

South Korea Still Paying The Price For Embracing Internet Explorer A Decade Ago - jacobr
http://www.techdirt.com/articles/20120507/12295718818/south-korea-still-paying-price-embracing-internet-explorer-decade-ago.shtml

======
kqr2
From the comment section, Mike Linksvayer quotes:

<http://www.kanai.net/weblog/archive/2007/01/26/00h53m55s>

    
    
      Why was SEED developed in the first place?
    
      South Korean legislation did not allow 40 bit encryption for
      online transactions (and Bill Clinton did not allow for the
      export of 128 bit encryption until December 1999) and the 
      demand for 128 bit encryption was so great that the South 
      Korean government funded (via the Korean Information 
      Security Agency) a block cipher called SEED.

~~~
Herring
How do you enforce a ban on encryption? Weren't the algorithms mostly open
source by 1999? Or why aren't other countries like Japan & Canada in the same
position?

~~~
derleth
> How do you enforce a ban on encryption?

By classifying it as a munition and using those laws. Which don't apply to
books like "Applied Cryptography" by Bruce Schneier, due to the First
Amendment. Even if they have source code printed in their appendices.

Oh, you mean _effectively_? Uh... I suppose we'll have to get back to you on
that.

~~~
stcredzero
> How do you enforce a ban on encryption?
>
> By classifying it as a munition...
>
> Oh, you mean effectively? Uh...

Back in the day, someone printed up a T-shirt that had a 4-line Perl script
that did RSA and so was a munition. (Later reduced to 3 lines.) There was a
barcode that contained the bits for the script, which you could use to
automatically read the program into a properly configured computer, so the
T-Shirt was indeed a munition under those regulations.

------
Tsagadai
It isn't just IE that is a problem. The encryption scheme developed by the
government is largely broken (due in no small part to IE and ActiveX
vulnerabilities). South Korean banks and other organisations are losing money
due to fraud and blackhat activity but there is next to nothing they can do
about it. It's really a huge mess. That and the government's encryption app is
closed source and not peer reviewed.

As always, the cause is that you are never smart enough to roll your own
encryption standard. Any time someone asks you to roll your own encryption
pinch yourself and smash your head on the desk, if you still want to code it
smash your head again.

~~~
w1ntermute
> As always, the cause is that you are never smart enough to roll your own
> encryption standard.

This is where Korea's rather boneheaded form of nationalism causes problems:

> "The Korean government took a great deal of pride in that breakthrough
> security technology," Kim said. "They wanted it to be widely used in Korea."

~~~
brazzy
> Korea's rather boneheaded form of nationalism

is there any other form?

~~~
corin_
He really meant national pride, and like any type of pride that can be
justified or foolish.

~~~
astrodust
At least it wasn't the sort of national pride where you want everyone in the
_world_ to use your national standard.

Remember the Clipper chip?

------
diminish
"As South Korea falls further and further behind in this regard, trapped in
its fossilized world of ActiveX, it may well come to be seen as warning to
other governments to adopt true open standards, if they want to avoid a
similar fate."

A warning to governments who put forms in ms office formats on their web
sites.

~~~
briandear
If I could up vote this twice I would. MS Office 'standards' are one of my
biggest complaints about tech implementations in both government and enterprise.
I would prefer PDFs or even just text files.

------
SagelyGuru
Governments ought to keep their noses out of the internet for the benefit of
all.

They have all the precedents and all the advice that they could ever want, all
pointing to the disastrous effects of centralisation and monopolies and yet
they keep pushing for them. I, for one, find it hard to sustain the belief
that these kinds of decisions are 'innocent mistakes'.

Unfortunately the more likely explanation is that they care a lot more about
their own power enhancement than about the general benefits of their subjects.
I don't even mean any particular government. This is endemic for them all.

Additionally, in the particular case of encryption, they are terrified that
someone might criticise them behind their backs and thus they keep trying to
control encryption.

~~~
aurelianito
Do you understand that "the government" funded the internet in the first
place?

Mandating standards is one of the things that a government should do. The
Korean government did a job with downsides in this case, but given that the
decision was taken in the nineties, it was not that bad.

At the time, the US government had embargoed all the cryptography with keys
that had more than 40 bits. What Koreans attempted was to work around this
limitation.

~~~
SagelyGuru
Most relevant to this discussion is _www_ and that came out as a side effect
of physics research at _CERN_, so it can hardly be described as an
intentional government funded program. The US government's _ARPANET_ plans
prior to _www_ never envisaged letting every Tom, Dick and Harry do their
banking (or anything) online.

