Slashdot Mirror

← Back to Stories (view on slashdot.org)

Red Star Linux Adds Secret Watermarks To Files

Posted by timothy on from the but-it's-open-source dept.

An anonymous reader writes: ERNW security analyst Florian Grunow says that North Korea's Red Star Linux operating system is tracking users by tagging content with unique hidden tags. He particularizes that files including Word documents and JPEG images connected to but not necessarily executed in Red Star will have a tag introduced into its code that includes a number based on hardware serial numbers. Red Star's development team seems to have created some quite interesting custom additions to Linux kernel and userspace, based on which Grunow has written a technical analysis.

61 of 100 comments (clear)

  1. "privacy of North Koreans" by xxxJonBoyxxx · · Score: 2, Insightful

    >> privacy of potential users (especially from North Korea) may be impacted

    I didn't know privacy was a thing in North Korea.

    1. Re:"privacy of North Koreans" by Penguinisto · · Score: 1

      I'm just hoping the NSA doesn't get any ideas.

      It does lead to a question, though - could someone in North Korea (with a sufficient level of ability) remove or obfuscate those, or is the source code even available to the typical user in NoKo?

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    2. Re:"privacy of North Koreans" by gstoddart · · Score: 1

      Do you honestly think the dictatorship makes the source code for Red Star Linux available to its people?

      I'm sorry, but what part of dictatorship are you forgetting?

      This is the government approved version. That's all there is.

      --
      Lost at C:>. Found at C.
    3. Re:"privacy of North Koreans" by Archangel+Michael · · Score: 4, Interesting

      Yeah, I can see it now. NSA Linux, "Freedom Edition with Proprietary Patriot Act Protection!"

      And a Obama working with Boehner will get it done.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    4. Re:"privacy of North Koreans" by Adriax · · Score: 1

      I didn't know there were more than a dozen north koreans who could afford computers.

      --
      I don't suffer from insanity, I enjoy every minute of it!
    5. Re:"privacy of North Koreans" by Lumpy · · Score: 1

      if details on the tags are revealed, then it will be trivial to write a patch that randomizes the tag making the government furious.

      --
      Do not look at laser with remaining good eye.
    6. Re:"privacy of North Koreans" by Anonymous Coward · · Score: 1

      I'd highly doubt the source is being made available. But yes, if they can implement this, someone with sufficient access and remove it. Many Linux users compile their own builds, as long as the source is available it can be tweaked.

      But why on earth would a repressive regime who created a custom linux distro specifically to track users, make that source code available to anyone?

      I suspect that a good programmer/admin would be able to not only detect this, but block it right in the OS. This is linux, there's very little being hidden from you unlike windows or MAC. I'd suspect it wouldn't take much to find the hook that calls the proceedure, and murder it, or replace the call to call something innocuous.

      So really though, this is tagging files with serial numbers, so it's only really going to be tracking and datamining whomever purchased the machine in the first place, provided they paid with credit or debit instead of cash.

      As well, if this system is adding information to a file, exactly how many times will it do this? Lets say I create a jpeg on my infected box and send it to your box also running this os. Your copy should have my information in it, does your OS also tag it? Does it append?

      How long of a history does it keep? How long before the file size starts to bloat? What exactly is the point of all of this? If they are building a custom os with backdoors for tracking, why even bother with tagging individual files with serial numbers that may or may not be traceable?

      From the Article:
      "When analysing the OS the first thing that came to our attention is that they have built an own kernel module named rtscan. There is a binary running that is named opprc and a few more binaries, one that seems to simulate/pretend to be some kind of 'virus scanner' and seems to share some code base with opprc,"

      Well there you go, kill or replace that binary, or simply remove the call or change it's destination, no more tagging.

    7. Re:"privacy of North Koreans" by rockmuelle · · Score: 3, Insightful

      That already exists. It's called SELinux: https://en.wikipedia.org/wiki/...

      -Chris

    8. Re: "privacy of North Koreans" by WindBourne · · Score: 1

      And yet, there is nothing in selinux remotely similar to redstar.

      --
      I prefer the "u" in honour as it seems to be missing these days.
    9. Re: "privacy of North Koreans" by Varka · · Score: 1

      As far as you know.

