Red Star Linux Adds Secret Watermarks To Files
An anonymous reader writes: ERNW security analyst Florian Grunow says that North Korea's Red Star Linux operating system is tracking users by tagging content with unique hidden tags. He particularizes that files including Word documents and JPEG images connected to but not necessarily executed in Red Star will have a tag introduced into their code that includes a number based on hardware serial numbers. Red Star's development team seems to have created some quite interesting custom additions to the Linux kernel and userspace, based on which Grunow has written a technical analysis.
"privacy of North Koreans" (Score:3, Insightful)
>> privacy of potential users (especially from North Korea) may be impacted
I didn't know privacy was a thing in North Korea.
Re: (Score:2)
I'm just hoping the NSA doesn't get any ideas.
It does lead to a question, though - could someone in North Korea (with a sufficient level of ability) remove or obfuscate those, or is the source code even available to the typical user in NoKo?
Re: (Score:2)
Do you honestly think the dictatorship makes the source code for Red Star Linux available to its people?
I'm sorry, but what part of dictatorship are you forgetting?
This is the government approved version. That's all there is.
Re:"privacy of North Koreans" (Score:5, Interesting)
Yeah, I can see it now. NSA Linux, "Freedom Edition with Proprietary Patriot Act Protection!"
And an Obama working with Boehner will get it done.
Re:"privacy of North Koreans" (Score:4, Insightful)
That already exists. It's called SELinux: https://en.wikipedia.org/wiki/... [wikipedia.org]
-Chris
NSA SELinux open source, in mainline kernel 12 yrs (Score:5, Informative)
>> As far as you know.
Actually we do know, we have the source code, have had it for about 15 years. It's been in the mainline Linux kernel for about 12 years. In case you haven't heard, changes to the kernel get, uh, ... reviewed.
Re: (Score:2)
And yet, regressions and other bugs still get in. I'm a big fan of the many eyeballs theory, but there are limitations to it.
Yes, but successful exploitation is a very different story. And such attempts are a bit unlikely when the code is publicly coming from the NSA. Anything coming from them will get extra scrutiny by some.
Re: (Score:2)
>> Do you honestly think the dictatorship makes the source code for Red Star Linux available to its people?
>> I'm sorry, but what part of dictatorship are you forgetting?
>> This is the government approved version. That's all there is.
So, is this a violation of the GPL? Is NK even bound by the GPL?
If so, let's see how big the balls of the FSF REALLY are...
Re: (Score:2)
NK has sovereign immunity to US copyright law on its own soil.
Re: (Score:1)
Someone should sue for violating the GPL. It would be damned amusing. I saw this download on a torrent site the other day, they had directions to change to English, I did not bother with it.
Re: (Score:2)
if details on the tags are revealed, then it will be trivial to write a patch that randomizes the tag making the government furious.
Re: (Score:1)
I'd highly doubt the source is being made available. But yes, if they can implement this, someone with sufficient access can remove it. Many Linux users compile their own builds, as long as the source is available it can be tweaked.
But why on earth would a repressive regime who created a custom linux distro specifically to track users, make that source code available to anyone?
I suspect that a good programmer/admin would be able to not only detect this, but block it right in the OS. This is linux, there'
Re: (Score:2)
You realize that only select few (very few) North Koreans can access the internet. Those are exclusively in the cyberwar wing, so they knew about this anyway or so senior they love the regime because they're helping to rule it. No one else is really going to know about the watermarking.
Re: (Score:2)
I didn't know there were more than a dozen North Koreans who could afford computers.
Re: (Score:2)
The ones who can afford them are the ones most in need of monitoring.
Re: (Score:2)
I don't think encryption would help here. Assume the user is still using Red Star Linux which in addition to watermarking, has tweaked the prngs so that all private keys (including symmetric keys and session keys) are created with a known set of values, thus making the user think they are secure but allows the government to still eavesdrop on all communication.
Re: (Score:2)
>> I didn't know privacy was a thing in North Korea.
Well not everywhere is as willing to give up their privacy as the US.
Re: (Score:2)
Should we be surprised
no.
or otherwise care?
