29,809 all of the time if you're doing research, because once KDM is saying reboot 252 00:21:29,809 --> 00:21:33,450 the system, it's going to check it again if it's rebooted and sees that it's 253 00:21:33,450 --> 00:21:36,660 still tampered with and it reboots again, and again, and again, and then your 254 00:21:36,660 --> 00:21:40,000 system is basically dead. So what they tried to do with intcheck 255 00:21:40,000 --> 00:21:45,860 and securityd is try and protect certain files, conserve the integrity of these files, 256 00:21:45,860 --> 00:21:50,600 and if these files get tampered with they assume that it is better to have an 257 00:21:50,600 --> 00:21:55,280 operating system that you cannot work with any more than to still let it run or 258 00:21:55,280 --> 00:22:00,220 issue any warning. So integrity is one of the main aspects 259 00:22:00,220 --> 00:22:03,030 they were looking for in implementing Red Star. 260 00:22:03,030 --> 00:22:08,000 Okay, I will hand over to Niklaus and he will go into the guts and the 261 00:22:08,000 --> 00:22:12,500 surveillance features a little bit more. 262 00:22:12,500 --> 00:22:14,940 Niklaus Schiess: The most interesting feature-- package we found was this 263 00:22:14,940 --> 00:22:21,280 esig-cb package, which actually says in the description that it's an 264 00:22:21,280 --> 00:22:26,790 "electronic signature system," but we found that it is doing a lot of weird stuff. 265 00:22:26,790 --> 00:22:30,570 This is actually one of the pictures which is included in the package, 266 00:22:30,570 --> 00:22:34,420 which is also protected. We don't know really why, but it says something like 267 00:22:34,420 --> 00:22:38,300 "this is our copyright;" and "don't break it;" 268 00:22:38,300 --> 00:22:41,020 and "don't copy it;" and stuff like that. 269 00:22:41,020 --> 00:22:45,559 But it's actually doing something really different. 270 00:22:45,559 --> 00:22:49,500 It includes several pretty interesting files. We have some configuration files, 271 00:22:49,500 --> 00:22:54,059 we have a kernel module, and we also have this redflag.bmp which is the 272 00:22:54,059 --> 00:22:57,820 picture you just saw, and we have the warning file, and we have some 273 00:22:57,820 --> 00:23:03,500 shared libraries, and we'll go now into details what these are actually doing. 274 00:23:03,500 --> 00:23:07,640 So the first thing we looked at was because there is a kernel module 275 00:23:07,640 --> 00:23:11,890 loaded by default, and we thought if you want to put some backdoors in it 276 00:23:11,890 --> 00:23:16,010 where would you want to put it? Right in the kernel module, probably. 277 00:23:16,010 --> 00:23:20,290 And what it does, it's actually just hooking several system calls which 278 00:23:20,290 --> 00:23:26,630 provides a device which is actually interfaced to the kernel so you have 279 00:23:26,630 --> 00:23:30,500 different services running on a system who are actually talking to this 280 00:23:30,500 --> 00:23:33,730 kernel module via this device, and it has some functionality like 281 00:23:33,730 --> 00:23:39,080 it can protect PIDs. So when you're protecting a specific process then 282 00:23:39,080 --> 00:23:42,429 even root cannot kill this process, which will be quite interesting 283 00:23:42,429 --> 00:23:47,990 in the next slides. It also provides functionality to on one side protect 284 00:23:47,990 --> 00:23:52,670 files, and on the other side to hide files. So protect means you cannot edit 285 00:23:52,670 --> 00:23:56,040 the file, and hide means you cannot even read the file. 286 00:23:56,040 --> 00:23:59,710 So even if you had root user, you can't even read those files. 287 00:23:59,710 --> 00:24:04,679 And on the right side is actually how the services are interacting with this 288 00:24:04,679 --> 00:24:10,840 kernel module, and this is one function which mostly protects and hides the files 289 00:24:10,840 --> 00:24:15,520 which we just saw, which are included in this esignature package. 290 00:24:15,520 --> 00:24:19,559 Then like Florian said, we have this virus scanner which at first glance 291 00:24:19,559 --> 00:24:25,200 at least looks like a virus scanner, and this is this "scnprc" process. 292 00:24:25,200 --> 00:24:29,030 It provides a GUI to the user so it's quite transparent so the user can see 293 00:24:29,030 --> 00:24:32,410 "okay, I have something that looks like a virus scanner, and I can also 294 00:24:32,410 --> 00:24:35,320 trigger some scans of different directories," 295 00:24:35,320 --> 00:24:40,760 and it's started by kdeinit. So there's this scnprc desktop file which is 296 00:24:40,760 --> 00:24:45,550 quite interesting because what you want to do is disable it, but you 297 00:24:45,550 --> 00:24:48,220 cannot actually edit these file. So as soon as you edit this file 298 00:24:48,220 --> 00:24:51,340 and save it, then the system will immediately reboot. 299 00:24:51,340 --> 00:24:54,479 So disabling it is not so easy. 300 00:24:54,479 --> 00:24:58,570 Like I already said, you have different ways of scanning. You can just click 301 00:24:58,570 --> 00:25:02,150 on a folder and say "scan this," but also if you for example plug in 302 00:25:02,150 --> 00:25:06,860 a USB stick into the system then it will automatically scan the files on the USB stick. 303 00:25:06,860 --> 00:25:11,610 And this scnprc service is actually loading the kernel module, and 304 00:25:11,610 --> 00:25:15,520 it starts another service which is called "opprc" which we are going to 305 00:25:15,520 --> 00:25:22,790 look in detail in a minute, and this is also quite interesting this next service. 