
South Korea is stuck with Internet Explorer for online shopping - nichol4s
http://www.washingtonpost.com/world/asia_pacific/due-to-security-law-south-korea-is-stuck-with-internet-explorer-for-online-shopping/2013/11/03/ffd2528a-3eff-11e3-b028-de922d7a3f47_story.html
======
ddoolin
I've lived in Korea for quite a length of time and my wife is Korean...and I
concur that it's a nightmare. No Korean financial institution will let you log
into their interfaces on anything other than IE. Often the homepage would be
completely broken in anything other than IE anyway. This is true for most
sites, though those were easily avoidable. Banks and the like, not so much.

To perform financial transactions online in Korea, you would need a plethora
of software (often one from each party you would deal with) that revolved
around security certificates that were issued by the banks that would store a
hard copy of the certificate locally on your computer. Often it didn't work at
all, not even getting into the security implications of the system. Bank
hacking is so common in Korea, it's really disturbing. There is absolutely no
accountability where the attempts at security do exist.

Also, you need to use your Citizen Number (basically a Social Security Number)
to register for ANY service in Korea, even common websites. So everything you
do can be traced via that single number. For foreigners, registering for
common sites is usually impossible because our alien numbers are stored
wherever normal citizen numbers are, so unless the site has a separate process
for foreigners, you'd be out of luck. It's quite a mess. I can't say enough
bad things.

On the bright side, start ups like Vingle in Seoul are doing a lot to tip the
scales for the younger generation by only supporting modern browser versions
(IE8+, not the most modern, but definitely a step up from IE6, which has a
huge market share still, too), but it's a slow change.

~~~
lifthrasiir
> Also, you need to use your Citizen Number (basically a Social Security
> Number) to register for ANY service in Korea, even common websites.

Since 2011, websites cannot ask or store resident registration numbers (that's
the official name) for non-financial purposes. Sadly, it happened after a
major incident which exposed RRNs of more than 70% of Koreans. [1] It is a
common estimate that every Korean person has had his/her RRN hacked at least
twice due to frequent incidents.

The Korean government endorses i-PIN nowadays, which is basically... uh...
redundant aliases to the unique RRN. This is obviously stupid, you can hack
i-PIN instead of RRN and you have the same credential. Well, at least i-PIN is
random. (RRN had very low entropy, and even shallow information about the
target may limit possible RRNs to only hundreds.)

[1] https://en.wikipedia.org/wiki/Resident_registration_number#Online_use
for the 2011 incident.

~~~
beagle3
That's really f'd up.

Israel has an "ID number" system, which you use when interfacing with e.g.
health providers, or when applying to an academic institute. However, it is
not assumed to be secret, and any action that would require positive
identification will have it done with a physical government issued ID
(national ID card, national driver's license, or passport) - knowing the
number is not enough.

The system is far from perfect - there is a lot of information leakage, but
identity theft requires forgery of physical artifacts, and more often than not
- appearance in person - so it is not as common as e.g. in the US.

------
PakG1
It is strange that I think of this after reading this, but this seems to be
the dystopian future scenario that freaked out the DOJ due to Microsoft
bundling the IE browser with Windows. It is strange that this situation
actually came about, but due to reasons of law, not due to Microsoft's own
market clout.

~~~
patrickaljord
It isn't strange, most monopolies are born out of bad government policies, not
the market.

~~~
seanmcdirmid
> It isn't strange, most monopolies are born out of bad government policies,
> not the market.

Citation needed. There are government mandated monopolies but you can also
achieve a monopoly using purely free market tools and simply lock up all
supply and/or distribution via aggressive investments.

You seem to imply government-induced monopolies > free market monopolies, but
provide no evidence or even an argument that this is indeed true. You just
state it as a universally recognized fact, when that is obviously not the
case.

~~~
Mikeb85
> Citation needed.

Any real economist.

Inevitably, if any industry is profitable, competition will arise. Government
regulation (often through corruption) is the only mechanism which ensures a
lack of competition. This can be observed in any industry throughout the last
100 years.

You're right that companies can lock up the vast majority of a market by out-
competing others, but this generally doesn't last very long (typically a
decade or less).

