Category Archives: security

The Economist on the Internet in China

Gady Epstein, who is the China Correspondent for The Economist  has put together a large 14-page special report on the Internet in China. I strongly recommend it.

Gady was also on this week’s Sinica Podcast talking about this special report, which I also strongly recommend: Gady Epstein on The Internet (in China)

Special report: China and the internet

China’s internet: A giant cage
The internet was expected to help democratise China. Instead, it has enabled the authoritarian state to get a firmer grip, says Gady Epstein. But for how long?

The machinery of control: Cat and mouse
How China makes sure its internet abides by the rules

Microblogs: Small beginnings
Microblogs are a potentially powerful force for change, but they have to tread carefully

The Great Firewall: The art of concealment
Chinese screening of online material from abroad is becoming ever more sophisticated

E-commerce: Ours, all ours
A wealth of internet businesses with Chinese characteristics

Cyber-hacking: Masters of the cyber-universe
China’s state-sponsored hackers are ubiquitous—and totally unabashed

Internet controls in other countries: To each their own
China’s model for controlling the internet is being adopted elsewhere

Assessing the effects: A curse disguised as a blessing?
The internet may be delaying the radical changes China needs

2012 update to the 2007 Cost of Monoculture in Korea

Back in 2007, I published the cost of monoculture, a blog post that was the first English-language explanation of the situation in South Korea where a series of independent decisions created a de facto monopoly for Microsoft Internet Explorer. The blog post was widely covered in 2007, in Salon, Slashdot, Boing Boing, etc.
Fast forward 5+ years to the late part of 2012 and basically nothing has changed. In fact, things are so bad in Korea that a candidate for the President of Korea, Ahn Cheol-soo, has taken the position that if he were voted in, he would abolish the laws that have locked Korea to Microsoft Internet Explorer.

Ahn Pledges To Wipe Out South Korea’s Outdated Internet Encryption Rule – Korea Real Time – WSJ

Internet Explorer becomes Korean election issue • The Register

Sure this candidate is from the IT/software field, but the fact that his platform has this position says that this is still a painful issue for most people in Korea today. It’s stunning that the Korean government has not proactively moved away from Active-X plugins when Microsoft themselves are deprecating this technology in Windows 8 and Internet Explorer 10.

 

browser competition in Korea in 2012

The Korea Times has a new article on the popularity of Google Chrome in Korea.

In Korea, though Internet Explorer is still overwhelming other top browsers such as Firefox, Safari and Maxthon, Chrome is beginning to emerge as a possible contender.

In April 2011, 91.93 percent of Korean users used Internet Explorer, while only 4.33 percent used Chrome. Some had never even heard of others browsers used overseas.

In April this year, Chrome accounted for 13.88 percent of domestic users, the only browser to reach the double digits to challenge Internet Explorer’s 78 percent.

Chrome gaining fast against Explorer

While it’s encouraging to see that browser competition in Korea is changing, I don’t understand this comment about “toolbars.”

Another downside of Internet Explorer, besides the need to agree to an authorized certificate for monetary transactions is the need to install toolbars. To access popular Web portals such as Naver or Daum, users are required to install provided toolbars, which are now considered cumbersome by those who have other new options open to them.

Chrome has the advantage of not needing tool bars, unlike Internet Explorer and Firefox, among others.

I don’t understand the requirement to download a toolbar in order to access a website. Is this a real requirement or just an attempt by the portal to push their toolbar onto the user? Maybe my Korean readers can help explain this?

 

QQ vs 360 – on the Chinese Internet users lose

There are many aspects of the Internet in China that make it unique (see Internet censorship in the People’s Republic of China, a page that is no doubt blocked from view in China.)

  • state censorship of non-Chinese content via the Great Firewall
  • internal (to China) censorship of content by Chinese Internet companies
  • self-censorship that is a hallmark of any regime that does not have free speech laws

These are but 3 of the many differences of the Internet in China vs. elsewhere.

