
North Korea’s Naenara Web Browser: It’s Weirder Than We Thought - ivank
https://blog.whitehatsec.com/north-koreas-naenara-web-browser-its-weirder-than-we-thought/
======
hosay123

        They use the same tracking system Google uses to create unique keys, except
        they built their own. That means the microtime of installation is sent to
        the mothership every single time someone pulls down the anti-phishing and
        anti-malware lists (from 10.76.1.11) in the browser. This microtime is
        easily enough information to decloak people, which is presumably the same
        reason Google built it into the browser.
    

Anyone know what mechanism this refers to?

~~~
pilif
They are talking about the Safe Browsing API. I don't see where this is
sending microtimes though:

[https://developers.google.com/safe-browsing/developers_guide_v3](https://developers.google.com/safe-browsing/developers_guide_v3)

Also, I kind of dislike the alarmist tone of this paragraph. Saying that
Google's anti-malware blacklist (used by all browsers out there aside from IE)
is a secret plan to de-anonymize people by using a microtime of a request
timestamp seems... far fetched.

~~~
crdoconnor
>Saying that google's anti malware blacklist (used by all browsers out there
aside of IE) is a secret plan to de-anonymize people by using a microtime of a
request timestamp seems... far fetched.

Uh, not really. Tracking users is at the heart of their business model.

~~~
blfr
How so? I thought they mostly make money from the information you provide:
search keywords.

Do they actually manage to make significant profit on retargeting or some
other ad technique that requires tracking? What can they do beyond tracking?

~~~
vidarh
It's not about knowing who you are, but knowing that you're the same user that
searched for "villas in france" when you're later browsing another site and
they have an ad that fits.

I actually worked on a vacation rental site for some time, and as a result of
queries I did for research, I ended up "only" seeing ads for one of the major
companies in the sector for weeks on end.

But there is of course potential for abuse if someone gets hold of that data.

~~~
blfr
I have a general idea of how it works or could work, which is why I gave the
example of retargeting. But is there proof they actually do it and it's "at
the heart of their business model"?

There was recently an article on using HSTS as a sort of super cookie. Yet it
doesn't seem to actually be in use[1].

There is a lot of rumour around Google. For example that they use Google
Analytics data for ranking. Yet it rarely comes with any proof.

[1]
[https://news.ycombinator.com/item?id=8831148](https://news.ycombinator.com/item?id=8831148)

------
benbristow
Site seems dead from my end. Archive.org link:
[https://web.archive.org/web/20150108223420/https://blog.whitehatsec.com/north-koreas-naenara-web-browser-its-weirder-than-we-thought/](https://web.archive.org/web/20150108223420/https://blog.whitehatsec.com/north-koreas-naenara-web-browser-its-weirder-than-we-thought/)

~~~
ifdefdebug
Same here. Thanks for link.

------
ritonlajoie
cache
[http://webcache.googleusercontent.com/search?q=cache:4-YCKBVsvtQJ:https://blog.whitehatsec.com/north-koreas-naenara-web-browser-its-weirder-than-we-thought/+&cd=1&hl=fr&ct=clnk&gl=fr&lr=lang_en%7Clang_fr](http://webcache.googleusercontent.com/search?q=cache:4-YCKBVsvtQJ:https://blog.whitehatsec.com/north-koreas-naenara-web-browser-its-weirder-than-we-thought/+&cd=1&hl=fr&ct=clnk&gl=fr&lr=lang_en%7Clang_fr)

~~~
danielweber
Their website is also getting hammered for
[https://github.com/WhiteHatSecurity/Aviator/issues/24](https://github.com/WhiteHatSecurity/Aviator/issues/24)

------
kapsel
Do we actually know much about the North Korean "intranet"?

I spent two weeks traveling around in North Korea in August 2012. One of our
visits was to a military museum that had computers available (actually
running RedStar OS!), containing some CD/DVD with MOV files (as far as I
remember) and some other things.

I remember the machine having a 10.x IP address but it was definitely not able
to access any internet, but I wonder if it was connected to their actual
intranet, or if they simply had some local network there.

~~~
crdoconnor
I managed to glean a little from my visit, but not that much:

* They apparently have something resembling a dating website.

* They can download computer games (my tour guide complained that his son spent too much time playing them).

~~~
bduerst
Was that sincere or was it part of the show?

I haven't been, but from what I've read/seen the tours are almost like an
orchestrated front aimed at changing foreigners' perspectives.

~~~
crdoconnor
>Was that sincere or was it part of the show?

I'm certain that part was sincere. There is a certain level of naive honesty
among most of the North Koreans (similar to that of sheltered fundamentalist
Christians). I could clearly detect this by seeing that some of them naively
did or said the "wrong" thing a few too many times whereas others were clearly
much more canny. The canny ones lied all the fucking time and probably knew
they were lying. The naive ones let slip a few gems.

The 'dating' website is probably more like a website for arranging arranged
marriages, incidentally. Just in case you were wondering.

>I haven't been, but from what I've read/seen the tours are almost like an
orchestrated front aimed at changing foreigners' perspectives.

The tour is orchestrated and it is clearly partly aimed at changing
foreigners' perspectives, but the parts which are just for show and the
kernels of honest truth are actually pretty easy to distinguish.

Sometimes propaganda is embarrassingly terrible (e.g. just taking the number
of actual US casualties in the Korean war and doubling it. _facepalm_ ).

I'm sure the years before I went were even more blatant and terrible,
actually. I didn't see any fake shops like in the interview but I suspect they
may have existed in the years prior to my visit. I think they probably figured
out that that was an abysmal idea.

The North Koreans have very unsophisticated domestic propaganda compared to
western domestic propaganda. They are NOT good at it. Getting better, but
still terrible.

Interestingly, western propaganda about North Korea is equally facile. The
isolation makes it easy for outright lies to be believed on both sides I
guess. Provided you haven't experienced both.

Also there are certain things both sides refuse to talk about that the other
side talks a lot about - propaganda that serves a purpose that is based in
truth. North Korea doesn't talk about prison camps but every American knows
about them. America doesn't talk about atrocities committed by GIs in the
Korean war, but North Koreans are schooled on them much like we are schooled on
Nazi atrocities.

Weirdly, North Korea was pretty open about the famine in the 90s. I expected
them to gloss over it. Western media glosses over the fact that it actually
ended, of course.

------
pilif
This article is full of inaccuracies, alarmist FUD and sensationalism. If I
could downvote an article, I would this one.

 _> I was always under the impression they were just pretending that they
owned large blocks of public IP space from a networking perspective, blocking
everything and selectively turning on outbound traffic via access control
lists. Apparently not_

It was always public knowledge that NK has more or less one publicly routed
/22. That's far removed from "large blocks of public IP space".

 _> This microtime is easily enough information to decloak people, which is
presumably the same reason Google built it into the browser_

I doubt that was Google's intention behind the Safe Browsing API
([https://developers.google.com/safe-browsing/developers_guide_v3](https://developers.google.com/safe-browsing/developers_guide_v3))

 _> So every time the browser fails for some reason they get information about
it. Useful for debugging and also for finding exploits in Firefox, without
necessarily giving that information back to Mozilla – a U.S. company_

Or it could be that most of the users of the browser in question do not in
fact have full internet access and thus no reports would be sent anyways.
Also, FF 3.6 is long out of support, so by getting access to these crash
reports, the people behind Naenara get a chance at fixing issues (I'm not
saying they do or don't, but getting the crash reports directly is the only
way for remaining crashes to actually be fixed).

 _> Could the mothership be acting as a proxy? Is that how people are
actually visiting the Internet – through a big proxy server?_

Very likely, but not because of the way the URL for the startpage is
formatted. That's just a convenience thing I guess where they ran wget or any
other crawler against the original site and then they could just prepend their
internal server to the URL and keep the patch to Firefox minimal.

 _> it’s still very odd that they haven’t bothered using HTTPS internally_

They just don't care if "normal" people could potentially sniff each other's
calendars. If the government wants access to the calendar, they just look the
data up I guess and because this is all a big intranet, the traffic doesn't
cross any non-government-owned routers anyways.

 _> This one blew my mind. Either it’s a mistake or a bizarre quirk of the way
DPRK’s network works but the wifi URL for GEO still points to
https://www.google.com/loc/json*_

Likely none of the sites the browser is actually able to visit actually use
the geolocation API, so they just forgot to change the URL. It's an
interesting bug, but far removed from mind-blowing IMHO.

 _> That’s actually a good security measure, but given how old this browser is,
I doubt they use it often, and therefore it’s probably not designed to protect
the user, but rather allow the government to quickly install malware should
they feel the need. Wonderful._

I'm sure they have other methods of installing malware that then would run as
a privileged account, not the unprivileged user account running Firefox itself
(their OS doesn't officially allow root access as we've seen in yesterday's
article).

 _> It is odd that they can do all of this off of one IP address. Perhaps they
have some load balancing but ultimately running anything off of one IP address
for a whole country is bad for many reasons._

When you have fewer than 10000 total users, that doesn't seem like such a bad
idea - it's certainly convenient.

~~~
dec0dedab0de
_> I was always under the impression they were just pretending that they owned
large blocks of public IP space from a networking perspective, blocking
everything and selectively turning on outbound traffic via access control
lists. Apparently not

It was always public knowledge that NK has more or less one publicly routed
/22\. That's far removed from "large blocks of public IP space"._

I think they meant that they were routing most IP addresses back to servers
they control, even though they didn't officially "own" them.

------
DonHopkins
Gateway To Net Ten

Mark Lottor

[Original words and music by Jimmy Page and Robert Plant]

There's a hacker who's sure all that's coax is fast and he's buying a gateway
to net ten. When he gets it he'll know if the ports are all closed with a SYN
he can get what he sent for.

Ooh ooh ooh ooh, ooh ooh ooh ooh and he's buying a gateway to net ten.

There's an RFC on the wall but he wants to be sure cause you know sometimes
words have two meanings. In a note on the page there's a warning that says
sometimes all of our code is broken.

Don't ya know, it makes me wonder.

There's an error I get when I send to the net and my packets are lost and
retransmitting. In my logs I have seen loops of mail thru the machine, and the
screams of those who are hacking.

Oooh, it makes me wonder.

And it's whispered that soon if we all fix and tune then the packets will
reach their destinations. And a new day will dawn for hosts that stay long and
the telnets will echo quite faster.

Ohhhhh, it makes me wonder.

If there's a bustle in your cisco, don't be alarmed now it's just a quick ping
for the NIC machine. Yes there are two paths you can route by, but in the long
haul there's still time to change the protocol.

Yowwww, it makes me wonder.

Your host is loaded and it will slow in case you don't know, the unix's are
asking you to join them. Dear hacker, do you see the overflow, and did you
know your gateway is still under development.

And as we wind out more coax, and gateways slower than our hosts, There goes a
message we all know, it updates routes and wants to show how everything still
turns quite slow. And if you listen very hard, the bits will come to you at
last. When all are ones and ones are all, to be a rubout and not a null.

And he's buying a gateway to net ten...

~~~
Mahn
This comment would have gone places in reddit :)

------
hultner
I was surprised the first time I heard that they even have a computer network
for their people. I would love to see the inside of a North Korean developer's
mind, do they know about the outside world?

~~~
gambiting
Apparently North Korean universities have access to the real internet, but
there are only a dozen or so computers connected to it, and for every computer
there is a government official sitting in a room next door seeing what the
person using the computer is seeing....and probably taking notes. So
researchers can visit any sites they like...but as soon as you start reading
something anti-NK you are very likely to get arrested.

~~~
kabouseng
Sorry but I have to ask, where do you get this from? Have you personally
experienced this or are you simply repeating the party line?

Not to be negative or discredit you, but you use words like "apparently",
"probably" and "very likely" which are immediate indicators of hearsay or fear
mongering.

Not that I have any idea what NK is like, never been there. But I do live in a
country that suffers from huge misconceptions about the conditions here,
hearsay and fear mongering. The entitlement to judge others absolutely astounds
me sometimes, not to be applied to you yourself of course.

~~~
runlevel1
Will Scott, an American grad student who recently taught CS at Pyongyang
University, described it as such in this talk:
[https://www.youtube.com/watch?v=zuxlLLeKZZ8](https://www.youtube.com/watch?v=zuxlLLeKZZ8)

It's pretty interesting.

~~~
kabouseng
Thank you that was interesting.

Had the OP shared a link such as this I would probably not have responded, and
I didn't quite get the following vibe from the talk:

"and for every computer there is a government official sitting in a room next
door seeing what the person using the computer is seeing....and probably
taking notes."

------
wtracy

      This one blew my mind. Either it’s a mistake or a bizarre quirk of the way DPRK’s network works but the wifi URL for GEO still points to https://www.google.com/loc/json*
    

Maybe they just don't have Wi-Fi.

------
smaili
Does anyone have a sample User Agent? I'd be very curious if anyone has tried
doing some regex's on some request logs to see if they got any page hits from
North Korea :)

~~~
lars_francke
It's right there in the article:

Mozilla/5.0 (X11; U; Linux i686; ko-KP; rv: 19.1br) Gecko/20130508
Fedora/1.9.1-2.5.rs3.0 NaenaraBrowser/3.5b4

~~~
S4M
The IPs from North Korea are available as well; it was discussed a while
ago on HN[0]. I think checking by IP is more reliable than checking
the browser: Red Star OS is not the only OS in North Korea and someone could
use Naenara Browser from the outside as well...

[0]
[https://news.ycombinator.com/item?id=8777226](https://news.ycombinator.com/item?id=8777226)
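The log check smaili asked about and the IP-versus-user-agent point S4M makes, as an added example that is not part of this thread: a small Python script that parses a few constructed combined-format web log lines, matches the Naenara user agent quoted above, checks the client IP against a prefix list, and reports whether each hit came from the user agent, the IP, or both. The prefix list here is a placeholder (an RFC 5737 documentation range standing in for the single routed /22 mentioned in the thread) and must be replaced with a real allocation from a routing registry or GeoIP database; the sample log lines and their addresses are constructed for the example.

```python
import ipaddress
import re

# Constructed sample log lines in Apache/nginx "combined" format. The Naenara
# user agent is the one quoted in the thread; the addresses are RFC 5737
# documentation ranges, not real North Korean addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [09/Jan/2015:10:15:32 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; U; Linux i686; ko-KP; rv: 19.1br) Gecko/20130508 Fedora/1.9.1-2.5.rs3.0 NaenaraBrowser/3.5b4"
198.51.100.7 - - [09/Jan/2015:10:16:01 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; U; Linux i686; ko-KP; rv: 19.1br) Gecko/20130508 Fedora/1.9.1-2.5.rs3.0 NaenaraBrowser/3.5b4"
192.0.2.200 - - [09/Jan/2015:10:17:44 +0000] "GET /blog HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0"
203.0.113.5 - - [09/Jan/2015:10:18:09 +0000] "GET / HTTP/1.1" 304 0 "-" "curl/7.38.0"
"""

# ASSUMPTION: placeholder prefix standing in for the /22 the thread says is
# routed to North Korea. Replace with the real allocation before use.
NK_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# The browser token quoted in the thread, plus the ko-KP locale tag on its
# own: either one is worth a second look.
NAENARA_UA_RE = re.compile(r"NaenaraBrowser/|\bko-KP\b")

# Apache/nginx combined log format: ip ident user [time] "request" status size "referer" "ua"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def ip_in_prefixes(ip_text, prefixes=NK_PREFIXES):
    """True if the textual address falls inside any of the given networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:  # malformed or spoofed field in the log
        return False
    return any(ip in net for net in prefixes)


def classify(entry, prefixes=NK_PREFIXES):
    """Label a parsed entry as 'both', 'ip_only', 'ua_only' or 'neither'."""
    ua_hit = bool(NAENARA_UA_RE.search(entry["ua"]))
    ip_hit = ip_in_prefixes(entry["ip"], prefixes)
    if ua_hit and ip_hit:
        return "both"
    if ip_hit:
        return "ip_only"
    if ua_hit:
        return "ua_only"
    return "neither"


def scan_log(text, prefixes=NK_PREFIXES):
    """Return (client_ip, verdict) for every parseable line, in log order."""
    results = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip lines that are not in combined format
        results.append((entry["ip"], classify(entry, prefixes)))
    return results


def summarize(text, prefixes=NK_PREFIXES):
    """Count how many lines fell into each verdict bucket."""
    counts = {"both": 0, "ip_only": 0, "ua_only": 0, "neither": 0}
    for _, verdict in scan_log(text, prefixes):
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    for ip, verdict in scan_log(SAMPLE_LOG):
        print(f"{ip:15} {verdict}")
    print(summarize(SAMPLE_LOG))
```

The 'ua_only' bucket is exactly the case S4M raises: a Naenara user agent arriving from an address outside the expected prefix, which could be someone running the browser elsewhere or a spoofed UA string, so it deserves a different reading from an 'ip_only' hit where a non-Naenara client (another OS on the same network) shows up from inside the range. Feed the script a real access log by replacing SAMPLE_LOG with the file contents and NK_PREFIXES with the verified allocation.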

