Mozilla in Asia

Kim Tong-hyung, staff reporter for the Korea Times, is the only reporter providing English-language coverage of the news on the Microsoft monopoly in S. Korea.

I wanted to share two recent articles from Kim Tong-hyung, one covering the event that Mozilla’s Lucas Adamski attended at the end of April and another covering the “anti-virus” industry in Korea, which is one of the incumbent industries that would be significantly negatively affected if the Korean government moved away from the current PKI-based encryption architecture.

Experts Say Specific Tech Mandates Make [Korean] Internet Banking Vulnerable

“There is danger in relying on technology too much, and specific technology in that,” Schneier said, stressing that the government should be commanding “results,” rather than technologies, from banks and credit-card companies in their efforts to provide better user protection.

“Once a law mandates specific technologies such as protocol, applications or software, innovation stops. Companies know they will be okay as long as they do everything that the law says, and they will not figure out ways to make things more secure.

and

Lucas Adamski, who heads the software security team at Mozilla, which backs the Firefox Web browser, said online banking and e-commerce providers should consider redesigning their Web pages to support HTTPS, or HTTP Secure.

“Supporting HTTPS comes with many benefits. The server is authenticated to ensure the user is talking to the server they think are talking to, before any content is sent or received,” Adamski said.

“The browser will not normally send or receive any content from a Web site with an invalid or expired certificate or if the certificate does not match the server name. This means that there is no opportunity for a man-in-the-middle (MITM) injection attack to happen in the first place.”

Is AhnLab to blame for online banking mess?

Kim Kee-chang, a Korea University law professor who had led a series of unsuccessful lawsuits against the government over the overwhelming Active-X use, is absolutely merciless when describing the role of AhnLab and other anti-virus firms in the whole mess.

“Anti-virus firms are the only ones who are benefiting from the current Internet banking structure, which itself happens to be the biggest fraud of all. This system is all about creating an illusion of security that essentially does nothing other than allowing these software makers to make easy money off aging technology,” Kim said in a recent interview with The Korea Times.

“It’s depressing to see these so-called Internet technology experts sinking so low, sacrificing their morality to the last ounce in pursuit of profit. They have government officials in their pockets, as nobody ever accuses bureaucrats of having a bright understanding of technology,” he said, emphasizing that it was the anti-virus firms that chose plug-ins as the method to provide the required security programs to banks and computer users.

For those of you who have followed my blog, you know that it has been 3 years since I first reported on the fact that Korea does not use SSL for secure transactions over the Interent but instead a PKI mechanism that limits users to the Windows OS and Internet Explorer as a browser. Nothing fundamentally has changed but there are new pressures on the status quo that may break open South Korean for competition in the browser market in the future.

In fact, one of the new pressures on the status quo has been the popularity of the iPhone in South Korea, which wasn’t available officially until late 2009 due to a different Korean software middle-ware requirement, WIPI, which has since been deprecated. With WIPI dead and buried, Apple released the iPhone to great fanfare in the Korean market and Blackberry has also launched in the Korean market.

Another pressure on the status quo was a recent report out from 3 researchers (Hyoungshick Kim, Jun Ho Huh and Ross Anderson) from the University of Oxford’s Computing Laboratory, “On the Security of Internet Banking in South Korea.”

South Korean Internet banking systems have a unique way of enforcing security controls. Users are obliged to install proprietary security software – typically an ActiveX plugin that implements a bundle of protection mechanisms in the user’s browser. The banks and their software suppliers claim that this provides trustworthy user platforms. One side-effect is that almost everyone in Korea uses IE rather than other browsers.

We conducted a survey of bank customers who use both Korean and other banking services, and found that the Korean banks’ proprietary mechanisms impose significant usability penalties. Usability here is strongly correlated with compatability: Korean users have become stuck in an isolated backwater, and have not benefited from all the advances in mainstream browser and security technology. The proprietary mechanisms fail to provide a trustworthy platform; what’s more, alternative strategies based on trustworthy computing techniques are quite likely to suffer from the same usability problems. We conclude that transaction authentication may be the least bad of the available options.

The popularity of the iPhone (the press claims 500,000 units sold in the few months since it was released) resurfaced the issue that only Windows and IE can be used to make secure transactions with Korean Internet services. iPhone/Blackberry/Android users in Korea (not to mention Firefox/Opera/Safari/Chrome users) cannot bank online or purchase items online or do any secure transaction with the smartphone browser because Korean services only support the PKI mechanism that only works with Active-X in IE and Windows.