Even at the time of the embargo, there was PGP and it worked just fine. The
problem was, and is, the close relationship between the bankers (and other
monopolists) and the government(s), whereby the public is forced to use what
they mandate, rather than the other way round.

In a different world, it would not be technically difficult for people to
download an open source application a la GPG, generate and keep their own
private keys, and the governments, banks, and software monopolists working
with it, rather than against it. The banks could look up their customers'
public keys to establish secure communications and the big software producers
could make it easier to use. All it needs is some goodwill, sadly lacking as
it weakens centralised control.

~~~
aurelianito
I think that the problem was that nobody had experience with online banking
the last millennium. The sad thing is that Koreans kept the system after they
knew that it was a really bad idea, instead of evolving it into something
better.

Do I think that it would have been better if no government intervention had
occurred? I have no reason to believe that.

------
petepete

        A bylaw was created that said government Web sites must 
        accommodate at least three different Web browsers
    

They do; IE6, IE7 and IE8.

------
maayank
To a much lesser effect, I find it true in Israel as well. I recently bought
an iPad for my mom as she uses the computer just for browsing, emailing and
skype. Turns out that even now, two websites she frequents (a workers'
committee website and some state sponsored mutual fund website) are IE only
and in a way that they truly don't work otherwise.

~~~
brazzy
AFAIK Microsoft dominates in Israel because for the longest time their
products had (and maybe still have) the best support for RTL text.

~~~
maayank
In my experience this is still true... I still haven't found a word
processor/presentation software for Mac OS X (including Office 2011) that is
compatible with my university's word and ppt files.

Moreover, the ministry of education is a big customer of MSFT, giving kids and
teenagers early exposure to MS tools (think the 90s, where not every kid had a
computer at home).

------
kristofferR
We have the same problem in Norway actually, just not nearly as bad. The
banking industry has standardized on a technology called BankID for
authentication, almost all banks use it.

The problem is that the tech sucks. It's based on two components:

* A keychain code generator (if you lose/forget it then you're screwed)

* A Java applet where you enter the code from the keychain code generator

So, if you either don't have your code generator device with you or are on
something without Java (like a smartphone or tablet), then you're screwed.

Thankfully the use of BankID isn't required by law so a few banks offer other
way more practical ways of authentication. My bank sends a random code to my
cell phone through SMS that I have to enter in a normal web form. Much simpler
and works everywhere.

------
jahewson
This is a great example of why governments should not pick the winners when it
comes to technology (or any other competitive endeavour).

~~~
timthorn
GSM being a great counter-example.

Although in general I agree with the premise you put forward, it shouldn't be
a principle applied without thought.

~~~
luriel
GSM is a pretty horrid standard, and it has plenty of security issues of its
own to the point that the title of a talk on GSM security at CCC was "SRSLY?":

<http://www.youtube.com/watch?v=9K4EDAF5OlM>

------
CWuestefeld
The article starts by saying

 _The problems of monopolies arising through network effects, and the negative
effects of the lock-in that results, are familiar enough._

But then it goes on to talk about the problems of a monopoly that was created
not by network effects, but because of governmental dictate.

The lesson here ought to be that government ought not to be so heavy-handed,
because it can't change its own regulations quickly enough to address the
naturally-changing business and technological environment.

~~~
rbanffy
> created not by network effects, but because of governmental dictate.

Let's assume Microsoft had nothing to do with convincing South Korean
government it would be a great idea to use a government dictate to further
their network effects.

The real lesson here is that governments should never get in bed with the
private sector and, when they do, both sides should be punished. Severely.

------
jeremi23
This was also the case in China when I was leaving there a year ago (and I
guess it still is). A lot of websites were working on IE only, and even if it
worked on other platforms to do a payment or access your bank account you
needed an ActiveX.

~~~
ExpiredLink
> A lot of websites were working on IE only

Oh, that's why Chinese sellers don't respond to complaints about their web
site not working in FF. They think you are a lunatic fringe.

------
scott_w
This is the (not-so) fun downside of government getting too engrossed in
business transactions.

Most "good" laws in this area would specify the desired outcome (secure online
transactions), and let people devise their own methods.

An analogy: this is like the Korean government mandating banks use a specific
model of vault door (Securico 2000), where the rest of the world merely state
"banks must ensure vaults are secured to a reasonable standard". If a fault
exists in the Securico 2000, most banks will (eventually) update, lest they be
sued for negligence in event of someone breaking into the bank and stealing
valuable property. Korean banks would be perfectly safe from legal recourse,
since they are following state law.

Of course, this is not unique to government-mandated technology. Monopoly
groups can cause the same distortion e.g. Verified by Visa.