Sadly, there are non-censorship related issues around commercial software vendors and their competitive practices that are terrible for Chinese Internet users.  The most recent battle on the Chinese Internet is between Tencent, who’s QQ brand has over 600 million users of their instant messaging service, and 360 an ‘anti-virus’ software company that has 300 million clients installed and is so aggressive as to cross the line (in my opinion) of marking legitimate software as “viruses” if they are competitive with any software that 360 also provides.

If I had to put this in Western terms, it would be as if Norton/Mcafee marked AOL Instant Messenger/Yahoo! IM/etc. as virus software.

360 vs QQ, Internet security company picks fight with China’s NO. 1 software giant
(the Japanese manga-style cartoons are a little disturbing)

EastSouthWestNorth has translations of key statements from QQ and a news report from MOP:

360 PK Tencent (10/31/2010) (MOP)

360 Is Hackerware (11/01/2010) (QQ.com)

China Tech News is reporting that China’s Ministry of Industry and Information Technology and Ministry of Public Security is now involved in this corporate dispute without any resolution to date.

Qihoo 360: Chinese Government Interferes In Tencent Internet Dispute

And today, Tencent (QQ) has issued an ultimatum to it’s 600 million users that users of QQ cannot use 360’s anti-virus software.

Tencent threatens its users with an ultimatum

China’s Internet users have so many challenges to deal with, from the state, to the companies that run Chinese Internet services, that corporate in-fighting between Chinese application providers (who are not even directly competing with each other) should be the last straw.

My opinion? If you are an Internet user in China, switch to Linux or Mac OS and get off Windows, because Chinese application providers only build for Windows and thus getting off Windows means getting rid of the need for Chinese applications altogether.  You won’t have these problems with open source software.

event video – The Emerging Threat to Online Trust

The video from the event on browser and certificates, held by the New America Foundation, The Emerging Threat to Online Trust, has been posted to Ustream (flash unfortunately.)

For those of us who know how browsers and certificates and trust works, you may not learn anything new, but I think it’s important to see how browsers and certificates are viewed by people outside of the certificate authorities or browser industries. Indeed Andrew McLaughlin, previously at Google, is now White House deputy CTO under Aneesh Chopra and spoke at the event.

I came away with the impression that it is exceedingly difficult to explain how browsers secure transactions.  Mozilla comes off better than most because of how open our processes are.  Still, browser security looks like sausage to me- you don’t really want to learn how they’re made.

The Role of Public Policy and Browser Certificates (Oct. 22, D.C.)

If I was in Washington D. C. I would try to make it to this event on Oct. 22 at the New America Foundation.

Center for Information Technology Policy – Emerging Threats to Online Trust: The Role of Public Policy and Browser Certificates

Emerging Threats to Online Trust: The Role of Public Policy and Browser Certificates

Additional relevant background in this post: Web Security Trust Models | Freedom to Tinker

quick update on Korea

Kim Tong-hyung, staff reporter for the Korea Times, is the only reporter providing English-language coverage of the news on the Microsoft monopoly in S. Korea.

I wanted to share two recent articles from Kim Tong-hyung, one covering the event that Mozilla’s Lucas Adamski attended at the end of April and another covering the “anti-virus” industry in Korea, which is one of the incumbent industries that would be significantly negatively affected if the Korean government moved away from the current PKI-based encryption architecture.

Experts Say Specific Tech Mandates Make [Korean] Internet Banking Vulnerable

“There is danger in relying on technology too much, and specific technology in that,” Schneier said, stressing that the government should be commanding “results,” rather than technologies, from banks and credit-card companies in their efforts to provide better user protection.

“Once a law mandates specific technologies such as protocol, applications or software, innovation stops. Companies know they will be okay as long as they do everything that the law says, and they will not figure out ways to make things more secure.

and

Lucas Adamski, who heads the software security team at Mozilla, which backs the Firefox Web browser, said online banking and e-commerce providers should consider redesigning their Web pages to support HTTPS, or HTTP Secure.

