What happened was, the US had banned export of 128-bit encryption software. The Korean government said screw that and created browser plugins - for BOTH Netscape and IE - to use 128-bit encryption for online transactions. Netscape died and IE remained. I guess their implementation is proprietary enough that nobody else has managed to implement it on other browsers.
NPAPI is supported in most browsers, so the SEED implementation had to have been pretty tied to the Netscape Navigator/Communicator implementation as it existed pre-Firefox.
If the government implementations are the de facto standards and the Korean government has only maintained an ActiveX version for the last 10 years, I can't see how you can interpret it as anything other than an IE mandate.
Because the government is not mandating IE? The public overwhelmingly used IE over Netscape, which caused the government to go "okay since nobody is using Netscape we're going to only maintain one plugin". I think it's a pretty important distinction to make. Anyway, we disagree. No biggie :)
Yes, it originated in the days when SSL was 40-bits, and yes there was once a Netscape plugin. However the world changed, and for the next decade the law remained the same. The spirit of the article is absolutely correct, despite minor discrepancies: Long after far superior alternatives were available, the law mandated the use of Internet Explorer, which is an inertia that carries the country today.
The law does not mandate IE. The government would have maintained both plugins if people had continued to use Netscape. They didn't.
1) Monopolies can and do happen in the absence of regulation. Indeed, it is frequently only through regulation or direct governmental action that competition can be encouraged. (The breakup of the AT&T monopoly comes to mind.)
2) The simple fact of the matter is that government and economic policy go hand-in-hand. Governments create the currency and enforce contracts. They also set the rules for the market. Without those rules -- laws -- markets descend quickly into chaos similar to what you see today in Somalia or Afghanistan: societies driven by tribal loyalties, inefficient, brutal, cruel, and repressive.
There are no monopolies in Somalia because there is no system in place for establishing corporate charters or enforcing contracts. This requires a strong government to serve as arbiter between disputing economic interests.
Citation needed. There are government mandated monopolies but you can also achieve a monopoly using purely free market tools and simply lock up all supply and/or distribution via aggressive investments.
You seem to imply government-induced monopolies > free market monopolies, but provide no evidence or even an argument that this is indeed true. You just state it as a universally recognized fact, when that is obviously not the case.
I'm quite sure Microsoft had something to do with the experts that consulted for the South Korean government when they arrived at this brilliant solution.
To perform financial transactions online in Korea, you would need a plethora of software (often one from each party you would deal with) that revolved around security certificates that were issued by the banks that would store a hard copy of the certificate locally on your computer. Often it didn't work at all, not even getting into the security implications of the system. Bank hacking is so common in Korea, it's really disturbing. There is absolutely no accountability where the attempts at security do exist.
Also, you need to use your Citizen Number (basically a Social Security Number) to register for ANY service in Korea, even common websites. So everything you do can be traced via that single number. For foreigners, registering for common sites is usually impossible because our alien numbers are stored wherever normal citizen numbers are, so unless the site has a separate process for foreigners, you'd be out of luck. It's quite a mess. I can't say enough bad things.
On the bright side, startups like Vingle in Seoul are doing a lot to tip the scales for the younger generation by only supporting modern browser versions (IE8+, not the most modern, but definitely a step up from IE6, which has a huge market share still, too), but it's a slow change.
Since 2011, websites cannot ask or store resident registration numbers (that's the official name) for non-financial purposes. Sadly, it happened after a major incident which exposed RRNs of more than 70% of Koreans. [1] It is a common estimate that every Korean person has had his/her RRN hacked at least twice due to frequent incidents.
The Korean government endorses i-PIN nowadays, which is basically... uh... redundant aliases to the unique RRN. This is obviously stupid, you can hack i-PIN instead of RRN and you have the same credential. Well, at least i-PIN is random. (RRN had very low entropy, and even shallow information about the target may limit possible RRNs to only hundreds.)
[1] https://en.wikipedia.org/wiki/Resident_registration_number#O... for the 2011 incident.
Israel has an "ID number" system, which you use when interfacing with e.g. health providers, or when applying to an academic institute. However, it is not assumed to be secret, and any action that would require positive identification will have it done with a physical government issued ID (national ID card, national driver's license, or passport) - knowing the number is not enough.
The system is far from perfect - there is a lot of information leakage, but identity theft requires forgery of physical artifacts, and more often than not - appearance in person - so it is not as common as e.g. in the US.
Just the birthday and sex will severely limit the RRN list, yep. I've once read that public trust in Korea is one of the lowest in the world, but I've found it to be completely the opposite. Public trust is so high that people seem completely oblivious to how insecure their system infrastructures can be.