~~~
_delirium
Downside to government getting involved in business transactions _poorly_, at
least.

Denmark has quasi-standardized on a two-factor online security solution,
NemID, which works fairly well, and is now used for login to most government
services and most banks. Previous to the government getting involved, there
were some truly horrid ActiveX and Java plugin solutions in use at most banks.
The actual technology is developed by a private company, though; it was
selected for implementation by the government, but not developed in-house.

~~~
driax
But let us not forget that it took the Danish Government two tries to get it
right.

First they tried to push digital signatures on everyone, with the idea that
people should use their personal certificate to login to banks and government
systems. However the banks would have none of it, because of the bad user
interface (ever tried to use client-side certificates in _any_ browser).

They then adopted a system that was a mix of systems already in use by a
number of banks. Key-cards to be distributed by snail-mail and entered through
a Java plugin. Why they didn't go for a JavaScript solution is sad, but I
would guess that some banks (such as Danske Bank) would have trouble
adjusting.

So the lesson is probably that (some) governments are good at standardizing
already (good) practices.

PS: Also note that some Companies (like Telmore, one of the largest online
shops), who offered the old system (client-side certificates), won't use the
new because of the absurd cost associated. (They have to pay per registered
user, not by how much each user is using the system)

------
OSButler
I had to install 4 different programs, which are constantly running in the
background, just to be able to use online banking for my Korean account.

From a user's perspective this is really bad, since you have no idea if the
installed programs are valid and what they actually do.

In addition to that I once tried using my bank's online banking app for the
iPhone. It took me quite a while to figure out why it wasn't working, because
you cannot actually use it without going to the bank and receiving a valid
encryption key for your access.

Then there's online purchases in South Korea, which are of course most of the
time limited to IE only again as well. It also often requires having a South
Korean cellphone number, since activation codes are sent via text message
instead of email.

Setting up an account for a website service also means providing a Korean ID
number, due to their online access policies. Overall it took me the course of
a day simply trying to order something from outside Korea and then failing at
the last step due to the site not accepting foreign credit cards.

Overall the online experience for South Korean sites is extremely bad. If
you're not using a Windows PC there, then you're out of luck without using VMs
or a separate Windows partition on it.

------
ralfd
As a long time Mac user I never encountered ActiveX. Or at least I don't
remember anymore. Is this still in use at major websites apart from Korea? And
what is ActiveX exactly: Something to execute code like Java or JavaScript?

~~~
doc4t
ActiveX is (among other things) used to run JScript in the browser. JScript
can be viewed as a superset of JavaScript and will allow you to interact with
the file system and such.

~~~
arethuza
I've seen code (and still have the mental scars) that used VBScript on the
client to open a database connection directly from the web client to the DB
server - including the database username and password _in_ the client code
(this was, of course "sa").

~~~
mgkimsal
Well, at least they didn't have to provide a password. Embedding a password in
the client code would have been _insecure_! ;)

------
donpark
Given that Ahn Chul-soo, one of the two candidates with most public support
in the upcoming Presidential election, is founder of an anti-virus software
company, I think days of 'Paying the Price' will end soon and abruptly.

I don't think it matters if he wins or loses. He can catapult this issue up
high enough to trigger another governmental [over-re]action to undo the damage
done.

~~~
rbanffy
> Given that Ahn Chul-soo, one of the two candidates with most public support
> in the upcoming Presidential election, is founder of an anti-virus software
> company, I think days of 'Paying the Price' will end soon and abruptly.

Are you kidding?! A Windows monoculture is on the basis of his businesses.

------
dean
" _...businesses, too, are hamstrung when it comes to innovation._ "

Maybe. At least for the particular case of an online purchase from a South
Korean vendor. But when you look at a company like Samsung Electronics, which
is "the world's-largest IT producer" according to Wikipedia, and makes very
popular Android devices, I'm not too concerned about innovation in South
Korea.

------
majmun
In addition, South Korea is one of the most pwned countries on the internet
(based on latest antivirus vendors' reports).

------
Eduard
Here is a link to recent and current usage share of browsers in South Korea.
I'm really surprised!
<http://gs.statcounter.com/#browser-KR-monthly-200807-201205>