    10. Re:"privacy of North Koreans" by barbariccow · · Score: 2

      But... It's GPL... and they're modifying it! And Distributing it!

    11. Re:"privacy of North Koreans" by Austerity+Empowers · · Score: 1

      The ones who can afford them are the ones most in need of monitoring.

    12. Re:"privacy of North Koreans" by macs4all · · Score: 1

      Do you honestly think the dictatorship makes the source code for Red Star Linux available to its people?

      I'm sorry, but what part of dictatorship are you forgetting?

      This is the government approved version. That's all there is.

      So, is this a violation of the GPL? Is NK even bound by the GPL?

      If so, let's see how big the balls of the FSF REALLY are...

    13. Re:"privacy of North Koreans" by Actually,+I+do+RTFA · · Score: 1

      Well there you go, kill or replace that binary, or simply remove the call or change it's destination, no more tagging.

      You realize that only select few (very few) North Koreans can access the internet. Those are exclusively in the cyberwar wing, so they knew about this anyway or so senior they love the regime because they're helping to rule it. No one else is really going to know about the watermarking.

      --
      Your ad here. Ask me how!
    14. Re:"privacy of North Koreans" by Stan92057 · · Score: 1

      Just how would a normal non techie know if his version of Linux hasn't has stuff added by the say NSA? Unless your a coder you wouldn't know. How do people know the copy they download from so and so university hasn't been NSAed? Unless you download from the Official servers you can be getting anything right?

      --
      Jack of all trades,master of none
    15. Re:"privacy of North Koreans" by penguinoid · · Score: 1

      I didn't know privacy was a thing in North Korea.

      Well not everywhere is as willing to give up their privacy as the US.

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    16. Re:"privacy of North Koreans" by shentino · · Score: 1

      NK has sovereign immunity to US copyright law on its own soil.

    17. Re:"privacy of North Koreans" by psyclone · · Score: 1

      I don't think encryption would help here. Assume the user is still using Red Star Linux which in addition to watermarking, has tweaked the prngs so that all private keys (including symmetric keys and session keys) are created with a known set of values, thus making the user think they are secure but allows the government to still eavesdrop on all communication.

    18. Re:"privacy of North Koreans" by KGIII · · Score: 1

      Someone should sue for violating the GPL. It would be damned amusing. I saw this download on a torrent site the other day, they had directions to change to English, I did not bother with it.

      --
      "So long and thanks for all the fish."
  2. Is this any different than the US government? by AndyKron · · Score: 4, Insightful

    Is this any different that our government forcing printer manufacturers to put secret watermarks on pages printed?

    1. Re:Is this any different than the US government? by bluefoxlucid · · Score: 1

      Yes. People don't use ink-jet printers for child pornography; obviously, they just want to know what computers the child pornography has been bittorrented through.

      --
      Support my political activism on Patreon.
    2. Re:Is this any different than the US government? by Anonymous Coward · · Score: 1

      Or tracking/spying on every phone call, email and web site they visit?
      Face it, North Korea is poor, but its leaders and the 'free worlds' are all a sham, sure, you can 'vote', but only for those the power structure has approved of. Members of the US congress are vetted by big money, and remember, theres ONLY two parties, errr, make that ONE party
      the Republicratian party.

    3. Re:Is this any different than the US government? by Gravis+Zero · · Score: 2

      Is this any different that our government forcing printer manufacturers to put secret watermarks on pages printed?

      actually, yes it is! the point of the watermarks made on color printers is to make it easy to track down counterfeiters, specifically those printing USD. fun fact, North Korea loves to counterfeit $100 USD notes.

      --
      Anons need not reply. Questions end with a question mark.
    4. Re:Is this any different than the US government? by gstoddart · · Score: 2

      Sorry, but it has the net effect of making every printed document uniquely identifiable.

      Which means whatever pretense they used, they can now use it for anything else they damned well please.

      You can keep believing your government isn't trying to monitor and control everything you do. But you'd be wrong.

      Much like terror laws are being used to piggy back for the rest of law enforcement, despite assurances to the contrary, they can and will abuse any other technology which is made available to them.

      There's really no difference between one government spying on everybody and another. The only difference is in how much people believe there's a difference. But if they can get away with it, Western governments are just as likely to do it.

