Inside North Korea's Naenara Browser

msm1267 (2804139) writes with this excerpt from Threatpost Up until a few weeks ago, the number of people outside of North Korea who gave much thought to the Internet infrastructure in that country was vanishingly small. But the speculation about the Sony hack has fixed that, and now a security researcher has taken a hard look at the national browser used in North Korea and found more than a little weirdness. The Naenara browser is part of the Red Star operating system used in North Korea and it's a derivative of an outdated version of Mozilla Firefox. The country is known to tightly control the communications and activities of its citizens and that extends online, as well. Robert Hansen, vice president of WhiteHat Labs at WhiteHat Security, and an accomplished security researcher, recently got a copy of Naenara and began looking at its behavior, and he immediately realized that every time the browser loads, its first move is to make a request to a non-routable IP address, http://10.76.1.11./ That address is not reachable from networks outside the DPRK.

"Here's where things start to go off the rails: what this means is that all of the DPRK's national network is non-routable IP space. You heard me; they're treating their entire country like some small to medium business might treat their corporate office," Hansen wrote in a blog post detailing his findings. "The entire country of North Korea is sitting on one class A network (16,777,216 addresses). I was always under the impression they were just pretending that they owned large blocks of public IP space from a networking perspective, blocking everything and selectively turning on outbound traffic via access control lists."

The future of the internet, really

IPv6 will never take off, so in the end we'll be bridging national internets just like this one.

Re:The future of the internet, really

This. In an ironic twist, this just means that NK is ahead of rather than behind the times.

NAT is evil. But people are stupid. Therefore NAT continues to be used. The Kim thanatocracy is especially evil, therefore treats the whole country as if behind a NAT firewall. Which also happens to block most things to most people.

At least it doesn't use other people's IP addresses.

Re:The future of the internet, really

I'm wondering if DPRK uses multiple private networks. I've seen some insane NAT to NAT routing where there are multiple 10.x.x.x subnets, and it takes a lot of twists and turns so that a machine on one subnet can communicate with another 10.x.x.x machine via hostnames.

NAT may be a kludge, but it provides a layer of security. With IPv6, one scan of a network shows an attacker your entire inside network topology. Yes, you can firewall, but the bad guy can connect the dots. Add a layer of NAT on top of a decent firewall infrastructure, and the attacker might see machines communicate out, but they don't know if it comes from a box in finance, in development, or what segment it comes from.

Re:The future of the internet, really

[Rising+Ape]

IPv6 will never take off.

According to Google, it is. Slowly, admittedly, but about 5% of Google users now have IPv6.

Re:The future of the internet, really

[ArmoredDragon]

AFAIK all four of the major wireless providers support IPv6 (just tested and confirmed on my t-mobile galaxy note 4, and saw it working on a verizon phone earlier, meanwhile AT&T and Sprint say they support it.) The only way you wouldn't be using it at this point is if your phone doesn't support it, or you're on a small carrier that doesn't (though I would assume all MVNOs support it.)

However, strangely enough it seems that my phone defaults to using the V4 stack when hitting google specifically (typing 'what is my ip' in google shows a v4 address on google's page.) Pretty sure that the spec mandates that your browser always prefer v6 over v4, so I'm not sure what that's about.

On the other hand, not many cable ISPs support it. Though if it's any consolation, the largest cable ISP appears to support it.

Re:The future of the internet, really

[unixisc]

Ironically, things like this could accelerate the move to IPv6, since countries w/ computing needs larger than 17m can't use this solution.

But if they were doing it this way, why couldn't they just get UNIXWARE, and then put the entire country on an IPX network? That way, they'd have enough addresses for everyone, while being completely incompatible w/ the rest of the world, which would make the Pyongyang regime happy. I'm sure SCO would have been happy to get its debts settled by selling off UNIXWARE to North Korea, and then calling it a day.

Re:The future of the internet, really

[unixisc]

Precisely!!! It would take forever to scan a /64.

Not just that, in IPv6, an interface has several addresses, not just one. A link local addresses, a site unique address, and maybe several global unicast addresses. It's up to an organization on who needs to have external internet connectivity. So the entire network could be on fd00:db8:fab:cab::/64, and the few people in the organization that must have external internet connectivity can be assigned single global unicast addresses using DHCPv6.

Re:The future of the internet, really

[unixisc]

Could be a happy eyeballs thing - while the original spec does call for IPv6 being preferred, the happy eyeball spec calls for the network where results are first obtained to be used.

Re:The future of the internet, really

[Blaskowicz]

yea maybe it is a ton better that way, but no one can understand it. It would have been that much simpler if the protocol and addresses stayed the same but you went from four decimal numbers to six, i.e. an IP that looks like 252.167.24.8.112

It's the first time I just heard of "link local address", though I can sort of work up what that means, and also first time I learn that one NIC has multiple addresses though I read some many stuff about ipv6 mainly on slashdot.

Re:The future of the internet, really

[Rising+Ape]

I assume that's for the US, which seems ahead of the game despite having plenty of v4 addresses.

Here in the UK, none of the major ISPs have deployed v6 at all, and I don't think any of the mobile companies have either. I suppose they're just risk averse, as dealing with support calls for unexpected problems isn't cheap and their margins aren't huge.

Re:The future of the internet, really

[ArmoredDragon]

They shouldn't have any support issues to deal with when deploying IPv6. If end user hardware doesn't support it or isn't configured properly, then they will be completely unaware of and unaffected by its existence. That would only change when IPv4 becomes deprecated (my personal prediction is 2030.)

