> They use the same tracking system Google uses to create unique keys, except they built their own. That means the microtime of installation is sent to the mothership every single time
Did everyone else know about this? I didn't. Interesting. I stopped using Chrome and switched back to Firefox 3-4 years ago because Firefox got better, and was slightly worried Google would eventually do stuff like that.
I'd never heard specifically of Chrome but in general I would imagine if they record the time application was installed down to some microseconds and then are able to see all requests tagged with that timestamp, and one of the requests is linked to you signing in to GMail they can link the two.
Now in general they don't even need it, other browser fingerprints are working pretty well:
I tried to run that test in Firefox, but first NoScript mutinied, then uBlock Origin threw out First Party Simulator as malvertising. Does that mean that I'm safe, or do I still have to worry about server-to-server communications?
It's been a while since I last visited this site, but I noticed the only real thing that makes it easy for them in my case is my language settings. I preferred English before my native language, which must have been so odd that my browser is unique among all they have tested...
One simple example: you browse a bunch of stuff, and they are able to know these were from the same person due to the identifier. Then you log into, say, Gmail. Now they have information to deduce you are that person.
Not saying they necessarily do that, but if they are indeed able to associate the "installation ID" to every request made with the browser, they have the information to do this, if they decide to do so.
In Firefox the requests made to Google's safe browsing are sent using a completely separate cookie jar that is isolated from the rest of the browser, so that even if Google is tracking the requests to its safe browsing service it wouldn't be able to identify you on the basis of the unique cookie alone.
On the other side, it is interesting how close they have made recent versions of Red Star OS to look like MacOS X. I guess they don't care a lot about copyright infringement. Which is possibly related to the fact that Kim Jong Un has had, at least in the past, access to an iMac [1].
This is not the case. DPRK is a member of the World Intellectual Property Organisation [0] and has laws relating to IP [1]. It is perfectly possible to register intellectual property there and plenty of multinational organisations do so.
This is super weird. And it seems obvious that most of these measures are in place to spy on people. It also makes sense to treat the country like a small company's network if they have so few clients.
The other thing I'm wondering: could they have been doing this to prevent outsiders from accessing their network? If we try to access 10.something it will try to reach an internal network and thus we won't be able to access their IPs. If we somehow manage to send the request to 10.something over the network, some node/server on the way will probably drop it.
>some node/server on the way will probably drop it
If you're familiar with how routing works at all, you'd know it wouldn't even route outside your local network. There are millions of separate 10.x.x.x networks.
I would presume all those URLs that point to the NK IP address are more likely a result of the authors doing (a poor job of) a search/replace on "mozilla.org" and "google.com" in the source code than NK actually supporting all those features specifically/proxying Google/safe browsing lists etc. 90% of them are probably 404s. We're probably talking about an IT team with skills on par with your average high school.
> We're probably talking about an IT team with skills on par with your average high school.
I don't think that's necessarily true, and it kinda seems like you're falling into the trap of believing your enemy to be a real-life cartoonish caricature.
North Korea is still a large nation, and while their resources are very limited, it's still a lot in absolute terms (as in, not compared to other nations).
> I don't think that's necessarily true, and it kinda seems like you're falling into the trap of believing your enemy to be a real-life cartoonish caricature.
On the contrary I think they're pretty normal and like anywhere IT gets no respect or resources
I doubt that. There is evidence that they have competent programmers. For example, in this year's ICPC, the North Korean team came 30th. That's pretty impressive, considering that they may not have access to all the regular contest websites that people practice on:
That doesn't actually prove very much. Successes in programming contests may demonstrate you can hack your way around an algorithmic problem that you're solving from scratch. Modifying a browser, an operating system and the communication protocols they use to add robust surveillance capabilities demands a different type of skill and resources: proficiency with an entire stack of technologies and knowledge of good engineering practices. This analysis seems to provide some evidence against the latter.
Is there some way to look at North Korea's network 10 IP space from the outside? There are tools which let you look at the Internet from inside the Great Firewall of China.[1] Is there one for North Korea?
We don't need to reverse engineer a browser to get hints about how North Korea's internet and intranet work, since people who've been there have given talks about it.
It's an interesting point that they're using a Class A address space for the country, but it's also North Korea... are we really expecting all of its citizens to be on this?
Either way they'll probably run into issues down the road but I'm sure it's working just fine for them right now. Of course, my knowledge of how distributed their network infrastructure is across their country is lacking so maybe it does cause issues for them?
It would not surprise me that a large office is using the 10/8 range internally and NATting to the national 10/8 range and suffering from horrible ICMP misrouting issues.
A large office could easily use some allocated range, like 25/8 which is allocated to the UK Ministry of Defence but not advertised on the public Internet.
You have to be careful though: last year a good number of companies were burned when DoD started to route their previously unutilised class A block 11.0.0.0/8.
It's not a leap too far; it just needs a few data points to confirm with reasonable confidence.
The DPRK has exactly one known ISP (Star JV, AS131279) and (as far as I can tell from various looking glasses) they advertise exactly three /24s out of their 175.45.176.0/22 allocation, via exactly one Chinese transit provider (China169, AS4837 which is China Unicom's backbone).
We can also see from registries and generally poking around that 175.45.176/24 is used for authoritative nameservice (e.g. the DNS servers for .kp and reverse delegations for the Star JV /24s are here) and website hosting, which makes it very unlikely to be used for non-infrastructure host addresses. Being an old ISP lag I might also guess that there'll be a pair of NTP peers in there, an MTA, and separate source addresses for DNS resolvers (although I'd concede that with the DPRK no guess is reliable).
That leaves a total of 508 globally reachable IPv4 host addresses for the whole country. I suggest that this is insufficient even for the devices allocated to the relatively small group of individuals permitted to access the internet, from which it is not unreasonable to infer that everything else is in RFC1918 (or equivalent) space behind a proxy, which this article suggests is 10/8 or (my guess) most likely some structured sub-allocations thereof.
While the conclusions in the article may not stand on their own, I think he may be implying the common usage of web browsers in the DPRK. Rather than using DNS, users connect directly to 10.* IP addresses.
Here are a couple of pics I took of IP addresses printed on the walls in a school's computer lab:
Are you sure those are bookmarks in the second image and not some examples of IP addresses? It seems unlikely that they'd be visiting addresses in all three of the RFC1918 spaces.
Far from unlikely, I have seen government-operated metropolitan-scale networks that allocated extravagantly in their early days and ended up using all of RFC1918 space, being unable to renumber (because change in government systems is Too Hard) and moving on to more esoteric non-globally-routable space.
Actually it's not difficult to determine; this is not in the article, but North Korea has VERY small allocations of publicly routable IPv4 space from APNIC. It used to be as small as a single /24. It's also possible they're using IP space from several of the upstream Chinese ISPs that they are dependent upon, in which case it would be much more difficult to determine that an IP is physically located in .KP rather than on the Chinese side of the border.
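The two threads above (the "three /24s minus infrastructure leaves 508 hosts" arithmetic, and the question of whether the addresses in the browser prefs and on the classroom walls fall in RFC1918 or some more esoteric non-globally-routable range) are easy to check mechanically. The script below is an added example, not code from the article or from any commenter. It assumes the three advertised /24s are the first three of 175.45.176.0/22 (the comment does not say which three) and uses constructed `pref(...)` lines with a made-up 10.73.1.1 address standing in for whatever the search/replace actually put in the Red Star prefs file.

```python
"""Classify IPv4 addresses found in browser prefs against the IANA
special-purpose registry and count the usable globally routed host space.
Added example; the prefs lines and the 10.73.1.1 address are constructed."""
import ipaddress
import re
from urllib.parse import urlsplit

# Subset of the IANA IPv4 special-purpose address registry. Anything in one of
# these ranges is not globally routed no matter what an ISP announces, which is
# why a request to 10.x from outside the DPRK never leaves your own network.
SPECIAL_RANGES = [(label, ipaddress.ip_network(cidr)) for label, cidr in [
    ("RFC1918 private (10/8)", "10.0.0.0/8"),
    ("RFC1918 private (172.16/12)", "172.16.0.0/12"),
    ("RFC1918 private (192.168/16)", "192.168.0.0/16"),
    ("RFC6598 shared address space / CGNAT (100.64/10)", "100.64.0.0/10"),
    ("RFC2544 benchmarking (198.18/15)", "198.18.0.0/15"),
    ("loopback (127/8)", "127.0.0.0/8"),
    ("link-local (169.254/16)", "169.254.0.0/16"),
    ("documentation TEST-NET-1", "192.0.2.0/24"),
    ("documentation TEST-NET-2", "198.51.100.0/24"),
    ("documentation TEST-NET-3", "203.0.113.0/24"),
    ("reserved, former class E (240/4)", "240.0.0.0/4"),
]]


def classify(addr: str) -> str:
    """Return the special-purpose range an address falls in, or a note that
    only a routing table can say more. Raises ValueError for non-IP input."""
    ip = ipaddress.ip_address(addr)
    for label, net in SPECIAL_RANGES:
        if ip in net:
            return label
    # Allocated-but-unannounced space (25/8, or 11/8 before DoD routed it)
    # looks identical to announced space here; check a looking glass for that.
    return "not special-purpose (verify against BGP announcements)"


def usable_hosts(advertised, infrastructure=()):
    """Sum host addresses over advertised prefixes, skipping any prefix that
    lies inside an infrastructure prefix, and dropping the network and
    broadcast address of each remaining prefix."""
    infra = [ipaddress.ip_network(p) for p in infrastructure]
    total = 0
    for p in advertised:
        net = ipaddress.ip_network(p)
        if any(net.subnet_of(i) for i in infra):
            continue
        total += net.num_addresses - 2
    return total


# Matches Firefox-style default pref lines: pref("name", "value");
PREF_RE = re.compile(r'pref\("([^"]+)",\s*"([^"]*)"\)')


def scan_prefs(text):
    """Extract every URL-valued pref and classify its host. Literal IPs get a
    range label; DNS names are reported as 'hostname'."""
    findings = []
    for name, value in PREF_RE.findall(text):
        host = urlsplit(value).hostname
        if host is None:          # not a URL, nothing to classify
            continue
        try:
            kind = classify(host)
        except ValueError:        # a DNS name rather than a literal address
            kind = "hostname"
        findings.append((name, host, kind))
    return findings


# Constructed sample; the 10.73.1.1 endpoint is invented for the example.
PREFS_SAMPLE = '''
pref("browser.safebrowsing.provider.google.updateURL", "http://10.73.1.1/safebrowsing/downloads");
pref("browser.search.defaultenginename", "http://10.73.1.1/search");
pref("app.update.url", "https://aus3.mozilla.org/update/");
pref("geo.wifi.uri", "https://www.googleapis.com/geolocation/v1/geolocate");
'''

# Assumption: the three announced /24s are the first three of the /22.
ADVERTISED = ["175.45.176.0/24", "175.45.177.0/24", "175.45.178.0/24"]
INFRASTRUCTURE = ["175.45.176.0/24"]   # nameservers and web hosting, per the comment

if __name__ == "__main__":
    print("globally reachable host addresses:", usable_hosts(ADVERTISED, INFRASTRUCTURE))
    for name, host, kind in scan_prefs(PREFS_SAMPLE):
        print(f"{name}: {host} -> {kind}")
```

Run it and the host count comes out at 508, matching the comment's figure (two /24s of 254 usable addresses each). The classifier deliberately reports 25/8-style space as "not special-purpose" rather than "public": `ipaddress.is_global` makes the same call, and the only way to tell allocated-but-dark space from announced space is a routing table or a looking glass, as the thread notes.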
Amusing about the new TLDs for their internal use: it looks like Donuts LLC (the company which runs a shitload of new gTLDs) and North Korea have similar lines of thinking, but for very different reasons.
I work for a large games publisher and using our in-game tracking we can see some (usually just a few) connections from North Korea. I always wondered if it's kids of rich NK elite playing on imported PS4s and Xbox Ones, and how bizarre it must be to have something like a PS4 in such a closed country.
Hard to tell. In a game with millions of users we literally have 5-6 profiles created from North Korean IPs ("Star Joint Venture" appears as the ISP), so I guess it's plausible that just a handful of people have got imported consoles there. At the same time, the sample size is so small it could be spoofed maybe? I am not sure if there's any way to know for certain really.
Edit: it's also possible that people living in embassies in NK have consoles, but I have no idea how they get internet there, probably not through the national ISP.
Maybe it's a cry for help? Someone "accidentally" left a single HTTPS request there, hoping Google will redirect North Korean requests to an open proxy allowing them full access to the Web.
I'm disappointed he didn't check the cert store on the browser. He seemed shocked that they would allow HTTPS, but that's perfectly fine as long as their proxy has a root cert installed so it can re-sign every HTTPS transaction.
I would be shocked if the DPRK is not doing this.
It's also a potential security issue since many of those certificate re-signing devices fail to verify the original certificates first, causing them to happily re-sign traffic that was already MITMed and erase all of the evidence.
> In looking around at the certificates that they support, I was not surprised to find that they accepted no other certificates as valid – only their own. That means it would be trivial to man in the middle any outbound HTTPS connection, so even if they do allow outbound access to Google's JSON location API it wouldn't help, because the connection and contents can be monitored by them.
Except that he did check the certs and they're doing exactly that.
> 13. In looking around at the certificates that they support, I was not surprised to find that they accepted no other certificates as valid – only their own. That means it would be trivial to man in the middle any outbound HTTPS connection, so even if they do allow outbound access to Google's JSON location API it wouldn't help, because the connection and contents can be monitored by them. Likewise, no other governments can man in the middle any connections that the North Koreans have (I'm saying that with a bit of tongue in cheek, because of course they can according to Wikileaks docs, but this probably makes the DPRK feel better — and more importantly they probably don't know how to do it in the same way as the NSA does, so they have to rely on draconian Internet breaking concepts like this).