      --
      Lost at C:>. Found at C.
    5. Re: Is this any different than the US government? by WindBourne · · Score: 1

      If it is secret, than how do you know about it?

      --
      I prefer the "u" in honour as it seems to be missing these days.
    6. Re:Is this any different than the US government? by westlake · · Score: 1

      Is this any different that our government forcing printer manufacturers to put secret watermarks on pages printed?

      1 It is not "our" government alone, but "all" governments whose currency can be plausibly counterfeited by a color laser printer that demand watermarks.

      The geek living "off the books" needs a $20 bill which is generally trusted.

      2 The laser printer is not an operating system that can tag all files sent and received.

    7. Re:Is this any different than the US government? by macs4all · · Score: 1

      Yes. People don't use ink-jet printers for child pornography; obviously, they just want to know what computers the child pornography has been bittorrented through.

      IIRC, the watermarks (yellow dots) were mandated on COLOR printers as an anti-counterfeiting measure, not (for once) as a "Think of the Children!" anti-child-porn thing. The Feds were worried that color printers were getting good enough that people (other than the gummint) would be able to use them to print bogus money. Of course, anyone who has seen the output of pretty much any consumer-grade color printer knows that this is laughable; but this is the gummint we're talking about.

    8. Re:Is this any different than the US government? by ZombieBraintrust · · Score: 1

      It isn't just consumer-grade gear that has it. I worked at a copy shop 10 years ago and the color copier could detect money.

    9. Re:Is this any different than the US government? by Gravis+Zero · · Score: 1

      it has the net effect of making every printed document uniquely identifiable.

      wrong. it only applies to color printouts. the jillions of black and white text pages printed out are unaltered.

      --
      Anons need not reply. Questions end with a question mark.
  3. Re:Who cares? by Geoffrey.landis · · Score: 1

    Should we be surprised

    no.

    or otherwise care?

    Yes.

    --
    http://www.geoffreylandis.com
  4. Re:custom kernel? by behrooz0az · · Score: 3, Insightful

    Ken Thompson's C compiler is an interesting read on the subject:
    http://programmers.stackexchan...
    http://www.reddit.com/comments...
    Basically, It's a compiler with a backdoor that injects it's source code when it's compiling itself. pretty interesting idea for 1984.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
  5. Oh the horror by Blaskowicz · · Score: 3, Insightful

    Desktop software is really horrible these days. To preserve your freedoms, use Chrome OS or Android and organize your collaborations and activities over Facebook. Capitalist computing is much more trustworthy than that evil communist Linux thing.

    1. Re:Oh the horror by myowntrueself · · Score: 1

      Desktop software is really horrible these days. To preserve your freedoms, use Chrome OS or Android and organize your collaborations and activities over Facebook. Capitalist computing is much more trustworthy than that evil communist Linux thing.

      See sig.

      --
      In the free world the media isn't government run; the government is media run.
  6. Re:custom kernel? by gstoddart · · Score: 4, Insightful

    Seriously?

    Most North Koreans don't have access to the internet. Most North Koreans don't know a damned thing about Linux. Most North Koreans don't know a damned thing about kernels or spying modules installed on their computers.

    Do you really think people are going to compile a custom kernel to get around the brutal dictatorships surveillance and risk their lives for something they probably don't know exists?

    Come on, guys, learn a little about North Korea before suggesting the populace just whips up a custom kernel to work around this.

    Under a third generation pisspot dictator, the overwhelming majority of North Koreans will only know what they've been told. They're poor, starving, and isolated from much of the rest of the world.

    And the suggestion is to go to kernel.org? Pathetic.

    --
    Lost at C:>. Found at C.
  7. Re:custom kernel? by Ramze · · Score: 1

    My guess (and I admit, it's pure speculation) is that only a select few who created the OS have access to such sources -- that and perhaps NK sponsored hackers. Everyone else is restricted to the national intranet. Well, everyone else that is lucky enough to even see, much less use a computer in NK. The country has enough trouble providing food, much less electronics for its citizens.

