STE WILLIAMS

Flaw spotted in North Korea’s Red Star operating system

North Korea’s national Red Star operating system is surely the strangest fork of Linux ever programmed.

It was designed to be an ideologically pure and secure alternative to suspect western software, and researchers have been pulling it apart with glee since the full install of version 3.0 leaked in early 2015.

What they found is odd: it boots up and closes down with a traditional Korean folk song. The installation serial number can be bypassed with any number. And it comes with a GUI so similar to the Mac, it’s a surprise that Tim Cook’s lawyers haven’t sent a cease and desist.

Naturally, it has security vulnerabilities, the latest example of which is a remotely exploitable flaw inside the OS’s bundled Firefox-derived browser, Naenara 3.5.

It’s a fairly serious flaw – a single malicious link would give an attacker complete control – although not the first discovered in Red Star. But to focus on the irony of serious security holes being found in an OS that was designed to escape the same problem in western software is to miss deeper paradoxes.

Exploiting the flaw would mean finding PCs running it inside the DPRK, but according to people who’ve visited the country, Windows 7 is probably as common. In a country where unsupervised PCs are extremely rare, Red Star might even have more users outside North Korea.

Neither the OS nor the browser seems to be updated that often, another problem for software with ambitions of maximum security.

But Red Star wasn’t built to keep the outside world out, nor even to counter the possibility that US-made operating systems have backdoors. Red Star is and always has been all about keeping North Korea’s small population of PC users in.

Red Star’s browser is hardwired to access the country’s Kwangmyong Intranet, which hides the entire nation behind a single Class A IP address. It’s as if everyone in the country is on the same network.

Everything the user can do on a Red Star PC is tracked in detail, often using technology adapted from western monitoring systems. But, secure? That seems unlikely. As every teardown of it has mentioned, Red Star is full of errors.

Building operating systems and browsers takes non-stop effort and requires the involvement of lots of motivated developers. Nation states find that effort hard to keep going.

North Korea isn’t the only nation to have its own national operating system. China has something called Kylin, Iran’s is called Zamin while, more recently, Russia’s military has talked up Astra.

All are based on Linux and at least one, Turkey’s Pardus, has a following abroad. What do these countries have in common? Essentially, most of them don’t get on well with the US, which seems to be the point of the national OS idea.

Whatever North Korea and Iran think about the US, they fear internal dissent more, and using permissive western software is seen as a high road to trouble.

The national OS offers an alternative, then, but one that is as much about psychological separation as meaningful security.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/qFZddya02PM/
