←back to thread

North Korean IT workers have infiltrated the Fortune 500

(www.yahoo.com)
145 points cwwc | 5 comments | 08 Apr 25 00:47 UTC | HN request time: 0.77s | source
Show context
throwaway_ab ◴[08 Apr 25 04:27 UTC] No.43618350[source]
A flagged post mentions this is racist and typical anti immigration rhetoric.

That's not true, there are only two types of North Korean people you'll meet, either those that have defected and escaped North Korea or those that are agents of the state of North Korea.

There are very few defectors in existence and once they escape they're given full South Korean citizenship. This article is not about those people.

The vast majority of North Koreans outside North Korea are not defectors, instead they are controlled state assets. There are no North Korean people outside the country that are free citizens. Every single North Korean authorised to leave the country is working directly for their government often to raise money for the regime, to steal IP, to infiltrate for some nefarious purpose.

Having one of these North Korean active assets in your company is extremely dangerous, your business is now at risk of leaks, theft, or worst something being modified like added vulnerabilities that could be exploited later in cyber attacks.

So no, this article is not racist at all and really has nothing to do with the recent political situation.

replies(8): >>43618407 #>>43618479 #>>43618767 #>>43618812 #>>43618892 #>>43618908 #>>43618920 #>>43619050 #
plsbenice34 ◴[08 Apr 25 05:01 UTC] No.43618479[source]
What about Australia in comparison? Australians can be legally compelled in secret courts to install backdoors in the companies in which they are employed, and gagged from telling the company itself or any journalists (see the Access and Assistance Bill). That doesn't cross the same 'agents of the state' line?
replies(9): >>43618499 #>>43618500 #>>43618504 #>>43618769 #>>43618819 #>>43618950 #>>43619582 #>>43621438 #>>43621557 #
1. skissane ◴[08 Apr 25 06:04 UTC] No.43618769[source]
> Australians can be legally compelled in secret courts to install backdoors in the companies in which they are employed, and gagged from telling the company itself or any journalists (see the Access and Assistance Bill).

My thoughts on this as an Australian software engineer: how could they possibly “order” me to “install a backdoor”? To change a production system, I need an issue in the issue tracker, I need a PR, I need a colleague to review and approve it-if I’m not allowed to call it “install backdoor at Australian government’s demand”, what am I going to call it? How am I suppose to justify it to the reviewer? How do I respond to their questions? How do I convince them to approve it? “I’m sorry I’m not allowed to tell you why this PR is needed” is not going to get it approved

And in the (I think highly implausible) event the government did order me to do such a thing-first I’d insist it was impossible (due to the kind of internal controls I’ve already mentioned), and if they wouldn’t accept that answer, then I’d resign rather than do it. I don’t think the law can stop you from quitting your job, and once you quit, you are no longer able to comply with any such orders.

It seems to me like one of these laws which has disturbing wording but is going to be very difficult for the authorities to utilise in practice.

(Disclaimer: of course I don’t speak for my employer, etc)

replies(2): >>43618992 #>>43619109 #
2. donnachangstein ◴[08 Apr 25 06:47 UTC] No.43618992[source]
Everyone was blaming the Chinese/Russians/Israelis for the xz backdoor.... maybe it was the bloody Australians the whole time and no one suspected it!
3. dmurray ◴[08 Apr 25 07:09 UTC] No.43619109[source]
I suppose you'd do it the same way any North Korean operative would. They'd offer you training on how to bypass the controls. They'd get you to exfiltrate the code and the product roadmap. They'd have someone more skilled suggest a plausible backdoor as part of an innocent change, like the xzutils one.

As for how they'd force you, just like any intelligence agency, they'd start with carrots. They'd offer you money, or the chance to feel you were serving your country (both are free to the Australian government, and likely more effective than a double ration of wheat). They'd have you do very innocent, justifiable things at first. They'd work their way up to higher demands. If you got cold feet, they'd tell you you were in too deep. They'd then consider the sticks. They'd threaten to expose your spying, or release some other compromat. They'd arrest you or a family member on a he-said-the-cops-said enemy-of-the-people crime like drugs, child pornography or terrorism, and make it clear that only your full cooperation would see a release.

Nobody thinks the Australian government relies on this kind of thing as much as NK, and the checks and balances of a democracy make it too expensive to do this at an industrial scale. But you'd be foolish if you thought the state doesn't have these capabilities, and the complete willingness to use them for matters of national security, and the ability to make it "legal", perhaps by pardoning people or not cooperating with any court.

replies(2): >>43623078 #>>43626600 #
4. SR2Z ◴[08 Apr 25 15:41 UTC] No.43623078[source]
The state always could go after your family, but it seems like some are much better at not doing that than others.

The state is a coercive institution, but seeing how Australia is a liberal democracy with a constitution I would want to see some actual proof of threatening families.

5. skissane ◴[08 Apr 25 21:21 UTC] No.43626600[source]
> I suppose you'd do it the same way any North Korean operative would.

What you are describing here is something any country could do – yes, it is conceivable that Australia's intelligence agencies could use bribery/harassment/threats/blackmail/etc to turn Australian citizens into unwilling spies – but the same is true of the UK, the US, France, Germany, whatever.

The thing that people are calling out Australia over, is a law which says a court can order someone to install a secret backdoor, and furthermore order them not to tell (almost) anyone about it. [0] And I'm sceptical that law could be used in the way you describe – e.g. "They'd offer you training on how to bypass the controls" – the law says a court can order you to install a backdoor – it doesn't say it can order you to attend a training course on how to "bypass controls".

Keep in mind, while proceedings are under seal, you are allowed to retain a lawyer, and your lawyer can make legal arguments before the judge, and can appeal the judge's rulings. IANAL, but would a judge rule that a power to order someone to install a backdoor extends to ordering them to attend a government-run training course on how to deceive their employer? Even if a judge did rule that way, would the appellate courts uphold the ruling?

Or, similarly – "They'd get you to exfiltrate the code and the product roadmap" – does a legal power to order someone to install a backdoor, extend to a legal power to order them to hand over generalised confidential information of their employer? Or similarly – "They'd have you do very innocent, justifiable things at first" – does a legal power to order someone to install a backdoor, extend to a legal power to order them to do "very innocent, justifiable things" which don't in themselves directly contribute to installing any backdoor?

And, as I said, if your lawyer can't talk the court out of it – resign. Will a judge hold that a judicial power to order to the installation of a backdoor extends to ordering a person not to resign their job?

Get a medical certificate saying you can't work. Get yourself admitted to a private psychiatric hospital on the grounds that the stress of this secret government order has caused you to have a nervous breakdown / panic episode / suicidal ideation / etc. (I think if I ever were issued such a secret government order, it really would have that kind of extreme detrimental impact on my mental health, I wouldn't be faking it.) I think a lot of psychologists/psychiatrists/etc would be very sympathetic to your plight. What's a judge supposed to do if they have a psychiatrist testifying that you are medically unfit to comply with the order, or return to the job which the order is associated with?

[0] You are explicitly allowed to tell your personal legal counsel.