  8. We are safe by Bandit2 · · Score: 1

    Luckily we are safe :) !\:&%4-n|S.#%'K5:G%M],%"&$ W78]E_EOF

  9. Does it make a difference? by Dcnjoe60 · · Score: 1

    Does it make a difference whether the software is doing this or your printer/copier does it? For a long, long time, laser printers and copiers have been doing the same thing to show where the document came from. Isn't this just the paperless version of what we've all been living with for a a very long time?

    1. Re:Does it make a difference? by gstoddart · · Score: 1

      Shhhh .... it's not fair to point out how "free" societies try to do the same fucking thing.

      It confuses the plebes who still think their own governments aren't actively trying to become fascists too.

      --
      Lost at C:>. Found at C.
    2. Re:Does it make a difference? by Darinbob · · Score: 1

      I use text format for everything. Pretty hard to add watermarks there without noticing.

    3. Re:Does it make a difference? by Dcnjoe60 · · Score: 1

      If you send it to a laser printer or copy it on a copier there are watermarks. Doesn't matter the format used. Unlike the old fashioned typewriters where law enforcement could match the document to the typewriter based on how individual keys hit, in the digital age they had to find some other way. So, every laser printer and copy machine prints a tiny watermark that can trace the document to the machine that produced it.

  10. No, it doesn't by kromozone · · Score: 4, Interesting

    Before: https://i.imgur.com/oOoWssF.pn...
    Open in Red Star 3.0: https://i.imgur.com/MiORhD3.jp...
    After: https://i.imgur.com/uqAvXC6.pn...

    The above uses an MS Word document created in Office 2011.

    I've tried jpg, docx created in MS Word, docx from LibreOffice, and numerous other random file formats copied onto my thumb drive - the MD5 remains exactly the same in every case.

    1. Re:No, it doesn't by barbariccow · · Score: 1

      Are you viewing the hex on RedSTAR OS as well? They may have "fixed" that problem, though TFA does seem to be claiming to use md5sum on the OS itself, so probably not likely. Also really they don't post any evidence supporting the notion that it is a hardware serial number inserted or anything. Maybe they had flash enabled, tried browsing the web, THEN performed this experiment?

    2. Re:No, it doesn't by Anonymous Coward · · Score: 1

      Nonsense. Unless each and every write operation finds an MD5 collision for each and every file, there is no way that the MD5 would remain the same after a watermark would be added.

    3. Re:No, it doesn't by kromozone · · Score: 1

      I'm viewing the hex on Mac OS X. I formatted a thumb drive, saved a newly created .docx file on it, ejected, connected to a Red Star 3.0 VM, opened the drive on Red Star, ejected and then connected back to OS X. The md5 and hex were exactly the same before and after. When I posted this to a thread on reddit the author came back to claim that the behavior didn't occur with .docx created in MS Word but did occur with .docx created in LibreOffice and with .jpg files. The .docx file I'd used in the first trial was created in MS Word so I repeated the process with a .docx from LibreOffice and a .jpeg file. Again the md5 and hex were exactly the same before and after connection to RS3.0.

    4. Re:No, it doesn't by penguinoid · · Score: 2

      Did you wait long enough for their "virus scanner" to run? Also, maybe you need to spoof it so it looks like your computer is in Korea.

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    5. Re:No, it doesn't by psyclone · · Score: 2

      And you've verified you have the same kernel modules and binaries running described in TFA?

      Is there a slight chance if the VM can't access the hardware IDs needed to watermark, that it does not apply one? You have an old box you can run Red Star on natively?

  11. English as she is spoke by jeremyp · · Score: 3, Interesting

    He particularizes

    I don't know what makes me sadder: that he used that word or that it apparently is a word.

    --
    All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
    1. Re:English as she is spoke by ScentCone · · Score: 2

      Well, all you have to do is come up with an enbiggened disincentivicationism to counterproduce the linguinistical resultifacts that meet your desirenessifity.

      --
      Don't disappoint your bird dog. Go to the range.
    2. Re:English as she is spoke by Deep+Esophagus · · Score: 2

      That was my first reactification, too, but apparently that word has been verbed since at least the 19th century.

    3. Re:English as she is spoke by glwtta · · Score: 2

      I don't know what makes me sadder: that he used that word or that it apparently is a word.

      I feel sadder for the poor fellow who apparently spontaneously disassociated into a cloud of particles.

