
RedStar OS 3.0: Remote Arbitrary Command Injection - bane
https://www.myhackerhouse.com/redstar-os-3-0-remote-arbitrary-command-injection/
======
Sintendo
The scrolling on that page is atrocious.

~~~
kristopolous
How are you viewing it?

~~~
Sintendo
Firefox on macOS. It feels like the page is trying to do its own smooth
scrolling in JavaScript, on top of the browser's existing smooth scrolling or
something.

~~~
cygned
Same here for Safari. Feels really awful.

------
lb1lf
Considering the source (of the OS, that is), it begs the question whether
these bugs are accidental or deliberate.

Or, put another way - would using a fully patched and hardened Linux distro of
some denomination or the other warrant a visit from the secret police,
suggesting you revert to using Red Star for -ahem- patriotic and surveillance
purposes?

~~~
the_duke
That doesn't really make sense.

RedStar OS contains all the surveillance features North Korea could possibly
want anyway [1].

Why would you need backdoors when you have a widely opened front door?

I would strongly assume that using RedStar is mandatory in NK.

[1] [http://www.securityweek.com/north-koreas-red-star-os-government-surveillance-its-best](http://www.securityweek.com/north-koreas-red-star-os-government-surveillance-its-best)

~~~
lb1lf
True, but if I were of a sufficiently paranoid bent, I would appreciate having
a toolkit full of exploits to use as news of other surveillance features
spread.

Someone clever/subversive enough could feasibly create a samizdat Red Star
distro which had most of the known surveillance features disabled, for
instance.

------
DblPlusUngood
I guess the browser calls system(3) on the arbitrary URI instead of directly
exec'ing /usr/bin/nnrurlshow? How amusing.
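
The difference this comment guesses at, shown as an added example that is not part of the thread or of the linked write-up: the same URI handed to a handler through system(3) and as a single argv element. Assumptions: `true` stands in for the handler, and the function names and the sample URI are constructed for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for the URL handler (assumption). `true` ignores its
 * arguments and exits 0, so any other status came from the shell. */
#define HANDLER "true"

/* Pattern the comment suspects: the URI is pasted into a string that
 * /bin/sh parses, so ';' inside the URI ends the handler command. */
int handle_uri_via_shell(const char *uri)
{
    char cmd[512];
    int n = snprintf(cmd, sizeof cmd, "%s %s", HANDLER, uri);
    if (n < 0 || (size_t)n >= sizeof cmd)
        return -1;                      /* refuse truncated commands */
    int status = system(cmd);
    return (status != -1 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

/* Direct exec: no shell is involved; the URI is one argv element and
 * reaches the handler byte for byte. */
int handle_uri_via_exec(const char *uri)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)HANDLER, (char *)uri, NULL };
        execvp(HANDLER, argv);
        _exit(127);                     /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *uri = "mailto:a@example.invalid;exit 7"; /* constructed */
    printf("system(3): status %d\n", handle_uri_via_shell(uri));
    printf("execvp(3): status %d\n", handle_uri_via_exec(uri));
    return 0;
}
```

A handler status other than 0 from the shell variant means part of the URI was executed as shell syntax instead of being delivered as data.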

------
mhaehnel
What interests me is: do they respect the licenses of the open source stuff
they use?

~~~
reubensutton
No, it's all closed source. The binaries aren't publicly distributed either,
they seem to be the result of leaks.

~~~
chris_wot
Makes me wonder what they thought they were going to achieve. I'm assuming it's
based on a Linux distribution?

I guess when your entire nation is a state controlled echo chamber it's easy
to just think that criticism of your code is just jealousy of your
achievements.

------
deeznut5
Where the hell can I get the redstarOS... I'd seriously love to install that
for shits and giggles.

~~~
sdglhm
I have downloaded a copy from here.

[http://www.openingupnorthkorea.com/downloads-2](http://www.openingupnorthkorea.com/downloads-2)

~~~
Gruselbauer
Noob disclaimer: I'm the Jon Snow of HN. If this is a dumb question, sorry :)

Would you say an offline VM should provide a kinda sorta safe test environment
or should I really run this on some old metal? I really want to try it and a
VM seems more comfortable to revert after messing shit up, but seeing as this
is an operating system from a horrible totalitarian dictatorship, I fear
publicly available versions might be leaked on purpose to get decadent
Westerners like me to install, revel in my perceived superiority and then wind
up as an unwilling proxy for Kim surfing Pornhub?

Maybe I should just try Justin Bieber Linux[0] instead ...

[0]: [https://biebian.sourceforge.net/](https://biebian.sourceforge.net/)

~~~
my123
Those builds are issued from utter hacking of the DPRK infrastructure. They
aren't designed to be used on the public Internet at all, the dictatorship
uses an intranet... You won't lose anything, Internet doesn't work OOTB.

------
aussieguy123
So. My bet is they're using old insecure versions of Linux. Given that they
don't have access to the wider internet, how can security vulnerabilities be
patched via downloading updates? It would be interesting if someone created a
worm that spread among all redstar os users in North Korea, that downloads
"dangerous" information from the outside world.

~~~
dominotw
While most people use 'intranet', select people do have access to the 'real
internet'. I am sure people working on redstar have access to internet.

