the cost of monoculture

(This is a repost of a post from my personal blog.)

What would you say if I told you that there was a nation that was at the forefront of technology, an early adopter of ecommerce, leading the world in 3G mobile adoption, in wireless broadband, in wired broadband adoption, as well as in citizen-driven media. Sounds like an amazing place, right? Technology utopia?

Wrong.

This nation is also a unique monoculture where 99.9% of all the computer users are on Microsoft Windows. This nation is a place where Apple Macintosh users cannot bank online, make any purchases online, or interact with any of the nation’s e-government sites online. In fact, Linux users, Mozilla Firefox users and Opera users are also banned from any of these types of transactions because all encrypted communications online in this nation must be done with Active X controls.

Where is this nation?

South Korea.

UPDATE: photo of Korean Hangul keyword search visualization seen at Naver’s lobby.

Naver_4004.JPG

I traveled to South Korea last fall to learn more about the South Korean Internet market and came away disappointed and frankly stunned.

I met with leading businesses in the search market, the music download market, the games market and all reported the same situation- a monoculture of users using MS Windows. The S. Korean market is in a unique situation where decisions made long ago have created a consumer monoculture which is having unintended repercussions that are affecting anyone with a computer in South Korea. It is a fascinating story because it is true.

The history goes back to 1998, when the 128 bit SSL protocol was still not finalized (it was finalized by the IETF as RFC 2246 in Jan. ’99.) South Korean legislation did not allow 40 bit encryption for online transactions (and Bill Clinton did not allow for the export of 128 bit encryption until December 1999) and the demand for 128 bit encryption was so great that the South Korean government funded (via the Korean Information Security Agency) a block cipher called SEED. SEED is, of course, used nowhere else except South Korea, because every other nation waited for the 128 bit SSL protocol to be finalized (and exported from the US) and have standardized on that.

In the early years of SEED, users downloaded the SEED plugin to their IE or Netscape browsers, either an Active X control or a NSplugin, which was then tied to a certificate issued by a Korean government certificate authority. (Can you see where this is going?) When Netscape lost the browser war, the NSplugin fell out of use and for years, S. Korean users have only had an Active X control with the SEED cipher to do their online banking or commerce or government.

So we end up in 2007, 9 years after SEED was created for Korean users, and one legacy of the fall of Netscape is that Korean computer/Internet users only have an Active X control to do any encrypted communication online. So in late 2006, a group of Korean computer/Internet users, Citizens Action Network at Open Web Korea, having documented the problem with accessibility of sites via anything other than Microsoft IE, have decided to sue the Korean government.

It gets worse.

Remember how Active X controls were and continue to be a significant vector of viruses and malware because Microsoft originally architected Active X to run by default instead of with a user action? Maliciously programmed websites would be able to automatically install software on users’ computers just by visiting a web page in IE 6. In IE 7 and in Vista, Microsoft has re-architected Active X controls in such a way to make them “more safe” by requiring a user action for the control to run. This is obviously impacting every web site and company that uses active X controls on their websites, which include just about every website in Korea that handles any kind of secure transaction. Every online bank, every governmental agency, every ecommerce site. Without enough time to re-architect Korean websites, 3 S. Korean governmental ministries, the Ministry of Information and Communication, the Ministry of Government Administration and Home Affairs, and the Financial Supervisory Service, warned S. Korean users that upgrading to Vista would disable the user from making any secure transaction online. Can you imagine spending thousands of dollars on a new machine (because the requirements of Vista generally require new hardware) and a new OS from Redmond only to be locked out of any secure transaction online? It’s Kafkaesque.

To add insult to injury, the monopolist who absolutely controls the Korean market for computers won’t delay the launch of Vista to alllow for Korean websites to re-code their sites. “We’ve been testing Vista with banks and other service providers since September, but we encountered more delays than we expected. We plan to release the product as scheduled.

Absolutely incredible.

A related problem is that KISA and Microsoft announce “plans to work together to improve computer security awareness” or “mark anniversary of cooperation with renewed pledge” when in fact the situation in 2007 is no better than it was in 2003 when KISA decided to “work with Microsoft.” I can’t tell who is the fox and which is the hen house, but either way, the two should not be near each other.

Another part of the Korea story that I cannot comprehend are articles about Linux in Korea. The Korean Army considering Linux. Kwangju City as “Linux City.” If the Korean Army or Kwangju city cannot do any encrypted communications because their operating system of choice does not work with Active X controls, I’m not sure if this is hype or confusion.

To get the most depth and perspective on this topic, from the people in Korea who are suing the government, it’s best to read the documents at Open Web Korea.

