
Chosun Ilbo op-ed on Korean Microsoft monoculture

A Chosun Ilbo columnist (a leading Korean news provider), Kim Ki-cheon, has an op-ed regarding the Microsoft monoculture in Korea:

Korea’s Internet Is Mired in a Microsoft Monoculture

Korea is at the cutting edge in technology, the state of the art in e-commerce, an early adopter of third-generation wired and wireless communication, broadband and personal media. Yet 99.9 percent of computer users are on Microsoft Windows. Mac users cannot bank or shop online, nor do these users have access to government websites. The same goes for users of Linux, the free user-generated OS, and those using Mozilla Firefox or Opera to browse the web.

The observation comes from an early 2007 entry on a Japanese blog, written shortly after the blogger’s disappointing visit to Korea. It is not an unfair assessment nor is it borne of jealousy. Korea’s Internet monoculture has been a subject of concern here for some time and remains an issue. In a recently published book, Kim Ki-chang, a professor at Koryo University, says that Korea’s Internet environment is so unsound that nothing like it can be found in any other country in the world.

What is the problem? For one thing, accessing many Korean websites requires jumping through hoops not found anywhere else in the world. This may mean installing unfamiliar software programs, one to ensure secure access, another to protect against keystroke tracking, another for personal firewall protection, and on top of that, an antivirus program, all to be able to do some banking online. Nowhere else are websites so complicated and inconvenient.

It is also a uniquely Korean peculiarity that the programs needed for access to secure websites are compatible only with Microsoft Internet Explorer. Many are based on the ActiveX framework from Microsoft. And while there exist other technologies that perform the same function, none are in use in Korea. As a result, web browsers such as Firefox used by over 20 percent of users worldwide have no presence here.

Not much new here that has not been covered by me in the past but it is news to me that Kim Keechang has published a book on this topic.

Korea Paying Price for Microsoft Monoculture

Last week the Korea Times had a long piece on the unique issues around browser security and encryption technologies in Korea, Korea Paying Price for Microsoft Monoculture, which did not reference my original article, the cost of monoculture, but is updating the issues I raised in early 2007.

A few choice quotes:

But the land of ubiquitous broadband, feature-happy “smart” phones and ultra-cool computing devices doubles as a crusty regime where Linux, Firefox, Chrome and Opera users can’t bank or purchase products online, and where Mac users buy Windows CDs to prevent their devices being reduced to fashion items.

The bizarre coexistence of advanced hardware and an outdated user environment is a result of the country’s overreliance on the technology of Microsoft, the U.S. software giant that owns the Korean computing experience like a fat kid does a cookie jar.

Critics say the country would end up paying dearly for allowing a Microsoft monoculture to take hold, with consumers deprived of the freedom to choose newer and better products and the Web industry seeing its innovation compromised.

(Anyone want to send me a Steve Ballmer with cookie jar photoshop masterpiece? :) )

The article goes on to cover a lot of the issues affecting web users in Korea and how many valiant efforts have gone into trying to effect change, most significantly the 3 lawsuits that Dr. Keechang Kim has brought against various Korean policy-making bodies, without success.

The newest effort of the open web community in Korea is openbank.or.kr, an effort to push/educate banking institutions in Korea to change their practices as many believe it is these consumer-facing services which are key to making real change happen for an open web in Korea.

Mozilla is committed to supporting the Koreans who are pushing for a competitive truly open web in Korea. If there is something that we should be doing in Korea to further support open web efforts, please do not hesitate to contact me or leave a comment with your thoughts.

I, for one, look forward to a day when anyone in Korea can use any modern browser on any major consumer computer operating system to bank, purchase goods/services online, trade stocks, etc. without the need for a browser plugin.

EVSSL user-interface in Safari 3.2

EVSSL in Safari 3.2

With the most recent update to Safari 3.2, Apple has added support in their user interface for extended validation SSL certificates, or EVSSL.

The problem with Safari 3.2's implementation is that the UI is quite subtle, way in the upper-right hand corner. There's no standard as to how to implement support for EV certs in browsers but clearly what Apple has done with Safari is mere compliance, not a thorough consideration of how best to show that information in the browser.

I'm biased but I clearly think Firefox 3.0's implementation is better. No certificate mumbo-jumbo that no one outside of certificate authorities knows anything about. Clear and obvious language that is readable and understandable by anyone who would use a browser on the Internet.

Firefox 3.0 EV SSL UI

Window Snyder on Mozilla security metrics

Robert Vamosi of CNet interviews Window Snyder, Mozilla’s chief security something-or-other, on security metrics at Mozilla and how we are trying to better understand security in an open-source project platform: At Mozilla, blowing the lid off security practices.

Window Snyder, Mozilla’s chief security something-or-other (her official title), wants to bring open source practices to the security community.

“At a lot of companies,” she told me recently, “there’s fear around security: you don’t want to talk about what you’re doing around security because one might deem it not enough–or might want to criticize it.” She said most companies have a lot of reasons to keep what you’re doing in security quiet, but not Mozilla. “We benefit from being open; it’s the model for us and it’s been successful for us.”

I hadn’t seen this on Planet yet so wanted to make sure folks saw this article.

Malicious Websites and the Underground Economy on the Chinese Web

Although not directly relevant to Mozilla, this recent Technical Report: Studying Malicious Websites and the Underground Economy on the Chinese Web on security in the Chinese Internet looks very interesting. Amazing to see that gaming fuels the underground economy and that many of the transactions are done via Baidu and Taobao (which would be Google and eBay in the US).

Ryan Naraine from ZDNet breaks out some of the key findings:

  • “The market price of a Trojan is between tens to thousands Renminbi (RMB), and a package of 0-day powerful Trojan generator and evasion service can be up to several ten thousands RMB. 10 RMB is as of November 2007 equivalent to $1.34 US dollar.”
  • “The administrators of certain personal websites attract visitors with the help of free goodies, e.g., free movies, music, software, or tools. These websites often betray their visitors: they sell the traffic (i.e., website visits) of their websites to Envelopes Stealers (people that buy traffic and malware) by hosting the Web-based Trojans. This means that innocent website visitors are redirected via these malicious websites to other sites that then attack the victims. If the attack is successful, a piece of malware is installed on the victim’s machine.” The going rate: 40 to 60 RMB per 10,000 IP visits.
  • Gamers are the linchpin of China’s underground economy. These folks are the victims of virtual asset theft–powers in games and virtual money. Without their demand, hackers wouldn’t have much to sell.
  • Bulletin boards are the communications tool of choice. Specifically, Baidu’s bulletin board is popular with hackers. “One of the most prominent places for such markets within China is the Baidu Post Bar, the largest bulletin board community in China but with weak administration. Advertisements can be commonly found on several pertinent post bars at the site post.baidu.com. This system has a keyword-based structure, and there are no other entries to the post bar: if you do not know the keyword to search for, you will not find any malicious entries. The actors within the black market have their own, unique jargon, and thus it is hard for an outsider to find any information about this threat. The actual trading of virtual assets happens on public market places like Taobao. These very common online business platforms within the WWW are used by the cyber criminals to advertise and sell their goods. After a trade was successful and a Player has bought a virtual good, the money is sent commonly via Alipay.”

Technical Report: Studying Malicious Websites and the Underground Economy on the Chinese Web