Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Censorship Government Mozilla Software

Inside North Korea's Naenara Browser 159

msm1267 (2804139) writes with this excerpt from Threatpost Up until a few weeks ago, the number of people outside of North Korea who gave much thought to the Internet infrastructure in that country was vanishingly small. But the speculation about the Sony hack has fixed that, and now a security researcher has taken a hard look at the national browser used in North Korea and found more than a little weirdness. The Naenara browser is part of the Red Star operating system used in North Korea and it's a derivative of an outdated version of Mozilla Firefox. The country is known to tightly control the communications and activities of its citizens and that extends online, as well. Robert Hansen, vice president of WhiteHat Labs at WhiteHat Security, and an accomplished security researcher, recently got a copy of Naenara and began looking at its behavior, and he immediately realized that every time the browser loads, its first move is to make a request to a non-routable IP address, http://10.76.1.11./ That address is not reachable from networks outside the DPRK.

"Here's where things start to go off the rails: what this means is that all of the DPRK's national network is non-routable IP space. You heard me; they're treating their entire country like some small to medium business might treat their corporate office," Hansen wrote in a blog post detailing his findings. "The entire country of North Korea is sitting on one class A network (16,777,216 addresses). I was always under the impression they were just pretending that they owned large blocks of public IP space from a networking perspective, blocking everything and selectively turning on outbound traffic via access control lists."
This discussion has been archived. No new comments can be posted.

Inside North Korea's Naenara Browser

Comments Filter:
  • by Anonymous Coward on Friday January 09, 2015 @10:54AM (#48775089)

    IPv6 will never take off, so in the end we'll be bridging national internets just like this one.

    • by Anonymous Coward

      This. In an ironic twist, this just means that NK is ahead of rather than behind the times.

      NAT is evil. But people are stupid. Therefore NAT continues to be used. The Kim thanatocracy is especially evil, therefore treats the whole country as if behind a NAT firewall. Which also happens to block most things to most people.

      At least it doesn't use other people's IP addresses.

      • Ironically, things like this could accelerate the move to IPv6, since countries w/ computing needs larger than 17m can't use this solution.

        But if they were doing it this way, why couldn't they just get UNIXWARE, and then put the entire country on an IPX network? That way, they'd have enough addresses for everyone, while being completely incompatible w/ the rest of the world, which would make the Pyongyang regime happy. I'm sure SCO would have been happy to get its debts settled by selling off UNIXWARE t

    • IPv6 will never take off.

      According to Google, it is [google.com]. Slowly, admittedly, but about 5% of Google users now have IPv6.

      • AFAIK all four of the major wireless providers support IPv6 (just tested and confirmed on my t-mobile galaxy note 4, and saw it working on a verizon phone earlier, meanwhile AT&T and Sprint say they support it.) The only way you wouldn't be using it at this point is if your phone doesn't support it, or you're on a small carrier that doesn't (though I would assume all MVNOs support it.)

        However, strangely enough it seems that my phone defaults to using the V4 stack when hitting google specifically (typing

        • Could be a happy eyeballs thing - while the original spec does call for IPv6 being preferred, the happy eyeball spec calls for the network where results are first obtained to be used.
        • I assume that's for the US, which seems ahead of the game despite having plenty of v4 addresses.

          Here in the UK, none of the major ISPs have deployed v6 at all, and I don't think any of the mobile companies have either. I suppose they're just risk averse, as dealing with support calls for unexpected problems isn't cheap and their margins aren't huge.

          • They shouldn't have any support issues to deal with when deploying IPv6. If end user hardware doesn't support it or isn't configured properly, then they will be completely unaware of and unaffected by its existence. That would only change when IPv4 becomes deprecated (my personal prediction is 2030.)