Now if the end users explicitly need IPv6, then they might have support issues to deal with (i.e. telling them how to configure it) but usually the only ones that would need to do that (at least, until IPv4 is deprecated) wouldn't be asking for help.

Re:The future of the internet, really

[Rising+Ape]

That should be true in theory, but the IPv6 hardware & software is nowhere near as well tested as the IPv4 equivalent, both in terms of home equipment and in the ISPs own networks. How often does this kind of thing work perfectly first time? And the staff don't have the same experience with it to fix problems when they do occur. Anything new is a risk, and since hardly any home customers are demanding IPv6 it might seem like it's a risk not worth taking until made absolutely necessary by v4 exhaustion.

That's not what *I* want, but from an ISP's perspective I can see how it would make sense to prepare & test their network for v6 steadily, slowly and thoroughly but not actually deploy it while they still have enough v4 addresses.

Re:The future of the internet, really

[Rising+Ape]

If end user hardware doesn't support it or isn't configured properly, then they will be completely unaware of and unaffected by its existence.

End user hardware generally does support it though - any vaguely modern computer, smartphone or tablet should automatically pick up and use an IPv6 address if available. So if the ISPs start supplying v6 it's essential that it works reliably, because the users' devices will try and use it. Broken v6 does affect connectivity, even if v4 still works fine. And even if the fault is with the users own equipment, you can bet they'll be complaining to the ISP.

Second post because I realised my first one doesn't directly address your point above.

Re:The future of the internet, really

[ArmoredDragon]

That should be true in theory, but the IPv6 hardware & software is nowhere near as well tested as the IPv4 equivalent, both in terms of home equipment and in the ISPs own networks.

It's true in fact. If the device doesn't support the v6 stack, then it just flat out ignores it; it may as well not even be there. After it gets passed to the CPE device at layer 2, the layer 3 doesn't know what to do with it, so it's simply discarded as if it were a corrupt IP datagram. Likewise it can't cause any trouble.

Re:The future of the internet, really

[ArmoredDragon]

End user hardware generally does support it though - any vaguely modern computer, smartphone or tablet should automatically pick up and use an IPv6 address if available.

Typically it never reaches that point. The CPE router either doesn't support it or isn't configured for it. That means the rest of the CPE network doesn't either.

Broken v6 does affect connectivity, even if v4 still works fine.

Incorrect. The v6 stack does path MTU discovery prior to creating a socket. If that fails, then as per IETF spec, the packet will try to fail over to v4. You can test this for yourself; IPv6 devices that have the stack enabled and functioning out of the box still autoconfigure a link local IPv6 address as part of NDP (DHCP is mostly deprecated in IPv6, and will rarely ever be used.) When the stack doesn't discover a default router at address ff02::2 then the stack assumes there is no v6 routing, and it fails over to v4.

Wow

I didn't think it was possible to make the Internet Explorer and Windows XP I'm forced to use at work seem like a privilege. Congrats, North Korea. You pulled it off.

Re:Wow

[stooo]

Nope, unfortunately, a big chunk of NK laptops are under windows too

See here for a much better insight than the article :
http://media.ccc.de/browse/con...

In Soviet Korea

[XxtraLarGe]

The internet browses YOU!

Re:In Soviet Korea

[znrt]

you're not getting it: corporations are already bigger than most governments, and no government whatsoever can function without them anymore.

What happened on

1976.1.11?

Re:What happened on

[war4peace]

http://www.historyorb.com/date...
or if you switch day and month: http://www.historyorb.com/date...

This is horrible

[Minwee]

This means that North Korea is VIOLATING RFC 1918! Forget all that other stuff, this must be stopped by any means necessary!

Re:This is horrible

[Tukz]

Well, they ARE using it for a private network....of sorts.

Re:This is horrible

[XxtraLarGe]

Well, they ARE using it for a private network....of sorts.

You can say that again!

Re:This is horrible

[RavenLrD20k]

That again!

Why did I need your permission, exactly?

Correct me if I'm wrong...

In other words, the U.S. government could make attackers coming from inside the DPRK a non-issue through a (relativey cheap for a national government) DDOS service?

Re:Correct me if I'm wrong...

[Shatrat]

Which seems like exactly what someone did. http://www.cnbc.com/id/1022920...

Re:Correct me if I'm wrong...

[Howitzer86]

People obsess over this idea that North Koreans must be hacking from within North Korea, and that there's no way they could realistically do it because their connection bandwidth is so puny. They forget that North Korean government is really an organized criminal syndicate with a huge military and slave labor base. They likely have vast criminal connections. All they have to do is hire sympathetic South Korean hackers on the condition that they do their work under the North Korean banner. When all is said and done, the North Koreans come out looking like bad asses you don't want to mess with, when in reality they just farmed the work out using basic email, a courier, and a satellite phone.

We could break their internet access forever, with a never ending DDOS, and it wouldn't matter one bit.

Re:Correct me if I'm wrong...

[meta-monkey]

They forget that North Korean government is really an organized criminal syndicate with a huge military and slave labor base.

And Kim and pals work hard to make sure people keep on forgetting it. These people are not stupid. They are as cunning as they are ruthless. They know they have no hope against military intervention, so the only way they can keep from being made to answer for their crimes against humanity is to craft their public image in such a way that they appear to be too silly to bother with. There is no political will to topple their murderous and brutal enterprise because when Westerners think "North Korea" they think "BEST KOREA" memes. Unicorn cave! "Fearless Leader" who bowls perfect 300 games and knows all karate and wins every Olympic event ever and claims they could invade and conquer America! Haha, those silly North Koreans!

