North Korean operating system is a surveillance state's tour de force

Started by rmstock, December 30, 2015, 07:58:13 PM


rmstock


Security
North Korean operating system is a surveillance state's tour de force
Further digging unveils more privacy-destroying features in Red Star OS

29 Dec 2015 at 12:52, Alexander J Martin
http://www.theregister.co.uk/2015/12/29/north_korea_red_star_os/

  "32c3 Fresh light has been shed on North Korea's Red Star OS, which –
   we're told – silently tracks the exchange of files between computers.
   
   It was discovered in July that the software appends a fingerprint
   derived from the computer's hardware to files when they are opened.
   
   Further analysis of the Nork government's operating system, which is
   based on Fedora Linux, was revealed by security researchers Florian
   Grunow and Niklaus Schiess at the 32nd annual Chaos Communications
   Congress in Germany this week.
   
   Speaking to The Register ahead of their presentation titled "Lifting
   the Fog on Red Star OS," Grunow said he believed it was "quite
   important to look into an operating system that is built by a state"
   especially if that state is as secretive and repressive as North Korea.
   
   A new version of Red Star OS, 3.0, shows that the impoverished country
   was not completely technologically illiterate, the researchers said:
   the software has the look and feel of Apple's OS X along with an
   in-house email client, calendar app, word processor, media player, a
   slide presentation program – which Grunow and Schiess used to give
   their talk – and a disk encryption tool.
   
   Grunow said the Red Star developers "touched everything on the
   operating system," and strived to prevent someone from tampering with
   the code. One assumes said mechanisms are needed to stop people from
   disabling the file-tracking features. The operating system is standard
   issue to the few North Koreans who are allowed anywhere near a computer.
   
   "DPRK put a lot of effort into having control over the system," said
   Grunow, "and basically they wanted to build a resilient and secure
   system which could not be manipulated. They do this in a pretty
   transparent way: they inform the user if particular critical files have
   been changed, and if there are changes, the system will go into a
   reboot loop."
   
   "They did a pretty good job in building an architecture which is
   self-protecting," Schiess said. He added that Red Star OS includes an
   antivirus package that "actually contains a pattern-matching scanner
   that not even the root user can access. Tightly coupled with that is
   another background service that is watermarking files."

   Surveillance and censorship
   
   The antivirus scanner, scnprc, has a user interface, and cannot be
   disabled without provoking a system reboot. It has a particularly
   crucial file called /tmp/AnGae.dat. Apparently, "Angae" translates to
   "fog" in Korean.
   
   AnGae.dat contains UTF-16 strings of text in several different
   languages – phrases that, for example, translate into "strike with
   fists," "punishment," and "hungry". Any media files found by scnprc
   that contain any of the listed strings are automatically deleted.
   
   The watermarking service, opprc, runs in the background out of sight,
   unlike the antivirus.
   
   The researchers have now discovered that these watermarks can stack up
   inside a file – a new one is appended for each machine that handles the
   data – providing an audit trail for file distribution throughout the
   North Korean network. This would allow the authorities to trace the
   swapping of a file, perhaps containing sensitive information about the
   government, all the way back to its source, who along with their family
   will be in grave trouble if the transfer of information is
   unauthorized. "An oppressive state's wet dream," as Grunow described it.
   
   The researchers have confirmed .docx, .rtf, .png, and .jpg files are
   watermarked, and other types may be as well. ®

   Bootnote
   
   The researchers encourage others with an interest to visit their Github
   repo – particularly the home-brewed cryptography programs Bokem
   (meaning Sword) and Pilsung (Victory), which may be flawed.
   "

``I hope that the fair, and, I may say certain prospects of success will not induce us to relax.''
-- Lieutenant General George Washington, commander-in-chief to
   Major General Israel Putnam,
   Head-Quarters, Valley Forge, 5 May, 1778
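An added illustration from the defender's side (my own code, not the researchers' tooling or anything from the article): the piece says the watermark is appended to files and stacks up with each machine that handles them, but not how it is encoded, so this does the one thing a format-aware parser can state with certainty, namely what bytes follow a PNG's IEND chunk, which is where a naive appended trailer would land. The sample image and the tag prefix used to split the trailer into per-machine records are constructed assumptions, not the real watermark format.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_image_end(buf: bytes) -> int:
    """Walk the chunk list; return the offset just past IEND, or -1 if not a well-formed PNG."""
    if not buf.startswith(PNG_SIG):
        return -1
    pos = len(PNG_SIG)
    while pos + 12 <= len(buf):               # 4 length + 4 type + data + 4 CRC
        length, = struct.unpack(">I", buf[pos:pos + 4])
        ctype = buf[pos + 4:pos + 8]
        pos += 12 + length
        if ctype == b"IEND":                   # decoders stop here; anything after is foreign
            return pos
    return -1

def trailing_bytes(buf: bytes) -> bytes:
    """Everything after IEND: where an appended tag, or a stack of them, would sit."""
    end = png_image_end(buf)
    return buf[end:] if end > 0 else b""

def split_trailers(buf: bytes, tag: bytes) -> list:
    """Split the trailer on a known record prefix so each appended record is seen separately."""
    tail = trailing_bytes(buf)
    return [tag + part for part in tail.split(tag)[1:]] if tail else []

def _chunk(ctype: bytes, data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

# Constructed sample (not a real Red Star artifact): a valid 1x1 greyscale PNG.
SAMPLE_PNG = (PNG_SIG
              + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
              + _chunk(b"IEND", b""))
# Hypothetical record prefix standing in for whatever the real watermark looks like.
HYPOTHETICAL_TAG = b"\x00WM:"

if __name__ == "__main__":
    f = SAMPLE_PNG + HYPOTHETICAL_TAG + b"host-A" + HYPOTHETICAL_TAG + b"host-B"
    print(split_trailers(f, HYPOTHETICAL_TAG))   # one record per machine that touched the file
```

A JPEG needs its own walker (segments up to SOS, then the entropy-coded data up to EOI) before the same trailing-bytes check applies; a tag that is not a simple trailer, for instance one hidden in an ancillary chunk, will not show up here.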