            Now if the end users explicitly need IPv6, then they might have support issues to deal with (i.e. telling them how to configure it) but usually the only ones that would need to do that (at least, until IPv4 is d

            • That should be true in theory, but the IPv6 hardware & software is nowhere near as well tested as the IPv4 equivalent, both in terms of home equipment and in the ISPs own networks. How often does this kind of thing work perfectly first time? And the staff don't have the same experience with it to fix problems when they do occur. Anything new is a risk, and since hardly any home customers are demanding IPv6 it might seem like it's a risk not worth taking until made absolutely necessary by v4 exhaustion.

              T

              • That should be true in theory, but the IPv6 hardware & software is nowhere near as well tested as the IPv4 equivalent, both in terms of home equipment and in the ISPs own networks.

                It's true in fact. If the device doesn't support the v6 stack, then it just flat out ignores it; it may as well not even be there. After it gets passed to the CPE device at layer 2, the layer 3 doesn't know what to do with it, so it's simply discarded as if it were a corrupt IP datagram. Likewise it can't cause any trouble.

            • If end user hardware doesn't support it or isn't configured properly, then they will be completely unaware of and unaffected by its existence.

              End user hardware generally does support it though - any vaguely modern computer, smartphone or tablet should automatically pick up and use an IPv6 address if available. So if the ISPs start supplying v6 it's essential that it works reliably, because the users' devices will try and use it. Broken v6 does affect connectivity, even if v4 still works fine. And even if the fault is with the users own equipment, you can bet they'll be complaining to the ISP.

              Second post because I realised my first one doesn't dir

              • End user hardware generally does support it though - any vaguely modern computer, smartphone or tablet should automatically pick up and use an IPv6 address if available.

                Typically it never reaches that point. The CPE router either doesn't support it or isn't configured for it. That means the rest of the CPE network doesn't either.

                Broken v6 does affect connectivity, even if v4 still works fine.

                Incorrect. The v6 stack does path MTU discovery prior to creating a socket. If that fails, then as per IETF spec, the packet will try to fail over to v4. You can test this for yourself; IPv6 devices that have the stack enabled and functioning out of the box still autoconfigure a link local IPv6 address as part of NDP (DHCP is mostly deprecated in I

  • Wow (Score:5, Funny)

    by Anonymous Coward on Friday January 09, 2015 @10:55AM (#48775101)

    I didn't think it was possible to make the Internet Explorer and Windows XP I'm forced to use at work seem like a privilege. Congrats, North Korea. You pulled it off.

  • by XxtraLarGe ( 551297 ) on Friday January 09, 2015 @10:57AM (#48775111) Journal
    The internet browses YOU!
  • by Anonymous Coward

    1976.1.11?

  • by Minwee ( 522556 ) <dcr@neverwhen.org> on Friday January 09, 2015 @10:58AM (#48775119) Homepage

    This means that North Korea is VIOLATING RFC 1918! Forget all that other stuff, this must be stopped by any means necessary!

  • by Anonymous Coward

    In other words, the U.S. government could make attackers coming from inside the DPRK a non-issue through a (relativey cheap for a national government) DDOS service?

    • by Shatrat ( 855151 )

      Which seems like exactly what someone did. http://www.cnbc.com/id/1022920... [cnbc.com]

    • by Howitzer86 ( 964585 ) on Friday January 09, 2015 @11:13AM (#48775275)

      People obsess over this idea that North Koreans must be hacking from within North Korea, and that there's no way they could realistically do it because their connection bandwidth is so puny. They forget that North Korean government is really an organized criminal syndicate with a huge military and slave labor base. They likely have vast criminal connections. All they have to do is hire sympathetic South Korean hackers on the condition that they do their work under the North Korean banner. When all is said and done, the North Koreans come out looking like bad asses you don't want to mess with, when in reality they just farmed the work out using basic email, a courier, and a satellite phone.

      We could break their internet access forever, with a never ending DDOS, and it wouldn't matter one bit.

      • They forget that North Korean government is really an organized criminal syndicate with a huge military and slave labor base.

