[Infowarrior] - Korean IT: the cost of monoculture

Richard Forno rforno at infowarrior.org
Fri Jan 26 12:20:05 EST 2007


the cost of monoculture
http://www.kanai.net/weblog/archive/2007/01/26/00h53m55s

(I am still preparing for posts on my China trip, but I wanted to first
address the issue of monoculture as it is very relevant now.)

What would you say if I told you that there was a nation that was at the
forefront of technology, an early adopter of ecommerce, leading the world in
3G mobile adoption, in wireless broadband, in wired broadband adoption, as
well as in citizen-driven media? Sounds like an amazing place, right?
Technology utopia?

Wrong.

This nation is also a unique monoculture where 99.9% of all the computer
users are on Microsoft Windows. This nation is a place where Apple Macintosh
users cannot bank online, make any purchases online, or interact with any of
the nation's e-government sites online. In fact, Linux users, Mozilla
Firefox users and Opera users are also banned from any of these types of
transactions because all encrypted communications online in this nation must
be done with Active X controls.

I travelled to South Korea last fall to learn more about the South Korean
Internet market and came away disappointed and frankly stunned.

I met with leading businesses in the search market, the music download
market, the games market and all reported the same situation- a monoculture
of users using MS Windows. The S. Korean market is in a unique situation
where decisions made long ago have created a consumer monoculture which is
having unintended repercussions that are affecting anyone with a computer in
South Korea. It is a fascinating story because it is true.

The history goes back to 1998, when the 128 bit SSL protocol was still not
finalized (it was finalized by the IETF as RFC 2246 in Jan. '99.) South
Korean legislation did not allow 40 bit encryption for online transactions
and the demand for 128 bit encryption was so great that the South Korean
government funded (via the Korean Information Security Agency) a block
cipher called SEED. SEED is, of course, used nowhere else except South
Korea, because every other nation waited for the 128 bit SSL protocol to be
finalized and have standardized on that.

In the early years of SEED, users downloaded the SEED plugin to their IE or
Netscape browsers, either an Active X control or a NSplugin, which was then
tied to a certificate issued by a Korean government certificate authority.
(Can you see where this is going?) When Netscape lost the browser war, the
NSplugin fell out of use and for years, S. Korean users have only had an
Active X control with the SEED cipher to do their online banking or commerce
or government.

So we end up in 2007, 9 years after SEED was created for Korean users, and
one legacy of the fall of Netscape is that Korean computer/Internet users
only have an Active X control to do any encrypted communication online. So
in late 2006, a group of Korean computer/Internet users, Citizens Action
Network at Open Web Korea, having documented the problem with accessibility
of sites via anything other than Microsoft IE, have decided to sue the
Korean government.

It gets worse.

Remember how Active X controls were and continue to be a significant vector
of viruses and malware because Microsoft originally architected Active X to
run by default instead of with a user action? Maliciously programmed
websites would be able to automatically install software on users' computers
just by visiting a web page in IE 6. In IE 7 and in Vista, Microsoft has
re-architected Active X controls in such a way to make them "more safe" by
requiring a user action for the control to run. This is obviously impacting
every web site and company that uses active X controls on their websites,
which include just about every website in Korea that handles any kind of
secure transaction. Every online bank, every governmental agency, every
ecommerce site. Without enough time to re-architect Korean websites, 3 S.
Korean governmental ministries, the Ministry of Information and
Communication, the Ministry of Government Administration and Home Affairs,
and the Financial Supervisory Service, warned S. Korean users that upgrading
to Vista would disable the user from making any secure transaction online.
Can you imagine spending thousands of dollars on a new machine (because the
requirements of Vista generally require new hardware) and a new OS from
Redmond only to be locked out of any secure transaction online? It's
Kafkaesque.

To add insult to injury, the monopolist who absolutely controls the Korean
market for computers won't delay the launch of Vista to allow for Korean
websites to re-code their sites. "We've been testing Vista with banks and
other service providers since September, but we encountered more delays than
we expected. We plan to release the product as scheduled."

Absolutely incredible.

A related problem is that KISA and Microsoft announce "plans to work
together to improve computer security awareness" or "mark anniversary of
cooperation with renewed pledge" when in fact the situation in 2007 is no
better than it was in 2003 when KISA decided to "work with Microsoft." I
can't tell who is the fox and which is the henhouse, but either way, the two
should not be near each other.

Another part of the Korea story that I cannot comprehend are articles about
Linux in Korea. The Korean Army considering Linux. Kwangju City as "Linux
City." If the Korean Army or Kwangju city cannot do any encrypted
communications because their operating system of choice does not work with
Active X controls, I'm not sure if this is hype or confusion.

To get the most depth and perspective on this topic, from the people in
Korea who are suing the government, it's best to read the documents at Open
Web Korea.

This issue with the launch of Vista and IE 7 and the work of thousands and
thousands of web programmers in Korea who are feverishly working to
reprogram their sites to work with Microsoft's new standards - do they
realize that their efforts only bring them back to square 0 - there's no
more heterogeneity in the Korean Internet market post-Vista than pre. The
problem for Korean websites wasn't competition from MSN Korea, it was their
sole dependence on infrastructure from Microsoft.

Korea will only get beyond this problem by 1) applying Korean laws on open
standards to the certificate authorities, 2) reassigning new certificates
which work with open web standards to all Koreans, 3) reprogramming all
Korean websites to support 128 bit SSL which will allow for a heterogeneous
marketplace of operating systems and web browsers. This is a herculean task
and thus Korea stays hostage to Redmond.

Fascinating history. Unintended consequences and de-facto monopolies create
costs too high to calculate and must be borne without question.