306 00:25:22,790 --> 00:25:28,960 But the pattern matching, we looked into this a little bit and there's another 307 00:25:28,960 --> 00:25:34,730 package. So we have this esig-cb package and you have esic-cb-db package which 308 00:25:34,730 --> 00:25:40,100 actually just provides this one single "AnGae" file. As far as we know, 309 00:25:40,100 --> 00:25:44,520 it means "fog" in Korean. And this is basically a signature file, or how the 310 00:25:44,520 --> 00:25:49,809 code references it a pattern file. It's a file with a well-defined file format 311 00:25:49,809 --> 00:25:53,429 and it includes patterns which are loaded into memory, and as soon as 312 00:25:53,429 --> 00:25:57,380 you are scanning a file it just checks if these patterns are matching and as soon 313 00:25:57,380 --> 00:26:02,309 as the patterns are matched then it immediately deletes the file and it 314 00:26:02,309 --> 00:26:08,630 plays the warning, and this is one of the hidden files so even if you get root 315 00:26:08,630 --> 00:26:12,040 privilege on the system you are not able to actually read this file. 316 00:26:12,040 --> 00:26:15,540 So a user of the operating system won't be able to check "okay, what does it 317 00:26:15,540 --> 00:26:20,030 check and can I produce documents which won't be detected by this" 318 00:26:20,030 --> 00:26:23,010 because you cannot actually read this file. 319 00:26:23,010 --> 00:26:31,370 We took a look into this. Most likely our best guess is that these contain-- 320 00:26:31,370 --> 00:26:35,110 A lot of the files are little-endian so you always have to switch the bytes 321 00:26:35,110 --> 00:26:40,720 and we saw that it looks at least like they are UTF-16 strings with Korean, 322 00:26:40,720 --> 00:26:45,000 Chinese, and some other weird characters, and if we put these in Google Translate 323 00:26:45,000 --> 00:26:49,720 then there are actually some pretty weird and disturbing terms in those files. 324 00:26:49,720 --> 00:26:53,620 But we actually cannot confirm this. It looks like they are actually not 325 00:26:53,620 --> 00:26:57,910 scanning for malware in the system, so most likely they are checking documents 326 00:26:57,910 --> 00:27:02,020 and if those documents match those patterns then they are most likely-- 327 00:27:02,020 --> 00:27:05,460 for example, governments don't want these files to be distributed within the intranet 328 00:27:05,460 --> 00:27:07,850 of North Korea then it just deletes those files. 329 00:27:07,850 --> 00:27:12,200 But actually we cannot confirm this because we are not quite sure if you 330 00:27:12,200 --> 00:27:17,570 put those strings in Google Translate that they are actually real translations. 331 00:27:17,570 --> 00:27:22,809 But you can always update these pattern files, so on the one side is scnprc has a 332 00:27:22,809 --> 00:27:26,610 built-in update process where it just updates the file itself, or you can just 333 00:27:26,610 --> 00:27:30,340 when you are doing operating system update via your package manager 334 00:27:30,340 --> 00:27:35,809 and you update this esig-cb-db package and you also get a brand new file. 335 00:27:35,809 --> 00:27:40,830 The interesting part of this is that the developers decide what is malicious. 336 00:27:40,830 --> 00:27:46,110 So it's not necessarily that "malicious" means that it's malware, that it's 337 00:27:46,110 --> 00:27:52,179 bad for you, but somewhere the developers and officials will actually say, 338 00:27:52,179 --> 00:27:55,559 "okay, we don't want those files distributed, just delete them 339 00:27:55,559 --> 00:27:57,980 "because we think they are malicious." 340 00:27:57,980 --> 00:28:02,799 There is this other service which I was also talking about, this "opprc." 341 00:28:02,799 --> 00:28:06,260 This is more interesting than the virus scanning itself. 342 00:28:06,260 --> 00:28:10,179 It's running in the background, so actually a user will not see that there 343 00:28:10,179 --> 00:28:13,549 is actually another service running, you don't have any GUI or something like that, 344 00:28:13,549 --> 00:28:17,809 you cannot trick or something with this, and this is one of the protected PIDs. 345 00:28:17,809 --> 00:28:23,750 So scnprc for example you can just kill with root privileges, but this is a process 346 00:28:23,750 --> 00:28:27,710 no one can kill on the system, and this is quite interesting because 347 00:28:27,710 --> 00:28:32,240 you cannot unload the kernel module unless this service is killed, so they 348 00:28:32,240 --> 00:28:37,360 are actually protecting each other so that no one can stop the services at all. 349 00:28:37,360 --> 00:28:40,660 And this service shares a lot of code with the scnprc. 350 00:28:40,660 --> 00:28:45,559 We just did some entropy checking and saw okay-- I will talk in a minute 351 00:28:45,559 --> 00:28:51,610 when we are comparing more of these files why we think that this looks 352 00:28:51,610 --> 00:28:55,020 pretty much the same, why they are sharing so much code, because 353 00:28:55,020 --> 00:28:58,710 we found something interesting with older versions of those services. 354 00:28:58,710 --> 00:29:03,600 But the most interesting thing this service is doing is it watermarks files. 355 00:29:03,600 --> 00:29:07,630 And now we are going to look deeper into what this watermarking means. 356 00:29:07,630 --> 00:29:11,850 So actually as soon as this system is started, it reads your hard disk serial 357 00:29:11,850 --> 00:29:15,660 and then scrambles it a little bit, and as soon as you are for example 358 00:29:15,660 --> 00:29:20,740 plugging a USB stick into your system then it will trigger a watermarking 359 00:29:20,740 --> 00:29:25,080 process where it takes the serial, takes a hard-coded DES key from 360 00:29:25,080 --> 00:29:28,850 the binary itself, and then encrypts it and then puts it into your file. 361 00:29:28,850 --> 00:29:35,049 And when you are converting this hex key into a decimal representation then you 362 00:29:35,049 --> 00:29:39,410 see that it is actually two dates. We actually cannot confirm what 363 00:29:39,410 --> 00:29:45,120 those two dates mean, but one of those matches Madonna's birth date, and 364 00:29:45,120 --> 00:29:51,010 there are rumours that some people in North Korea might really like Madonna. 