I'll assume #1 isn't true since it would be stupid for those companies to do that for so little money.
#2 has interesting implications about trade embargoes. Unless everyone in the world participates, it seems like all an embargo does is add complexity and middle-men to the transaction. For example, if they legally acquired the software and hardware through a Chinese or Russian reseller, then all that happened was the Chinese or Russians took a cut.
#3 interests me because what happens there? Ok, they are using clearly stolen software, now what? Are there any consequences?
The U.S. government is aware of this, but for as long as US companies are never directly selling to NK, the sanction is enforced from the US's perspective. This includes banks, which cannot do transactions (via multiple middlemen? Yes, sure! Money laundering, but the FBI will be looking at it).
If you're comfortable with it of course.
Here is their distribution center:
Carrying inventory valued at $200mm.
After I terminated my employment at Cisco Systems, some of my departmental coworkers started a consulting business to provide services related to the products that we used to work on, including maintenance services that duplicate and compete with professional services offered by Cisco itself.
I'm also earning a living as a third-party support provider, but not for Cisco products. All of my customers have been denied support by the original vendors for economic reasons (can't afford it) or corporate decisions to discontinue support. In addition to my own experience operating and reverse engineering the products I support, I have benefited from corporate leaks of documents and binaries as well as being passed material from paying customers.
I even generate licenses on my own for products that aren't sold anymore, without permission of the original vendors, but they know about it and haven't requested that I stop.
Therefore, I am certain that anyone subject to a government embargo would be able to procure these services from a third party or hire a local hacker to take care of these things.
"The country is said to have a fairly large internal domestic internet disconnected from the rest of the world. Most citizens with access to computers are only allowed to access this network, not the global computer network the rest of us connect to."
That is, absolutely, the official IP space is assigned to government and government-affiliated institutions. The rest of the local internet isn't in the Chinese address space, though; it's instead on a disconnected network with its own address space allocations, which may overlap with addresses in the rest of the world's IPv4 instance.
Also when Indian contractors were brought in to work on the pyramid hotel in Pyongyang I was told that they had a special network provided by NK government which curiously had full access to everything e.g. Facebook etc.
N Korea however has rather free movement of people/cargo with China, limited to govt officials/cargo.
I'm pretty sure N Korea did it.
Anyone have an idea how much bandwidth NK has? How easy would it be for a large botnet to DDoS the whole country?
Oh, yep. Sign me up to some of that illegal shit. /end sarcasm.
I genuinely find the suggestion to attack an entire country's internet infrastructure to be a poor idea, whoever they are.
But, sometimes theoretical questions have shaky moral ground, and more importantly, put stupid ideas in stupid people's heads.
Adam and Eve is probably the classic example.
Also, in this particular case, it seems that the people interested in that sort of thing could figure it out anyway. Obscurity isn't security.
Dan is a TV host who did a Variety Fair interview in which he was semi-pro drug legalisation.
> Dan: The validity of your read on what most of the country thinks notwithstanding, Stanley.... Actions are immoral. Opinions are not. And I won't apologize for mine. Discussion is good, and for those of us fortunate enough to be the subject of magazine articles, it may be our responsibility from time to time to try and raise the level of debate.
So I'm thinking not common. Anyone else seen or conspicuously not seen hits from NK?
Not sure why they would sweep the Internet themselves though. If they want to know what OSes are used there's already statistics for that.
They're pretty much the reason Huawei et al are taken seriously in the networking hardware demographic -- a massive personnel, training, and IP transfer (legitimate or otherwise).
I don't know what came of that visit, but months later the VP nominated me to my manager for an internal award because of my assistance on that trip; I got a framed certificate and a monetary bonus (one of many I got from Cisco).
As an American I'm rather ashamed to have participated in such.
Is there any information about the intranet in North Korea? Do they have a private class A network that everyone in the country is connected to with their own DNS servers, routers, etc which are unreachable from the rest of the internet?
The common people have access to the Kwangmyong, which is an IP network not physically connected to the Internet.
Also are there tools that take a list of services on ports and map it to likely hardware/OS?
I have been programming for a long time but somehow I missed out on this kind of networking knowledge. Are most people who know this stuff network engineers?
IP addresses are assigned by regional internet registries (RIR) like ARIN (for North America) and APNIC (for Asia-Pacific regions). Addresses are assigned in blocks like the /22 mentioned in the article.
These prefixes are then associated with Autonomous Systems, which participate in routing. You can view routing information on looking glass servers or by using a tool like Hurricane Electric's BGP toolkit: http://bgp.he.net .
For example, here's the data for Cloudflare's AS (which serves HN): http://bgp.he.net/AS13335 . You can look at the prefixes it serves and who they peer with.
You're missing `whois`. The Wikipedia page is very informative.
If you give it an IP, it will give you "ownership" status of that particular IP, and then its containing netblocks ("outwards").
Example: (my favourite IP)
$ whois 18.104.22.168
% Information related to '22.214.171.124 - 126.96.36.199'
inetnum: 188.8.131.52 - 184.108.40.206
descr: Hetzner Online AG
descr: Datacenter 16
% Information related to '220.127.116.11/16AS24940'
source: RIPE # Filtered
With a domain, it looks up the domain registration information.
If you ever script around whois, be prepared for loads of surprises, such as:
* Structure & format variations per provider (can be different on a TLD level)
* Some TLDs may not provide that information in a whois format at all:
$ whois test.gr
This TLD has no whois server, but you can access the whois database at
I am interested in how the databases that 'whois' queries are populated... the Wikipedia page looks like it will have some good pointers.
> We produce daily snapshots which are available to the public. You can find these files at our FTP site at: ftp://ftp.ripe.net/ripe/dbase/ripe.db.gz
> or split by object type at: ftp://ftp.ripe.net/ripe/dbase/split
> These daily snapshots exclude the object types: person, role, organisation and mntner. For data protection reasons, personal data is not available in bulk format. 
To avoid confusion, that isn't just Europe (whose Regional Internet Registry is RIPE NCC) but contains other continents'/RIRs' data.
As rid mentioned in his comment, this information comes from RIRs, who assign IP ranges to companies and other groups that request them. The WHOIS database is simply updated when an IP prefix is created or updated. When you make a WHOIS query, the RIR server is automatically contacted and the server simply returns a plaintext reply containing all the relevant information.
For example, ARIN (the North American registry) has a whois server for looking up data on IP addresses set up here: http://whois.arin.net
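Parsing a reply of the kind shown in the whois comment above, as an added example (not the commenter's code nor any RIR tool): it copes with the format surprises that comment lists (server `%` lines, repeated keys, the inline `# Filtered` remark) and answers the "containing netblock" question from the RIR comment by finding the inetnum and route objects that cover a queried address. The reply text, addresses and ASN are constructed.

```python
import ipaddress
import re
# Constructed RIPE-style reply in the layout shown in the whois comment above (documentation addresses, private ASN).
SAMPLE_WHOIS = """\
% Information related to '203.0.113.0 - 203.0.113.255'

inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-NET
descr:          Example Hosting GmbH
descr:          Datacenter 16
source:         RIPE # Filtered

% Information related to '203.0.113.0/24AS64496'
route:          203.0.113.0/24
origin:         AS64496
source:         RIPE # Filtered
"""
def parse_whois(text):
    """Split a reply into objects (dicts of key -> [values]): '%' lines are server
    comments, blank lines end an object, repeated keys (descr) collect into a list,
    and an inline '# remark' on a value (e.g. 'RIPE # Filtered') is dropped."""
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
            current = {}
            continue
        m = re.match(r"^([A-Za-z0-9-]+):\s*(.*)$", line)
        if line.startswith("%") or not m:
            continue  # comment, continuation or unknown layout: skip, don't crash
        current.setdefault(m.group(1), []).append(m.group(2).split("#", 1)[0].strip())
    if current:
        objects.append(current)
    return objects

def covers(obj, addr):
    """True if obj's inetnum range or route prefix contains addr."""
    if "inetnum" in obj:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in obj["inetnum"][0].split("-"))
        return lo <= addr <= hi
    return "route" in obj and addr in ipaddress.ip_network(obj["route"][0], strict=False)

def owner_of(ip, text=SAMPLE_WHOIS):
    """(netname, descr list, origin AS) from the objects covering ip, else None."""
    addr = ipaddress.ip_address(ip)
    merged = {k: v for o in parse_whois(text) if covers(o, addr) for k, v in o.items()}
    if not merged:
        return None
    return (merged.get("netname", [None])[0], merged.get("descr", []), merged.get("origin", [None])[0])
```

Feed it the real output of `whois <ip>` and expect to adjust the key regex per RIR, since each registry's layout differs.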
Nmap can scan and show the application and version based on various responses and req/response fingerprinting: http://nmap.org/book/vscan-examples.html
$ grep SSH /etc/services
ssh 22/tcp # SSH Remote Login Protocol
$ getent services ssh
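An added illustration (not nmap's code or its probe database) of the request/response fingerprinting the nmap link above describes, combined with the /etc/services lookup from the comment just above: the port name is only a hint, the captured banner decides. The signature table, banners and hostnames are constructed.

```python
import re
import socket
# A small version of what nmap's version scan does: match a captured response
# against signature regexes and report service, product and version. The
# signature table and banners below are constructed for illustration, not
# nmap's probe database.
SIGNATURES = [
    ("ssh",  re.compile(r"^SSH-[\d.]+-(?P<product>[A-Za-z]+)[_-](?P<version>[\w.]+)")),
    ("smtp", re.compile(r"^220 \S+ ESMTP (?P<product>\w+) (?P<version>[\w.]+)")),
    ("http", re.compile(r"^HTTP/1\.[01] \d{3} [^\r\n]*\r\n(?:.*\r\n)*?Server: (?P<product>[\w-]+)/(?P<version>[\w.]+)")),
]

def service_name(port, proto="tcp"):
    """The /etc/services name for a port (what 'getent services' reads);
    'unknown' when the local table has no entry or is missing."""
    try:
        return socket.getservbyport(port, proto)
    except OSError:
        return "unknown"

def fingerprint(port, banner):
    """Describe what a response reveals. The port's /etc/services name is only
    a hint; a matching banner decides the service, whatever the port number."""
    result = {"port": port, "hint": service_name(port), "service": None,
              "product": None, "version": None}
    for service, rx in SIGNATURES:
        m = rx.match(banner)
        if m:
            result.update(service=service, **m.groupdict())
            break
    return result

# Constructed responses as a scanner would have captured them; 2222 shows
# an SSH daemon on a non-standard port, 31337 an unidentified service.
CAPTURED = {
    22: "SSH-2.0-OpenSSH_7.4\r\n",
    2222: "SSH-2.0-dropbear_2019.78\r\n",
    25: "220 mail.example.test ESMTP Postfix 3.4.13\r\n",
    8080: "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nContent-Length: 0\r\n\r\n",
    31337: "\x00\x00hello\r\n",
}

def scan_report(captured=CAPTURED):
    """One fingerprint dict per port, lowest port first."""
    return [fingerprint(p, b) for p, b in sorted(captured.items())]

if __name__ == "__main__":
    for r in scan_report():
        print(r)
```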
- Using an IP, netrange and information regarding the network owner (contact and abuse info). Gathered from the Regional Internet Registry (RIR) databases.
- Using a domain, registrant info (if public), abuse details, etc.
This isn't to say that nmap (and its ilk) are not useful diagnostic tools. But I'd recommend you leave the scanning to infrastructure you either own or have the owner's consent for - at least for now while you're still learning the tools.
EDIT: where did I imply that this is about SONY? Have any of you who commented back on this actually checked the actual findings? They're yearly dated records; it seems very hard to believe that he only observed them prior to writing his piece.
P.S. - I do think it's a very good technical report, though I don't recall saying it's not.
We've known about these practices for years. The Abu Ghraib scandal was 11 fucking years ago. We've known about waterboarding and Guantanamo for years as well.
All of which is to say, I think if you believe that the U.S. government needs to create a false flag operation to bury the report, you are seriously out of touch with the political reality. Public apathy will bury it for them.
Also, note that when the next forensic analysis of some hack occurs, the scanning IPs have now "communicated with IPs associated with North Korea". So any future activity of your IPs may be attributed to NK, by the FBI/etc.
Hacking doesn't necessarily require sophistication.
> Hacking requires knowledge of the latest security vulnerabilities.
> It's impossible to develop good hackers on such a censored network.
Also no. I can imagine being on a heavily censored network being a prime breeding ground for great hackers. Either way, if I were a nation state sponsoring a hack I would presumably give uncensored access to my hack team.