Instead of thinking prison slave camps, mutilated dissidents, torture, forced amputations, forced abortions, brutal rape and murder. It is literally the worst place on earth. I'm against all war and killing, I'm a pacifist and a Catholic, but my God, if there ever were such a thing as a "just war" it would be the liberation of the North Korean people.

Their public image is intentional, it is crafted, it is some Sun Tzu bullshit and it works.

Re:Correct me if I'm wrong...

[dj245]

They forget that North Korean government is really an organized criminal syndicate with a huge military and slave labor base.

And Kim and pals work hard to make sure people keep on forgetting it.

Do you personally know what Kim Jong Un has been up to? He has been in power only about 2 years and aside from propaganda photos, nobody knows really what he has being doing in that time, especially Westerners. Citizens of the DPRK don't even know how old he is. The only evidence giving a glimpse into his personal policies or beliefs is that he probably is quietly pushing reforms and experimenting with capitalism. He lived in Switzerland (probably) and has visited other capitalist countries. Turning a country around, especially one like North Korea, takes time. It is foolhardy to judge the man based on the almost nothing we know about him personally.

Re:Correct me if I'm wrong...

[farble1670]

that, and just because average joe citizen is forced to have a 10. address doesn't mean that there aren't other high bandwidth pipes reserved for close friends of the Dear Leader.

North Korean government is really an organized criminal syndicate with a huge military and slave labor base

that describes most governments.

Re:Correct me if I'm wrong...

[hitmark]

Or they have taken Nixon's mad man thesis to the logical endpoint...

Re:Translation pls.

Nobody will ever need more than 16 777 216 I.P. addresses.

signed,
Kim Jong-un
North Korea, Supreme leader

That's how I'd do it

If I were in charge of the network in a place like North Korea where it's heavily monitored and locked down, I'd run it like a big corporate LAN too, utilizing the 10.x.x.x block. The IP that every browser hits on load would be set up as an anycast address with nodes in datacenters near large groups of users (corporate campuses, or cities with lots of PCs in this case.)

The article also provides some good insight for those who aren't aware how malware can discretely provide security holes... using only one encryption key, allowing for easy man-in-the-middle attacks, as in this example.

Non-reachable yet still slashdotted

[rs1n]

I like how the summary posts the non-reachable IP address just so we can slashdot it anyway.

Re:Non-reachable yet still slashdotted

[steveo777]

Nothing stops you from creating your own host at 10.76.1.11. And then slashdotting the SOB

Why is this surprising?

[alistair1978]

DPRK has one network under central control, much like a large corporate entity... it's not like there is a choice of ISPs who have to link with each other! Anyways, the DPRK internet as used by the those DPRK citizens (still a very small percentage of the overall population) is completely airgapped from the public internet as we know it. Only a very very small number of elites have access to the 'real' internet...

Re:Why is this surprising?

DPRK has one network under central control, much like a large corporate entity... it's not like there is a choice of ISPs who have to link with each other!

Anyways, the DPRK internet as used by the those DPRK citizens (still a very small percentage of the overall population) is completely airgapped from the public internet as we know it. Only a very very small number of elites have access to the 'real' internet...

So the DPRK is using AOL's old business model? That is EVIL!

Conclusion goes too far?

[ByTor-2112]

Can you really generalize that all the internal network must be from the 10.0.0.0/8 block? What prevents those addresses from being used other than convention and router setup. Perhaps they are only for the internal government computers to make them completely invisible to outside networks.

Re:Conclusion goes too far?

> Can you really generalize that all the internal network must be from the 10.0.0.0/8 block?

Agreed, all this is evidence of is that they have, at minimum, a route for 10.76.1.0/24 at some point on their border routers.

There is nothing particularly "Magic" about 10.0.0.0/8 that would keep them from treating it as routable on their state owned infrastructure.

Re:Conclusion goes too far?

[steveo777]

I'm not too familiar with how things are run in NK. But I understand that the state controls all network equipment and is successfully able to prevent its citizens from using other OSes and equipment. So the generalization is likely very accurate.

It really wouldn't even take that much work to pull this off. The hardest part would be keeping broadcast domain separation. If that IP is non-routable it means that either the entire country is on one broadcast domain or they're pulling off some relatively complicated layer 2/3 network segregation (lots of enormous lookup tables, etc). I imagine communications would be very slow all around either way.

Re:Conclusion goes too far?

[whoever57]

Can you really generalize that all the internal network must be from the 10.0.0.0/8 block?

No. I think that this is a huge over-reach in terms of inferring how the North Korean Internet/LAN is set up. All they have to do in North Korea is to configure their routers to route the 10.0.0.0/8 addresses as they want, amongst the "real" IP addresses. Yes, it breaks RFCs, but does anyone in power in Nort Korea care about RFCs?

Re:Conclusion goes too far?

[tlhIngan]

It really wouldn't even take that much work to pull this off. The hardest part would be keeping broadcast domain separation. If that IP is non-routable it means that either the entire country is on one broadcast domain or they're pulling off some relatively complicated layer 2/3 network segregation (lots of enormous lookup tables, etc). I imagine communications would be very slow all around either way.

Most people don't reasonably expect that a broadcast on 10/8 would go to every machine - in practically every network I've seen, it's been segmented into subnets - 10.0.1.x/24 might be for general office, 10.0.2/24 might be for the developers, etc.

it's what people do for 192.168.*.x - 192.168.0.x is for servers behind the firewall, 192.168.1.x is for PCs, 192.168.2.x is VPN, etc.

I suppose the bigger thing is that they decided to use private IP space rather than setting up a set of colliding public IP addresses.

Re:Conclusion goes too far?