~~~
AnIrishDuck
> Any real economist.

Any real economist can cite many monopolies that arise through market forces
alone.

> Inevitably, if any industry is profitable, competition will arise.

This is not true. There are many different definitions of "profit", and there
are many cases where an industry that makes a real business profit will not
support a competitor that makes an economic profit. The obvious example is
markets with very large economies of scale [1].

> Government regulation (often through corruption) is the only mechanism which
> ensures a lack of competition. This can be observed in any industry
> throughout the last 100 years.

I'm interpreting this to mean "only through government intervention can we
ensure a lack of competition". Again, this is not true. Any party that can
make a massive capital investment (which already vastly reduces the pool of
competition) can enter a space and make any future entrance by a competitor
completely unprofitable.

To see an example of this, let's go a century back in time to the day of
Standard Oil. Standard Oil was notorious for leveraging its massive capital
advantage to destroy its competitors. It would enter a new market and lower
its prices (leveraging its massive war chest). Once its competitors left
business, it would raise prices again to screw over consumers. After many
people caught wind of this blatant market manipulation, it turned to deceptive
practices and things like tying agreements [2].

What government policy led to the dominant monopoly of Standard Oil?

> You're right that companies can lock up the vast majority of a market by
> out-competing others, but this generally doesn't last very long (typically a
> decade or less).

Standard Oil was supreme for over thirty years. If only we could invent a time
machine, to hear the gales of laughter from the businessmen of the day at the
notion that Rockefeller became the king of oil by "out-competing" others.

He became dominant through backroom deals and anti-competitive practices.
Government intervention was what finally ended the Standard Oil monopoly. It
was also likely the only thing (barring the death of Rockefeller or some kind
of market shift) that ever would.

[1] http://en.wikipedia.org/wiki/Economies_of_scale
[2] http://en.wikipedia.org/wiki/Standard_oil#Monopoly_charges_and_anti-trust_legislation

~~~
Mikeb85
> He became dominant through backroom deals and anti-competitive practices.

Backroom deals AKA corruption. Corruption and regulation are two sides of the
same coin. Had the market been perfectly competitive (ie. state governments
not succumbing to corruption) the monopoly likely would not have formed and
lasted.

Your only example merely proves my point.

Try to find a monopoly that has arisen in an open market, free from government
'intervention' (either regulation OR corruption).

~~~
AnIrishDuck
It's clear from your response that you didn't read the cited link.

> Backroom deals AKA corruption. Corruption and regulation are two sides of
> the same coin.

You seem to labor under some obtuse notion that the state governments were the
subject of the backroom deals. Let me dispel that for you, by quoting from the
article cited that you apparently couldn't be bothered to read:

> In a seminal deal, in 1868, the Lake Shore Railroad, a part of the New York
> Central, gave Rockefeller's firm a going rate of one cent a gallon or forty-
> two cents a barrel, an effective 71 percent discount from its listed rates
> in return for a promise to ship at least 60 carloads of oil daily and to
> handle the loading and unloading on its own

> Rebates, preferences, and other discriminatory practices in favor of the
> combination by railroad companies; restraint and monopolization by control
> of pipe lines, and unfair practices against competing pipe lines; contracts
> with competitors in restraint of trade; unfair methods of competition, such
> as local price cutting at the points where necessary to suppress
> competition; [and] espionage of the business of competitors, the operation
> of bogus independent companies, and payment of rebates on oil, with the like
> intent.

> The general result of the investigation has been to disclose the existence
> of numerous and flagrant discriminations by the railroads in behalf of the
> Standard Oil Co. and its affiliated corporations. With comparatively few
> exceptions, mainly of other large concerns in California, the Standard has
> been the sole beneficiary of such discriminations. In almost every section
> of the country that company has been found to enjoy some unfair advantages
> over its competitors, and some of these discriminations affect enormous
> areas.