Yes.
custom kernel? (Score:1)
Re: (Score:3, Insightful)
http://programmers.stackexchan... [stackexchange.com]
http://www.reddit.com/comments... [reddit.com]
Basically, it's a compiler with a backdoor that injects its source code when it's compiling itself. Pretty interesting idea for 1984.
Re:custom kernel? (Score:5, Insightful)
Seriously?
Most North Koreans don't have access to the internet. Most North Koreans don't know a damned thing about Linux. Most North Koreans don't know a damned thing about kernels or spying modules installed on their computers.
Do you really think people are going to compile a custom kernel to get around the brutal dictatorship's surveillance and risk their lives for something they probably don't know exists?
Come on, guys, learn a little about North Korea before suggesting the populace just whips up a custom kernel to work around this.
Under a third generation pisspot dictator, the overwhelming majority of North Koreans will only know what they've been told. They're poor, starving, and isolated from much of the rest of the world.
And the suggestion is to go to kernel.org? Pathetic.
Re: (Score:3)
>> Most North Koreans don't have access to the internet.
This sort of thing is aimed at government employees who might become disaffected and begin working for some western intelligence agency. Your office PC watermarks every document on its way to the thumb drive (or floppy disk). In the event the media is intercepted on its way out of the country, they know whose desk to visit.
Re: (Score:2)
My guess (and I admit, it's pure speculation) is that only a select few who created the OS have access to such sources -- that and perhaps NK sponsored hackers. Everyone else is restricted to the national intranet. Well, everyone else that is lucky enough to even see, much less use a computer in NK. The country has enough trouble providing food, much less electronics for its citizens.
Is this any different than the US government? (Score:4, Insightful)
Re: (Score:2)
Yes. People don't use ink-jet printers for child pornography; obviously, they just want to know what computers the child pornography has been bittorrented through.
IIRC, the watermarks (yellow dots) were mandated on COLOR printers as an anti-counterfeiting measure, not (for once) as a "Think of the Children!" anti-child-porn thing. The Feds were worried that color printers were getting good enough that people (other than the gummint) would be able to use them to print bogus money. Of course, anyone who has seen the output of pretty much any consumer-grade color printer knows that this is laughable; but this is the gummint we're talking about.
Re: (Score:1)
Or tracking/spying on every phone call, email and web site they visit?
Face it, North Korea is poor, but its leaders and the 'free worlds' are all a sham, sure, you can 'vote', but only for those the power structure has approved of. Members of the US congress are vetted by big money, and remember, there's ONLY two parties, errr, make that ONE party
the Republicratian party.
Re: (Score:3)
>> Is this any different than our government forcing printer manufacturers to put secret watermarks on pages printed?
actually, yes it is! the point of the watermarks made on color printers is to make it easy to track down counterfeiters, specifically those printing USD. fun fact, North Korea loves to counterfeit $100 USD notes.
Re: (Score:3)
Sorry, but it has the net effect of making every printed document uniquely identifiable.
Which means whatever pretense they used, they can now use it for anything else they damned well please.
You can keep believing your government isn't trying to monitor and control everything you do. But you'd be wrong.
Much like terror laws are being used to piggy back for the rest of law enforcement, despite assurances to the contrary, they can and will abuse any other technology which is made available to them.
There's re
Re: (Score:2)
>> it has the net effect of making every printed document uniquely identifiable.
wrong. it only applies to color printouts. the jillions of black and white text pages printed out are unaltered.
Re: (Score:2)
>> Is this any different than our government forcing printer manufacturers to put secret watermarks on pages printed?
1 It is not "our" government alone, but "all" governments whose currency can be plausibly counterfeited by a color laser printer that demand watermarks.
The geek living "off the books" needs a $20 bill which is generally trusted.
2 The laser printer is not an operating system that can tag all files sent and received.
Re: (Score:2)
I've heard of this country that tortures people and then denies it, imprisons others without ever charging them of a crime, has a byzantine legal system where only the wealthy come out unscathed (hell, you can rape and murder if you are rich enough, and get away with it).
