
North Korea’s Naenara Web Browser: Weirder Than We Thought (2015) - gscott
https://www.whitehatsec.com/blog/north-koreas-naenara-web-browser-its-weirder-than-we-thought/
======
rdtsc
> They use the same tracking system Google uses to create unique keys, except
> they built their own. That means the microtime of installation is sent to
> the mothership every single time

Did everyone else know about this? I didn't. Interesting. I stopped using
Chrome and switched back to Firefox 3-4 years ago because Firefox got
better, and was slightly worried Google would eventually do stuff like that.

~~~
bognition
I'd love an explanation on how these microtimestamps can be used to unmask
people

~~~
rdtsc
I'd never heard specifically of Chrome but in general I would imagine if they
record the time the application was installed down to some microseconds and
then are able to see all requests tagged with that timestamp, and one of the
requests is linked to you signing in to GMail, they can link the two.

Now in general they don't even need it, other browser fingerprints are working
pretty well:

[https://panopticlick.eff.org/](https://panopticlick.eff.org/)
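The linking step rdtsc describes, as an added example (not code from the thread, the article, or any browser's real telemetry): a server-side log in which every request carries a per-installation identifier, and one later request is a login. The log format, the `cid` field name and every line of the sample log are constructed for this illustration.

```python
"""Correlate anonymous requests with a later login via a per-install ID.

Everything here is constructed for illustration: the log format, the `cid`
query parameter (standing in for a microsecond install timestamp sent on
every request) and the sample lines themselves.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log: timestamp, client IP, method, URL, extras.
# Note the same cid appears from three different IPs across three days.
SAMPLE_LOG = """\
2015-10-01T08:00:01Z 203.0.113.5 GET /search?q=visa+application&cid=1443525105123456
2015-10-01T08:03:12Z 203.0.113.5 GET /news/article/42?cid=1443525105123456
2015-10-01T09:10:00Z 198.51.100.7 GET /search?q=weather&cid=1443600000987654
2015-10-02T19:44:59Z 192.0.2.33 POST /accounts/login?cid=1443525105123456 user=alice@example.com
2015-10-03T07:15:30Z 192.0.2.34 GET /maps?cid=1443525105123456
"""


def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, ip, method, url, *rest = line.split()
    parts = urlsplit(url)
    cid = parse_qs(parts.query).get("cid", [None])[0]
    user = None
    for tok in rest:  # the login line carries the identity as user=...
        if tok.startswith("user="):
            user = tok[len("user="):]
    return {"ts": ts, "ip": ip, "method": method,
            "path": parts.path, "cid": cid, "user": user}


def attribute_requests(log_text):
    """Group requests by install ID and propagate any identity seen once.

    Returns {cid: {"user": str|None, "requests": [record, ...]}}. A single
    authenticated request is enough to name every other request with the
    same cid, regardless of source IP or date.
    """
    by_cid = defaultdict(lambda: {"user": None, "requests": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["cid"] is None:
            continue  # requests without the identifier cannot be linked
        entry = by_cid[rec["cid"]]
        entry["requests"].append(rec)
        if rec["user"]:
            entry["user"] = rec["user"]
    return dict(by_cid)


def unmasked_paths(log_text, user):
    """All paths ever requested by the installation later tied to `user`."""
    for entry in attribute_requests(log_text).values():
        if entry["user"] == user:
            return [r["path"] for r in entry["requests"]]
    return []


def source_ips_for(log_text, user):
    """Distinct client IPs that the identified installation was seen from."""
    for entry in attribute_requests(log_text).values():
        if entry["user"] == user:
            return sorted({r["ip"] for r in entry["requests"]})
    return []


if __name__ == "__main__":
    print(unmasked_paths(SAMPLE_LOG, "alice@example.com"))
    print(source_ips_for(SAMPLE_LOG, "alice@example.com"))
```

The point of the example is the last two functions: the `/search?q=visa+application` request made from one IP on day one is attributed to `alice@example.com` purely because the login on day two carried the same install ID, with no cookie, account or IP overlap needed. The second cid, which never logs in, stays unattributed.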

~~~
clock_tower
I tried to run that test in Firefox, but first NoScript mutinied, then uBlock
Origin threw out First Party Simulator as malvertising. Does that mean that
I'm safe, or do I still have to worry about server-to-server communications?

------
danirod
Shouldn't this be tagged as (2015)?

On the other side, it is interesting how close they have made recent versions
of Red Star OS to look like MacOS X. I guess they don't care a lot about
copyright infringement. Which is possibly related to the fact that Kim Jong Un
has had, at least in the past, access to an iMac [1].

[1] [http://www.businessinsider.com/brand-new-photo-confirms-that...](http://www.businessinsider.com/brand-new-photo-confirms-that-kim-jong-un-is-a-mac-user-2013-3)

~~~
forinti
I don't think there is copyright infringement in this case, as I doubt anyone
holds copyrights in North Korea.

~~~
maaarghk
This is not the case. DPRK is a member of the World Intellectual Property
Organisation [0] and has laws relating to IP [1]. It is perfectly possible to
register intellectual property there and plenty of multinational organisations
do so.

[0]
[http://www.wipo.int/treaties/en/ShowResults.jsp?country_id=9...](http://www.wipo.int/treaties/en/ShowResults.jsp?country_id=94C&treaty_id=101)

[1]
[http://www.wipo.int/wipolex/en/profile.jsp?code=KP](http://www.wipo.int/wipolex/en/profile.jsp?code=KP)

~~~
ivanca
I wonder if they apply the 3-generations jail sentence for copyright
infringement as well...

~~~
jakub_h
They just might, for copying western books, for example. ;)

~~~
RaleyField
That was in poor taste.

------
baby
This is super weird. And it seems obvious that most of these measures are in
place to spy on people. It also makes sense to treat the country like a small
company's network if they have so few clients.

The other thing I'm wondering, could they have been doing this to prevent
outsiders from accessing their network? If we try to access 10.something it
will try to reach an internal network and thus we won't be able to access
their IPs. If we somehow manage to send the request to 10.something over the
network some node/server on the way will probably drop it.

~~~
niij
> some node/server on the way will probably drop it

If you're familiar with how routing works at all, you'd know it wouldn't even
route outside your local network. There are millions of separate 10.x.x.x
networks.

~~~
baby
See how I phrased it: "If we _somehow manage to_ send the request to
10.something over the network"

There are ways to send such packets outside of your local network.

------
kalleboo
I would presume all those URLs that point to the NK IP address are more likely
a result of the authors doing a (poor job of) a search/replace on
"mozilla.org" and "google.com" on the source code than NK actually supporting
all those features specifically/proxying google/safe browsing lists etc. 90%
of them are probably 404s. We're probably talking about an IT team with skills
on par with your average high school.

~~~
sn41
I doubt that. There is evidence that they have competent programmers. For
example, in this year's ICPC, the North Korean team came 30th. That's pretty
impressive, considering that they may not have access to all the regular
contest websites that people practice on:

[https://icpc.baylor.edu/scoreboard/](https://icpc.baylor.edu/scoreboard/)

~~~
pwdisswordfish
That doesn't actually prove very much. Successes in programming contests may
demonstrate you can hack your way around an algorithmic problem that you're
solving from scratch. Modifying a browser, an operating system and the
communication protocols they use to add robust surveillance capabilities
demands a different type of skill and resources: proficiency with an entire
stack of technologies and knowledge of good engineering practices. This
analysis seems to provide some evidence against the latter.

------
Animats
Is there some way to look at North Korea's network 10 IP space from the
outside? There are tools which let you look at the Internet from inside the
Great Firewall of China.[1] Is there one for North Korea?

[1] [http://www.websitepulse.com/help/testtools.china-test.html](http://www.websitepulse.com/help/testtools.china-test.html)

~~~
percept
This had made the rounds a while back:

[http://nknetobserver.github.io/](http://nknetobserver.github.io/)

------
xiii1408
We don't need to reverse engineer a browser to get hints about how North
Korea's internet and intranet work, since people who've been there have given
talks about it.

[https://www.youtube.com/watch?v=zuxlLLeKZZ8](https://www.youtube.com/watch?v=zuxlLLeKZZ8)

------
scyclow
Yes, yes, yes, but what is its ES6 support like?

~~~
percept
Oh crap, you mean I have to support Naenara now, too?

(.00001% of the market)

------
gfo
It's an interesting point that they're using a Class A address space for the
country, but it's also North Korea... are we really expecting all of its
citizens to be on this?

Either way they'll probably run into issues down the road but I'm sure it's
working just fine for them right now. Of course, my knowledge of how
distributed their network infrastructure is across their country is lacking so
maybe it does cause issues for them?

~~~
digi_owl
It would not surprise me if any large office or such is using the B or C
ranges on top of the A range being national.

~~~
inopinatus
It would not surprise me if a large office is using the 10/8 range
internally and NATting to the national 10/8 range and suffering from horrible
ICMP misrouting issues.

~~~
Symbiote
A large office could easily use some allocated range, like 25/8 which is
allocated to the UK Ministry of Defence but not advertised on the public
Internet.

~~~
Laforet
You have to be careful though, last year a good number of companies were
burned when the DoD started to route their previously unutilised class A
block 11.0.0.0/8.

[https://news.ycombinator.com/item?id=10006534](https://news.ycombinator.com/item?id=10006534)

------
DashRattlesnake
> When I first saw an image of the browser I was awe-struck to see that it
> made a request to an address ([http://10.76.1.11/](http://10.76.1.11/))
> upon first run.

...

> Here’s where things start to go off the rails: what this means is that _all_
> of the DPRK’s national network is non-routable IP space. [emphasis mine]

That's quite an unsupported leap. He found some software that uses non-
routable IPs, that doesn't mean the entire country's network only uses them.

~~~
brianshaler
While the conclusions in the article may not stand on their own, I think he
may be implying the common usage of web browsers in the DPRK. Rather than
using DNS, users connect directly to 10.* IP addresses.

Here are a couple of pics I took of IP addresses printed on the walls in a
school's computer lab:

Portal: [http://i.imgur.com/MTYlNVo.jpg](http://i.imgur.com/MTYlNVo.jpg)

Bookmarks: [http://i.imgur.com/QWEooy5.jpg](http://i.imgur.com/QWEooy5.jpg)

~~~
duskwuff
Are you sure those are bookmarks in the second image and not some examples of
IP addresses? It seems unlikely that they'd be visiting addresses in all three
of the RFC1918 spaces.

~~~
inopinatus
Far from unlikely, I have seen government-operated metropolitan-scale networks
that allocated extravagantly in their early days and ended up using all of
RFC1918 space, being unable to renumber (because change in government systems
is Too Hard) and moving on to more esoteric non-globally-routable space.

For those intrigued as to what those addresses might've been, have a read of
Bill Manning's roll up of the special case IP allocations:
[https://tools.ietf.org/html/draft-manning-dsua-08](https://tools.ietf.org/html/draft-manning-dsua-08)
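A quick routability check for the kind of address lists this sub-thread is about (the three RFC 1918 ranges, allocated-but-unadvertised blocks such as 25/8 and 11/8, and the other special-use ranges in Manning's draft), added here as an example and not taken from the article or the thread. It uses only the standard library's `ipaddress` module, whose `is_global` flag follows the IANA special-purpose registry. Of the sample addresses, only 10.76.1.11 comes from the article; the others are constructed to land in different ranges.

```python
"""Classify IPv4 addresses by routability using the stdlib ipaddress module.

Added example. The address list is constructed for illustration: 10.76.1.11
is the first-run address from the article; every other value was chosen to
fall into a particular range and is not a real bookmark from anywhere.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample, one address per "bookmark".
SAMPLE_ADDRESSES = [
    "10.76.1.11",     # article: first-run request target, RFC 1918 10/8
    "172.16.11.23",   # RFC 1918 172.16/12
    "192.168.1.20",   # RFC 1918 192.168/16
    "100.64.2.9",     # RFC 6598 shared address space (CGNAT), not global
    "25.1.2.3",       # UK MoD 25/8: allocated and routable per IANA
    "11.1.2.3",       # US DoD 11/8: allocated; started being advertised
    "203.0.113.9",    # TEST-NET-3 documentation range, not global
]


def classify(addr_text):
    """Return 'rfc1918', 'special-use' or 'global' for one IPv4 address.

    'special-use' covers the non-RFC 1918 entries of the IANA special-purpose
    registry (shared address space, loopback, link-local, documentation,
    benchmarking, reserved, ...) that ipaddress knows are not globally
    reachable. Anything the registry does not reserve is 'global', even if
    nobody happens to announce it on the public Internet today.
    """
    addr = ipaddress.ip_address(addr_text)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example")
    if any(addr in net for net in RFC1918):
        return "rfc1918"
    if addr.is_global:
        return "global"
    return "special-use"


def routability_report(addresses):
    """Map each class to the addresses that fall into it (order preserved)."""
    report = {"rfc1918": [], "special-use": [], "global": []}
    for a in addresses:
        report[classify(a)].append(a)
    return report


def squatted_on_global(addresses):
    """Addresses that are *not* reserved: using them internally means they can
    suddenly become reachable (or unreachable) when the real holder starts
    advertising the block, as the thread notes happened with 11/8."""
    return [a for a in addresses if classify(a) == "global"]


if __name__ == "__main__":
    for cls, addrs in routability_report(SAMPLE_ADDRESSES).items():
        print(f"{cls:12s} {addrs}")
    print("risky to squat on:", squatted_on_global(SAMPLE_ADDRESSES))
```

The distinction the check draws is the one that matters operationally: 10/8, 100.64/10 and 203.0.113/24 are reserved by the registry and will never be routed to you from the public Internet, whereas 25/8 and 11/8 are merely unadvertised by their holders, so they classify as global and can start colliding with internal use at any time.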

------
Lich
If anyone's curious, Naenaera means "My country". So, literally, "My Country
Browser". Nae = me/my and naera = "country"

~~~
gfaure
It's _nara_ "country", not _naera_.

------
gambiting
I work for a large games publisher and using our in-game tracking we can see
some (usually just a few) connections from North Korea - I always wondered if
it's kids of rich NK elite playing on imported PS4s and Xbox Ones, and how
bizarre it must be to have something like a PS4 in such a closed country.

~~~
NietTim
How big of a chance is it that these IPs are labeled wrong in your system?

~~~
gambiting
Hard to tell. In a game with millions of users we literally have 5-6 profiles
created from North Korean IPs ("Star Joint Venture" appears as the ISP) so I
guess it's plausible that just a handful of people have got imported consoles
there. At the same time, the sample size is so small it could be spoofed
maybe? I am not sure if there's any way to know for certain really.

Edit: it's also possible that people living in embassies in NK have consoles,
but I have no idea how they get internet there, probably not through the
national ISP.

------
meshko
> but the wifi URL for GEO still points to
> [https://www.google.com/loc/json](https://www.google.com/loc/json)

Maybe it's a cry for help? Someone "accidentally" left a single HTTPS request
there, hoping Google will redirect North Korean requests to an open proxy
allowing them full access to the Web.

------
ikeboy
[https://archive.is/GRjr8](https://archive.is/GRjr8) if not loading

------
jandrese
I'm disappointed he didn't check the cert store on the browser. He seemed
shocked that they would allow HTTPS, but that's perfectly fine as long as
their proxy has a root cert installed so it can re-sign every HTTPS
transaction.

I would be shocked if the DPRK is not doing this.

It's also a potential security issue since many of those certificate re-
signing devices fail to verify the original certificates first, causing them
to happily re-sign traffic that was already MITMed and erase all of the
evidence.

~~~
jamestenglish
I believe the author did cover this in point 13:

> In looking around at the certificates that they support, I was not surprised
> to find that they accepted no other certificates as valid – only their own.
> That means it would be trivial to man in the middle any outbound HTTPS
> connection, so even if they do allow outbound access to Google’s JSON location
> API it wouldn’t help, because the connection and contents can be monitored by
> them.