> Almost everywhere the rates from the shipping points used exclusively, or
> almost exclusively, by the Standard are relatively lower than the rates from
> the shipping points of its competitors. Rates have been made low to let the
> Standard into markets, or they have been made high to keep its competitors
> out of markets. Trifling differences in distances are made an excuse for
> large differences in rates favorable to the Standard Oil Co., while large
> differences in distances are ignored where they are against the Standard.
> Sometimes connecting roads prorate on oil—that is, make through rates which
> are lower than the combination of local rates; sometimes they refuse to
> prorate; but in either case the result of their policy is to favor the
> Standard Oil Co. Different methods are used in different places and under
> different conditions, but the net result is that from Maine to California
> the general arrangement of open rates on petroleum oil is such as to give
> the Standard an unreasonable advantage over its competitors

> The evidence is, in fact, absolutely conclusive that the Standard Oil Co.
> charges altogether excessive prices where it meets no competition, and
> particularly where there is little likelihood of competitors entering the
> field, and that, on the other hand, where competition is active, it
> frequently cuts prices to a point which leaves even the Standard little or
> no profit, and which more often leaves no profit to the competitor, whose
> costs are ordinarily somewhat higher

Note that the word "government" appears nowhere in any of these allegations.
All of these backroom deals existed with other market participants.

If you redefine "corruption" to mean "not involving the government whatsoever"
then your points are indeed true, but you are then proving the exact opposite
of your initial assertion that "only governments can create monopolies".

Anyway, it's not clear if you're a troll or ignorant at this point, and I
doubt that further effort to dispel your quaint notions will be worth my
invested time.

~~~
Mikeb85
Well first of all, I did glance at the article, and now concede I may have
been mistaken. However, there have been charges of government corruption vis à
vis Standard Oil.

[http://www.pagetutor.com/standard/chapter13_part1.html](http://www.pagetutor.com/standard/chapter13_part1.html)

The whole text.
[http://www.pagetutor.com/standard/toc.html](http://www.pagetutor.com/standard/toc.html)

It does seem as though they (mostly) legitimately competed, and given the
historic oil price throughout their reign (which fell drastically,
[http://www.pagetutor.com/standard/chapter16_part1.html](http://www.pagetutor.com/standard/chapter16_part1.html))
it doesn't seem as though they exercised monopoly power (at least not nation-
wide).

------
gkanai
I covered this on my blog in 2007:
[http://kanai.net/weblog/archive/2007/01/26/00h53m55s](http://kanai.net/weblog/archive/2007/01/26/00h53m55s)

My blog post was heavily covered in Boing Boing, Slashdot, Salon, etc. at the
time.

~~~
kippetlong
So nobody else is allowed to write about it ever again?

~~~
gkanai
Where did I say that? My point is that in the 7 years since 2007, effectively
nothing has changed.

~~~
kippetlong
"My blog post was heavily covered in Boing Boing, Slashdot, Salon, etc. at the
time."

Ugly boasting.

~~~
talmand
Or effective means of making a point.

------
grownseed
I lived in South Korea for a while and this "security plugin" you have to
install for IE is an absolute nightmare. Some sites even ask you to install a
separate application to be able to perform transactions, only through IE of
course...

Truth be told, I never actually managed to buy anything online when I was
there. It's like everything was designed to keep me from buying. What didn't
help was that I was on Visitor status, meaning you don't get your national ID,
which is required on a vast number of SK sites. Without ID, you just become
some kind of virtual hobo.

It's a shame considering the amazing infrastructure there is over there.
Anyone who's ever visited SK websites will tell you how poorly put together
they are, both technically and visually. I've rarely seen such disparity
between the underlying infrastructure and its use anywhere else.

------
bane
An example of a premature optimization and what not following standards can
do.

Some more background
[http://en.wikipedia.org/wiki/SEED](http://en.wikipedia.org/wiki/SEED) and
[http://kanai.net/weblog/archive/2007/01/26/00h53m55s](http://kanai.net/weblog/archive/2007/01/26/00h53m55s)

There was some hope last presidential election cycle that this would become a
topic for the new administration to tackle [1], but that candidate (Ahn Cheol-
soo) lost the election and it seems to have fallen off the table for now.

[1] http://www.theregister.co.uk/2012/11/14/ahn_lab_internet_explorer_seed_replace_korea/

------
ksk
Typical of most MS bashing articles - this article is troll-bait at best and
false at worst. Internet Explorer is not mandated by law.

What happened was, the US had banned export of 128bit encryption software. The
Korean government said screw that and created browser plugins - for BOTH
Netscape and IE - to use 128bit encryption for online transactions. Netscape
died and IE remained. I guess their implementation is proprietary enough that
nobody else has managed to implement it on other browsers.