365 00:29:51,010 --> 00:29:57,530 This is just speculation, but if you have a better conspiracy theory then just let us know. 366 00:29:57,530 --> 00:30:01,890 Because we found some pretty interesting stuff, but we cannot confirm this. 367 00:30:01,890 --> 00:30:07,420 So technically the watermarks have an ASCII EOF appended, which is most likely 368 00:30:07,420 --> 00:30:11,200 used by the code itself to parse the files and see if there's already 369 00:30:11,200 --> 00:30:15,690 a watermark in there, and for JPEG and AVI files, for example, it just 370 00:30:15,690 --> 00:30:20,330 appends this watermark to the end of the file, and when you have a DOCX for example 371 00:30:20,330 --> 00:30:24,000 it just appends it near the header where there are a bunch of null bytes, and then 372 00:30:24,000 --> 00:30:27,610 it just puts it in there. 373 00:30:27,610 --> 00:30:32,320 So the watermarking itself is as soon as you open a document file with Office then 374 00:30:32,320 --> 00:30:38,309 it will be watermarked, and actually they have code which watermarks files even if 375 00:30:38,309 --> 00:30:43,770 you don't open those files, but as soon as we saw this-- it's pretty buggy. 376 00:30:43,770 --> 00:30:48,350 It doesn't work every time, but they have code for this implemented, and mostly 377 00:30:48,350 --> 00:30:54,360 it works but sometimes it just fails. The supported types that we can confirm 378 00:30:54,360 --> 00:31:01,760 are DOCX files, image files like JPEG and PNG and AVI video files. But the code 379 00:31:01,760 --> 00:31:06,720 indicates there are several more file types available for watermarking, but 380 00:31:06,720 --> 00:31:11,380 we most likely didn't look into this. But the most interesting thing here 381 00:31:11,380 --> 00:31:16,860 is that only media files are affected. So they don't watermark any binaries 382 00:31:16,860 --> 00:31:22,950 or something like that, they are reducing their surface to files which could be used 383 00:31:22,950 --> 00:31:31,299 to carry information, which could be used to put out information for free speech 384 00:31:31,299 --> 00:31:36,250 purposes, and actually what we think is that this is not a security feature. 385 00:31:36,250 --> 00:31:40,580 So they are actually trying to watermark free speech in general, so that every time 386 00:31:40,580 --> 00:31:46,559 you have a document file, an image, or a video file, then they want to know who 387 00:31:46,559 --> 00:31:52,489 had this file and they watermark it so they can track the origin of the file. 388 00:31:52,489 --> 00:32:00,090 We have a short demo where you can see for example I have a USB stick. 389 00:32:00,090 --> 00:32:09,610 Let me put it in my system. 390 00:32:09,610 --> 00:32:15,130 There is a file on the USB stick which is a love letter from Kim, and it has 391 00:32:15,130 --> 00:32:21,380 a checksum which starts with "529", and as soon as I plug this into the system-- 392 00:32:21,380 --> 00:32:34,740 I hope that it will notice this. 393 00:32:34,740 --> 00:32:38,740 You can see okay, it recognised something like a USB stick on the system, but I won't 394 00:32:38,740 --> 00:32:55,220 open it, and I won't open any file on the USB stick. I just will eject it. 395 00:32:55,220 --> 00:33:03,360 I hope that it works. Will it actually open? 396 00:33:03,360 --> 00:33:07,410 This is what I meant, that it's kind of buggy, so it doesn't always work with 397 00:33:07,410 --> 00:33:12,720 the watermarking, but most likely if you open the file itself then it will work. 398 00:33:12,720 --> 00:33:17,520 I guess we didn't have the case that it doesn't work when you open it. [sic] 399 00:33:17,520 --> 00:33:28,690 --which then opens Office, and I close it again and-- just close this. 400 00:33:28,690 --> 00:33:33,860 Go back, and then hopefully if we mount this again then you can see it has 401 00:33:33,860 --> 00:33:39,250 been changed. So we didn't change anything in the file, it was just the operating system 402 00:33:39,250 --> 00:33:44,350 who's changing files, and this was initially the part where we started to 403 00:33:44,350 --> 00:33:47,570 look into this more deeply because we thought an operating system who is 404 00:33:47,570 --> 00:33:57,219 just changing files when you are plugging into the system is kind of annoying. 405 00:33:57,219 --> 00:34:00,690 Just to make this easier for you-- So what it actually does in the file, 406 00:34:00,690 --> 00:34:04,570 we have here the header of the file which is a document, a DOCX file, 407 00:34:04,570 --> 00:34:09,089 and it just added this string which is marked right here. This is actually 408 00:34:09,089 --> 00:34:13,649 the watermark it's putting in there. Opposite there you can see the plaintext 409 00:34:13,649 --> 00:34:17,679 which is actually encrypted and then put into the file, and the serial starts 410 00:34:17,679 --> 00:34:23,440 with "B48" so every time it puts the serial into the file, it prefixes it with 411 00:34:23,440 --> 00:34:24,978 "WM" 412 00:34:24,978 --> 00:34:29,998 we think stands for "watermark" probably, and you can see the EOF at the end of 413 00:34:29,998 --> 00:34:35,399 the file. This allows basically everyone who can access this file, who can 414 00:34:35,399 --> 00:34:40,679 decrypt this watermark which is actually encoded with the hard-coded key, 415 00:34:40,679 --> 00:34:45,989 so pretty much everyone who has access to this ISO