        And Kim and pals work hard to make sure people keep on forgetting it. These people are not stupid. They are as cunning as they are ruthless. They know they have no hope against military intervention, so the only way they can keep from being made to answer for their crimes against humanity is to craft their public image in such a way that they appear to be too silly to bother with. There is no political will to topple their murderous and brutal enterprise because when Westerners think "North Korea" they thin

        • by dj245 ( 732906 ) on Friday January 09, 2015 @03:23PM (#48777639) Homepage

          They forget that North Korean government is really an organized criminal syndicate with a huge military and slave labor base.

          And Kim and pals work hard to make sure people keep on forgetting it.

          Do you personally know what Kim Jong Un has been up to? He has been in power only about 2 years and aside from propaganda photos, nobody knows really what he has being doing in that time, especially Westerners. Citizens of the DPRK don't even know how old he is. The only evidence giving a glimpse into his personal policies or beliefs is that he probably is quietly pushing reforms and experimenting with capitalism [washingtonpost.com]. He lived in Switzerland (probably) and has visited other capitalist countries. Turning a country around, especially one like North Korea, takes time. It is foolhardy to judge the man based on the almost nothing we know about him personally.

        • by hitmark ( 640295 )

          Or they have taken Nixon's mad man thesis to the logical endpoint...

      • that, and just because average joe citizen is forced to have a 10. address doesn't mean that there aren't other high bandwidth pipes reserved for close friends of the Dear Leader.

        North Korean government is really an organized criminal syndicate with a huge military and slave labor base

        that describes most governments.

  • That's how I'd do it (Score:4, Interesting)

    by Anonymous Coward on Friday January 09, 2015 @11:05AM (#48775201)

    If I were in charge of the network in a place like North Korea where it's heavily monitored and locked down, I'd run it like a big corporate LAN too, utilizing the 10.x.x.x block. The IP that every browser hits on load would be set up as an anycast address with nodes in datacenters near large groups of users (corporate campuses, or cities with lots of PCs in this case.)

    The article also provides some good insight for those who aren't aware how malware can discretely provide security holes... using only one encryption key, allowing for easy man-in-the-middle attacks, as in this example.

  • by rs1n ( 1867908 ) on Friday January 09, 2015 @11:06AM (#48775207)
    I like how the summary posts the non-reachable IP address just so we can slashdot it anyway.
  • DPRK has one network under central control, much like a large corporate entity... it's not like there is a choice of ISPs who have to link with each other! Anyways, the DPRK internet as used by the those DPRK citizens (still a very small percentage of the overall population) is completely airgapped from the public internet as we know it. Only a very very small number of elites have access to the 'real' internet...
    • Re: (Score:3, Funny)

      by Anonymous Coward

      DPRK has one network under central control, much like a large corporate entity... it's not like there is a choice of ISPs who have to link with each other!

      Anyways, the DPRK internet as used by the those DPRK citizens (still a very small percentage of the overall population) is completely airgapped from the public internet as we know it. Only a very very small number of elites have access to the 'real' internet...

      So the DPRK is using AOL's old business model? That is EVIL!

  • by ByTor-2112 ( 313205 ) on Friday January 09, 2015 @11:10AM (#48775245)

    Can you really generalize that all the internal network must be from the 10.0.0.0/8 block? What prevents those addresses from being used other than convention and router setup. Perhaps they are only for the internal government computers to make them completely invisible to outside networks.

    • by Anonymous Coward

      > Can you really generalize that all the internal network must be from the 10.0.0.0/8 block?

      Agreed, all this is evidence of is that they have, at minimum, a route for 10.76.1.0/24 at some point on their border routers.

      There is nothing particularly "Magic" about 10.0.0.0/8 that would keep them from treating it as routable on their state owned infrastructure.

    • I'm not too familiar with how things are run in NK. But I understand that the state controls all network equipment and is successfully able to prevent its citizens from using other OSes and equipment. So the generalization is likely very accurate.