~~~
huxley
The 128-bit export restriction ended 13 years ago, so the use of the home-
grown encryption standard has been a choice made by the Korean government and
corporations. Yes, the export restrictions were stupid, but there has been
plenty of time to switch over.

NPAPI is supported in most browsers, so the SEED implementation had to have
been pretty tied to Netscape Navigator/Communicator implementation as it
existed pre-Firefox.

If the government implementations are the de facto standards and the Korean
government has only maintained an ActiveX version for the last 10 years, I
can't see how you can interpret it as anything other than an IE mandate.

~~~
ksk
> If the government implementations are the de facto standards and the Korean
> government has only maintained an ActiveX version for the last 10 years, I
> can't see how you can interpret it as anything other than an IE mandate.

Because the government is not mandating IE? The _public_ overwhelmingly used
IE over Netscape which caused the government to go "okay since nobody is using
netscape we're going to only maintain one plugin". I think it's a pretty
important distinction to make. Anyway, we disagree. No biggie :)

~~~
guard-of-terra
Having to choose between dead Netscape and alive IE is a fake choice. May I
have my third choice please?

~~~
ksk
What they should really do is open source their plugin or at the very least
their spec.

------
viraptor
I'm really surprised that in the last 14 years no one wrote a compatibility
layer. It's definitely possible (see the comment about tablets) and embedding
crazy stuff from windows is nothing new in linux world (wine, ndiswrapper).

So what's the actual barrier to doing that? (also, why doesn't FF solve the
issue since
[https://bugzilla.mozilla.org/show_bug.cgi?id=478839](https://bugzilla.mozilla.org/show_bug.cgi?id=478839)
was fixed? - it looks like guys from KISA are actually cooperating to
implement the needed ciphers)

~~~
gkanai
Mozilla added SEED support to Gecko many years ago. Nothing has been done
since then (on the Korean side) to implement support beyond that.

~~~
viraptor
But what exactly is needed? What is stopping someone from writing a FF
extension that will capture all activex object tags and replace them with
something doing the same operations in FF's chrome?

Is the auth protocol completely unknown? Is the activex control obfuscated
more than is possible to reverse-engineer?

~~~
itsameta4
ActiveX is designed to hook directly into the Windows OS. That's what makes it
so dangerous, but useful in this case, since you can add a cert to the trusted
store.

Firefox is designed to be secure and sand-boxed, especially its plugin
architecture.

~~~
jlgreco
You don't need to replicate all of the functionality that activex has. You
just need to emulate the behaviour from the bank's point of view of whatever
their particular activex does. Maybe the ActiveX rewrites a bunch of files
with admin privileges "for security", and then negotiates some sort of key
exchange... in that case just write JS that _says_ it did the shit that
requires admin privileges, then negotiates the key exchange.

So the question is, if you are willing to ignore their activex and run your
own custom JS instead, could these websites be made to work?

~~~
yongjik
A major online bookstore (www.aladdin.co.kr) actually tried that this year.
They teamed up with another startup company (Paygate) and allowed users to use
credit card with no plugins, on any browser. The few people who tried that
loved it.

And guess what happened?