can get this key and can 416 00:34:45,989 --> 00:34:51,319 decrypt this. And this allows you to really track back the origin of the file, 417 00:34:51,319 --> 00:34:54,190 where it came from. 418 00:34:54,190 --> 00:35:00,589 But there is a pretty funny example. So imagine you have this picture, and 419 00:35:00,589 --> 00:35:05,130 you are inside North Korea and you think "okay, this is pretty cool, and I want to 420 00:35:05,130 --> 00:35:09,160 distribute this to all of my friends." So you think "okay, they might be 421 00:35:09,160 --> 00:35:12,470 intercepting all of my e-mail and my browser communication," so you put it 422 00:35:12,470 --> 00:35:16,239 on a USB stick and give it to your friends so that you think, "okay, no-one actually 423 00:35:16,239 --> 00:35:22,759 on the internet can access this file" and you give it to someone else. 424 00:35:22,759 --> 00:35:26,680 Then at the beginning we have this situation, where this is the original file. 425 00:35:26,680 --> 00:35:31,900 This is the end of the JPEG file - which by definition always ends with an "FF D9" 426 00:35:31,900 --> 00:35:37,019 hexadecimal - and as soon as you give this to your friend and he plugs the USB stick 427 00:35:37,019 --> 00:35:42,019 into his computer which is running Red Star OS, then the file will actually 428 00:35:42,019 --> 00:35:45,799 change and it will look like this. So for JPEG files, as I said it just 429 00:35:45,799 --> 00:35:49,640 appends the watermark to the end of the file. So you can see the "FF D9," this 430 00:35:49,640 --> 00:35:53,890 is the actual end of the image file, and they're appending the watermark there, 431 00:35:53,890 --> 00:35:57,509 like you can see with the EOF. But where it gets interesting 432 00:35:57,509 --> 00:36:02,140 is when your friend is actually distributing the file to another friend. 433 00:36:02,140 --> 00:36:06,920 So what Red Star OS is actually doing, it appends also the watermark of your 434 00:36:06,920 --> 00:36:09,930 third friend. *Slight laughter* So what you then can do-- 435 00:36:09,930 --> 00:36:14,880 If you technically combine this together, then you can see not only where the file 436 00:36:14,880 --> 00:36:19,119 has its origins, but you can also track each and everyone who had this file 437 00:36:19,119 --> 00:36:24,499 and who distributed this file, and with this knowledge you might be able to 438 00:36:24,499 --> 00:36:29,079 construct something like this, where you can track the distribution of all of the 439 00:36:29,079 --> 00:36:33,150 media files which are distributed over the intranet in North Korea. 440 00:36:33,150 --> 00:36:37,049 You can see then in the centre we have this one really weird guy who is always 441 00:36:37,049 --> 00:36:41,769 distributing images that we don't like, and you can see also who gets these files 442 00:36:41,769 --> 00:36:45,299 and trace it back to all of the persons who ever had this file, and then you 443 00:36:45,299 --> 00:36:49,499 can just go home to him and then shut him down and take his computer. 444 00:36:49,499 --> 00:36:54,859 And we have actually not seen any functionality, but probably there is 445 00:36:54,859 --> 00:36:58,509 functionality in the system implemented where it always sends your hard disk 446 00:36:58,509 --> 00:37:04,569 serial to their servers, so the OS can probably be able to match your IP 447 00:37:04,569 --> 00:37:07,759 address to your hard disk serial, and then they don't even have to go to your 448 00:37:07,759 --> 00:37:12,599 home and get to your computer and check your hard disk serial, they just can do 449 00:37:12,599 --> 00:37:16,279 this remotely and can check all of the distribution of all malicious media files 450 00:37:16,279 --> 00:37:21,729 within the intranet of North Korea. 451 00:37:21,729 --> 00:37:27,210 What we thought is pretty hard for someone who doesn't have access to a system other 452 00:37:27,210 --> 00:37:31,700 than Red Star OS, who just has this one system, and tries to disable all of this 453 00:37:31,700 --> 00:37:35,210 malicious functionality like the virus scanning that can delete all of your files 454 00:37:35,210 --> 00:37:40,619 that someone else doesn't like, or the watermarking/the tracking of those files. 455 00:37:40,619 --> 00:37:44,569 And this is actually quite hard, because some of those services are depending 456 00:37:44,569 --> 00:37:49,470 on each other and can only be killed when the other service is not running. 457 00:37:49,470 --> 00:37:53,700 So what you actually have to do is you have to get root privileges, and then you 458 00:37:53,700 --> 00:37:58,239 have to kill those two integrity checking daemons which Florian was talking about 459 00:37:58,239 --> 00:38:02,819 so that it doesn't always reboot the system when you're changing anything. 460 00:38:02,819 --> 00:38:07,529 Then you can via ioctl calls to the kernel module, and say just "disable" because 461 00:38:07,529 --> 00:38:10,890 it has this nice feature where you can enable and disable it, and then you 462 00:38:10,890 --> 00:38:18,390 can kill scnprc, opprc, and the best thing you can do is-- 463 00:38:18,390 --> 00:38:23,609 Weirdly, the libos file is not protected by anyone, so you can just exchange 464 00:38:23,609 --> 00:38:27,700 this with a validate_os() function which always returns 1 which says everything 465 00:38:27,700 --> 00:38:31,559 is fine, and then at the end you can delete the desktop file which is used 466 00:38:31,559 --> 00:38:35,829 by KDE in it to start all of these processes, and then you are fine. 467 00:38:35,829 --> 00:38:38,880 And we don't think that actually anyone in North Korea who only has access 468 00:38:38,880 --> 00:38:43,779 to this one system-- It will be extremely hard to figure all of this out and 469 00:38:43,779 --> 00:38:48,599 to completely disable it. So they did a pretty good job in building an 470 00:38:48,599 --> 00:38:53,660 architecture which is quite self-protecting, and they put a lot of effort into it 471 00:38:53,660 --> 00:39:01,180 to just prevent you from disabling all of the malicious functionality. 