This issue with the launch of Vista and IE 7 and the work of thousands and thousands of web programmers in Korea who are feverishly working to reprogram their sites to work with Microsoft’s new standards – do they realize that their efforts only bring them back to square 0 – there’s no more heterogeneity in the Korean Internet market post-Vista than pre. The problem for Korean websites wasn’t competition from MSN Korea, it was their sole dependence on infrastructure from Microsoft.

Korea will only get beyond this problem by 1) applying Korean laws on open standards to the certificate authorities, 2) reassigning new certificates which work with open web standards to all Koreans, 3) reprogramming all Korean websites to support 128 bit SSL which will allow for a heterogeneous marketplace of operating systems and web browsers. This is a herculean task and thus Korea stays hostage to Redmond.

Fascinating history. Unintended consequences and de-facto monopolies create costs too high to calculate and must be borne without question.

RELATED READING: the seminal report “CyberInsecurity: The Cost of Monopoly,” and the related eWeek piece profiling Dan Geer, “IT Wrestles with Microsoft Monoculture Myopia” which goes over this same topic from a different but related perspective.

Via Anil Dash.

16 Responses to the cost of monoculture

  1. Instead of suing, wouldn’t it be more productive to just implement SEED as an addon to Firefox? I would think that demands for an alternative would be taken more seriously if there where an alternative.

  2. Anders, thank you for your comment. Unfortunately, implementing SEED in Firefox will not fix the problem. It is much more complex.

    Each Korean citizen is issued a nation ID number. This is embedded into the certificate issued by the Korean CA. Thus non-Koreans in Korea (such as US military in Korea) cannot make secure transactions like online banking or online commerce. The ‘package’ (including SEED, the national ID, and the Active-X cert.) that the CA’s distribute is Active-X based, and thus only works in Windows and IE.

  3. Well, there is a plugin for firefox which enables ActiveX, yes? Perhaps a modified version of this plugin which -only- operates for this specific product would be a good solution?

  4. crowder, adding support for Active-X in Firefox opens Mozilla up to a whole host of issues where there is little benefit and a lot of risk. It’s something we’ve certainly thought about but cannot recommend.

  5. Well, as I said, it wouldn’t be full ActiveX support. Instead it would be just enough support to handle this one plugin and nothing else… that seems a surmountable problem to me.

  6. Pingback: Brian’s Blog » Blog Archive » Kozilla

  7. Whatever happened with this?

  8. Pingback: sententia fredericiana » Von den Kosten einer Monokultur

  9. Enabling ActiveX support in Firefox, so missed the monoculture issue.

    ActiveX support in Firefox only works in Microsoft Windows, and presumably for these controls only in XP or earlier.

    My operating system of choice fixes all reported security issues, in all shipped applications, BEFORE they release a new version.

    MacOSX has never had a virus in the wild.

    Koreans presumably would like to be able to choose such an operating system for their online banking, rather than Microsoft’s “we fix them after they start being exploited” approach to security.

  10. “adding support for Active-X in Firefox opens Mozilla up to a whole host of issues where there is little benefit”
    Little benefit? I think your article does well enough to explain the huge problem; would solving this partly not be even a small benefit? I’d, and your article, would say so.

  11. Dan and Crowder this is not just a problem for Firefox, it essentially breaks every non Microsoft product on the planet.
    To re engineer every Browser on the planet to support one encryption system in one country would be throwing allot time and money at a problem with a relatively simple fix. just use the same superior open system as the rest of the world.
    Also you underestimate the legal and technical issues involved in building and maintaining your own version of a closed source product (Active X) that Microsoft owns.

  12. As someone living in Korea, I’ll bet you my best pair of socks that some Korean with money/influence has a family member who makes heaps of money off of keeping all control of people’s computers. That’s often how it works in Korea. If the current system were to change, someone with power would lose money. That cannot be allowed by those making the money.

  13. The real problem they have, even if Mozilla plugin is officially supported and legislation fixed, is that all Web developers will be surprised to know that their code is not working the same in different browsers. Sometimes it doesn’t work at all.
    They’ll need to deal with that, and fixing that might be a real pain.

  14. All you need to do to get ActiveX functionality in Firefox is to install IE Tab or Coral IE Tab which supports AdBlock Plus in the IE engine and can sync cookies between IE and Firefox.

    IE Tab download:
    https://addons.mozilla.org/en-US/firefox/addon/1419

    Coral IE Tab download:
    https://addons.mozilla.org/en-US/firefox/addon/10909

  15. Pingback: Where's Walden? » Correcting a few misconceptions

  16. Pingback: Mozilla in Asia » Blog Archive » the Security of Internet Banking in South Korea in 2010