      It really wouldn't even take that much work to pull this off. The hardest part would be keeping broadcast domain separation. If that IP is non-routable it means that either the entire country is on one broadcast domain or they're pulling off some relatively com

      • by tlhIngan ( 30335 )

        It really wouldn't even take that much work to pull this off. The hardest part would be keeping broadcast domain separation. If that IP is non-routable it means that either the entire country is on one broadcast domain or they're pulling off some relatively complicated layer 2/3 network segregation (lots of enormous lookup tables, etc). I imagine communications would be very slow all around either way.

        Most people don't reasonably expect that a broadcast on 10/8 would go to every machine - in practically eve

        • by gstoddart ( 321705 ) on Friday January 09, 2015 @12:13PM (#48775877) Homepage

          One of the funniest things I ever saw on a corporate network:

          A manager had a bunch of machines in his office, and IT couldn't/wouldn't add any more network drops for him. So, he bought a little router. It turns out that the 192.168.* addresses it gave to his machine corresponded exactly to the ones the Exchange servers used, and something about the NAT crossed some signals.

          Once they pieced together why email had stopped working, they immediately put a ban on those things, and immediately got him a switch which didn't do DHCP so he could have more networking in his office.

          The whole time the developers were howling and thinking "really, that's the IP addresses they chose for critical infrastructure? The first one in the open pool?"

          Everything defaults to starting at 192.168.0.1, which means if you're using it you might not like the results.

          • I've got something close to that in my past...

            Years ago I worked for a managed service provider with about 100 different companies all within one managed network. Part of the consumer contracts were that companies would buy their components, but would not have the power to manage them while under the contract. Also, they could only purchase approved hardware for their infrastructure (all Cisco).

            Every once in a while we would get a call that people's interwebs were going super slow, or not working. In mos

            • You sound a little like a control freak.

              dd-wrt in client mode. And MAC spoofing. And fuck you ;)

              • Not really, he sounds like somebody who's realised that people will continue to flaunt the rules until there are consequences. He also sounds like he's decided that if people are going to ignore their supervisor about home routers, then you might as well fuck with them.

                I do something similar in our office - we're essentially serviced offices, so underwriters bring in their own laptops. We don't block anything, apart from Bittorrent, not only because it's *my* name on our subnet whois, but also because it sp

                • Upside-down internet is a lot of fun. And you're right. I'm not a control freak. We set up security rules and guidelines for a reason. Some of these places have stringent compliance needs for HIPPA, PCI, and other regulations that strictly forbid the behavior I mentioned. So, yeah, I'm fucking with him but I'm also not getting him fired, either. It's my ass on the line and as long as I can keep the situation under control it's not a big deal.

                  • I don't know ... you could try to, you know, help him achieve his goals in a better way that doesn't violate the rules. Suggest setting up an isolated intranet for wireless. If you're in charge of the network, why would you not set up WiFi to begin with; that just sucks.

                    It seems to me you're making yourself part of the problem, rather than the solution, by just blocking people. You do that, of course people will try to get around you. And, if that guy wants wireless enough, he'll eventually look up how

                    • I didn't see a reason to go into the details of this particular situation more than that which I found humorous and nerdy. I still don't. The situation was handled very professionally, as I handle all situations. But the professional part isn't as interesting in this context to me as perhaps it is to you.

                      If you find yourself in a situation like this and you circumvent the rules and get away with it, bully for you. If I'm your net admin and I find out about it, I'll make sure to type up a full report as

                    • But the professional part isn't as interesting in this context to me as perhaps it is to you.

                      Yeah, not going to be lectured by you, and not scared of you, either. I know enough to ignore you, and end-run around you, without violating the rules. For instance, I would have tethered my phone, not set up my own router. Although long-term I probably would have quit a company so dysfunctional it doesn't provide wireless its employees. Not for that, but because dysfunction in one area usually correlates with dysfunction everywhere.