“Supporting HTTPS comes with many benefits. The server is authenticated to ensure the user is talking to the server they think are talking to, before any content is sent or received,” Adamski said.

“The browser will not normally send or receive any content from a Web site with an invalid or expired certificate or if the certificate does not match the server name. This means that there is no opportunity for a man-in-the-middle (MITM) injection attack to happen in the first place.”

Is AhnLab to blame for online banking mess?

Kim Kee-chang, a Korea University law professor who had led a series of unsuccessful lawsuits against the government over the overwhelming Active-X use, is absolutely merciless when describing the role of AhnLab and other anti-virus firms in the whole mess.

“Anti-virus firms are the only ones who are benefiting from the current Internet banking structure, which itself happens to be the biggest fraud of all. This system is all about creating an illusion of security that essentially does nothing other than allowing these software makers to make easy money off aging technology,” Kim said in a recent interview with The Korea Times.

“It’s depressing to see these so-called Internet technology experts sinking so low, sacrificing their morality to the last ounce in pursuit of profit. They have government officials in their pockets, as nobody ever accuses bureaucrats of having a bright understanding of technology,” he said, emphasizing that it was the anti-virus firms that chose plug-ins as the method to provide the required security programs to banks and computer users.

the Security of Internet Banking in South Korea in 2010

For those of you who have followed my blog, you know that it has been 3 years since I first reported on the fact that Korea does not use SSL for secure transactions over the Interent but instead a PKI mechanism that limits users to the Windows OS and Internet Explorer as a browser. Nothing fundamentally has changed but there are new pressures on the status quo that may break open South Korean for competition in the browser market in the future.

In fact, one of the new pressures on the status quo has been the popularity of the iPhone in South Korea, which wasn’t available officially until late 2009 due to a different Korean software middle-ware requirement, WIPI, which has since been deprecated. With WIPI dead and buried, Apple released the iPhone to great fanfare in the Korean market and Blackberry has also launched in the Korean market.

Another pressure on the status quo was a recent report out from 3 researchers (Hyoungshick Kim, Jun Ho Huh and Ross Anderson) from the University of Oxford’s Computing Laboratory, “On the Security of Internet Banking in South Korea.

South Korean Internet banking systems have a unique way of enforcing security controls. Users are obliged to install proprietary security software – typically an ActiveX plugin that implements a bundle of protection mechanisms in the user’s browser. The banks and their software suppliers claim that this provides trustworthy user platforms. One side-effect is that almost everyone in Korea uses IE rather than other browsers.

We conducted a survey of bank customers who use both Korean and other banking services, and found that the Korean banks’ proprietary mechanisms impose significant usability penalties. Usability here is strongly correlated with compatability: Korean users have become stuck in an isolated backwater, and have not benefited from all the advances in mainstream browser and security technology. The proprietary mechanisms fail to provide a trustworthy platform; what’s more, alternative strategies based on trustworthy computing techniques are quite likely to suffer from the same usability problems. We conclude that transaction authentication may be the least bad of the available options.

The popularity of the iPhone (the press claims 500,000 units sold in the few months since it was released) resurfaced the issue that only Windows and IE can be used to make secure transactions with Korean Internet services. iPhone/Blackberry/Android users in Korea (not to mention Firefox/Opera/Safari/Chrome users) cannot bank online or purchase items online or do any secure transaction with the smartphone browser because Korean services only support the PKI mechanism that only works with Active-X in IE and Windows.

Dr. Keechang Kim of Korea University has been working tirelessly for many years to try to change the status quo in Korea around browsers and the reliance on a PKI mechanism that is tied to one platform. With concern being raised by different parts of the Korean government, including the Korean Communications Commission as well as the Office of the President of Korea, Keechang has gathered a very interesting panel of presentations for April 29th in Seoul.  The panelists will be addressing the (Korean) Financial Supervisory Service (FSS) which is the regulatory body in Korea that is currently mandating the PKI mechanism that is in place today (which requires Active-X, etc.)  Unless the FSS relaxes or changes their regulations, Korean banks cannot offer other mechanisms for Korean users to bank online, etc.  In short, unless the FSS changes their stance, nothing will change in Korea.