Major credit card companies pulled out one by one, because they "cannot
ensure" that a page without Active-X is secure enough. Of course nobody's
pulling any strings, no government officials are receiving unknown gifts, and
nothing can be ever proved. So, there. You work for months to provide users
with modern browsing experience, and those banking powers-that-be just pull
the plug.

The whole system is corrupt beyond imagination.

Citation (sorry, in Korean):
http://www.hankyung.com/news/app/newsview.php?aid=201309120399g
[http://www.leejeonghwan.com/media/archives/002331.html](http://www.leejeonghwan.com/media/archives/002331.html)

~~~
viraptor
That's a solution from the provider's side though. I would have thought that
it's much easier to handle it from the client side really... just pretend you
did whatever verification was necessary and return the expected result.

No one should be able to shut it down, because it's on the client side, rather
than the service provider, so the retailer shouldn't be blamed.

~~~
yongjik
No no no, it doesn't work that way. These banking websites don't expose a
well-defined API that you can emulate. Instead they force you to install a
bunch of ActiveX plugins (usually with administrative privilege) and you have
to just trust that they won't, say, read the whole content of your hard disk
and stream it to a third-party site.

A few years ago (when I was still in Korea), it was usually impossible to open
two different banks' pages at the same time: I'd assume that's still the case
now. As far as I know, the reason is that both banks will force you to install
"anti-hacking" plugins, which hook directly into your Windows Kernel and
makes sure nobody _else_ snoops on what you type. Yes, these webpages try to
establish a direct connection between your keyboard and the website,
completely bypassing every layer. Now imagine the fun when _two_ such plugins
try to run at the same time.

And of course without these plugins you can't use the site. Hell, sometimes
these sites spontaneously break just because you're accessing it from the US,
because nobody had thought to test them from a client with ping time > 200ms.

Now try emulating that in client. (I don't know if I should laugh or weep.)

EDIT: Besides, if you seriously try to make a platform that can emulate these
"security" plugins, sooner or later you will be arrested for making tools to
circumvent security measures, and people will be reminded that they should
never install anything from "suspicious" sites. (But of course install
everything from banking sites.) As a bonus, some news media will claim you
were paid by North Korea, and many will believe that.

~~~
jessaustin
Thanks for the great explanations. It actually makes some sense that Koreans
are getting hacked all the time, since the binary rootkits they're required to
install have probably not seen the scrutiny that more open solutions have.
Secure systems used in the rest of the world get hacked because of weak
entropy or through timing attacks: fairly esoteric stuff. It wouldn't surprise
me if these ActiveX blobs have basic algorithmic errors. Do they crash quite a
bit?

~~~
yongjik
Sure, they crash (or do something funny) a lot of the time, but that's the problem
with these ActiveX controls. If you buy anything from a Korean site you end up
with an unknown number of plugins downloaded from everywhere, so how do we
know if it's a bug in some plugin, a plugin already infected with a virus, or
just some malware you downloaded accidentally? (The last one, because you have
to hit "OK" all the time: actually recent versions of Windows are being quite
reasonable and want to warn you when you install binaries from random
websites, but this is exactly what Koreans are asked to do every day, so
Korean bank websites contain these helpful pages showing how to lower Windows'
"security level" and override the warnings.)