Could they not get a free VM and then download an image from modern.ie?
Boot Camp is of course free, but only permits rebooting a Mac into Windows. For $70 one could purchase VMware Fusion or Parallels Desktop, and run Windows side by side with OS X. The author of the Washington Post piece does not make this clear.
Calling Boot Camp a "secret weapon" suggests that most people aren't aware that Apple computers can run Windows. This may be true in the wider world, although any Apple employee in a retail store could inform customers otherwise.
Expecting a writer not focused on technology to discuss gratis tools like VirtualBox and modern.ie is probably asking too much (although these would be well within the reach of Hacker News readers).
I suppose in a sense it becomes a bit of a worry if you run too lightweight on the VM which after all will have to contain your banking credentials (sort of the opposite of firing up a VM when you're doing something that feels too sketchy to run on the main system).
I'm still confused about why the government needed to create any sort of web site since they are just marketing private insurance plans (which meet the ACA standards) and these companies have been and continue to market their insurance plans on their own web sites. And hasn't anyone in the federal government heard about 'independent insurance agents'? I guess not since they had to dream up a new job title of 'navigator'.
I do support some of the policy goals of ACA, but it seems like almost any other implementation would have been better than the convoluted-rube-goldbergish mechanisms created by the ACA.
The salesman was probably talking about Parallels Desktop or VMware Fusion. Of course, one can just as easily use VirtualBox. Or if you only need IE, you can use a WINE layer like CrossOver.
My blog post was heavily covered in Boing Boing, Slashdot, Salon, etc. at the time.
So what's the actual barrier to doing that? (also, why doesn't FF solve the issue since https://bugzilla.mozilla.org/show_bug.cgi?id=478839 was fixed? - it looks like guys from KISA are actually cooperating to implement the needed ciphers)
Is the auth protocol completely unknown? Is the ActiveX control obfuscated more than is possible to reverse-engineer?
It's worked extremely well. There are a couple competing systems. Some use smartchip ID cards, some use smartphone two factor auth, and others use a certificate file on the computer. The most popular system is run by a consortium of banks and uses a certificate file, and supports Windows, Mac and Ubuntu Linux through a browser plugin. Most government services like filing taxes, address change, student loans, etc support 3-4 different systems.
IE8, for example, is going to be around for a while. However, if enough developers stop supporting it now, the conversation will begin. Otherwise, it's gonna be 2020 and IE8 will still have significant market share.
Like I said, certain organizations will change when they absolutely have to. In South Korea's case, it's going to be costly so they are probably going to be the last.
However, as I've learned from doing tech support, I find hardcore gamers are more computer illiterate. They know enough about computers to turn them on and play their game, but because they play for so many hours they don't do anything else on the computer.
Basically you get a nation of computer illiterate users, who use Windows because they don't know any better. Most probably don't even know what Firefox or Chrome are.
Truth be told, I never actually managed to buy anything online when I was there. It's like everything was designed to keep me from buying. What didn't help was that I was on Visitor status, meaning you don't get your national ID, which is required on a vast number of SK sites. Without ID, you just become some kind of virtual hobo.
It's a shame considering the amazing infrastructure there is over there. Anyone who's ever visited SK websites will tell you how poorly put together they are, both technically and visually. I've rarely seen such disparity between the underlying infrastructure and its use anywhere else.
Some more background http://en.wikipedia.org/wiki/SEED and http://kanai.net/weblog/archive/2007/01/26/00h53m55s
There was some hope last presidential election cycle that this would become a topic for the new administration to tackle [1], but that candidate (Ahn Cheol-soo) lost the election and it seems to have fallen off the table for now.
1 - http://www.theregister.co.uk/2012/11/14/ahn_lab_internet_exp...
1. Technically, the law doesn't require that you use Internet Explorer. The law merely requires that you use a bunch of technologies, ranging from 128-bit encryption to government-issued client certificates to government-mandated antivirus to (craziest of all) an anti-keylogger utility. Conveniently, the spec was written with Windows & IE in mind, so it's very difficult to write alternative implementations for other platforms.
2. This is not a matter of being stuck with older versions of IE like many corporate intranets in the West. In fact, most banks in Korea work perfectly well in IE11 as long as you don't try to use the Modern UI (Metro) version. Because this is not so much about IE as it is about the WIN32 environment.
3. The proliferation of phones and tablets has motivated banks and payment gateways to write iOS and Android implementations of the spec. This was the first time anybody tried to implement the spec outside of Windows & IE. But once you have one alternative implementation, it's much easier to port it to other platforms like Mac, Linux, and FF/Chrome on Windows. This is happening slowly.