Security Issues of Online Banking & Payment in Korea” is an open public meeting (registration recommended) starting at 10 AM on April 29th at COEX Conference Hall E1 and will feature:

  • Bruce Schneier (Chief Security Technology Officer, BT) on “Security: What Works, What Doesn’t, and Why”
  • Hyoungshick Kim, Jun Ho Huh (Univ. of Oxford) “What’s the danger of mandating proprietary security solutions?”
  • Lucas Adamski (Dir. Security Engineering, Mozilla) on “Securing Browser Interactions”

Again this meeting is open to the public. Anyone is welcome to attend.

While I have no illusions that one meeting will get the key Korean government entities to do a 180 from their current stance, I do think this will be an important opportunity to bring external, Korean and non-Korean security expertise to Korea to discuss the current state of affairs and show that a PKI-based security architecture is only as secure as the computers that those certificates are used on.  If the computers are compromised, and at least one security services provider, Network Box, claims that S. Korea is the largest source for malware in the world, (Korea reigns as king of malware threats) then there is no way to be sure that the person in control of those personal certificates is the legitimate owner.

The deletion of the requirement for WIPI in Korean mobile phones opened the Korean market to the iPhone and the Blackberry and Android phones from outside of Korea.  Korean users of these new smartphones realized that they could not bank online, buy online, etc. and are now pressuring the Korean government to change the current laws which mandate a PKI-based mechanism that has been implemented with Active-X.  As the popularity of smartphones that cannot make use of the current PKI-based architecture for encryption/authentication grows in Korea, the pressure for the government to change their regulations will only mount.  The key question for Mozilla is whether the Korean government will open up to a point where Firefox and Fennec can be used in the future for secure transactions in Korea.

Thank you to Keechang and everyone in the OpenWeb.or.kr community for your tireless efforts to try to break open the Korean market. Thank you also to Channy Yun who has put aside his own schedule in order to participate and guide Lucas in Seoul.  There is still a long road to walk to an open, competitive market in S. Korea for browsers, but I am starting to see the light at the end of the tunnel.

US ISP redirects DNS in Firefox toolbar

Disturbing news from the US.

Windstream Communications, a large ISP based on the East Coast of the US, has been caught using DNS redirection of the search results from the Google Toolbar in Firefox. Users using the Google Toolbar in Firefox were served a Windstream search results page, not a Google search results page. I’m not clear how this could even be done but this should never ever happen.

Windstream Hijacking Firefox Google Toolbar Results – Users kick back, Windstream promises correction tonight

Once their customers started complaining, Windstream representatives posted at dslreports.com that

“I won’t go into the technical details, but this was not a desired result to modify the Firefox search field regardless of which search provider is used in the browser.”

Somehow I can’t give this company the benefit of the doubt.

Edit:

Firefox redirects to windstream communications search results when I do a Google search in the search bar. (Mozilla Firefox support forums)

and

How do I remove a web search redirect? (Google Web Search Help Forum)

TEDx Seoul – Korea Internet Galapagos

Changwon Kim, a friend of mine and a talented Internet entrepreneur who sold his blog service startup to Google in 2008 (and currently works at Google Korea), recently did a great presentation on the Korean Internet at TEDx Seoul. Changwon covers the fact that due to early broadband infrastructure and the geography of Korea, Korean companies were leading in innovations around virtual worlds, mobile Internet and social networks way before the global Internet brands that are world-wide today.  However, recently there has been less Korean innovation which has been concerning to technologists and entrepreneurs.

The video from his presentation is now online (in Windows Media) and covers some of the challenges facing the Korean Internet, including two mentions of the Microsoft browser monopoly in Korea.

TEDxSeoul Talks – [Changwon Kim] Korea Internet Galapagos