------
onion2k
This is why governments shouldn't be passing laws to 'protect' citizens online
- they're manifestly bad at understanding change and worse at designing legal
systems that can cope with it.

~~~
acdha
You're half right: governments should prefer to dictate outcomes rather than
mechanisms. Telling banks how to code their databases is a losing game but
making them liable for losses due to weak security works quite effectively.

------
kijin
Some additional details that the article doesn't mention:

1\. Technically, the law doesn't require that you use Internet Explorer. The
law merely requires that you use a bunch of technologies, ranging from 128-bit
encryption to government-issued client certificates to government-mandated
antivirus to (craziest of all) an anti-keylogger utility. Conveniently, the
spec was written with Windows & IE in mind, so it's very difficult to write
alternative implementations for other platforms.

2\. This is not a matter of being stuck with older versions of IE like many
corporate intranets in the West. In fact, most banks in Korea work perfectly
well in IE11 as long as you don't try to use the Modern UI (Metro) version.
Because this is not so much about IE as it is about the WIN32 environment.

3\. The proliferation of phones and tablets has motivated banks and payment
gateways to write iOS and Android implementations of the spec. This was the
first time anybody tried to implement the spec outside of Windows & IE. But
once you have one alternative implementation, it's much easier to port it to
other platforms like Mac, Linux, and FF/Chrome on Windows. This is happening
slowly.

4\. Despite the appearance of these alternative implementations, the spec
itself is still very problematic. For example, the antivirus and anti-
keylogger requirements cannot be met unless the programs in question have root
privileges on your device. It feels insane when you browse to a bank's home
page in Linux and it tells you to download a bunch of apps and execute them as
root. And of course those apps are only designed for specific versions of
specific Linux distributions, so they break as soon as a new Ubuntu release
comes out. No thanks! Even in Windows, the Firefox & Chrome plugins are not
packaged as proper extensions, but as standalone programs that integrate
loosely with the browser like Flash and Java, because you can't meet the spec
within the confines of a browser's sandbox.

5\. Okay so why not just run Windows in a VM? Actually that's exactly what I
do. But it's not a perfect solution. Some of the Korean "security" apps have
begun to detect when the user is in a VM, and refuse to work in a VM. There is
no technical reason for this policy, they just don't like people getting
around the rules. My bank refuses to whitelist my VM as a trusted device. I've
encountered at least one government agency that won't offer online services to
a VM. The last time I bought a bus ticket online, the e-ticket wouldn't print
because the printer port was virtualized and therefore could be used to
produce duplicates or whatever.

6\. Even mobile apps, which the article mentions, are very pesky about their
environment. The app for my bank won't run on my phone because it's rooted and
therefore can't be trusted. Fuck that shit. This affects everyone who uses
CyanogenMod. (What's even more ridiculous is that the same bank _requires_
root on my PC.)

7\. _Therefore, porting the spec to non-IE platforms and/or writing
compatibility layers is not the answer. The spec needs to be fixed, period. No
website should have the right to demand the use of any software other than a
standards-compliant web browser. No website should require root, or even want
to know anything about the environment (virtualized or not, rooted or not) in
which it is being visited, except what the browser exposes to it by default._

8\. Of course this isn't going to happen any time soon, because removing even
one of the requirements on the current spec will be seen as a decrease of
security, and nobody wants to take the blame the next time 10 million people
get their account information stolen. Wait a second, every Korean citizen has
had his or her personal information stolen multiple times in the last several
years anyway. All the banks and merchants have desensitized users to the point
that anytime any website asks them to install some app and run it as
Administrator, they do. All the security theater of the last 14 years has done
is to decrease the security of the entire country. It has also hurt the rest
of the Web. Because it's so much more convenient to write a Windows Forms app
than to write a website that works in both IE6 and IE11, lots of interactive
and media-heavy websites in Korea (especially gaming and file-sharing
websites) have become mere landing pages where you download the actual app.
After all, the banks are doing it, so why shouldn't everyone else do the same?

9\. One move in the right direction is that since this September, every large
(over ~$3000) online transaction requires two-factor authentication. They've
been handing out one-time password generators like candy lately. The ubiquity
of mobile phones also means that you can even choose to use three-factor
authentication (login + one-time password + SMS token) for certain types of
transactions. Hopefully this will eliminate the justification for the anti-
keylogger utility, since the passwords and SMS tokens can't be reused anyway.

[Edit] 10. Another positive development is that the Korean government has
finally begun to pay attention to accessibility on the Internet. At the
moment, among Korean web developers, accessibility is an even hotter topic
than standards compliance, because lack of accessibility can get you into
nasty lawsuits and hefty fines. Everyone's busy adding "alt" attributes to
<img> tags. But hopefully, in the long term, focusing on accessibility will
also bring people to care about standards compliance.

------
ebbv
Well that's a stupid law. Requiring people to use a specific product. That's
never a good idea. Now if you don't mind I need to go renew my car insurance
and sign up for health care.