                      And that was my point. You were part of a dysfunctional system in this

          • I wonder which IPv6 ranges they use, in case a network is IPv6 only?
        • I'm a network engineer, so I'm fully aware of how one should be doing this sort of thing.

          From the context of TFA the author went out of the way to mention that the IP is both non-routable and unreachable from non 10.0.0.0/8 addresses. I inferred from this that the author meant to say that internally the call to 10.76.1.11 would somehow be assumed to be on the same network of each host. I didn't find it that hard to believe because it can be done, and it's entirely possible that DPRK just doesn't have enou

        • it's what people do for 192.168.*.x - 192.168.0.x is for servers behind the firewall, 192.168.1.x is for PCs, 192.168.2.x is VPN, etc.

          I suppose the bigger thing is that they decided to use private IP space rather than setting up a set of colliding public IP addresses.

          Just hope that they don't use Belkin routers in that office, since the default address of a Belkin router is 192.168.2.1

      • by Zak3056 ( 69287 )

        If that IP is non-routable it means that either the entire country is on one broadcast domain or they're pulling off some relatively complicated layer 2/3 network segregation (lots of enormous lookup tables, etc). I imagine communications would be very slow all around either way.

        I think that the submitter getting all "zOMG they're running the whole damn country on 10.0.0.0/8!!!!11one" is at best premature, but assuming that they were, I'm wondering why you'd believe it's organized as one flat network requiring any kind of magic to operate? There's plenty of room to subnet in that /8...

        • As I mentioned in another post, the author went out of his way to state that it was non-routable and unreachable from the outside. It sounded like he was implying there was no subnetting (as you will always need a route to get from one subnet to another). I'm a network engineer so I know perfectly well how this should be set up. There are ways to use layer 3 switches to prevent broadcasts from going where they don't likely belong.

          And, in another article discussion, I mentioned that I've redone a corporat

    • Can you really generalize that all the internal network must be from the 10.0.0.0/8 block?

      No. I think that this is a huge over-reach in terms of inferring how the North Korean Internet/LAN is set up. All they have to do in North Korea is to configure their routers to route the 10.0.0.0/8 addresses as they want, amongst the "real" IP addresses. Yes, it breaks RFCs, but does anyone in power in Nort Korea care about RFCs?

      • by hitmark ( 640295 )

        Also likely makes it that much harder to use smuggled in hardware to reach the outside world.

    • by myrdos2 ( 989497 )
      Or perhaps every local network is required by law to have a government-approved server running at 10.76.1.11.
    • Can you really generalize that all the internal network must be from the 10.0.0.0/8 block? What prevents those addresses from being used other than convention and router setup. Perhaps they are only for the internal government computers to make them completely invisible to outside networks.

      he immediately realized that every time the browser loads, its first move is to make a request to a non-routable IP address, http://10.76.1.11./ [76.1.11]

      Its written poorly, but it sounds to me merely like the default site on the browser is set to http://10.76.1.11.../ [76.1.11] so its possible whomever built that first instance is using a private network, used that internal address to test that his build worked, or is using an IP is not live, somehow left the default in there when it was distributed... or maybe all home rout

    • by hitmark ( 640295 )

      The /8 part may be a stretch, but it would not surprise me if they run the nation on the 10.x.x.x range (or at least the public facing stuff).

      they can still nest the B and C ranges inside that, and you have to know your stuff to reach the outside world via smuggled in equipment. And such attempts probably sticks out like a sore thumb to the uniforms operating the national firewall.

  • The article seemed a bit overexcited to me. Is it really that surprising that they use 10.x space? It's not like Internet access is widely used in NK. And most of the other items were not what I would call weird, just what you would expect in a regime like this. Still, kudos to the author for doing this analysis.
    • The article seemed a bit overexcited to me. Is it really that surprising that they use 10.x space? It's not like Internet access is widely used in NK. And most of the other items were not what I would call weird, just what you would expect in a regime like this. Still, kudos to the author for doing this analysis.