4. Despite the appearance of these alternative implementations, the spec itself is still very problematic. For example, the antivirus and anti-keylogger requirements cannot be met unless the programs in question have root privileges on your device. It feels insane when you browse to a bank's home page in Linux and it tells you to download a bunch of apps and execute them as root. And of course those apps are only designed for specific versions of specific Linux distributions, so they break as soon as a new Ubuntu release comes out. No thanks! Even in Windows, the Firefox & Chrome plugins are not packaged as proper extensions, but as standalone programs that integrate loosely with the browser like Flash and Java, because you can't meet the spec within the confines of a browser's sandbox.
5. Okay so why not just run Windows in a VM? Actually that's exactly what I do. But it's not a perfect solution. Some of the Korean "security" apps have begun to detect when the user is in a VM, and refuse to work in a VM. There is no technical reason for this policy, they just don't like people getting around the rules. My bank refuses to whitelist my VM as a trusted device. I've encountered at least one government agency that won't offer online services to a VM. The last time I bought a bus ticket online, the e-ticket wouldn't print because the printer port was virtualized and therefore could be used to produce duplicates or whatever.
6. Even mobile apps, which the article mentions, are very pesky about their environment. The app for my bank won't run on my phone because it's rooted and therefore can't be trusted. Fuck that shit. This affects everyone who uses CyanogenMod. (What's even more ridiculous is that the same bank requires root on my PC.)
7. Therefore, porting the spec to non-IE platforms and/or writing compatibility layers is not the answer. The spec needs to be fixed, period. No website should have the right to demand the use of any software other than a standards-compliant web browser. No website should require root, or even want to know anything about the environment (virtualized or not, rooted or not) in which it is being visited, except what the browser exposes to it by default.
8. Of course this isn't going to happen any time soon, because removing even one of the requirements on the current spec will be seen as a decrease of security, and nobody wants to take the blame the next time 10 million people get their account information stolen. Wait a second, every Korean citizen has had his or her personal information stolen multiple times in the last several years anyway. All the banks and merchants have desensitized users to the point that anytime any website asks them to install some app and run it as Administrator, they do. All the security theater of the last 14 years has done is to decrease the security of the entire country. It has also hurt the rest of the Web. Because it's so much more convenient to write a Windows Forms app than to write a website that works in both IE6 and IE11, lots of interactive and media-heavy websites in Korea (especially gaming and file-sharing websites) have become mere landing pages where you download the actual app. After all, the banks are doing it, so why shouldn't everyone else do the same?
9. One move in the right direction is that since this September, every large (over ~$3000) online transaction requires two-factor authentication. They've been handing out one-time password generators like candy lately. The ubiquity of mobile phones also means that you can even choose to use three-factor authentication (login + one-time password + SMS token) for certain types of transactions. Hopefully this will eliminate the justification for the anti-keylogger utility, since the passwords and SMS tokens can't be reused anyway.
[Edit] 10. Another positive development is that the Korean government has finally begun to pay attention to accessibility on the Internet. At the moment, among Korean web developers, accessibility is an even hotter topic than standards compliance, because lack of accessibility can get you into nasty lawsuits and hefty fines. Everyone's busy adding "alt" attributes to <img> tags. But hopefully, in the long term, focusing on accessibility will also bring people to care about standards compliance.
That phrasing made me cringe and shows the lack of technical understanding of the author of this article. ActiveX is a technology, not a piece of software or a plugin in itself.
And the conservativeness of the Korean majority elected the conservative major party, and the party - of course - has no will to change it at all. And actually they enforce old rules to keep their existing benefits.
So Korea has no hope of changing this before replacing the major party. In the last presidential election, there was a candidate who promised to fix this issue, but was finally defeated by the candidate from the conservative party.
And they need to wait until all the old McCarthyists - who are the main supporters of the conservative party - disappear.
Anyway, it's so bad that my (technophobe) wife refuses to shop online anymore because she is forced to use IE (and vastly prefers to use Chrome).
So then, 10 or 20 years ago, when the NSA needed a secret laboratory to experiment in, where they could blunder away at trial and error, perhaps a huge wind tunnel to test the aerodynamics of this bird, well South Korea sounds pretty good. Let's see if the Pentagon can get them to agree to a few absurd pre-requisites and static global variables, while we bootstrap this absolutely enormous program we're shoe-horning into place.
> But those with Apple computers — for which IE isn’t available — have it harder. Some go to Internet cafes. Some rely on their office desktops. Some dash into hotel business centers. Some hold on to their old computers and boot them up when it’s time to make purchases. Still others depend on a secret weapon called Boot Camp, a software program that allows a Mac to run Windows.
Your bar code is your laptop.