      --
      sic transit gloria mundi
  12. I'm okay w/ watermarks, but not secrecy by Anonymous Coward · · Score: 1

    Okay, I know this is North Korea we are talking about, but non-secret watermarks can be useful in some "overlord" situations.

    Back before cell-phone cameras became common, I worked for a company where every photocopier put a visible, human-readable watermark. They also banned cameras without a permit from corporate security. It was never stated outright but I'm sure this was either to deter industrial espionage or to comply with a contractual obligation that they take such steps.

    1. Re:I'm okay w/ watermarks, but not secrecy by AHuxley · · Score: 1

      The US and UK became very interested in the photocopier aspect when the UK found a photocopier without a counter or security in an area with its security document vaults. An individual had been using it to make all the copies wanted of secure documents and walking out with the clean copies.
      The US and UK then upgraded and further restricted photocopier access policy with counters, educated security staff and by installing cameras in the photocopier units to record what was been copied and by what person.
      Very old ideas that had to be rushed out to solve unexpected wider problems.
      The tracking of digital files worked in the same way. Baited access to plain text databases to see how staff would respond and what they searched or did not attempt to search.

      --
      Domestic spying is now "Benign Information Gathering"
  13. Re:custom kernel? by PPH · · Score: 2

    Most North Koreans don't have access to the internet.

    This sort of thing is aimed at government employees who might become disaffected and begin working for some western intelligence agency. Your office PC watermarks every document on its way to the thumb drive (or floppy disk). In the event the media is intercepted on its way out of the country, they know whose desk to visit.

    --
    Have gnu, will travel.
  14. NSA SELinux open source, in mainline kernel 12 yrs by perpenso · · Score: 4, Informative

    As far as you know.

    Actually we do know, we have the source code, have had it for about 15 years. Its been in the mainline Linux kernel for about 12 years. In case you haven't heard changes to the kernel get, uh, ... reviewed.

  15. Re:NSA SELinux open source, in mainline kernel 12 by Varka · · Score: 1

    This is one of those eternal security arguments; without manually reviewing the code YOURSELF, and compiling the kernel from that manually reviewed code YOURSELF, it's "as far as you know." Maybe you do that, I don't know; I'm just aware that the security of my linux installs relies on a chain of trust, and even if that chain is 100% verifiable from source to binary, there's still no guarantee that there isn't an obfuscated back door or malicious code exploit that was overlooked.

  16. Re:NSA SELinux open source, in mainline kernel 12 by perpenso · · Score: 1

    The kernel is heavily viewed, studied, etc. Its changes are reviewed, at multiple levels in a hierarchy. Its probably the one part of Linux where the many eyeballs notion is reality rather than myth.

  17. Re:North Korea may not be the worst country by tekrat · · Score: 1

    I've heard of this country that tortures people and then denies it, imprisons others without ever charging them of a crime, has a byzantine legal system where only the wealthy come out unscathed (hell, you can rape and murder if you are rich enough, and get away with it).

    This country also has classes of people based on skin color, sexual orientation and other factors, yet is ruled by a party or parties that claim they represent all their people; in reality they represent none. Corruption is rampant, politicians routinely earn gifts of millions; but because these corrupt people have classified it as "legal", you can't even call it corruption there.

    Trust me, you want to stay away from that place.

    --
    If telephones are outlawed, then only outlaws will have telephones.
  18. Re:NSA SELinux open source, in mainline kernel 12 by Tanktalus · · Score: 1

    And yet, regressions and other bugs still get in. I'm a big fan of the many eyeballs theory, but there are limitations to it.

  19. Re:NSA SELinux open source, in mainline kernel 12 by perpenso · · Score: 1

    And yet, regressions and other bugs still get in. I'm a big fan of the many eyeballs theory, but there are limitations to it.

    Yes, but successful exploitation is a very different story. And such attempts are a bit unlikely when the code is publicly coming from the NSA. Anything coming from them will get extra scrutiny by some.

  20. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  21. Re:NSA SELinux open source, in mainline kernel 12 by stasike · · Score: 1

    We have had source code for Bash for decades, and it got reviewed multiple times, yet, we got shellshock exploit. Who knows how long it was being exploited before discovery.