[gstoddart]

One of the funniest things I ever saw on a corporate network:

A manager had a bunch of machines in his office, and IT couldn't/wouldn't add any more network drops for him. So, he bought a little router. It turns out that the 192.168.* addresses it gave to his machine corresponded exactly to the ones the Exchange servers used, and something about the NAT crossed some signals.

Once they pieced together why email had stopped working, they immediately put a ban on those things, and immediately got him a switch which didn't do DHCP so he could have more networking in his office.

The whole time the developers were howling and thinking "really, that's the IP addresses they chose for critical infrastructure? The first one in the open pool?"

Everything defaults to starting at 192.168.0.1, which means if you're using it you might not like the results.

Re:Conclusion goes too far?

[steveo777]

I'm a network engineer, so I'm fully aware of how one should be doing this sort of thing.

From the context of TFA the author went out of the way to mention that the IP is both non-routable and unreachable from non 10.0.0.0/8 addresses. I inferred from this that the author meant to say that internally the call to 10.76.1.11 would somehow be assumed to be on the same network of each host. I didn't find it that hard to believe because it can be done, and it's entirely possible that DPRK just doesn't have enough network nodes to really bring that sort of system to its (relative) knees.

Re:Conclusion goes too far?

[myrdos2]

Or perhaps every local network is required by law to have a government-approved server running at 10.76.1.11.

Re:Conclusion goes too far?

[steveo777]

I've got something close to that in my past...

Years ago I worked for a managed service provider with about 100 different companies all within one managed network. Part of the consumer contracts were that companies would buy their components, but would not have the power to manage them while under the contract. Also, they could only purchase approved hardware for their infrastructure (all Cisco).

Every once in a while we would get a call that people's interwebs were going super slow, or not working. In most cases they weren't allowed to have wireless, or the company wouldn't purchase new equipment for various reasons... whatever. Anyways some dude would bring in a router he got at best buy and plug it in. Usually I was able to spot it the minute someone called in with problems, email the user (if I could ID them directly), their supervisor, and maybe the CTO of the company that an unapproved device had been installed and blah blah blah. Then shut down their port until they called us to sheepishly appologize.

Better still we would get people calling in for help with their "home" wireless router. This wasn't something we supported but the service desk usually helped out to be nice. I'd overhear conversation queues and start investigating and find out that the customer was doing this from their cube. I'd shut them down and have an evil sysadmin laugh about it.

One time, though, someone got it right. They looked up their local networking and managed to configure their home router to mimic local DHCP. If they were really thinking hard, they would have set the range higher so there wouldn't be an overlap. After overhearing some service desk calls I quickly located our rogue DHCP client, shut it down, and started pushing out MAC filtering to our switches for that company (repeat offenders) for all the well-known consumer network equipment MAC addresses. So any time a D-Link, Linksys, what have you router was detected, the port would shut down for 2 minutes. I watched this happen the day after this incident as the dude walked around his office shutting down ports left and right. His supervisor had been informed that it wasn't allowed, but the dude was relentless.

Re:Conclusion goes too far?

[Zak3056]

If that IP is non-routable it means that either the entire country is on one broadcast domain or they're pulling off some relatively complicated layer 2/3 network segregation (lots of enormous lookup tables, etc). I imagine communications would be very slow all around either way.

I think that the submitter getting all "zOMG they're running the whole damn country on 10.0.0.0/8!!!!11one" is at best premature, but assuming that they were, I'm wondering why you'd believe it's organized as one flat network requiring any kind of magic to operate? There's plenty of room to subnet in that /8...

Re:Conclusion goes too far?

[steveo777]

As I mentioned in another post, the author went out of his way to state that it was non-routable and unreachable from the outside. It sounded like he was implying there was no subnetting (as you will always need a route to get from one subnet to another). I'm a network engineer so I know perfectly well how this should be set up. There are ways to use layer 3 switches to prevent broadcasts from going where they don't likely belong.

And, in another article discussion, I mentioned that I've redone a corporate network that was using a single class B subnet for their entire corporation. No subnetting, there was around 8,000 nodes all with /16 subnets (with an internal IP scheme using a public IP they didn't own). So people do boneheaded things all the time.

I've seen people who had resources to do things right (the company I mentioned spent $100k on network equipment due to poor performance, rather than redesigning their network properly, which is what I did). I've seen people somehow manage to set up striped RAID arrays on partitions of the same disk and complain about poor performance (still baffled how that got set up). So you can perhaps see why I can believe that PDRK can do such a crazy thing as use a flat class A.

Re:Conclusion goes too far?

[catmistake]

Can you really generalize that all the internal network must be from the 10.0.0.0/8 block? What prevents those addresses from being used other than convention and router setup. Perhaps they are only for the internal government computers to make them completely invisible to outside networks.

he immediately realized that every time the browser loads, its first move is to make a request to a non-routable IP address, http://10.76.1.11./

Its written poorly, but it sounds to me merely like the default site on the browser is set to http://10.76.1.11.../ so its possible whomever built that first instance is using a private network, used that internal address to test that his build worked, or is using an IP is not live, somehow left the default in there when it was distributed... or maybe all home routers in N.Korea have that as the internal IP address, and to make set up convenient, the browser just loads the home router's set up page at its internal address.. It is a massive leap to say all of N. Korea is a single private network just because the browser loads some arbitrary address. Its possible N. Korea is doing this, but this is not the kind of isolated evidence I would stake my life on, or bet money on.. I'd sooner believe TFA author made an error in judgement if he believes this absolute evidence of his theory simply because the browser loaded that IP first rather than www.getfirefox.com, www.mozilla.org, or whatever mozilla usually sets it to by default. If someone looked at your browser, and noticed when launched, it loads http://slashdot.org/ you really cannot make any conclusions from that, such as that you're a slashdot reader, because just because the browser tries to connect does not mean it can or will.

