RedStar OS 3.0: Remote Arbitrary Command Injection (myhackerhouse.com)
41 points by bane on Dec 4, 2016 | 22 comments

The scrolling on that page is atrocious.

How are you viewing it

Firefox on macOS. It feels like the page is trying to do its own smooth scrolling in Javascript, on top of the browser's existing smooth scrolling or something.

Same here for Safari. Feels really awful.

Considering the source (of the OS, that is), it begs the question whether these bugs are accidental or deliberate.

Or, put another way - would using a fully patched and hardened Linux distro of some denomination or the other warrant a visit from the secret police, suggesting you revert to using Red Star for -ahem- patriotic and surveillance purposes?

That doesn't really make sense.

RedStar OS contains all the surveillance features North Korea could possibly want anyway [1].

Why would you need backdoors when you have a widely opened front door?

I would strongly assume that using RedStar is mandatory in NK.

[1] http://www.securityweek.com/north-koreas-red-star-os-governm...

True, but if I were of a sufficiently paranoid bent, I would appreciate having a toolkit full of exploits to use as news of other surveillance features spread.

Someone clever/subversive enough could feasibly create a samizdat Red Star distro which had most of the known surveillance features disabled, for instance.

Almost certainly accidental.

Consider the population of NK (not large — 24 million). Now consider that it's a closed society; access to foreign media and learning materials is going to be restricted. Now on top of that, consider that learning to program requires (a) learning an enemy language (danger! spy/defector warning klaxon!) and then access to lots of presumed-subversive foreign tracts that are sufficiently abstruse and arcane to give the state censors a really big headache ...

I bet that cuts down the developer pool a little, doesn't it? If you can only allow ideologically trustworthy people access to the material they need in order to learn to code, which you need in order to build a guaranteed ideologically sanitized sandbox OS in which you can raise your less-definitely-loyal future cadres of infowar warriors, then you don't have many developers and they are picked for their loyalty rather than their ability by managers who literally can't understand the hacker mindset. (Or even the ordinary working stiff business app developer mindset.)

So RedStar was probably thrown together in a hurry by a handful of amateur programmers/professional party cadres in an atmosphere of extreme mistrust and paranoia that rewards sweeping problems under the rug (where the big party bosses won't know to look for them). Hence it being a knock-off of Red Hat 3 from 1998 with added Hangul text handling, or something.

This. They're worried that if they let their devs google everything, their devs will defect.

I guess the browser calls system(3) on the arbitrary URI instead of directly exec'ing /usr/bin/nnrurlshow? How amusing.
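As an added example, not code from the advisory or from RedStar: assuming the handler is invoked the way the comment above describes, the direct-exec version below hands the URI to it as one argv element instead of a shell command line. The well-formedness check is a hypothetical defence-in-depth layer, and `/bin/true` and the sample URI are constructed stand-ins.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define ALNUM "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

/* The vulnerable shape is system("/usr/bin/nnrurlshow " + uri): /bin/sh parses the
 * URI, so ';', '|' or '$(...)' inside it become commands.  Hardened replacement below. */

/* Defence in depth: require a scheme and only RFC 3986 URI characters.
 * ';', '&' and '$' are legal URI characters, so a filter alone is not a
 * fix; the fix is to never route the URI through a shell. */
static bool uri_is_wellformed(const char *uri)
{
    size_t n = strlen(uri);
    if (n == 0 || n > 2048 || strspn(uri, ALNUM "-._~:/?#[]@!$&'()*+,;=%") != n)
        return false;
    if (!isalpha((unsigned char)uri[0])) return false;   /* scheme starts with ALPHA */
    return uri[strspn(uri, ALNUM "+-.")] == ':';          /* scheme ends at ':' */
}

/* Hardened: fork and execv the handler with the URI as one argv element.
 * No shell parses it, so the URI reaches the handler as a literal string.
 * Returns the handler's exit status, 127 if exec failed, -1 on error. */
static int open_uri_direct(const char *handler, const char *uri)
{
    if (!uri_is_wellformed(uri)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)handler, (char *)uri, NULL };
        execv(handler, argv);
        _exit(127);            /* handler missing or not executable */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample URI: under a shell the ';' would end the command;
     * here it is passed literally.  /bin/true stands in for the handler. */
    int rc = open_uri_direct("/bin/true", "http://example.test/a;b");
    printf("direct_rc=%d\n", rc);
    return rc == 0 ? 0 : 1;
}
```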

What interests me is whether they respect the licenses of the open source stuff they use.

The DPRK does not respect the GPL, unsurprisingly.

Though they are a party to the Berne Convention, so they ought to.

No, it's all closed source. The binaries aren't publicly distributed either, they seem to be the result of leaks.

Makes me wonder what they thought they were going to achieve. I'm assuming it's based on a Linux distribution?

I guess when your entire nation is a state controlled echo chamber it's easy to just think that criticism of your code is just jealousy of your achievements.

GPL'ed code is probably legal in this case, because they don't distribute publicly. It would be a decently easy case to make in an international IP court that distribution within North Korea is not a public release. However, if a North Korean citizen demanded the source code for Red Star, they may be obligated to provide it, lest they be in violation of the GPL.

Where the hell can I get RedStar OS... I'd seriously love to install that for shits and giggles.

I have downloaded a copy from here.
Noob disclaimer: I'm the Jon Snow of HN. If this a dumb question, sorry :)

Would you say an offline VM should provide a kinda sorta safe test environment or should I really run this on some old metal? I really want to try it and a VM seems more comfortable to revert after messing shit up, but seeing as this is an operating system from a horrible totalitarian dictatorship, I fear publicly available versions might be leaked on purpose to get decadent Westerners like me to install, revel in my perceived superiority and then wind up as an unwilling proxy for Kim surfing Pornhub?

Maybe I should just try Justin Bieber Linux[0] instead ...

[0]: https://biebian.sourceforge.net/

Those builds are issued from utter hacking of the DPRK infrastructure. They aren't designed to be used on the public Internet at all, the dictatorship uses an intranet... You won't lose anything, Internet doesn't work OOTB

So. My bet is they're using old, insecure versions of Linux. Given that they don't have access to the wider internet, how can security vulnerabilities be patched via downloading updates? It would be interesting if someone created a worm that spread among all RedStar OS users in North Korea, that downloads "dangerous" information from the outside world.

While most people use the 'intranet', select people do have access to the 'real internet'. I am sure people working on RedStar have access to the internet.