472 00:39:01,180 --> 00:39:07,059 We also took a quick look on the second version of Red Star OS, just to compare 473 00:39:07,059 --> 00:39:12,519 some of those services, and there we can see there is quite an evolution from the 474 00:39:12,519 --> 00:39:19,390 older version to the current version. The thing which I was talking about, 475 00:39:19,390 --> 00:39:22,729 that the binaries are quite similar, is that in the older version they used 476 00:39:22,729 --> 00:39:27,200 a lot of shared libraries, and in the current version they statically linked 477 00:39:27,200 --> 00:39:32,859 a lot of code into the binaries themselves even if they don't use it, so the codebase 478 00:39:32,859 --> 00:39:38,609 looks quite the same. And the chain of starting the processes is a little bit 479 00:39:38,609 --> 00:39:44,109 different, so they put a lot in the init process which will be started at first 480 00:39:44,109 --> 00:39:48,779 and not like this depending-on-each-other infrastructure which they have in the 481 00:39:48,779 --> 00:39:52,880 current version. In the current version they also have a lot of problems with 482 00:39:52,880 --> 00:39:57,450 file privileges, so privilege escalations would be pretty easy, even if you don't 483 00:39:57,450 --> 00:40:02,920 have this root setting file. But also they have a lot of binaries that are just 484 00:40:02,920 --> 00:40:07,749 setting that everyone can read and write this interface to the kernel module, 485 00:40:07,749 --> 00:40:11,259 which basically allows you even as a non-root user to disable the kernel 486 00:40:11,259 --> 00:40:14,739 module, and then you can kill all of the binaries but you cannot actually delete 487 00:40:14,739 --> 00:40:19,499 something because it will then end up in the reboot loop. 488 00:40:19,499 --> 00:40:23,900 And when you are doing something malicious then the OS reboots, in the older version 489 00:40:23,900 --> 00:40:29,559 it just shuts down the system, so we thought this is a pretty interesting thing. 490 00:40:29,559 --> 00:40:34,630 And we think, and we saw, that there's a more advanced watermarking 491 00:40:34,630 --> 00:40:38,979 technique in there which is not just appending watermarks into the files 492 00:40:38,979 --> 00:40:43,130 but it looks like they are doing, for video and audio files at least, 493 00:40:43,130 --> 00:40:47,170 something like they are putting the watermarks as filters on the files. 494 00:40:47,170 --> 00:40:51,950 So this will be a little bit harder to actually see those watermarks 495 00:40:51,950 --> 00:40:55,380 and read those watermarks, because it is not so obvious like when you have 496 00:40:55,380 --> 00:40:58,869 this "EOF" string at the end which is always quite weird. 497 00:40:58,869 --> 00:41:03,799 But it uses this "/usr/lib/organ" file which is actually not present on the 498 00:41:03,799 --> 00:41:08,660 ISO we had. We're going to talk about this in the conclusion why we think 499 00:41:08,660 --> 00:41:12,359 this might not be there, but it's actually not available. It's referenced 500 00:41:12,359 --> 00:41:17,559 a lot in the code, but we actually haven't had this file and unfortunately 501 00:41:17,559 --> 00:41:21,880 we couldn't look into this more deeply. 502 00:41:21,880 --> 00:41:27,779 So what we didn't find were quite obvious backdoors which we thought would be 503 00:41:27,779 --> 00:41:34,819 in place, and that they would be pretty easy to spot. But we didn't see any of those. 504 00:41:34,819 --> 00:41:38,630 It doesn't mean that there are no backdoors, but we have some 505 00:41:38,630 --> 00:41:44,549 speculations for this, and one of these is that like we saw at the beginning of 506 00:41:44,549 --> 00:41:48,019 the talk that there are actually systems on the internet running this version 507 00:41:48,019 --> 00:41:52,210 of Red Star OS, so it would be pretty weird if they would backdoor a system 508 00:41:52,210 --> 00:41:57,509 and then put it on the internet. As far as someone gets the ISO file, 509 00:41:57,509 --> 00:42:03,559 and can look for backdoors and can find some of them, they would be actually 510 00:42:03,559 --> 00:42:07,440 able to exploit the system from the internet. 511 00:42:07,440 --> 00:42:12,630 Actually the system has a package manager and as we saw with the pattern file 512 00:42:12,630 --> 00:42:17,599 it has built-in update functionality and different services, so backdoors could 513 00:42:17,599 --> 00:42:22,339 just be loaded via updates because probably they thought 514 00:42:22,339 --> 00:42:27,219 "okay, these ISOs might be leaked into the outside world" and you just get 515 00:42:27,219 --> 00:42:33,019 an ISO, install it, update your system - which is only possible from within the 516 00:42:33,019 --> 00:42:39,170 intranet of North Korea, with hard coded internal IP addresses - so probably they 517 00:42:39,170 --> 00:42:43,420 thought "we only want our backdoors on the systems which are actually located 518 00:42:43,420 --> 00:42:47,690 within North Korea." 519 00:42:47,690 --> 00:42:55,999 This is what we thought, that they thought the ISO might be leaked, which is what 520 00:42:55,999 --> 00:43:00,440 actually happened. Another problem is that, like Florian already said, they 521 00:43:00,440 --> 00:43:05,499 will touch a lot of code within the operating system and we didn't manage 522 00:43:05,499 --> 00:43:09,900 to check all of the code. We mostly focused on the watermarking and the 523 00:43:09,900 --> 00:43:14,969 virus scanning stuff, and there might be a lot of code that should be checked further. 