This country also has classes of people based on skin color, sexual orientation and other factors, yet is ruled by a party or parties that claim they represent all their people; in reality they represent none. Corruption is rampant, politic
Oh the horror (Score:4, Insightful)
Desktop software is really horrible these days. To preserve your freedoms, use Chrome OS or Android and organize your collaborations and activities over Facebook. Capitalist computing is much more trustworthy than that evil communist Linux thing.
Re: (Score:2)
>> Desktop software is really horrible these days. To preserve your freedoms, use Chrome OS or Android and organize your collaborations and activities over Facebook. Capitalist computing is much more trustworthy than that evil communist Linux thing.
See sig.
We are safe (Score:1)
Luckily we are safe :) !\:&%4-n|S.#%'K5:G%M],%"&$ W78]E_EOF
Does it make a difference? (Score:2)
Does it make a difference whether the software is doing this or your printer/copier does it? For a long, long time, laser printers and copiers have been doing the same thing to show where the document came from. Isn't this just the paperless version of what we've all been living with for a very long time?
Re: (Score:2)
Shhhh .... it's not fair to point out how "free" societies try to do the same fucking thing.
It confuses the plebes who still think their own governments aren't actively trying to become fascists too.
Re: (Score:2)
I use text format for everything. Pretty hard to add watermarks there without noticing.
Re: (Score:2)
If you send it to a laser printer or copy it on a copier there are watermarks. Doesn't matter the format used. Unlike the old fashioned typewriters where law enforcement could match the document to the typewriter based on how individual keys hit, in the digital age they had to find some other way. So, every laser printer and copy machine prints a tiny watermark that can trace the document to the machine that produced it.
No, it doesn't (Score:5, Interesting)
Before: https://i.imgur.com/oOoWssF.pn... [imgur.com]
Open in Red Star 3.0: https://i.imgur.com/MiORhD3.jp... [imgur.com]
After: https://i.imgur.com/uqAvXC6.pn... [imgur.com]
The above uses an MS Word document created in Office 2011.
I've tried jpg, docx created in MS Word, docx from LibreOffice, and numerous other random file formats copied onto my thumb drive - the MD5 remains exactly the same in every case.
Re: (Score:1)
Nonsense. Unless each and every write operation finds an MD5 collision for each and every file, there is no way that the MD5 would remain the same after a watermark would be added.
Re: (Score:2)
I'm viewing the hex on Mac OS X. I formatted a thumb drive, saved a newly created .docx file on it, ejected, connected to a Red Star 3.0 VM, opened the drive on Red Star, ejected and then connected back to OS X. The md5 and hex were exactly the same before and after. When I posted this to a thread on reddit the author came back to claim that the behavior didn't occur with .docx created in MS Word but did occur with .docx created in LibreOffice and with .jpg files. The .docx file I'd used in the first trial
Re: (Score:3)
And you've verified you have the same kernel modules and binaries running described in TFA?
Is there a slight chance if the VM can't access the hardware IDs needed to watermark, that it does not apply one? You have an old box you can run Red Star on natively?
Re: (Score:3)
Did you wait long enough for their "virus scanner" to run? Also, maybe you need to spoof it so it looks like your computer is in Korea.
English as she is spoke (Score:4, Interesting)
>> He particularizes
I don't know what makes me sadder: that he used that word or that it apparently is a word.
Re: (Score:3)
I feel sadder for the poor fellow who apparently spontaneously disassociated into a cloud of particles.
I'm okay w/ watermarks, but not secrecy (Score:1)
Okay, I know this is North Korea we are talking about, but non-secret watermarks can be useful in some "overlord" situations.
Back before cell-phone cameras became common, I worked for a company where every photocopier put a visible, human-readable watermark. They also banned cameras without a permit from corporate security. It was never stated outright but I'm sure this was either to deter industrial espionage or to comply with a contractual obligation that they take such steps.
Re: (Score:2)
The US and UK then upgraded and further restricted photocopier access policy with counters, educated security staff and by installing cameras in the photocopier units to record what was being copied and by what person.
V