      Heh I was wondering that too.. I wouldn't call it "going off the rails", it's exactly what any of us would do to "solve" the problem of limiting and monitoring the internet access of millions of users.

      • I wonder how many people in NK even have access to their national 'intranet' let alone the global Internet.
        • Only the "elite". At most top 30% would be my guess based on a few documentaries seen and wiki entries read. Probably more like ~10% or less (I mean power is really shitty unless you are in Pyongyang). As for how many can reach the public internet? Only their "cyber warriors" I believe. But if you make it to South Korea they have better broadband infrastructure and pricing than us from what I understand.
  • Just wait until everyone in North Korea finds out that the animals in the rest of the world don't actually speak English!!!!

  • The entire country of North Korea is sitting on one class A network (16,777,216 addresses).

    Possible but not likely. It is more likely that the country is split into many state run networks, all of which have a state owned machine with a 10.76.1.11 interface. It would provide more IP space, segregate the country into different Internet groups (in N Korea probably social classes), provide protection for some of those classes against DDOS worms infecting other classes, and make the "for your own good citizen" monitoring more tractable.

  • by wonkey_monkey ( 2592601 ) on Friday January 09, 2015 @11:41AM (#48775521) Homepage

    When I first saw an image of the browser I was awe-struck to see that it made a request to an adddress (http://10.76.1.11/) upon first run.

    This guy may want to tweak his astonishment threshold before going outside.

    "Here's where things start to go off the rails: what this means is that all of the DPRK's national network is non-routable IP space.

    Not necessarily. He might well be right, but it might it not just be that the address is actually routeable from within DPRK, and that the IP address was deliberately chosen so as not to be routeable from the outside world?

  • Clearly, you can NAT an entire nation! IT JUST WORKS!

    (Of course, the fact that one of the most reclusive and oppressive nations in the world is using this isn't a shining endorsement, but still....)

    • Clearly, you can NAT an entire nation! IT JUST WORKS!

      (Of course, the fact that one of the most reclusive and oppressive nations in the world is using this isn't a shining endorsement, but still....)

      Sure, but your big NK router only has 64K ports per external IP address. It will probably croak well before it has 64K NAT sessions going, though.

    • Only b'cos that nation has a population of 24 million. If the Chicoms wanted to NAT off China, they'd need to move to IPv6. Maybe they already have?
  • The part about the whole DPRK essentially being on a single giant LAN that you can't reach from the outside. That's not news to me.

  • by Moskit ( 32486 ) on Friday January 09, 2015 @02:29PM (#48777231)

    Another summary written by a clueless, not a nerd.

    10/8 network is a perfectly routable IP range.

    http://10.76.1.11./ [76.1.11] is a URL, not an IP address.
    It also has an extra dot before the closing slash.

    "News for _nerds_", sure...

    • Another summary written by a clueless, not a nerd.

      10/8 network is a perfectly routable IP range.

      http://10.76.1.11./ [76.1.11] is a URL, not an IP address. It also has an extra dot before the closing slash.

      "News for _nerds_", sure...

      Good stuff! I hope you're kidding. That's not a URL, nor an extra dot before the trailing slash (see TFA) because most sentences in English end in a period. And if you can route to it, you're probably in N. Korea or running the same private network elsewhere.

  • Plenty of people get RFC 1918 or RFC 6598 instead of public addresses from their ISP. I would guess that the majority of internet connections in the world are given private space.

    It is not common in the US because the US is still drowning in IP addresses, and a lot of the customers are using cable or DSL. In Europe you will often be behind CGN when you use a mobile ISP, and in Asia you will likely be behind CGN no matter how you connect.

    Welcome to 2015.

    (Of course most ISP's do not hand out browsers at all,

  • It's a censornet.

Going the speed of light is bad for your age.

Working...