DPRK - Voice of Korea

2013-01-16 06:13:00
Not sure where to write about it; it doesn't really fall into any known category, so let it be here for now.

Apparently, North Korea's state news agency has a website facing the external world here: http://www.vok.rep.kp/CBC/english.php

For the purpose of web scraping, I decided to download their audio reports for my own purposes. It turned out that every link to an audio or video file uses the kms:// protocol, an invention of Pyongyang labs. To play one, you have to install a separate application that runs outside the browser and intercepts kms links. KMS, I believe, stands for "Korean media stream".

Example of a link:
kms://175.45.176.67/CBC_audio/CBC_Russian/RN13011501.aac
kms://175.45.176.67/CBC_audio/CBC_English/EN13011501.aac
etc.

The installer executable is infected with Trojan-Dropper.Win32.Daws.avdh, and the application itself with Trojan.Win32.Genome.ahxpo. Install it at your own risk.

The KMS protocol is not described anywhere on the internet. No HTTP proxy sees the requests that the provided app generates. So with the help of Wireshark I drilled into it to see what's going on. After a pair of SYN and ACK requests to 175.45.176.67 it actually initiates an RTSP session, or so it seems.

Request: DESCRIBE rtsp://175.45.176.67/CBC_audio/CBC_Russian/RN13011501.aac RTSP/2.0\r\n
Method: DESCRIBE
URL: rtsp://175.45.176.67/CBC_audio/CBC_Russian/RN13011501.aac
CSeq: 2\r\n
User-Agent: HMSPlayer (High-quality Multimedia Streaming Client v2.0)\r\n
Accept: application/sdp\r\n
\r\n

The next one:

Request: SETUP rtsp://192.168.245.20//krtdata/multimedia/CBC_audio/CBC_Russian/RN13011501.aac/track1 RTSP/2.0\r\n
Method: SETUP
URL: rtsp://192.168.245.20//krtdata/multimedia/CBC_audio/CBC_Russian/RN13011501.aac/track1
CSeq: 3\r\n
User-Agent: HMSPlayer (High-quality Multimedia Streaming Client v2.0)\r\n
Accept: application/sdp\r\n

And finally PLAY:

Request: PLAY rtsp://192.168.245.20//krtdata/multimedia/CBC_audio/CBC_Russian/RN13011501.aac/ RTSP/2.0\r\n
Method: PLAY
URL: rtsp://192.168.245.20//krtdata/multimedia/CBC_audio/CBC_Russian/RN13011501.aac/
CSeq: 4\r\n
User-Agent: HMSPlayer (High-quality Multimedia Streaming Client v2.0)\r\n
Seek-Mode: time\r\n
Session: E70A70AB
Range: npt=0.000-0.000\r\n
\r\n
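
An added example, not code from the original post or from the player: the three captured requests parsed in Python to pull out what stands out in them, namely that every request carries the RTSP/2.0 version token and that SETUP and PLAY address a private-range host rather than the public one in the kms:// link. The function names are illustrative assumptions; the capture text is copied from above.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Requests copied from the capture above, Wireshark's literal "\r\n" markers removed.
CAPTURE = """\
DESCRIBE rtsp://175.45.176.67/CBC_audio/CBC_Russian/RN13011501.aac RTSP/2.0
CSeq: 2
User-Agent: HMSPlayer (High-quality Multimedia Streaming Client v2.0)
Accept: application/sdp

SETUP rtsp://192.168.245.20//krtdata/multimedia/CBC_audio/CBC_Russian/RN13011501.aac/track1 RTSP/2.0
CSeq: 3
User-Agent: HMSPlayer (High-quality Multimedia Streaming Client v2.0)
Accept: application/sdp

PLAY rtsp://192.168.245.20//krtdata/multimedia/CBC_audio/CBC_Russian/RN13011501.aac/ RTSP/2.0
CSeq: 4
User-Agent: HMSPlayer (High-quality Multimedia Streaming Client v2.0)
Seek-Mode: time
Session: E70A70AB
Range: npt=0.000-0.000
"""

REQUEST_LINE = re.compile(r"^([A-Z_]+) (rtsp://\S+) RTSP/(\d\.\d)$")

def kms_to_rtsp(link):
    """Map a kms:// link to the rtsp:// URL the player sent in DESCRIBE."""
    if not link.startswith("kms://"):
        raise ValueError("not a kms:// link")
    return "rtsp://" + link[len("kms://"):]

def parse_requests(text):
    """Split the capture into requests: method, URL, version, headers."""
    parsed = []
    for block in re.split(r"\n\s*\n", text.strip()):
        first, *rest = block.splitlines()
        m = REQUEST_LINE.match(first.strip())
        if m:
            headers = dict(h.split(": ", 1) for h in rest if ": " in h)
            parsed.append({"method": m[1], "url": m[2], "version": m[3], "headers": headers})
    return parsed

def summarize(requests):
    """Per request: (method, RTSP version, host, host is in a private range)."""
    hosts = [ipaddress.ip_address(urlsplit(r["url"]).hostname) for r in requests]
    return [(r["method"], r["version"], str(h), h.is_private) for r, h in zip(requests, hosts)]
```
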

RTSP 2.0 - quite progressive for such a reclusive country. However, the protocol is marginal and I'm not sure it has any chance in the western world. Anyway. There are just no tools to pull RTSP 2.0 streams, and that's the problem.

aulismedia@moonbase:~/rtspdump$ php rtspdump.php -r rtsp://175.45.176.67/CBC_audio/CBC_Russian/RN13011501.aac -o saved.aac
RTSP protocol error: Server does not seem to agree with our intents on Describe
---Failing request:---
DESCRIBE rtsp://175.45.176.67/CBC_audio/CBC_Russian/RN13011501.aac RTSP/1.0
User-Agent: HMSPlayer (High-quality Multimedia Streaming Client v2.0)


---Response indicating failure:---
RTSP/2.0 400 Bad Request
Date: Wed, Jan 16 2013 05:35:09 GMT
Allow: OPTIONS, DESCRIBE, SETUP, TEARDOWN, PLAY, PAUSE, GET_PARAMETER, SET_PARAMETER, REDIRECT

Since all the existing tools are for RTSP 1 only, North Korean media is protected much better even than British Channel 4, which until today was wearing the crown of the hardest one. Public consumer software packages like mplayer or VLC can't handle Juche RTSP either. Pretty much, they have taken a semi-forgotten draft of RTSP 2.0 and made something up based on it. The reasons behind such an unorthodox solution remain a mystery.

I'm not going to discuss their server connection speeds, ranging from as low as 30 kbps to 300-400 kbps at most; this is OK. But hardware-wise it is most likely a low-end box as well, with relatively fresh installations of Apache, PHP, Python and Perl, but on CentOS. OpenSSL is also up ( https://www.vok.rep.kp/ ); however, purchasing an SSL certificate is probably beyond their budget: the certificate is self-signed and valid for "localhost.localdomain". Funnily enough, Firefox warns you of "sec_error_untrusted_issuer" (untrusted issuer), which in the case of the DPRK is a double entendre.

If anyone reading this wants to join hands to get this cracked, contact @aulismedia on Twitter.


Cheers.