Re:Conclusion goes too far?

[linuxrocks123]

You sound a little like a control freak.

dd-wrt in client mode. And MAC spoofing. And fuck you ;)

Re:Conclusion goes too far?

[unixisc]

I wonder which IPv6 ranges they use, in case a network is IPv6 only?

Re:Conclusion goes too far?

[unixisc]

it's what people do for 192.168.*.x - 192.168.0.x is for servers behind the firewall, 192.168.1.x is for PCs, 192.168.2.x is VPN, etc.

I suppose the bigger thing is that they decided to use private IP space rather than setting up a set of colliding public IP addresses.

Just hope that they don't use Belkin routers in that office, since the default address of a Belkin router is 192.168.2.1

Re:Conclusion goes too far?

[oobayly]

Not really, he sounds like somebody who's realised that people will continue to flaunt the rules until there are consequences. He also sounds like he's decided that if people are going to ignore their supervisor about home routers, then you might as well fuck with them.

I do something similar in our office - we're essentially serviced offices, so underwriters bring in their own laptops. We don't block anything, apart from Bittorrent, not only because it's *my* name on our subnet whois, but also because it spams our firewall logs, which means tracing *actual* issues is a bitch. If I detect torrenting, I send out an email saying "someobody is torrenting, I don't know who it is yet, but rest assured, I will find you", their traffic then gets throttled to 128kb/s

Another time we had a guy who kept on setting up a static IP, after being told not to. My solution was to implement upside-down internet - transparent proxy that connection and flip all the images. Nowadays I'd be tempted to just inject "transform: rotate(180deg)" into the body tag's style.

Being a sysadmin doesn't mean you can't have fun.

Re:Conclusion goes too far?

[oobayly]

Come on, a WRT54g apparently supports up to 253 clients, they'd need at least two or three.

Re:Conclusion goes too far?

[hitmark]

The /8 part may be a stretch, but it would not surprise me if they run the nation on the 10.x.x.x range (or at least the public facing stuff).

they can still nest the B and C ranges inside that, and you have to know your stuff to reach the outside world via smuggled in equipment. And such attempts probably sticks out like a sore thumb to the uniforms operating the national firewall.

Re:Conclusion goes too far?

[hitmark]

Also likely makes it that much harder to use smuggled in hardware to reach the outside world.

Re:Conclusion goes too far?

[steveo777]

Upside-down internet is a lot of fun. And you're right. I'm not a control freak. We set up security rules and guidelines for a reason. Some of these places have stringent compliance needs for HIPPA, PCI, and other regulations that strictly forbid the behavior I mentioned. So, yeah, I'm fucking with him but I'm also not getting him fired, either. It's my ass on the line and as long as I can keep the situation under control it's not a big deal.

Re:Conclusion goes too far?

[linuxrocks123]

I don't know ... you could try to, you know, help him achieve his goals in a better way that doesn't violate the rules. Suggest setting up an isolated intranet for wireless. If you're in charge of the network, why would you not set up WiFi to begin with; that just sucks.

It seems to me you're making yourself part of the problem, rather than the solution, by just blocking people. You do that, of course people will try to get around you. And, if that guy wants wireless enough, he'll eventually look up how to do it in a way such that you don't catch him, and then you won't know about it or be able to manage it. Like I said earlier, it's not that hard to do. You don't even need dd-wrt really, just a stick that supports master mode. I've done this before, though I've never had reason to at an employer. It works just fine, and you'd never catch it.

Also, Cisco crap is way overpriced, why would you require people to buy just that to begin with. They probably charge like $300 for a $20 wireless router.

Re:Conclusion goes too far?

[steveo777]

I didn't see a reason to go into the details of this particular situation more than that which I found humorous and nerdy. I still don't. The situation was handled very professionally, as I handle all situations. But the professional part isn't as interesting in this context to me as perhaps it is to you.

If you find yourself in a situation like this and you circumvent the rules and get away with it, bully for you. If I'm your net admin and I find out about it, I'll make sure to type up a full report as to why some ass hat in accounting or something like that felt it was okay to skirt compliance and company policy so he could do whatever it is the company decided he's not supposed to do. And a week after that I'd be more than happy to submit your termination to my admins for processing. I'm more concerned about saving your company from the idiots and self righteous. Certainly DGAF about your comfort or position. You want something you ask the people that pay for it and I'd be happy to make that happen if your company decides it's something they want and can afford.

And you're right. Cisco is overpriced and over valued for the most part. But I wasn't the architect (or the owner, who had a major Cisco hard on), so it wasn't my call. Even if I was, I wouldn't be selling $60 consumer grade routers to companies with a 4 hour SLA on hardware knowing full-well that I'd have to send an agent out there 2-3 times a year to replace fried equipment and making my company look like morons. Some of them did that enough on their own...

Re:Conclusion goes too far?

[linuxrocks123]

But the professional part isn't as interesting in this context to me as perhaps it is to you.

Yeah, not going to be lectured by you, and not scared of you, either. I know enough to ignore you, and end-run around you, without violating the rules. For instance, I would have tethered my phone, not set up my own router. Although long-term I probably would have quit a company so dysfunctional it doesn't provide wireless its employees. Not for that, but because dysfunction in one area usually correlates with dysfunction everywhere.

And that was my point. You were part of a dysfunctional system in this case, and you don't appear to have been helping.