~~~
timdorr
But you can choose your insurance companies and plans. This would be like the
government mandating that you have to use Aetna for health insurance.

~~~
gwright
You can choose plans that adhere to the government standards. That is a lot
different than you can choose your plan, _period_.

I'm still confused about why the government needed to create any sort of web
site since they are just marketing private insurance plans (which meet the ACA
standards) and these companies have been and continue to market their
insurance plans on their own web sites. And hasn't anyone in the federal
government heard about 'independent insurance agents'? I guess not since they
had to dream up a new job title of 'navigator'.

I do support _some_ of the policy goals of ACA, but it seems like almost any
other implementation would have been better than the convoluted-rube-
goldbergish mechanisms created by the ACA.

------
talmand
Boot Camp is a secret weapon? It costs $70? I'm confused.

Could they not get a free VM and then download an image from modern.ie?

~~~
lifthrasiir
Many native "security" solutions required by websites, e.g. anti-keyloggers
and antiviruses, would block the VM. They also tend to trigger weird problems
in the VM, e.g. some of them make the entire desktop fail to respond to any
events. (What?)

~~~
talmand
Out of curiosity, how would the security applications know that they were being
run on a VM? Why would they care? That suggests they believe no one has a
legitimate reason to run Windows in a VM.

~~~
cnvogel
On Detection:

There are a few things that leak presence of a virtual machine to running code
(even in userspace).

There are the easy signs, e.g. that the VirtualBox guest kernel-modules or
utility programs for clipboard exchange are running. Or that your harddisk
controller has a PCI ID identifying it as an Oracle VirtualBox AHCI device.

But on a hardware-virtualized machine there are also numerous inconsistencies
to be observed which are not influencing the correct execution of "normal"
code, but leak the existence of the hypervisor to the guest OS (and sometimes
even to non-privileged user-code in the guest OS).

Google for "Red Pill VM detection", unfortunately currently
invisiblethings.org (the site of the author) seems to be unavailable.

------
aric
This is state-controlled economics (corporatism) at its usual finest.

------
eric5544
"But the back-and-forth was technologically complicated, and it came with a
catch: It required a piece of additional software, or “plugin,” known as
ActiveX — which is also made by Microsoft and worked in tandem only with
Internet Explorer."

That phrasing made me cringe and shows the lack of technical understanding of
the author of this article. ActiveX is a technology, not a piece of software
or a plugin in itself.

------
xrjn
$70 for Boot Camp? For a company as technologically advanced as South Korea,
can't they just use rEFIt or rEFInd? Heck even a VM would do fine.

~~~
kijin
Last time I tried to access a South Korean government agency's website using a
Windows guest in VirtualBox, it recognized that I was using a VM and refused
to allow me to proceed. Same thing happened when I bought a bus ticket online
and tried to print the e-ticket. Apparently everyone thinks VMs are only good
for malicious activity.

------
eonil
The whole source of the problem is that the Korean majority is conservative.
They don't want to change anything. And they want to force their belief of
what is right. And that belief, in the financial industry, is the current
Korean online banking system. The Korean financial industry has practically no
freedom to choose a security solution, so even foreign banks - such as
CitiBank - use that stupid system.

And the conservativeness of the Korean majority elected the conservative major
party, and the party - of course - has no will to change it at all. And
actually they enforce old rules to keep their existing benefits.

So Korea has no hope of changing this before replacing the major party. In the
last presidential election, there was a candidate who promised to fix this
issue, but who was finally defeated by the candidate from the conservative
party.

And they need to wait until all the old McCarthyists - who are the main
supporters of the conservative party - disappear.

------
mje__
Isn't this because the US wouldn't export crypto software that supported
keys > 40 bits to Korea in the 90s, forcing them to develop their own stronger
algorithms?

Anyway, it's so bad that my (technophobe) wife refuses to shop online anymore
because she is forced to use IE (and vastly prefers to use Chrome)

------
tenderLoins
I like to think of South Korea as a nation state, gripped by such
fear-of-the-other, that they'll agree to any irrational suggestions their
military advisors might make.

So then, 10 or 20 years ago, when the NSA needed a secret laboratory to
experiment in, where they could blunder away at trial and error, perhaps a
huge wind tunnel to test the aerodynamics of this bird, well South Korea
sounds pretty good. Let's see if the Pentagon can get them to agree to a few
absurd pre-requisites and static global variables, while we bootstrap this
absolutely enormous program we're shoe-horning into place.

------
Segmentation
An enormous amount of South Koreans play Starcraft and MOBAs (e.g. League of
Legends). Those are Windows games.

However, as I've learned from doing tech support, I find hardcore gamers are
more computer illiterate. They know enough about computers to turn them on and
play their game, but because they play for so many hours they don't do
anything else on the computer.

Basically you get a nation of computer illiterate users, who use Windows
because they don't know any better. Most probably don't even know what Firefox
or Chrome are.

