My work brings me into regular contact with DPRK IT professionals, for example by [teaching open source software](https://izbicki.me/blog/teaching-open-source-in-north-korea.html) or [teaching proper web design](https://izbicki.me/blog/fixing-north-korea-kcna-webpage.html). I make a lot of effort to respect sanctions, but documents like this are incredibly unhelpful. I've read through the document, and it seems completely devoid of actionable, DPRK-specific information that can help IT professionals avoid sanctions violations. For example, the document encourages websites to monitor for the following activity as "indications of DPRK IT workers who may be using their platforms":

• Multiple logins into one account from various IP addresses in a relatively short period of time, especially if the IP addresses are associated with different countries;
• Developers are logging into multiple accounts on the same platform from one IP address;
• Developers are logged into their accounts continuously for one or more days at a time;
• Router port or other technical configurations associated with use of remote desktop sharing software, such as port 3389 in the router used to access the account, particularly if usage of remote desktop sharing software is not standard company practice;
• Developer accounts use a fraudulent client account to increase developer account ratings, but both the client and developer accounts use the same PayPal account to transfer/withdraw money (paying themselves with their own money);
• Frequent use of document templates for things such as bidding documents and project communication methods, especially the same templates being used across different developer accounts;
• Multiple developer accounts receiving high ratings from one client account in a short period, with similar or identical documentation used to establish the developer accounts and/or the client account;
• Extensive bidding on projects, and a low number of accepted project bids compared to the number of projects bids on by a developer; and
• Frequent transfers of money through payment platforms, especially to PRC-based bank accounts, and sometimes routed through one or more companies to disguise the ultimate destination of the funds.

This list is so generic that I'm not sure what the point of it is. I think it would make sense to ban some of these practices from a general security perspective. But these practices would give way too many false positives if you were trying to use them to identify DPRK developers.

I'm honestly really confused about who the target audience is for publications like this. It can't be actual IT professionals due to the lack of actionable information. Is it journalists? Do we publish these things just to remind them that we don't like the DPRK?
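
Added example, not part of the comment or of the advisory it quotes: the first two indicators in the quoted list written as detection rules over constructed login events. The time window, the thresholds, the event format and all account names, IPs and country labels are assumptions (the advisory gives no numbers); the sample data includes a VPN user and an office NAT, which both rules flag.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login events: (ISO timestamp, account, source IP, GeoIP country).
# IPs come from documentation ranges; the country labels are made up.
EVENTS = [
    ("2024-01-15T08:00:00", "dev_a", "192.0.2.10", "US"),
    ("2024-01-15T08:40:00", "dev_a", "198.51.100.7", "DE"),   # VPN exit node
    ("2024-01-15T09:10:00", "dev_a", "203.0.113.5", "SG"),    # VPN exit node
    ("2024-01-15T09:00:00", "dev_b", "192.0.2.77", "US"),     # office NAT
    ("2024-01-15T09:05:00", "dev_c", "192.0.2.77", "US"),
    ("2024-01-15T09:20:00", "dev_d", "192.0.2.77", "US"),
    ("2024-01-15T10:00:00", "dev_e", "192.0.2.200", "CA"),
    ("2024-01-17T10:00:00", "dev_e", "198.51.100.99", "FR"),  # two days later
]

WINDOW = timedelta(hours=2)   # assumed: the list only says "relatively short"
MIN_COUNTRIES = 2             # assumed threshold
MIN_ACCOUNTS = 3              # assumed threshold


def parse(events):
    return sorted((datetime.fromisoformat(ts), a, ip, cc) for ts, a, ip, cc in events)


def multi_country_accounts(events):
    """Indicator 1: one account, logins from several countries within WINDOW."""
    by_account = defaultdict(list)
    for ts, acct, _ip, cc in parse(events):
        by_account[acct].append((ts, cc))
    flagged = {}
    for acct, logins in by_account.items():
        for i, (start, _cc) in enumerate(logins):
            countries = {cc for ts, cc in logins[i:] if ts - start <= WINDOW}
            if len(countries) >= MIN_COUNTRIES:
                flagged[acct] = max(len(countries), flagged.get(acct, 0))
    return flagged  # account -> most countries seen in any one window


def shared_ip_accounts(events):
    """Indicator 2: several accounts logging in from the same IP address."""
    by_ip = defaultdict(set)
    for _ts, acct, ip, _cc in parse(events):
        by_ip[ip].add(acct)
    return {ip: sorted(a) for ip, a in by_ip.items() if len(a) >= MIN_ACCOUNTS}


if __name__ == "__main__":
    print(multi_country_accounts(EVENTS), shared_ip_accounts(EVENTS))
```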