And if your home routers are frying 2-3 times a year, you should have your electricity checked or not keep them next to the radiator or something. I've never had a wireless router die on me even once.

not that weird

[jbmartin6]

The article seemed a bit overexcited to me. Is it really that surprising that they use 10.x space? It's not like Internet access is widely used in NK. And most of the other items were not what I would call weird, just what you would expect in a regime like this. Still, kudos to the author for doing this analysis.

Re:not that weird

[tobiasly]

The article seemed a bit overexcited to me. Is it really that surprising that they use 10.x space? It's not like Internet access is widely used in NK. And most of the other items were not what I would call weird, just what you would expect in a regime like this. Still, kudos to the author for doing this analysis.

Heh I was wondering that too.. I wouldn't call it "going off the rails", it's exactly what any of us would do to "solve" the problem of limiting and monitoring the internet access of millions of users.

Re:not that weird

[jbmartin6]

I wonder how many people in NK even have access to their national 'intranet' let alone the global Internet.

Re:not that weird

[itsenrique]

Only the "elite". At most top 30% would be my guess based on a few documentaries seen and wiki entries read. Probably more like ~10% or less (I mean power is really shitty unless you are in Pyongyang). As for how many can reach the public internet? Only their "cyber warriors" I believe. But if you make it to South Korea they have better broadband infrastructure and pricing than us from what I understand.

The Narnia Browser

[colordotmatrix]

Just wait until everyone in North Korea finds out that the animals in the rest of the world don't actually speak English!!!!

Re:The Narnia Browser

[wonkey_monkey]

Kim Il-Sung invented English in 1976 to stunt the intellectual development of the Western world.

Re:The Narnia Browser

[marcello_dl]

Close, but no cigar.
Hint: Apple Computer Inc. got founded April 1, 1976.

Re:The Narnia Browser

[marcello_dl]

Wait, all ducks in the world actually speak Engl... sorry I meant all English speaking people in the world actually speak like ducks.

Re:The Narnia Browser

[colordotmatrix]

Well, yes.....

Haven't you ever watched a Affack commercial????

:D

Re:The Narnia Browser

[colordotmatrix]

Well, yes...

Haven't you ever watched an Afflack commercial?

:D

Re:Slashdot classic?

[tbuddy]

opt out link

Re:Translation pls.

[EuclideanSilence]

There are some addresses on the internet that are only associated (except for misuse) with 1 device, these are "public IP".

There are some addresses on the internet that are intended to be associated with multiple devices, these are "private IP".

Private addresses can only be "seen" on a local network, so only one instance of a private address per local network. If you ask for a connection to a private address and the local network doesn't have it, your network won't make any connection for you (even though hypothetically there is several people in the world on other local networks with that address).

It's like being at a family reunion and asking for "John", and not getting a response because no one there is named John, even though a lot of people in the world share that name. On the other hand, if you ask for "Gilgamesh", well then people know to send you to ancient Sur, even though no one in your family is named "Gilgamesh". John is a private reusable identifier, Gilgamesh is a public unique identifier.

The consequence of this is that to run a service for which machines from outside of your local network can connect to, you have to associate the service with a public address. Due to North Korea being one gigantic "local network" (something that usualy only exists on the scale of homes and companies), no one in the world can request a connection to anyone in North Korea, unless a public address/port pair is preallocated to that person. NKoreans can still request connections to the rest of the world, assuming that the routers on the edge of their private network can remember all those connections. For a healthy country, remembering so much would be almost impossible, but for North Korea, it is a sign of how few people can make Internet connections to the rest of the world.

Re:Slashdot classic?

[SiChemist]

Scroll to the bottom of the page and select "Slashdot Classic". That's it. I had to do that this morning, too.

They missed a more likely possibility

[EuclideanSilence]

The entire country of North Korea is sitting on one class A network (16,777,216 addresses).

Possible but not likely. It is more likely that the country is split into many state run networks, all of which have a state owned machine with a 10.76.1.11 interface. It would provide more IP space, segregate the country into different Internet groups (in N Korea probably social classes), provide protection for some of those classes against DDOS worms infecting other classes, and make the "for your own good citizen" monitoring more tractable.

Re:Slashdot classic?

http://slashdot.org/?nobeta=1.

I don't waste time with setting preferences to opt in or out of whatever abomination they've come up with this time (last I checked, "classic" mode wasn't classic enough). I also treat it like a poll, in that they can see from the logs how often that URL is accessed versus the regular one.

Slightly jumping to conclusions

[wonkey_monkey]

When I first saw an image of the browser I was awe-struck to see that it made a request to an adddress (http://10.76.1.11/) upon first run.

This guy may want to tweak his astonishment threshold before going outside.

"Here's where things start to go off the rails: what this means is that all of the DPRK's national network is non-routable IP space.

Not necessarily. He might well be right, but it might it not just be that the address is actually routeable from within DPRK, and that the IP address was deliberately chosen so as not to be routeable from the outside world?

Re:Translation pls.

[Megol]

Hey I have written a TCP/IP stack* and don't remember the specifics anymore... Thinking that every technical person remembers every thing they ever touched is idiotic. Thinking every technical person knows details of everything is even more idiotic.

(* embedded stuff using good old SLIP)

Enlighten me

[Tetetrasaurus]

How does North Korea have anyone talented enough to write such software or carry out all these sophisticated attacks? Do they recruit educated people from the south or abroad with the promise of unlimited hookers, blow, cash, and total insulation from international laws? Be as black hat as you wanna be as long as you do this for us?

Re:Enlighten me

[turp182]

Probably via China. Then China has a nice little puppet that has much better tools and capabilities than we would otherwise expect.

Just a guess though.