~~~
marcosdumay
I play (the old) Starcraft quite well on Linux.

------
derekp7
Is it easier to buy something out of a catalog over the phone? If that is
still an option, then one way around this law is to use a web site to set up
an order (fill your shopping cart, shipping details, etc). Then call the
vendor to finalize the order. Of course, this would add to the cost of online
purchases, since you'd have to pay for the person taking the call, but still
it might be a work around.

------
crisnoble
Non-paginated version:
[http://www.washingtonpost.com/world/asia_pacific/due-to-secu...](http://www.washingtonpost.com/world/asia_pacific/due-to-security-law-south-korea-is-stuck-with-internet-explorer-for-online-shopping/2013/11/03/ffd2528a-3eff-11e3-b028-de922d7a3f47_print.html)

------
bifrost
You'd think someone would sort out a way to set up the certs via some other
method. I think this is a great example of why legislators shouldn't be
allowed to make laws about things they don't understand, like the internet.

------
johng
Sounds like someone needs to educate Koreans on using VirtualBox and Modern.ie
images... both are free.

[http://www.modern.ie/en-us](http://www.modern.ie/en-us)

------
arunc
So are most of the Indian IT services companies. A friend of mine is still
using Windows Vista with IE7 cus some moron decides the outdated company
policies.

------
peteretep
Surely this impacts Apple's sales in Korea. Amazed they haven't invested more
in making a Mac technical solution for this.

~~~
lifthrasiir
Mac users did successfully make one major bank support Mac in 2004, by
pledging about 16 billion KRW (~15 million USD at that time). The situation
hasn't improved since then though.

------
thenerdfiles
This is exactly what I was saying about [made-for-prison] software being
unleashed on the public writ large:

> But those with Apple computers — for which IE isn’t available — have it
> harder. Some go to Internet cafes. Some rely on their office desktops. Some
> dash into hotel business centers. Some hold on to their old computers and
> boot them up when it’s time to make purchases. Still others depend on a
> secret weapon called Boot Camp, a software program that allows a Mac to run
> Windows.

Your bar code is your laptop.

------
melling
Who cares. Developers need to pull legacy browser support sooner. It's pretty
clear that certain people and organizations will wait until they absolutely
have to change before they will make the effort. Once it becomes inconvenient
enough they'll do whatever needs to get done. The effort can be justified in
business terms.

IE8, for example, is going to be around for a while. However, if enough
developers stop supporting it now, the conversation will begin. Otherwise,
it's gonna be 2020 and IE8 will still have significant market share.

~~~
gkanai
If you lived in S. Korea and had to be limited to using IE on Windows with
ActiveX controls for each site you wanted to transact with, you'd care. Did
you read the piece? The current system is the law.

~~~
melling
This is not a new story. It has been discussed for the last several years.

Like I said, certain organizations will change when they absolutely have to.
In South Korea's case, it's going to be costly so they are probably going to
be the last.

~~~
gkanai
Indeed. I was the first person to report this situation in English in 2007, so
I know this topic well.

