The Rise of North Korea's Hacking Army (newyorker.com)
235 points by mitchbob on April 22, 2021 | 170 comments



Well of course, hacking is an activity that has by far the most leverage both criminally and militarily in the modern era.

For ~$1M you can successfully attack and completely compromise essentially any Fortune 500 company in the world.

For ~$1M you could target the current model year of any brand of car in the world and develop a remote attack to simultaneously target every car of that model year at rush-hour and engage the cruise control at maximum speed, engage the anti-lock braking to disable the brakes, and, if applicable, engage the autosteer to turn slightly into oncoming traffic as these researchers [1] demonstrated could be done 5 years ago on a budget of only $80k.

For ~$1M-10M you could likely target the most popular types of generators used in a power grid and at the very least deactivate if not disable their software governors and over-rev them to destroy them as demonstrated by the DoD 14 years ago [2] and as militarily deployed by Russia against Ukraine [3] which could result in the loss of power for months if sufficiently widespread.

At the very least our internet-connected stoves with remote turn-on [4] are safe since, as we all know, the software developers for stoves are the best minds of our generation so it would cost far more than the ~$1M to hack a Fortune 500 company to remotely turn on the gas at 2 AM in the morning and then the igniter at 3 AM with results like this: WARNING [5][6].

For less than the price of a tank any government can develop a weapons system that is comparable in power to a full scale nuclear first strike that you can deploy instantly in your enemy's territory. Not just that, it can be tuned to any scale of destruction you want from an individual all the way up to full scale nuclear strike, and it can be done untraceably or, even better, you can pin it on one of your other enemies as the CIA had the capability to do [7]. Frankly, any government not feverishly developing such weapons systems given that they only cost a few measly million to develop for the immense capabilities they provide is either ignorant or fighting the last war. This is The Tool that a small nation can use to achieve parity with superpowers given their minuscule cost and immense leverage.

[1] https://www.wired.com/2016/08/jeep-hackers-return-high-speed...

[2] https://www.youtube.com/watch?v=7GSEchbDuB8

[3] https://en.wikipedia.org/wiki/December_2015_Ukraine_power_gr...

[4] https://www.geappliances.com/ge/connected-appliances/ranges-...

[5] https://www.youtube.com/watch?v=a2JPLMzQjkk

[6] https://www.youtube.com/watch?v=ZX9-puUjoDU

[7] https://en.wikipedia.org/wiki/Vault_7#UMBRAGE


Every one of these potential attacks would require a lot of things to go very right. It's easy to do X or Y under experimental conditions. The real world is far more chaotic and the odds of success are lower.

Further, none of these things would cause an enemy to capitulate. If an enemy shut off power or caused car crashes in several major cities at once, the US isn't going to just surrender or even think about it. They're going to strike back with the widest array of options for employing force that earth has ever seen. Every option you listed would be pin pricking a giant.

Cyber warfare is super cheap, but it's also orders of magnitude less effective than sustained aerial bombardment or a complete naval blockade. Another tool in the tool chest, but not something I would base my national defense on.


The difference is that the US homeland isn't used to feeling repercussions for its foreign policy and aggression abroad. The US populace most certainly isn't hardy enough to suffer through extended power, water and connectivity outages because of diplomatic failures. It's not about forcing a surrender, but more about making hostilities and aggression unpalatable to the citizenry.


It's historically rare for homeland "hardship" to be a fast path to victory. More likely it would induce a total war mentality and calls for reprisal attacks.

The British Isles hadn't seen war since the 1700s prior to WW1. Neither German strategic bombing in WW1 nor the much larger blitz in WW2 brought about surrender or capitulation.


Yes, these attacks are just the result of sanctions against those countries. We, over here in the US, shouldn't be policing the world; if those countries want freedom they should rise up on their own. It is hard, but it has happened in the past.


Hirohito and Hitler had similar thoughts about the US population. History tends to repeat itself.


It rhymes. They taught Bin Laden how to provoke disproportionate retaliation to his own ends.


Nothing done by Hirohito or Hitler to the mainland US population compares to a sustained loss of power, fuel or communications.


Neither Hirohito nor Hitler managed to strike the US mainland.


Generally true but there were a few small attacks on the mainland. While they didn't produce much damage they did provoke significant responses, particularly the attack on Ellwood which was used to justify the internment of Japanese Americans.

https://en.wikipedia.org/wiki/Bombardment_of_Ellwood

https://en.wikipedia.org/wiki/Fu-Go_balloon_bomb

https://en.wikipedia.org/wiki/Attack_on_Orleans


Amazing how good the US was at covering up the fire bombs sent to the Pacific Northwest, the shelling of the west coast, etc.

Not that they were huge casualty incidents, just amazing that most people believe the myth even today.

https://en.m.wikipedia.org/wiki/American_Theater_(World_War_...


Well, I know about the few incidents. It's just that it wasn't really a strike, it was much more so for show.


I mean, if Iran or North Korea directly and intentionally caused even a small forest fire today, no one would say it's 'just for show,' but yeah I agree with you.


Like, in principle you're right. In practice, cyber attacks at the level of terror that is equivalent to a "full scale nuclear first strike" simply have not happened (yet).

I do believe that you might be making a bit of hyperbole with the scale of possible terror potentially possible for such small amounts of money. Some crazy mofo should have done this by now. You're telling me that Ted Kaczynski types don't exist for hacking?


No, the reasoning that it is easy enough for some crazy person to do so, but none have done so yet, therefore it is unlikely to be possible is deeply flawed. On 2001/09/11 hijackers flew Boeing 767s into buildings for the first time in history and killed thousands. Yet, Boeing 767s had been flying for 19 years by that point and there were planes equally good for such a task for 40-50 years. On 2016/07/14 in Nice a person drove a truck into a promenade killing 86 people. Yet, cargo trucks had been in operation for 100? years by that point. These ideas are obvious, easily achievable, available for decades, and require no particularly advanced knowledge or skills to plan, yet took literal decades to occur after the point at which they became feasible.

The capability to engage in a large scale cyber-physical attack is maybe 10-15 years old. Not even a generation has passed since it became technologically feasible. To put that into perspective, Ted Kaczynski started his attacks when he was 36. If at the very moment that it became possible an 18 year old "crazy mofo" also figured that out they would still not be as old as Ted Kaczynski was when he started.


At these prices, cyber attacks are much cheaper than cruise missiles but too expensive for most criminals/terrorists without an explicit objective.

You'd expect state actors to use these attacks to achieve a particular goal, where the cyber attack option is weighed against the cruise missile option. Permanently destroying a power grid doesn't make a ton of sense for any reasonable objective other than total war.



I'm not sure where you are pulling these numbers from but my napkin math would go way differently. 1st question is how much does a security professional cost who is willing to do illegal stuff and knows how to do it properly. I'd say the number is around 300-500k$ a year. How many of these do you need? How do you find them? You need to pay quite a lot to someone with knowledge about how to find these people. How do you know your professionals will manage to find anything? You could waste millions this way and still come up with nothing. In reality you are not the one who would be organizing this. You need to find someone who usually does this and pay him 3-10x the cost he has for running this. And you need to pay the guy who helped you find this guy. So I guess you end up at around 10-50mil$ to fund an operation like this with questionable outcome, together with the risk of exposing yourself or ending up in some undercover police plot and end up in jail. And what's the worst you can realistically do? Get private info about people which gets leaked all the time or turn smart lights on and off for many people at the same time?


Yes but think about a nation-state. They aren't looking to hire black-hat hackers and dodge the police, they're creating a military division that recruits and trains the hackers, and they are their own police. They'll be able to manage their talent flow to ensure they can execute operations properly.

With regards to potential impact, I'm afraid it's a little more serious than smart lights changing colour. One could disable power-plants, steal money, vandalize factories. I saw a DefCon talk where the guy stumbled onto a totally open control panel for a waste-water treatment plant.

With a little creativity and co-ordination, this can be a very effective form of war. See also the Israelis (or someone) disrupting Iran's nuclear ambitions.


For a US citizen it may be 300-500k, but for people from some other country 50k could be enough.


That's some seriously scary (and concerning) stuff. As a non technical person, what are some things I can do to protect my company against complex cyber adversaries?

Also, considering the destructive potential of those cyber weapons, are there any international laws surrounding the usage of them against civilian targets?


Defence in depth. It's not a buzzword anymore, but the principles hold up.

Basically, each component in your threat model should have no less than two controls to protect it. Assume that 'active' systems (antivirus etc) can and will fail. Passive measures are predictable and cost effective, but have limitations - a mixture of both is ideal.

Think of it like a well fortified house. You don't just stick a robotic machine gun on the roof and command it to shoot people it doesn't recognize - everybody knows from intuition that's a bad idea. Instead, you layer up your defences. Passive measures are a great start: a steel door, bars in the windows, bollards to keep vehicles away, etc. Then you layer active measures: lights and cameras, sensors in windows and doors, keycard access to different areas, etc. Anything more than that you need to develop your threat model; are you defending against bears or against a helicopter gunship? A moat won't protect you from a chopper, and radar guided anti-aircraft missiles won't be very effective against bears.


>As a non technical person, what are some things I can do to protect my company against complex cyber adversaries?

That usually comes down to - who are your adversaries? Parent implies that given enough money, high value targets can be compromised for less money than conventional military arsenal.

For an average individual or small company dealing with non-sensitive data, preventing non-targeted attacks is likely a high priority, e.g. preventing your applications and data from getting compromised because a vulnerability was detected in an attacker's random scan, or because your staff plugged in a flash drive with ransomware.

Some simple, non-exhaustive preventive measures are: Operational Security (training staff not to click unwanted links, social engineering attacks (not revealing too much about their work online), better identity management, etc.), Application Security (ensuring security-focused application development, keeping up to date with patches for libraries, etc.), and collecting as little customer data as possible (ensuring customer privacy).


>what are some things I can do to protect my company against complex cyber adversaries?

Employ on site Red and Blue teams or pay externals for regular penetration tests and security audits that feed back results to your site/infra/dev-ops teams.

None of this is new but most businesses ignore them since it's seen as an expensive snake oil and most importantly, "it's never gonna happen to me".


> it's never gonna happen to me

Or they see that multiple Fortune 500 companies were affected by breaches and all of them are doing fine. So attitude can be - "it's inevitable, but we'll be OK anyway"


Don't connect anything critical to any network, directly or indirectly, except a dedicated one separate from the Internet if unavoidable.

Never browse the web, read e-mail or otherwise run any Internet client from any machine with data on it and instead use a separate machine or if unavoidable a VM on top of a reasonably secure hypervisor to run the browser.

Secure every single system assuming that the network is compromised.

Restrict access to data to only those who need it.

Avoid software written in C/C++ for anything security critical at all costs unless there is no alternative.

Only hire competent programmers and sysadmins.

Invest in proper physical security.


About the only commercially available solution that provides defense against attackers with more than $1-10M is a system that is inaccessible to a remote attacker. As a company this means complete physical disconnection of the systems you want to use in addition to a complete removal of all possible connectors except for a very limited set of explicitly enumerated entry points that you add back onto a system that is completely physically disconnected.

To evaluate the quality of your security, you should hire a red team, a team that emulates an attacker, to attempt to breach your security. If they are able to breach your systems then the key takeaway is that your security process is systemically incapable of defending against attackers with that level of budget and resources which is supported by the empirical evidence that a team with that level of budget and resources did, in fact, breach your systems. This is in contrast to the standard takeaway which is to just fix the specific defects discovered since obviously the only defects that exist are specifically in the areas that were probed. To actually remediate the problem you need a systemic overhaul otherwise you will just keep getting the same quality of output that is equally defective.

Unfortunately, the prevailing state of cybersecurity has no functional solutions to these problems once you get to attackers with a few million dollars outside of the heavy-handed and highly inconvenient solution of disconnection. For systems with safety standards, that is a cost that should be paid. For any other system, you need to evaluate if disconnection is worth it in the context that there is a 100% chance that anybody with a few million dollars can successfully completely compromise your systems. If you only consider direct harms such as monetary damages, disruption of business, stock price changes, it is highly unlikely to be worth it compared to getting insurance at this time as most attacks that do direct harm are still being done by financially unsophisticated attackers who are still underutilizing their blackmail potential by at least 10-100x, so it is almost always financially prudent to just eat the cost. As for indirect effects, it is up to you to consider if IP loss, reputation loss, leakage of confidential information, etc. at the cost of a few million dollars is worse than the negative effects of disconnecting.


What’s your budget & what are you protecting?

Without that info, I think one of the only universal recommendations (whether you’re a trillion dollar FAANG or 2 person startup) is buy U2F keys for everyone* and enable them everywhere. Also try to know what assets you have, and patch everything regularly.

* Yubico make great U2F keys which I recommend. Others such as Google also make keys.


> For ~$1M you could target the current model year of any brand of car in the world and develop a remote attack to simultaneously target every car of that model year at rush-hour and engage the cruise control at maximum speed, engage the anti-lock braking to disable the brakes, and, if applicable, engage the autosteer to turn slightly into oncoming traffic as these researchers [1] demonstrated could be done 5 years ago on a budget of only $80k.

If it were that easy, why hasn't a hack happened with a massive loss of life yet? Most big breaches involve credit card numbers or other personal info.


Fortunately, countries with "nuclear first strike" do not perform them liberally, due to the threat of mutual destruction.

Hopefully, the same thing also applies to cyberspace.


I don't think there is much to "cyber-destroy" in retaliation even with a country like China.

On the other hand, you have many more countries constantly exerting overt aggression despite retaliation by Western countries being quite possible... but never coming, for all reasons from co-opted politicians and insiders, to the power of their public image, to plain cowardice.


Note that all of these attacks are easily defendable and closable, unlike closing a border for attacking tanks. The only reason the attack vectors exist is the legacy of Microsoft Windows and not having competent enough embedded system programmers. Risks have been externalized in the name of short-term shareholder profit. The only way to fix the situation is to have investors suffer if their company inadequately deals with cyber security.


Windows or 150 other apps that run on Windows?


Where can I purchase this? You have an eBay or Amazon link or something?


I'm Korean American; my dad is an elder at a big Korean American church. Several years ago a missionary came asking for donations of computers which he would take to North Korea to teach computer skills.

In any case, my dad called for a meeting of the church leadership and put a stop to it, but that was a big WTF moment. Is sending computer equipment and/or teaching North Koreans computer skills even legal from the US standpoint? I don't remember if said missionary was an American citizen or a South Korean one.

The same goes for a lot of aid that gets sent there. That people are suffering there is tragic, but it is so easy for aid to be diverted to primarily benefit the Kim dynasty and its closest circles while the majority of the country doesn't reap the benefits.


I understand your point, but the fear sounds overblown. North Korea isn't some isolated kingdom in the Andes - they have a long border with China, over which the US has no control.

If NK wants to raise a hacker army, I don't think the existence of some used computers donated by American churches would make a meaningful difference.

* That said, we also have to consider the danger of the US government deciding the donation is illegal, so ... (shrug)


In addition to the host country's potential concerns, donated computers often contain private data that the donator thinks has been deleted. If a country is known to have a hacker program, I certainly wouldn't want my computer going there even if they can buy factory grade ones.


"If a country is known to have a hacker program"

In other words, any modern country?

Drives should be zeroed before getting sent off anyways.


My knowledge of NK is fairly limited, but I genuinely don't see what help computers would be to NK. Do they have access to the internet? What good do computers do without an internet connection? Maybe you can play some games, maybe you can load some software like spreadsheets but that's assuming they have books to learn how to use it. Would it be for training so they can get some better jobs? Are there computer jobs?


I had a computer for 12 years before my first Internet connection. Actually didn't have a modem at all.

It was hugely influential in my development. I drew things, animated things, made music, wrote school papers and a neighborhood newsletter, made videos with wipes and title cards, wrote my first resume (at 15, hah), and of course played some games.

I give a tremendous amount of credit to having that in the home for my current computer literacy and career path.


Back in the old days we learned about computers without the internet.

You had mainly paper documentation. With 10 or so of the best tech manuals to read, and a bunch of old machines to network together, and a few CDs of useful software, the right person could easily become highly skilled.

And by definition hacking means working out things that aren't already known (by many at least) so the absence of say stackoverflow and the other joys of the internet wouldn't slow those guys down either.


>>What good do computers do without an internet connection?

I mean, computers have accelerated nearly every single industrial process they touched by a few orders of magnitude, long before the internet was a thing. They will still be used for exactly the same purposes in NK: operating machinery, operating point of sale systems, keeping inventory, teaching... Also, NK has an intranet network; while the knowledge about it is limited, it's basically a very restricted and heavily filtered version of the internet available to North Koreans.

There are accounts from people who have even taught computer science in NK:

https://www.vice.com/en/article/z4m8qx/how-to-teach-computer...

And general reports on what they use:

https://www.businessinsider.com/what-using-a-computer-in-nor...

So yeah, there are absolutely computer jobs in the country.


NK has a fairly good Internet connection through China.

Outside Internet is available to the elites.

And yes, they have zero impediment smuggling just anything through China. Anecdotes tell of the latest Rolls-Royces on the streets of Pyongyang.


The economy of North Korea is an enigma, but despite decades of very poor planning, they do have industry. I'm sure they have jobs that need basic computer literacy.


It's actually possible that the NK hackers are taking blame on behalf of CCP. Would take too long to explain fully. Just imagine NK as a "blame proxy" for CCP when it comes to the edgiest operations.


Sounds plausible, but is there any sort of evidence or indication that this is happening?


The same evidence that's used to blame everything else on the Russians.


There's a major IT/Business school in Pyongyang largely staffed and administered by U.S. based missionaries.

https://en.wikipedia.org/wiki/Pyongyang_University_of_Scienc...


There was the timber hauling truck converted into an ICBM launcher. With the deforestation apparently happening in North Korea it probably wasn't the best thing to sell them regardless.

https://www.reuters.com/article/us-northkorea-missiles-china...


I'm not sure what your point is. I can see you make two diametrically opposed arguments with that example:

A) Even seemingly harmless tools can be turned into dangerous weapons and they've done so before, so the best course of action is to not support them at all because they'll just turn around and try to hurt us.

B) Even seemingly harmless tools can be turned into dangerous weapons so there's no point in obsessing whether what we give them could be used for nefarious purposes as they'll just come up with a way to hurt us if they want to anyway.


C) Don't forget FOSS ;-)


> The malware consisted of rows of seemingly random letters and numbers flowing down a page, in pairs. In the margins were some recognizable English-language words—“Windows,” “everyone”—connected by cryptic punctuation. Choi could fluently and sensitively parse all this.

So...it was a hex dump?


Must be an advanced hacker tool if it shows in "margins". My hex dump shows it only in one margin. /s


The canonical (-C) output for BSD hexdump(1) formats data like this:

  00000000  54 68 65 20 71 75 69 63  6b 20 62 72 6f 77 6e 20 |The quick brown |
  00000010  66 6f 78 20 6a 75 6d 70  73 20 6f 76 65 72 20 74 |fox jumps over t|
  00000020  68 65 20 6c 61 7a 79 20  64 6f 67                |he lazy dog|

This is also a common default format for many hex editors.

The visual representation columns--which display all isgraph(3) ASCII values as their ASCII character, and every other 8-bit value as "."--could be interpreted by lay readers as a margin that decodes the octal and hexadecimal values which take up the 4/5ths of the 78-column display.


Ah yes, the hacker's secret cryptographical weapon!

(It certainly reads that way)


Interestingly, malware often hides these strings with different types of obfuscation.
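The canonical layout described in the hexdump comment above, and the reason obfuscated strings never reach its ASCII column, as an added example that is not part of any comment in this thread. `SAMPLE` is a constructed buffer (not real malware), the function names are illustrative, and the single-byte XOR stands in for the unspecified "types of obfuscation"; duplicate-line folding (`*`) is not implemented.

```python
"""Canonical hex dump plus the string checks an analyst runs beside it."""
import re


def hexdump_c(data):
    """Lay bytes out like `hexdump -C`: offset, 2 x 8 hex bytes, ASCII column."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        left = " ".join(f"{b:02x}" for b in chunk[:8])
        right = " ".join(f"{b:02x}" for b in chunk[8:])
        # Printable ASCII (0x20-0x7e) is shown as itself, everything else as "."
        text = "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in chunk)
        lines.append(f"{off:08x}  {left:<23}  {right:<23}  |{text}|")
    lines.append(f"{len(data):08x}")  # final line: total length as an offset
    return "\n".join(lines)


def ascii_strings(data, min_len=4):
    """Runs of printable single-byte characters (what strings(1) reports)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def wide_strings(data, min_len=4):
    """UTF-16LE text, common in Windows binaries: it dumps as 'W.i.n.d.o.w.s.'"""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


def find_xor_key(data, needle):
    """Try each single-byte XOR key; return (key, offset) if needle decodes."""
    for key in range(1, 256):
        pos = bytes(b ^ key for b in data).find(needle)
        if pos != -1:
            return key, pos
    return None


# Constructed sample: a plain string, a UTF-16LE string, and a string hidden
# with single-byte XOR (key 0xA5, chosen for illustration).
SAMPLE = (
    b"MZ\x90\x00"
    + b"everyone\x00"
    + b"\x01\x02\xff"
    + "Windows".encode("utf-16-le")
    + b"\x00\x00"
    + bytes(c ^ 0xA5 for c in b"example.invalid")
    + b"\x00"
)

if __name__ == "__main__":
    print(hexdump_c(SAMPLE))
    print("ascii:", ascii_strings(SAMPLE))
    print("wide: ", wide_strings(SAMPLE))
    print("xor:  ", find_xor_key(SAMPLE, b"example"))
```

The third dump line is all dots because every XOR-ed byte falls outside the printable range, yet a known-plaintext search over the 255 possible keys still recovers it.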


In the face of sanctions, NK has to get creative. Sad that a generation of talented people is basically harvested by the gov for hacking and theft.

"The process by which North Korean hackers are spotted and trained appears to be similar to the way Olympians were once cultivated in the former Soviet bloc. Martyn Williams, a fellow at the Stimson Center think tank who studies North Korea, explained that, whereas conventional warfare requires the expensive and onerous development of weaponry, a hacking program needs only intelligent people. And North Korea, despite lacking many other resources, “is not short of human capital.”"


"harvested for hacking and theft" in the same sense that any military "harvests people to turn them into killing machines"?

You could equally well frame it as "they are given a chance to do their patriotic duty", "they serve their country", "they are given an amazing job opportunity". Your wording isn't wrong, but it is an unusually harsh way to describe a military operation.


It's only bad when we don't like that country, I suppose.


I went to a talk by a couple of defectors, one of whom was an embassy employee, and they explained that they were always tasked with earning money through means like selling illegal alcohol etc. Sanctions obviously make legal trade impossible with many countries.


From what I understood there is a huge flow of drugs like meth from NK into China. They are basically just a mafia state who will do anything for money.


[flagged]


Parent said nothing about the US. You have a valid point, but there are far better ways to make it than with this complete non-sequitur.


Yes, but... it doesn't seem a complete non-sequitur.

Thoughts about whataboutism: When you say "Y is basically just a mafia state who will do anything for money", there seems an unspoken premise "My country X is not like that/is better than that." And to someone to whom X is not better than Y in that respect, the initial claim sounds like "Y is evil because they have two legs", when X has two legs also. It sounds ignorantly hypocritical. How else to point out "Uh, but you also have two legs, although you're acting like you don't."? The problem wasn't that the first claim wasn't true, but that it was spoken in a hypocritical way, saying one party is bad for a reason which applies equally to the other party. And to someone to whom both parties seem to have the bad condition, before they can hear or really respond to the "Y is bad" claim, you really have to deal with—justify—your own unspoken premise of "My own country X doesn't do the bad thing."

Just saying "But X also does the same bad thing!" gets accused of whataboutism, as here. "Parent said nothing about X". True, not explicitly, but X appeared in the unspoken premises. Which loom large if you think one or more of them false.

I'm not sure what the solution is. I guess maybe saying "I think you have an unspoken premise, which seems false to me, that your country X doesn't do the bad thing you are accusing Y of" at least has a milder tone.


North Korean defectors are paid by South Korean govt and US-funded orgs in order to push propaganda about North Korea.

https://www.theguardian.com/world/2015/oct/13/why-do-north-k...

https://www.pri.org/stories/2015-01-22/problem-north-korea-s...


It’s likely true that defectors (by reason they defected) have legitimate stories to tell and they are both paid & given a platform to tell their stories by governments. Giving someone a megaphone doesn’t make their story less true does it?


When you can make a living telling stories about how awful the country you defected from is, it probably makes sense to embellish at least a few of them. It's not like anyone's going to be able to tell the awful and true ones apart from the awful and untrue ones.


I once listened to an interview with the head of the Seoul office of the U.N. Office of High Commissioner for Human Rights, and if I remember correctly she said that they had to be careful to base their work on reports from defectors because they were aware that some reports might be exaggerated or made up.


Neither of those links support your claims.


Here is a video that contains some accusations of bribery of defectors and other shady business by NIS (Korean CIA) https://www.youtube.com/watch?v=ktE_3PrJZO0


I'm curious what the AsianBoss would make of the video. His interviews with defectors always seemed so genuine. https://www.youtube.com/user/askasianboss


Ah yes, Youtube. A trusted source of information.


"Youtube" itself is not a source of information. It is a site where people post videos. Journalists post videos on Youtube through BBC, Economist, Washington Post, Nightline/PBS, etc...

Does their posting content on Youtube make them less credible?

Judge the originator of the content, not who hosts it.

Might as well go "Ah yes, the internet. A trusted source of information."

That's how shallow your retort is.


Probably not the current SK government. The current president is on the liberal side - less pro-American and more pro-peace-talk. (Conservatives would even accuse him of being pro-China, though, to be honest, that's ridiculous.)

However, SK is a free capitalist country, and NK defectors need to eat, so some of them find gainful jobs telling conservative pundits what they want to hear.

Of course there's no doubt that NK is a horrible, horrible place, but still, sometimes you have to take some of these viewpoints with a grain of salt.


I think you are kind of overlooking that the situation is a bit more complicated than just some of the defectors telling conservative pundits what they want to hear. It seems to me from a little digging that detainment of former citizens of the North by the NIS is indeed a coercive process that happens long before the defector even has opportunity to speak to the pundits. How can this be simplified so much?


https://en.wikipedia.org/wiki/National_Security_Act_(South_K...

Defectors in South Korea are by law not allowed to talk positively about North Korea.


Regardless of whether the accusations about defectors being coerced to make North Korea sound worse are true, honestly this just sounds like an obvious consequence.

If you isolate a country economically by cutting off all legal ways for it to trade with the international community, it will have to rely on illegal ways.

Generalized trade sanctions have time and again proven to be ineffective because they are so indiscriminate. They're meant to work as a deterrent, not a punishment. But the deterrent works with the threat of disrupting the economy, which only works short-term as the existing supply chains come to a halt and businesses panic. If you sit the sanctions out long enough, the economy will have already collapsed and will rebuild itself under the new restrictions. Once the economy has adapted, the sanctions are no longer a deterrent, they're just how things are, and the promise of conditionally lifting the sanctions feels like a trap because it would require changes to the economy that would again make it vulnerable to those sanctions if they were reinstated.


Your heart just breaks for those kids competing in the IMO. Their peers from other nations are going to go to college, maybe stick with math but they have a million opportunities ahead of them to use their talents. Meanwhile these kids are getting conscripted into being crooks.

I really can’t imagine how bitter that would make me feel.


They're patriotically serving their country doing an intellectually challenging job.

If you compare it to what many intelligent individuals wind up getting stuck doing in other developing countries it's a pretty awesome opportunity.


> Meanwhile these kids are getting conscripted into being crooks

They're not crooks from their perspective. They're indoctrinated into hating the west, remember. As far as they're concerned they're likely to feel they're serving their nation and doing a good deed.


I don’t know - did every Soviet mathematician buy into their propaganda?


Very tangential, but the story of Jim Simons is interesting.

He was an American cryptographer who took a very public stance against the Vietnam War. Being forced to leave, he went and set up the world's most successful hedge fund, became a billionaire and led the nerdification of trading.

There are lots of really really interesting interviews with him on YouTube.


You can enjoy the intellectual challenge of what you do, while understanding that the political context of it is bullshit.


What?


Well, enough Americans do for the NSA and CIA to have plenty of highly intelligent math geeks on staff.

Or did you think the US doesn't do propaganda?


> Meanwhile these kids are getting conscripted into being crooks.

> I really can’t imagine how bitter that would make me feel.

That's how I feel about smart CS kids getting duped into working for the CIA or NSA, but I have less sympathy with those because they're coerced with cozy paychecks rather than the implied threat of literally being dragged in at gunpoint.


Any idea on CIA and NSA pay? FBI pay is garbage but no idea on the others


They are just regular US government agencies on the standard US government payscales.


> Sad that a generation of talented people is basically harvested by the gov for hacking and theft

What's wrong with that? Would it be better if they were harvested by corporations to just make far more questionable things?


Products and services are far more questionable than hacking and theft?



On every thread with a paywalled site, I appreciate the kindness you show by linking an archive copy.


I've been consistently impressed with the quality of the New Yorker's recent reporting on North Korea. I highly recommend this piece on Liberty In North Korea's Yale-educated Mexican founder, who is leading a militant, provisional North Korean government [1].

[1] - https://www.newyorker.com/magazine/2020/11/23/the-undergroun...


Some funny metaphors and descriptions in the article. Seems like the author is grasping a bit to make programming relatable.

"The coding and the analytical skills on display at such events were like the Force in the “Star Wars” movies: it could be used for the light side, or for the dark."

"He spoke about the Stuxnet code in the way that an art historian might discuss “The Night Watch”: it was “elegant,” “precise,” “sophisticated.”"

"The malware consisted of rows of seemingly random letters and numbers flowing down a page, in pairs. In the margins were some recognizable English-language words—“Windows,” “everyone”—connected by cryptic punctuation. Choi could fluently and sensitively parse all this."


At one point I noticed a lot of people from North Korea openly registered and active on Hacker Rank and I wondered how Hacker Rank was allowed to let them use their platform.


Don't you think it's just people can set their country to North Korea just for fun?


I am confident these were legit.


Genuine question, how were you sure? It doesn't seem like many communities have known NK participants


I didn’t find the profile because it said North Korea in the location field or because I was checking Hacker Rank. Sorry for not being more explicit.


You can set your country to anything. I changed mine to North Korean and I'm Canadian. This doesn't prove anything other than people like to meme.


Anybody on HackerRank could use the knowledge gained nefariously, why should North Koreans be specifically banned?


In my opinion: as long as NK blocks its average citizens from using the internet, we should block the "privileged" in NK from using the internet.


No, we shouldn't.

Among those "privileged" people are the ones who are actually capable of leading a revolution in North Korea, and will not be outspoken about it until they have a proper plan. I do not believe in imposing restrictions on them.


The reason we haven't bothered trying, I assume, is because we can very easily see what they _are_ doing if we don't block it, and if we do, they'll just go through China.


So you don't oppose internet access being blocked, you just want to be the one to control who's blocked? Or you are only in favor of blocking access to those who block others, so you're willing to sacrifice your access to block theirs?


This seems like some kinda paradox of intolerance. If they block all their citizens from using the wider internet we should absolutely block them.


If we block their citizens from the wider internet, we should be blocked too then.


This doesn’t make any sense. Are you saying they should block us? The point would be moot if they’re already blocked. Are you saying we should let their elites indulge in our media when their own citizens can’t? Because if so you’ve completely ignored my statement about the paradox of intolerance


I'm saying we shouldn't block people from the internet as punishment for blocking people from the internet, we are committing the crime we're punishing. I realize that there isn't an external power that could block US access like the US can do to North Korea, which is why my original post used "sacrifice."


Again, paradox of intolerance. This is the same as thinking we shouldn’t use violence against those who use violence to subdue others.


If you use violence to stop someone from using violence, you either reduced the amount of violence done or kept it the same. There can be some ethical uses there. The concept can be spread to some other areas, but only ones in which the intolerance could hamper the intolerant, which I don't think is the case here.

It's typically known as the "paradox of tolerance" by the way, your mistaken version didn't ring any bells, and I assumed you thought the argument ended in a logical paradox.


The same could apply to blocking. What's your problem?


I don’t think they should be. Those people are pawns though, not curious hackers. The US govt decides what countries we sanction, not me.


The US cyber related sanctions do not seem to forbid educational resources from being accessed in North Korea, with a possible exception related to encryption.

>Those people are pawns though, not curious hackers

Anyone using the site for their government or private job would be then. Practicing for your employment does not mean you don't like your job.


This is an interesting workaround. The people I found were definitely overly part of a university which would explain the potential reason this might be a good technicality.


It's not a workaround. There are economic sanctions and an arms embargo, not a total ban on interaction.


Given that these hackers are acting maliciously on behalf of a violent dictator, it’s a workaround.


I didn't realize you had tracked the people registering on the service and successfully tied them to malicious acts. Is their nationality really important at that point?

Or are you just in favor of collective punishment against North Koreans, individual actions are irrelevant?


I'm speaking about nation states, not individuals, I am disappointed with the state of affairs there, and wish there was more we could do to stop the oppression.

I am not speaking in terms of a personal attack against oppressed North Koreans, and it's confusing that you appear to persist in turning this discussion into that.

I want hackers to learn more, I am not personally responsible for whether or not it is legal for a North Korean citizen to use a service offered by a US entity, and I do not have a strong opinion about whether it's OK to regulate that, it's not my speciality.

I was sharing an observation: people from North Korea are training their hacking skills using Hacker Rank. NK internet is strongly regulated, so those people must be using it for state sponsored purposes. Current trends for computing expertise in North Korea have been towards malicious acts by the government (not pointing fingers at individuals, I hope some of these NK hackers find a way to escape their oppression but I suspect they'll just be treated better than others so they'll continue to be oppressed next generation).

Please let me know what you think I'm saying that implies I am in favor of collective punishment against North Koreans based on my statements here so I can more accurately respond to your concern. I'd also love to hear why you have such a strong point of view on this subject, it may add color to help me understand your statements.


>I'm speaking about nation states, not individuals,

Your comments start with "I noticed a lot of people" and continue talking about the individuals.

>Please let me know what you think I'm saying that implies I am in favor of collective punishment against North Koreans based on my statements here

The part where you say a ban would be useless as they'd just circumvent it seems like saying a blanket ban is justified. Or where you wondered why Hacker Rank let them use their platform at all. I will say, I'm less sure that Hacker Rank wouldn't violate the economic restrictions now, visiting the site makes it look a lot more like job recruitment than I thought it was.

Beyond that, I'll paraphrase. For absolutely no reason, you assume that everyone using a computer in North Korea must be using it for hacking. Yet in the society you live in, can you name a single business that does not use some kind of software the tools at Hacker Rank help improve?

They have plenty of use for the training outside of criminal hacking, and you saying it's a "workaround" for them to access educational resources ignores this.

>I'd also love to hear why you have such a strong point of view on this subject

I hate how people treat North Koreans as either mindless tools of the state or pitiable oppressed masses. None of your comments have acted like any of the people signing up are real humans expressing complex desires in their admittedly somewhat shitty situation. Imagine how you would feel to wake up suddenly blocked from the service because they decided they don't like where you're from.


>Your comments start with "I noticed a lot of people" and continues talking about the individuals.

Fair, but as I've now stated several times, that's not what I intend, so your continuing to read it that way is your choice.

>it seems like saying a blanket ban is justified.

How could an easily circumventable ban be what I am advocating for? That's absurd. I'm saying a ban would be pointless because if the goal is to keep them off the internet, it won't. In stating this I make no statement about the validity of an attempted ban in the first place. To be clear, I do not agree with banning people or countries from the Internet.

>Or where you wondered why Hacker Rank let them use their platform at all.

Yep! That's pretty much it. I know that Github, for example, has been made to limit access to Github where sanctioned. I thought that maybe such a thing would apply to other SaaS companies. I am not at all surprised they are on there, most startups aren't wrapped up in government level regulations. Github didn't seem to have a lot of trouble with this until Microsoft acquired them, as an example.

What surprised me maybe a little was that the profiles (I'm avoiding saying individual now) I found were very blatant so I doubt would have flown too far under the radar to anyone looking (government authorities) and would potentially have caused them to talk w/ Hacker Rank, given the nature of the site. Yes, it's basically a recruiting agency, but it's also a place to practice red team skills. This kind of information is available in MANY places, so I'm not even implicating Hacker Rank as being an accomplice in any way, just sincerely curious about how some North Korean hackers ended up on a US hacking site :)

>you assume that everyone using a computer in North Korea must be using it for hacking.

I mean, maybe? I'm not equipped to make that assertion. I think the profiles I saw were an indication that those profiles existed to practice hacking on behalf of the North Korean government. I don't think that's particularly controversial. I saved the names on the profiles I came across somewhere, and if they're reading this and feel wronged because that's not why they used Hacker Rank I'll buy them dinner if they reach out to me.

I do believe that computers and internet access are limited in North Korea, and that makes them a valuable commodity, one controlled by the North Korean government, and I expect them to use those resources in an economically viable way, so it is my intuition that running large scale red team trainings would be a great thing for them to be doing.

>They have plenty of use for the training outside of criminal hacking, and you saying it's a "workaround" for them to access educational resources ignores this.

I didn't know there was an educational exemption, and I very much appreciate your pointing it out to me. I used the word workaround because I still believe these profiles were created on behalf of work for the government of North Korea. This is a reasonable assumption, and you've provided no counter examples as to what kind of non-government run hacker culture exists in North Korea, if there is one, it must be fascinating and I'd love to learn more about it from you.

>They have plenty of use for the training outside of criminal hacking

Absolutely, these hackers are likely learning a defensive skill as well, and even if acting on behalf of the government of North Korea, I don't claim they don't deserve to develop these skills, never have.

>I hate how people treat North Koreans as either mindless tools of the state or pitiable oppressed masses. None of your comments have acted like any of the people signing up are real humans expressing complex desires in their admittedly somewhat shitty situation. Imagine how you would feel to wake up suddenly blocked from the service because they decided they don't like where you're from.

Thank you, this is much appreciated context. I apologize that the way I spoke diminished the individuals involved, that's clearly a theme here, but I think you should ask more questions before jumping into the many assumptions you've made, we could have had a lot more productive and interesting conversation if you stated your last paragraph in any of my other responses!

Thanks again for responding, and I'll keep this in my pocket when thinking and speaking of marginalized and oppressed people in the future.


I could nitpick some things, but by stating in no uncertain terms you don't agree with a blanket ban we mostly are in agreement. So just a bit confused now

>Yes, it's basically a recruiting agency, but it's also a place to practice red team skills

I've never used Hacker Rank, but the Wikipedia page does not make it seem like that's one of the focuses of the site. It says it "focuses on competitive programming challenges for both consumers and businesses, where developers compete by trying to program according to provided specifications." Which may explain much of our misunderstanding, I would not assume a member of the service was engaging in "hacking" at all.

I've somewhat wondered if there's a second Hacker Rank, but the first page of search results showed nothing.

> but I think you should ask more questions before jumping into the many assumptions you've made

Your first reply to me said "those people are pawns though, not curious hackers," I didn't think it was an assumption to think you actually thought that.


You are 100% right. I got Hacker Rank confused with Hacker One. Bone head move.

Looking back I may change a few things about what I said but better to just put it out there. I think using hacker rank to train algorithmic and programming skills is none the less (under my opinion that these skills are being developed for malicious purposes, which I think we agree could be defensive, or even just personal curiosity), and doesn’t change my surprise at finding the profiles, given my assumptions about the sanctions. Hopefully this somewhat closes the loop on our back and forth, and I appreciate, again, your willingness to talk this out :)

Edit to be clear: found profiles on hacker rank. Confused with hacker one because of age and time. Still curious about NK hackers training up algorithms, it’s fascinating. I owe you a big apology for the confusion. I also agree that it feels like we are in agreement on the important parts.


Hacker rank is an American company. US has sanctions against NK and they treat this very seriously. They could shut down hacker rank for not complying.


What sanctions block access to the internet? 448 seems to indicate HackerRank has no liability here

https://home.treasury.gov/policy-issues/financial-sanctions/...


I can't imagine they have a very strong compliance focus. What gave them away in particular, or were they just operating in the open?


Wide open.


Why wouldn't they allow it, though?


US businesses cannot offer services to several countries we have sanctions against.


Sanctions


And the lack of Internet in North Korea.


They have a few IP addresses that are pretty active.


Having that "security joke" enforced by the South called "ActiveX", North Korea had it really easy to collapse SK down a la Blaster/Sasser way.


This article missed the recent social engineering attack DPRK carried out against cyber security researchers: https://portswigger.net/daily-swig/prominent-cybersecurity-r...

Their social engineering skills are impressive!


I wonder if any are active on hacker news. Seems like the backdoor potential of making contact with people deep inside some of the world's significant tech companies is pretty good on here.


Maybe but it will be like Stephen Hawking hosting a party for time travelers.


You're gonna be shocked when you find out McCarthy was actually right about a bunch of infiltrators...


It's true. Folks should look up the Venona Project and the decrypted intercepts from that era. Far beyond Hall and Sachs spying at Los Alamos, there were indeed many spies throughout the government (it was the height of the Cold War, after all).

Similarly, although Nixon was famously paranoid, he was also right about the Soviets fomenting and amplifying Vietnam War discord, too.


If they are on here, is that the communists infiltrating the capitalists or the capitalists infiltrating the communists?


This is my favorite black swan event for Coinbase: NK decides to infiltrate and steal all the BTC.


Surely most of it is in cold wallets of some kind that can't be stolen that way - or has nothing been learned since Mt Gox?


Can't they just kidnap an employee or two and make them add backdoors?

It's not completely implausible given what happened to Otto Warmbier:

https://en.wikipedia.org/wiki/Otto_Warmbier

https://www.youtube.com/watch?v=-rZkdPXP6H4


No, because cold wallets are stored in a physical location without software interaction. They'd have to do what essentially amounts to a terrorist attack in order to break into that location, subdue all the guards, steal all the wallets, etc. Which would basically be a declaration of war if it could be linked back to a specific country.


and insured?


This kind of justification for the North Korean embargo is disgusting. The world is inflicting poverty upon this people to punish the government for the grave sin of not bowing to US hegemony.


Please don't take HN threads into flamewar. It's tedious, repetitive, inevitably turns nasty (see below) and does nothing to help.

We detached this subthread from https://news.ycombinator.com/item?id=26910229.


[flagged]


What's with astonishing praise for evil just for the sake of sticking it to the status quo?

Completely orthogonal to any US allies and their action, it is absolutely disingenuous to dismiss the evils of Saddam's empire: https://www.youtube.com/watch?v=kLUktJbp2Ug. There is a large body of work around Saddam's regime, this YT clip isn't provided as evidence, but to show how misplaced it is to say "Saddam did nothing wrong".

I find this an ongoing problem on HN. There are 2 counter acting forces A and B. Objectively, B is evil. But, HN equates A and B on the same level and demands equal criticism of both just by the virtue of the fact that A and B are up for a discussion. I am sure there is a list of biases being violated. It's similar to the debate between flat earth deniers and believers. If we host a debate between them, there is a perceived notion that both parties are on the same footing. The truth couldn't be far from that.


Generic tangents that get us to Saddam from the OP are not at all the point of this site. Please don't. Reductio ad Saddamum may not be full Godwin but it's way over the line.

We've asked you before to stop using HN for political flamewar. It's not only not what HN is for, it destroys what it is for. If you keep doing it we're going to have to ban you. Using multiple accounts to do this kind of thing is particularly not cool.

https://hn.algolia.com/?dateRange=all&page=0&prefix=true&sor...

https://news.ycombinator.com/newsguidelines.html


I apologize. It is difficult to tell when to refute praise of evil (Saddam, NK) and when to avoid starting a political flamewar. I'll just disengage since it leads to unpleasant toxicity, you're right.


The point is that Saddam was a hero when he was killing Iranians, but a villain when he invaded Kuwait. Saddam didn't actually change, his usefulness to us did. And a large part of the reason he was able to rule Iraq was because he was supported by the West.

Assuming the people you're arguing with are simple-minded flat-earthers who can't think that anything against America is bad because they think America is bad and two things can't be bad because they like to argue is causing you to hear the worst possible version of people's positions.


If you re-read my statement it doesn't justify or praise Saddam. "Saddam did nothing wrong" in the eyes of the US.. like Salman did nothing wrong that is worthy of punishment in the journalist murder case, from the US point of view.

It merely states that the US will happily create, fund and tolerate monsters, but the moment they are political enemies they suddenly become devil incarnate. Happily fund and arm bin-laden, and extreme fundamental ideologies and then turn around and claim the high moral ground. Today KSA can do no wrong and Iran can do nothing right. Tomorrow if KSA switches sides, then they will suddenly become evil tyrants that have regressive views and torture their people.

It's not A vs B is a flawed comparison. It's A makes B, both are evil and roll around happily in the mud. A then claims moral superiority and is called out on its bullshit.


Not only that, but this breeds hate towards the US as well.

Because in the eyes of a poor individual civilian who had food to eat yesterday and didn't today due to some stupid embargo, the US is responsible for their hunger.


That's gonna be true regardless of what happens, the NK regime isn't exactly going easy on the propaganda.


We've been relentlessly attacking them for well over half a century, starting by killing a large portion of the population. I don't think we get to pretend the answer to "what if we stop attacking them" is obvious.


NK invaded SK, not the other way around. Defending an ally from their aggression is a very strange thing to call "relentlessly attacking them". Also after the Korean War, not really sure I would classify much else as "relentlessly attacking" either.


[flagged]


Please don't take HN threads further into political or nationalistic flamewar. They're tedious, usually nasty, and not what we want here.

https://news.ycombinator.com/newsguidelines.html

We detached this subthread from https://news.ycombinator.com/item?id=26910467.


> So no---don't give them anything other than food, and medicine.

And miss an opportunity to infiltrate them with BIOS-level malware? That'd be a shame.


> They have missiles pointed at South Korea, and the USA.

Did you miss the entire section of the previous century we refer to as the "Cold War"? The US and the Soviet Union kept missiles pointed at each other to deter each other from open war. South Korea and the US are doing routine military "exercises" near the North Korean border (just as NATO did near the Soviet Union's border). There's no reason to believe North Korea could ever destroy the entire US and come out alive, but making sure that if the US (or South Korea) decides to invade them it'll be as unpleasant as possible seems like a good survival strategy when even your closest ally, China, is unlikely to back you up in a war against the US.

> The dictator teaches his people Americans are evil, and must be destroyed.

Hyperbole aside, please read up a bit on the history of the Korean War. The US actively involved itself against the wishes of the UN and went on to commit more war crimes than either of the two Koreas. You can't fault North Korea for thinking of the US as evil after that.

> The dictatorship is actively teaching citizens hacking skills

In the same sense that the US government is actively teaching citizens military skills, sure. It's called military training and every country that maintains a standing army has it. There's no reason to paint this as nefarious by implying North Korea is mass enrolling janitors, teachers, basket weavers and rice farmers in "military black hat hacking 101" on udemy. Especially when this thing exists: https://en.wikipedia.org/wiki/America's_Army

> aimed at ruining American lives.

Citation needed. If what you mean is disrupting US infrastructure and harming its economy and military operations, then that's not unusual or particularly nefarious, even if you might disagree with it because you're on the receiving end. Remember when "someone" (speculated to be Israel and/or the US) sabotaged nuclear power plants in Iran?

> teaches his people Americans are evil, and must be destroyed

Just because I feel like I need to go back to this point: international media frequently portrays North Koreans as gullible mud farmers who believe their dear leader can teleport and landed a man on the sun. Throughout the early 2000s a common refrain in the US when talking about why Middle Eastern countries disliked the US was "they hate us for our freedoms". Remember when we had news articles for months about "Freedom Toast" and "Freedom Fries" because Americans were upset about France refusing to participate in the US's illegal military invasion? The president literally described several countries as an "axis of evil" and used religious language to describe the US and its justification for war.

If you take a step back and acknowledge the humanity of both peoples and that both of your governments engage in propaganda, it should become apparent that your entire argument can be summed up as "they have a different form of government, treat a larger share of their own population badly than we do and have conflicting geopolitical interests", which fine, but just cut out the moral grandstanding next time.


I upvoted your post for making valuable points. But why call yourself "hnbad"?


The fact that a well reasoned argument, which looks like it is being downvoted should answer that question.


Because orangesitebad was taken.

EDIT: This got downvoted (at least twice) but it's an honest response and explaining the reasoning behind either name seems redundant given the context of your question.

BTW, every one of my comments on this article has spent more time downvoted (i.e. less than 1 point) than upvoted although some fluctuate a lot. If you think this is about tone, phrasing, attitude or anything other than content, you're kidding yourself.

This isn't my first rodeo. I abandoned my old account a few years ago and took a hiatus until earlier this year with a fresh start. HN is an ideological echo chamber but sadly it's important because it's frequented by a significant amount of wealthy tech influencers (or "thought leaders" if you prefer that term) and VCs.


I mean... You have genocide'd your way across the world since the 40s, dear leader may have a point.


Please cite US involvement in a genocide since the 40s. Kind of an odd timeline to pick considering other US histories



The 2003 invasion of Iraq has killed 500,000 civilians.

The sanctions on Cuba over the past 70 years have curtailed their access to food and medical equipment.

Beat policemen in America can have a "bad day" and execute someone they feel "threatened" by with near impunity. They happen to feel threatened by people with extra melanin more often than not.

In the 1940s, the start of the epoch you specified, we put Japanese in camps. You can just imagine what would have happened if there was a mainland invasion of the country.

Are those genocidal enough for you?


the genocide of indigenous people in the US is ongoing to this day.

as mentioned by other commenters, the Indonesian genocide of '65-'66 was enthusiastically supported (watch The Act of Killing), along with numerous examples in Latin America. I know a few Salvadoran friends had family members who were murdered by the US-trained Atlacatl death squad. of course most were done in the name of anti-communism and are therefore sacrosanct in the American mythology.

and since we're on a thread about North Korea I would be remiss if I didn't also point out that the US killed hundreds of thousands of civilians in the Korean war, and one of our top generals at the time was a rabid advocate for genocide via nuclear attacks.


It's hard to narrow down my picks but I'll go with the big 3.

500k Iraqis

2000k Vietnamese

300k Afghanis

This is ignoring any "indirect" involvement in many, many coups in south America.

I honestly think the world would be safer if you fucked off for 50 years or so. Find a pet project closer to home you're interested in, those Mexican kids won't put themselves in cages after all.


Between a country that attacked numerous others with few interruptions during the last 70 years and another one that didn’t attack any other since its last war (technically not over), who is the real rogue state? Who has more nuclear weapons than any other state? Who has military bases and makes use of them on almost everyday continent?

North Korea is being bullied for ideological reasons that lost meaning with the end of cold war. The solution is more integration in the international community, not more bullying that profits only a few politicians of one country.

> The dictator teaches his people Americans are evil, and must be destroyed.

Americans teach that North Korea is an evil country that must be destroyed. Your comment is a perfect example of this education.



>>North Korea is being bullied for ideological reasons

If by "ideological reasons" you mean "human rights".


The pressing question is how do we rescue Tea Girl from North Korea?

https://www.youtube.com/watch?v=RF2gswLeuPQ