That's a big "Hah, hah" to all IPv4 NAT Haters

[idontgno]

Clearly, you can NAT an entire nation! IT JUST WORKS!

(Of course, the fact that one of the most reclusive and oppressive nations in the world is using this isn't a shining endorsement, but still....)

Re:That's a big "Hah, hah" to all IPv4 NAT Haters

[unixisc]

Only b'cos that nation has a population of 24 million. If the Chicoms wanted to NAT off China, they'd need to move to IPv6. Maybe they already have?

Re:Translation pls.

[some1into_ISP]

Network Address Translation, do you speak it?

Is this news?

[GameboyRMH]

The part about the whole DPRK essentially being on a single giant LAN that you can't reach from the outside. That's not news to me.

Re: Translation pls.

This isn't reddit. We don't kindly explain things to people, we tell them they're stupid and shove them off. Unless you are trying to turn slashdot into an image linking site about celebrities, I suggest you d

Re:Translation pls.

[TemporalBeing]

Can someone translate this for the people that do not understand network speak.

Network Addresses, known as IP Addresses, are allocated into several groupings, namely Public, Private, Multicast, Local, and non-usable.
The addresses are also allocated in blocks - A, B, and C - which has to do with how many addresses are available in the block purchased.

The Private group consists of addresses 10.a.b.c, 192.168.x.y, and 172.16.x.y. These are considered class A, B, and C respectively. These addresses are suppose to only be used on private networks - e.g in your home, office, etc - as such, networks are typically configured to now be able to route to them. So if your at location A 10.0.0.1 will be a different server specifically on their network than if you were at location B.

The Local group is similar and consists of 127.a.b.c, though typically only 127.0.0.1 is used. The big difference is that it will never route off the computer you are using.
The Multicast group is a special group reserved at the upper end of the IPv4 spectrum. It was suppose to be for things like Video distribution where you have one sender and many receivers so as to optimize the network by allowing everyone to listen to the same stream - kind of like a TV over-the-air broadcast. However, they've been reclaiming addresses from it for the Public group because the Internet is basically not configured to support Multicast functionality.

The Public group is pretty much everything else except the a special IP address in the 169.a.b.c range that is "do not use" range.

So essentially, North Korea is making the entire country look like your work office or home network. At least, that's the claim.

Re:Translation pls.

[TemporalBeing]

There are some addresses on the internet that are only associated (except for misuse) with 1 device, these are "public IP".

There are some addresses on the internet that are intended to be associated with multiple devices, these are "private IP".

That has nothing to do with it.

All IP addresses are only suppose to point to one device; though a device may have multiple IP addresses. The difference is whether or not they are publically visible and routeable.

There is nothing saying that North Korea didn't take a part of the 10.a.b.c range and define it as a public network within their country. So they are not necessarily segregating the whole country. Simply put - there is not enough information to substantiate whether the whole country is in a private range, or if they just utilized part of the private range for some country specific services, and made that range public within the country.

Re: Translation pls.

[jd2112]

My name is John Gilgamesh you insensitive clods.

Neener Neener browser?

[billstewart]

Or maybe the Internet doesn't browse at all.

Re: Translation pls.

[meta-monkey]

He should have told him to point his browser to http://127.0.0.1/ for an insightful article on non-routable IP addresses.

It's URL, not IP. And 10/8 is _routable.

[Moskit]

Another summary written by a clueless, not a nerd.

10/8 network is a perfectly routable IP range.

http://10.76.1.11./ is a URL, not an IP address.
It also has an extra dot before the closing slash.

"News for _nerds_", sure...

Re:It's URL, not IP. And 10/8 is _routable.

[catmistake]

Another summary written by a clueless, not a nerd.

10/8 network is a perfectly routable IP range.

http://10.76.1.11./ is a URL, not an IP address. It also has an extra dot before the closing slash.

"News for _nerds_", sure...

Good stuff! I hope you're kidding. That's not a URL, nor an extra dot before the trailing slash (see TFA) because most sentences in English end in a period. And if you can route to it, you're probably in N. Korea or running the same private network elsewhere.

Re:router?

[DiSKiLLeR]

Wow. Where to start with this post.

Maybe I don't understand how the internet work. so like, one router in North Korea handles all the connections? I guess other countries have more routers to connect to other countries?

North Korea does not just have 1 router. And most countries do not have 'more' routers. Countries have tens of thousands to hundreds of thousands of routers.

192.168.0.0/16 and 10.0.0.0/8 are private IP addresses. You can use the same private range as your neighbour and their neighbours neighbour.

As others have noted, North Korea probably has lots of small networks with a government mandated router listening on 10.76.1.11 on each one of those networks.

I don't see many articles and personal blogs from the people of North Korea. Maybe only the wealthy people can afford internet access?

Because nobody in North Korea posts articles or blogs. (I'd love to see one if there was.) The common North Korean citizen does not get internet access. If you're lucky enough to get internet access (you're of some high status) it is only the internal internet (or North Korean Intranet) not the outside internet. Only the supreme ruling elite get access to the outside Internet.

That is why you won't find articles or blog posts from people from within North Korea....

Re:Translation pls.

That's not true. Our great nation has at least one hundred times more computers than that.

signed,
Kim Jong-un
North Korea, Supreme leader

Re:Translation pls.

[ArcadeMan]

Gilgamesh and Enkidu, at Uruk.

Re:Translation pls.

[nabsltd]

made that range public within the country.

The word you (and others) are looking for is "route-able", not "public".

There are a lot of IANA-assigned (i.e., "public") IPs that aren't routable from all other arbitrary IP addresses, while many places have made private IPs routable for some or all of their network, just like North Korea has done.