524 00:43:14,969 --> 00:43:21,789 The conclusion also is that the system's quite self-protecting. They not only 525 00:43:21,789 --> 00:43:26,450 implemented several services for integrity checking themselves but also 526 00:43:26,450 --> 00:43:31,150 they configured and implemented selinux and something like that, to just protect 527 00:43:31,150 --> 00:43:35,450 the system and make it more secure. 528 00:43:35,450 --> 00:43:39,479 What we think is really bad is this virus scanning and watermarking, 529 00:43:39,479 --> 00:43:43,529 because it actually allows you to track not only the origin but the 530 00:43:43,529 --> 00:43:47,859 complete distribution within the network of those files, and combined with the 531 00:43:47,859 --> 00:43:53,379 virus scanner where the developers are able to actually say what files are really 532 00:43:53,379 --> 00:43:58,369 malicious and what shouldn't be distributed within the network, 533 00:43:58,369 --> 00:44:04,249 it just deletes those files. So these two combined are a really strong 534 00:44:04,249 --> 00:44:10,349 framework which can help you to track malicious people within your network. 535 00:44:10,349 --> 00:44:14,950 But some words about security: Like I said, they have a lot of problems with 536 00:44:14,950 --> 00:44:22,480 file permissions. There are actually some documents on the ISO of the server 537 00:44:22,480 --> 00:44:26,630 version of Red Star OS 3.0, and there are some user guides and administration 538 00:44:26,630 --> 00:44:30,180 guides which are quite interesting, and they talk a lot about how to make the 539 00:44:30,180 --> 00:44:34,960 system secure, how to run it secure, and why they are doing different kinds of 540 00:44:34,960 --> 00:44:42,089 stuff to save the integrity of the system. They have a huge chapter talking about 541 00:44:42,089 --> 00:44:46,569 file permissions, but they actually didn't manage to fix them themselves which 542 00:44:46,569 --> 00:44:52,279 is quite weird. And even their custom code uses basic memory corruption protection 543 00:44:52,279 --> 00:44:57,660 like stack cookies, and non-executable stacks which we saw that a lot of security 544 00:44:57,660 --> 00:45:02,999 vendors don't bother to use, so we thought this is quite funny. 545 00:45:02,999 --> 00:45:06,580 Some of their code is more secure than a lot of security appliances. 546 00:45:06,580 --> 00:45:09,219 *Slight laughter* 547 00:45:09,219 --> 00:45:12,569 Florian: So to wrap this up-- Am I going, can you hear me? Yes. 548 00:45:12,569 --> 00:45:18,869 Okay so to wrap this up, again we think - this is a guess - that primarily they try 549 00:45:18,869 --> 00:45:24,690 to protect and to save the integrity of the system, which totally makes 550 00:45:24,690 --> 00:45:28,960 sense if you're putting out an operating system from North Korea. 551 00:45:28,960 --> 00:45:32,150 The system was, in our opinion, definitely built for home computers, 552 00:45:32,150 --> 00:45:37,460 so it's not like industrial control or something else, it's definitely built 553 00:45:37,460 --> 00:45:43,099 for a home user because it mimics Mac OSX and gives you all of the tools. 554 00:45:43,099 --> 00:45:46,849 Maybe the reason why we didn't find backdoors is they actually know that 555 00:45:46,849 --> 00:45:51,390 backdoors are bullshit. Could be a reason, we don't know. 556 00:45:51,390 --> 00:45:55,829 If you want to look into Red Star OS and help us out, especially with the crypto, 557 00:45:55,829 --> 00:46:01,640 the pilsung kernel module which provides custom crypto, with a look into the kernel 558 00:46:01,640 --> 00:46:05,839 to see if there is something hidden there, if maybe there are backdoors there, 559 00:46:05,839 --> 00:46:09,390 take a look at our github. Please contribute if you find 560 00:46:09,390 --> 00:46:13,079 something, because we think that this message and all of this stuff has to 561 00:46:13,079 --> 00:46:17,849 be put out to the public, so it is a well-known fact that this operating 562 00:46:17,849 --> 00:46:25,269 system is actually abusing free software to actually make free speech harder 563 00:46:25,269 --> 00:46:28,509 in a country that is quite oppressed. 564 00:46:28,509 --> 00:46:33,940 So with this, we are at our end and we are going to take your questions now. 565 00:46:33,940 --> 00:46:46,010 *Applause* 566 00:46:46,010 --> 00:46:51,619 Herald: Thank you very much. We have about 15 minutes time for questions. 567 00:46:51,619 --> 00:46:54,690 If you want to ask a question, please come to the microphones. 568 00:46:54,690 --> 00:46:58,630 There are some on the right and some on the left aisle. 569 00:46:58,630 --> 00:47:03,859 If you for any reason can't come to the microphones, please raise your 570 00:47:03,859 --> 00:47:09,019 hand and I'll come to you with my microphone. 571 00:47:19,079 --> 00:47:28,349 Okay, please line up there. If you wanna leave now, please do this 572 00:47:28,349 --> 00:47:35,089 quietly through the front door. 573 00:47:35,089 --> 00:47:37,479 Florian: Could you raise your hand if you have questions and standing at 574 00:47:37,479 --> 00:47:39,639 the microphone? There are like three questions over there. 575 00:47:39,639 --> 00:47:42,030 Herald: Yeah, on the left one please. 576 00:47:42,030 --> 00:47:46,489 Audience 1: Hello? Yeah. So thank you very much, it was very interesting. 577 00:47:46,489 --> 00:47:55,019 I have two questions: Have you tried isolating the system in a chroot jail? 578 00:47:55,019 --> 00:48:00,410 And the second one is: Were there any outbound connections, like automatic 579 00:48:00,410 --> 00:48:02,509 outbound connections it made? 580 00:48:02,509 --> 00:48:06,609 Florian: Okay so for the first question, we did not try to run it in an isolated 581 00:48:06,609 --> 00:48:09,950 environment. We actually didn't-- Did we install it on a live system? 