Re:Translation pls.

[mythosaz]

Gilgamesh and Enkidu, at Uruk.

Darmok and Jalad at Tanagra.

Re:Translation pls.

[TemporalBeing]

made that range public within the country.

The word you (and others) are looking for is "route-able", not "public".

There are a lot of IANA-assigned (i.e., "public") IPs that aren't routable from all other arbitrary IP addresses, while many places have made private IPs routable for some or all of their network, just like North Korea has done.

Typically the "public" IP is considered "route-able"; but regardless, I was trying to stay within the bounds of the OP's request of:

translate this for the people that do not understand network speak.

The term "route-able" would be considered "network speak"; thus I avoided it.

Re:Translation pls.

[bigfinger76]

You mixed up some private/non-routable networks: 10.x.x.x - class A 172.16.x.x - 172.31.x.x - class B 192.168.x.x - class C

It is just Carrier Grade NAT

[amorsen]

Plenty of people get RFC 1918 or RFC 6598 instead of public addresses from their ISP. I would guess that the majority of internet connections in the world are given private space.

It is not common in the US because the US is still drowning in IP addresses, and a lot of the customers are using cable or DSL. In Europe you will often be behind CGN when you use a mobile ISP, and in Asia you will likely be behind CGN no matter how you connect.

Welcome to 2015.

(Of course most ISP's do not hand out browsers at all, much less browsers which are remote controlled from a server somewhere. It is hardly a surprise that North Korea does.)

Fully monitored

[MrKaos]

It's a censornet.

Re: Translation pls.

[jrumney]

You really shouldn't link so brazenly to hackers' command-and-control servers on a public forum like this. Someone might get hurt.

Re:Translation pls.

[unixisc]

Okay, in that case, no one will need more than 17,891,327 addresses (the total number of private Class A, B AND C addresses put together)

Re: Translation pls.

[unixisc]

Actually, w/ all that IPv4 address shortage, what's the function of all addresses from 127.0.0.2 to 127.255.255.254? Why would any network need 16,580,608 loopback addresses?

NK NAT

[bromoseltzer]

Clearly, you can NAT an entire nation! IT JUST WORKS!

(Of course, the fact that one of the most reclusive and oppressive nations in the world is using this isn't a shining endorsement, but still....)

Sure, but your big NK router only has 64K ports per external IP address. It will probably croak well before it has 64K NAT sessions going, though.

IPv6's multiple addresses

[unixisc]

Even if your idea had been done, it would have grown from 32 bits to 36. But that aside, even if it had grown from 32 bits to 33, you'd still have a completely incompatible protocol, even if they preserved NAT and everything else already there in IPv4, since your IPv4 header would have changed. Which would have required all networking gear worldwide to be redone.

The 128 bit representation - if you want, you could have represented an address of 2001:db8:fab:cad::1 in decimals as 8193.3512.4011.3245.0.0.0.1. While this particular address might not look ugly, one could have addresses like 8193.3512.42674.13579.59867.27384.57365.37485. Which would be about as ugly as hex. One advantage of hex - you are automatically clamped at ffff within a segment, as opposed to remembering not to exceed 65535 for any block, which would be somewhat more complicated than remembering not to exceed 255.

It shouldn't be that difficult for network admins to understand: as for the average Billy Joe Blow, he'd have trouble even understanding subnet masks, NAT, Class C addressing and so on. Link Local addresses are addresses that belong to a link, and which don't need a network - you can connect 2 computers via an ethernet cable, and the addresses they'll use to communicate w/ each other would be the link local addresses. Node local is loopback address, this time, instead of reserving all of 127.x.x.x, they've just assigned 1 address ::1 to it. The site unique addresses are the equivalent of private addresses that one would use behind a NAT (in IPv4, concepts like link-local and site unique addresses are all conflated, due to the limited addresses). However, instead of the 192.168.1.176 that a lot of computers might get, this one is likely to be a unique address since it's randomly assigned from 112 bits: as a result, overlapping 2 VPNs is less likely to have conflicting addresses than in IPv4.

Re:IPv6's multiple addresses

[Blaskowicz]

Thanks (though, it is a 48 bit address I was proposing here).

I now somehow understand why an interface on a desktop has a fe80: address even though there's nothing ipv6 compatible to talk to it. I suppose one useful use case is between a VM guest and its host.

Really, the concept of a 192.168.0.x was useful to a Joe Blow I believe. Had a home network in the early 00s with one modem (first dialup, then ethernet DSL modem which you would use from one PC by faking dialup), no DHCP. Knowledge of 192.168.x.x IP was useful for setting up the network, then for multiplayer games, then to reach Windows shares when the discovery did not work (and using ping to troubleshoot it).
Sure, real Joe Blows plug cable in or enter the "wifi key" and never do anything else but there was a time for "mid range users" (those that install and tweak Windows drivers, etc.) to know about local IPs.

FINALLY CONFIRMED: Sony Hack

[mauri]

So the Sony Hack came from IP address 10.76.1.11.
That will be the final and uncontrovertible PROOF that North Korea did it!

Re:Translation pls.

[some1into_ISP]

That's not how it works... that's not how any of this works!

Re:Translation pls.

[omfgnosis]

Technology isn't neutral. And some technologies are not positive. And some otherwise-positive technologies can be abused in ways or on scales which couldn't be achieved in their absence. Any so-called "nerd" or enthusiast of technology who is not also cautious of technological advancements and their uses is a zealot.

If technological zealotry is indeed a waning trend on Slashdot, so much the better.

Re:Translation pls.

[badkarmadayaccount]

Tangra.