582 00:48:09,950 --> 00:48:12,459 I don't think so. Did we? Niklaus: Yeah. 583 00:48:12,459 --> 00:48:14,910 Florian: Yeah, okay. But we didn't do any observations that this changed the 584 00:48:14,910 --> 00:48:20,479 behaviour of the system. Concerning the second question, there actually is not 585 00:48:20,479 --> 00:48:24,559 really outbound traffic. What it is doing is on the local network it is talking a 586 00:48:24,559 --> 00:48:31,150 lot of NetBIOS stuff. So there is an SNMP and an nmbdaemon running 587 00:48:31,150 --> 00:48:35,249 on the system and it's talking a lot of NetBIOS. But this is basically 588 00:48:35,249 --> 00:48:39,119 everything we could find. We have even left it running for like two days, to see 589 00:48:39,119 --> 00:48:43,410 if there is an outbound connection for one day or something like that. We couldn't 590 00:48:43,410 --> 00:48:50,229 see anything like that. So the only stuff that Red Star's talking to the network 591 00:48:50,229 --> 00:48:57,009 is like this Windows NetBIOS stuff, and if you push the button on the update 592 00:48:57,009 --> 00:49:00,829 feature of the virus scanner, it's actually trying to initiate an update 593 00:49:00,829 --> 00:49:06,029 process that goes to five hard-coded IP addresses that are all local. 594 00:49:06,029 --> 00:49:12,039 So like 192.168.9 something, and 172 whatever. These are the only 595 00:49:12,039 --> 00:49:16,510 network connections that we could trigger, or that we have observed so far. 596 00:49:16,510 --> 00:49:20,589 A1: Thank you. Herald: The next question is also 597 00:49:20,589 --> 00:49:27,459 from this microphone. Audience 2: Two questions: 598 00:49:27,459 --> 00:49:33,739 Might it be possible that when you install the system it gets code from North Korea 599 00:49:33,739 --> 00:49:39,150 so you cannot find out if it's calling home because you don't get the call? 600 00:49:39,150 --> 00:49:42,769 Florian: Could be. Our guess is actually that there is far more stuff that you get 601 00:49:42,769 --> 00:49:49,999 when you pull up the operating system in North Korea. One reason is the organ file 602 00:49:49,999 --> 00:49:53,719 that Niklaus mentioned that is missing on the system with the additional crypto 603 00:49:53,719 --> 00:49:58,190 information that is used for the extended watermarking that they are applying. 604 00:49:58,190 --> 00:50:01,539 We don't know where this file is coming from, and from our perspective it totally 605 00:50:01,539 --> 00:50:06,150 makes sense to not distribute this file on the ISO but to kind of give it as an-- 606 00:50:06,150 --> 00:50:09,619 I don't know, somebody has to come to your house to install the software and 607 00:50:09,619 --> 00:50:14,089 then he puts like this dedicated organ file on your desktop that is specific 608 00:50:14,089 --> 00:50:18,670 to you, for example. That would totally make sense because, as you know, 609 00:50:18,670 --> 00:50:21,299 stuff works a little bit different. It's not like downloading an ISO 610 00:50:21,299 --> 00:50:25,130 and installing it, it's probably more complex to get this onto your system 611 00:50:25,130 --> 00:50:29,390 if you want to use this. So there might be more stuff that is pushed either 612 00:50:29,390 --> 00:50:34,660 via updates - only internal - and this organ file and other stuff that can get 613 00:50:34,660 --> 00:50:39,170 to your computer-- We don't know if this is possible or if something is happening 614 00:50:39,170 --> 00:50:44,910 with this feature. A2: And the second question is if you look 615 00:50:44,910 --> 00:50:49,579 at it from the North Korean view, that's like they had the problem. They are quite 616 00:50:49,579 --> 00:50:54,039 happy, have a nice state, everything's working fine from what they see, and 617 00:50:54,039 --> 00:50:57,839 now people come from South Korea, from Western countries, bring their USB 618 00:50:57,839 --> 00:51:03,289 sticks with Western propaganda that to have stuff like this watermarking even 619 00:51:03,289 --> 00:51:08,180 if it is like evil. Like a natural reaction from a closed system. 620 00:51:08,180 --> 00:51:11,589 Florian: So actually it totally makes sense to develop the system in the 621 00:51:11,589 --> 00:51:16,430 way they developed it. It totally makes sense, because it kind of reflects a 622 00:51:16,430 --> 00:51:23,369 little bit how the government is working. Because integrity is not only a critical 623 00:51:23,369 --> 00:51:30,390 part not only for the operating system, it's also a part for the state itself. 624 00:51:30,390 --> 00:51:34,190 Like shutting down everything, closing off everything - that's, by the way, 625 00:51:34,190 --> 00:51:40,269 the screensaver - and closing down everything also totally makes sense. 626 00:51:40,269 --> 00:51:44,459 And tracking stuff that is distributed in the country or deleting unwanted stuff 627 00:51:44,459 --> 00:51:52,709 also makes sense. So what we think that Red Star resembles this and matches 628 00:51:52,709 --> 00:51:57,959 how culture is in North Korea, actually. 629 00:51:57,959 --> 00:52:02,920 Herald: Okay, we also have two questions of the IRC which I would like to shift in. 630 00:52:02,920 --> 00:52:08,779 Signal angel: Thank you. Okay, the first question is if you have any theory on how and why 631 00:52:08,779 --> 00:52:17,209 the ISO got leaked. 632 00:52:17,209 --> 00:52:23,269 Florian: We don't know this, actually. 'Why?' is-- We don't think that it was somebody 633 00:52:23,269 --> 00:52:27,509 from North Korea, we think that it might be a foreigner that got it. 634 00:52:27,509 --> 00:52:31,450 Like Will Scott told us last year that he was able to get a copy of it and get it 635 00:52:31,450 --> 00:52:34,690 out of the country. There might be others that are able. 636 00:52:34,690 --> 00:52:39,180 There is actually tourism in North Korea. You can go there for your holidays. 637 00:52:39,180 --> 00:52:45,349 So I guess that if you put a little bit of effort into it, it's possible to get 638 00:52:45,349 --> 00:52:49,049 nearly anything out of the country if you want to try to take the risk. 639 00:52:49,049 --> 00:52:53,759 But we don't know who leaked the version and we don't know why it actually was leaked. 640 00:52:53,759 --> 00:52:58,099 Niklaus: There are actually rumours that it was a Russian student who was studying 641 00:52:58,099 --> 00:53:01,920 in North Korea, and he bought this on the street and just brought it out of the country 642 00:53:01,920 --> 00:53:05,630 and put it on his blog, but we cannot confirm that this is actually true. 643 00:53:05,630 --> 00:53:11,789 Signal angel: Okay, thanks. And the second question is if there has been any attempt at the 644 00:53:11,789 --> 00:53:14,749 custom kernel modules yet, like reverse engineering or something. 645 00:53:14,749 --> 00:53:19,589 Florian: Well we reverse engineered rtscan which is pretty simple because it just 646 00:53:19,589 --> 00:53:25,719 hooks a few function calls, that's it. We have taken a look at the 647 00:53:25,719 --> 00:53:30,670 Korean Display Module on a first glance. It seems to do what it is supposed to do, 648 00:53:30,670 --> 00:53:35,589 having something to do with display management, but we didn't take a look 649 00:53:35,589 --> 00:53:38,799 at all of the kernel modules, all the rest of the remaining kernel modules, 650 00:53:38,799 --> 00:53:43,999 because the code base is so massive that we actually need you guys to 651 00:53:43,999 --> 00:53:49,089 help us out a little bit. 652 00:53:49,089 --> 00:53:52,749 Herald: Next question from the mic please. Audience 3: Yes, I have another question. 653 00:53:52,749 --> 00:53:56,469 You said that most of the software is based of other open source software 654 00:53:56,469 --> 00:54:01,150 for which you don't have the source code, and it didn't come with the ISO, so it's 655 00:54:01,150 --> 00:54:03,269 pretty much a massive violation of open source licenses. 656 00:54:03,269 --> 00:54:05,979 Florian: Yep, absolutely. A3: So my question would be: 657 00:54:05,979 --> 00:54:12,229 Could you get an inside on what other packages are available, or from the 658 00:54:12,229 --> 00:54:14,450 package manager, and what other packages are there? 659 00:54:14,450 --> 00:54:20,180 Florian: Actually, there is a DVD which also was leaked. I think that it was for 660 00:54:20,180 --> 00:54:25,959 Red Star 2. I'm not sure if it is also for the latest version, but there is 661 00:54:25,959 --> 00:54:32,239 a CD with additional software and you have stuff like Apache, MYSQL-- *pfff* 662 00:54:32,239 --> 00:54:35,930 I don't know. All of the stuff you basically need to run a full-blown 663 00:54:35,930 --> 00:54:40,589 operating system on Linux. So there is additional software out there, you can 664 00:54:40,589 --> 00:54:47,529 download the DVD and install this software on the machine. 665 00:54:47,529 --> 00:54:52,640 If you go through the RPM descriptions you will see that for some of the 666 00:54:52,640 --> 00:55:00,989 software they even wrote-- They kind of used a description for the license which 667 00:55:00,989 --> 00:55:05,130 says "KCC" which is the Korean Computer Centre. And sometimes they use GPL, 668 00:55:05,130 --> 00:55:09,250 and sometimes they use GNU, and yeah. So massive violations. 669 00:55:09,250 --> 00:55:12,239 A3: Did you ask them for the source code? *Laughter* 670 00:55:12,239 --> 00:55:16,119 Florian: Actually, we think that there is an internal git in North Korea where you 671 00:55:16,119 --> 00:55:20,910 can just check out everything, so... We suppose it is this way because it's 672 00:55:20,910 --> 00:55:30,259 open source, right? By the way, open source. *Laughter* 673 00:55:30,259 --> 00:55:35,440 Herald: Very nice. One more question from here? Are you having a question? 674 00:55:35,440 --> 00:55:38,079 No, okay then we have one more question from the internet. 675 00:55:38,079 --> 00:55:42,449 IRC: Yes, the question is if there is a possibility to fake the watermarks 676 00:55:42,449 --> 00:55:46,529 to get some innocent North Korean into trouble. *Quiet laughter* 677 00:55:46,529 --> 00:55:50,619 Florian: Yeah, no problem because the key's hard coded. You could, like-- 678 00:55:50,619 --> 00:55:57,229 You know how to scramble the hardware ID or the disk serial, and you could perfectly 679 00:55:57,229 --> 00:56:01,690 forge documents. That would be not a problem. Not a problem at all. 680 00:56:01,690 --> 00:56:07,209 You just need the serial number, basically. A3: Okay, and I've just got another question 681 00:56:07,209 --> 00:56:11,279 that is: Does the warning.wav have a watermark? 682 00:56:11,279 --> 00:56:14,809 Florian: Umm... Niklaus: No, actually it has the exact 683 00:56:14,809 --> 00:56:19,729 same checksum as the original file. Florian: Actually we didn't check if it-- 684 00:56:19,729 --> 00:56:23,890 No, so it does not have a watermark because as Niklaus said, it's the same 685 00:56:23,890 --> 00:56:27,739 checksum as the Kaspersky one. A3: Okay, thanks. 686 00:56:27,739 --> 00:56:32,910 Herald: Okay, thank you very much. Please give Florian and Niklaus another 687 00:56:32,910 --> 00:56:36,489 big round of applause for an amazing talk. Florian: Thank you. 688 00:56:36,489 --> 00:56:40,093 *Applause* 689 00:56:40,093 --> 00:56:50,683 *postrol music*