Dr. Keechang Kim of Korea University has been working tirelessly for many years to try to change the status quo in Korea around browsers and the reliance on a PKI mechanism that is tied to one platform. With concern being raised by different parts of the Korean government, including the Korean Communications Commission as well as the Office of the President of Korea, Keechang has gathered a very interesting panel of presentations for April 29th in Seoul.  The panelists will be addressing the (Korean) Financial Supervisory Service (FSS) which is the regulatory body in Korea that is currently mandating the PKI mechanism that is in place today (which requires Active-X, etc.)  Unless the FSS relaxes or changes their regulations, Korean banks cannot offer other mechanisms for Korean users to bank online, etc.  In short, unless the FSS changes their stance, nothing will change in Korea.

“Security Issues of Online Banking & Payment in Korea” is an open public meeting (registration recommended) starting at 10 AM on April 29th at COEX Conference Hall E1 and will feature:

• Bruce Schneier (Chief Security Technology Officer, BT) on “Security: What Works, What Doesn’t, and Why”
• Hyoungshick Kim, Jun Ho Huh (Univ. of Oxford) “What’s the danger of mandating proprietary security solutions?”
• Lucas Adamski (Dir. Security Engineering, Mozilla) on “Securing Browser Interactions”

Again this meeting is open to the public. Anyone is welcome to attend.

While I have no illusions that one meeting will get the key Korean government entities to do a 180 from their current stance, I do think this will be an important opportunity to bring external, Korean and non-Korean security expertise to Korea to discuss the current state of affairs and show that a PKI-based security architecture is only as secure as the computers that those certificates are used on.  If the computers are compromised, and at least one security services provider, Network Box, claims that S. Korea is the largest source for malware in the world, (Korea reigns as king of malware threats) then there is no way to be sure that the person in control of those personal certificates is the legitimate owner.

The deletion of the requirement for WIPI in Korean mobile phones opened the Korean market to the iPhone and the Blackberry and Android phones from outside of Korea.  Korean users of these new smartphones realized that they could not bank online, buy online, etc. and are now pressuring the Korean government to change the current laws which mandate a PKI-based mechanism that has been implemented with Active-X.  As the popularity of smartphones that cannot make use of the current PKI-based architecture for encryption/authentication grows in Korea, the pressure for the government to change their regulations will only mount.  The key question for Mozilla is whether the Korean government will open up to a point where Firefox and Fennec can be used in the future for secure transactions in Korea.

Thank you to Keechang and everyone in the OpenWeb.or.kr community for your tireless efforts to try to break open the Korean market. Thank you also to Channy Yun who has put aside his own schedule in order to participate and guide Lucas in Seoul.  There is still a long road to walk to an open, competitive market in S. Korea for browsers, but I am starting to see the light at the end of the tunnel.

Channy Yun, Mozilla’s community leader in Korea and the Korean Firefox localization leader has been selected as a Mindtouch “Most Powerful Voice” in open source.  Congrats to Channy for his tireless efforts to push web standards, the open web, and promote open source in both Korea and the world.

Changwon Kim, a friend of mine and a talented Internet entrepreneur who sold his blog service startup to Google in 2008 (and currently works at Google Korea), recently did a great presentation on the Korean Internet at TEDx Seoul. Changwon covers the fact that due to early broadband infrastructure and the geography of Korea, Korean companies were leading in innovations around virtual worlds, mobile Internet and social networks way before the global Internet brands that are world-wide today.  However, recently there has been less Korean innovation which has been concerning to technologists and entrepreneurs.

The video from his presentation is now online (in Windows Media) and covers some of the challenges facing the Korean Internet, including two mentions of the Microsoft browser monopoly in Korea.

TEDxSeoul Talks – [Changwon Kim] Korea Internet Galapagos

This is a re-post from the Mozilla Blog:

It has come to our attention that there are reports on the popular Thai forum Blognone, มีบริษัทไหน โดนคนจาก Mozilla โทรข้ามประเทศมาเช็คยอดคนใช้ Firefox บ้างไหมครับ, and from Mr. Paiboon’s blog เมื่อมีฝรั่งแปลกหน้าโทรเข้า ออฟฟิศของผม !!, of someone called ‘Edison’ calling Internet businesses in Thailand and using the Mozilla Foundation name. These callers are asking about how many computers in the company are using Mozilla Firefox and are connected to the Internet. Mozilla has no representatives named Edison and no representatives in Thailand doing any telephone-based market surveys. If you receive a phone call from a ‘representative of the Mozilla Foundation’ they are not a representative of Mozilla Corporation or the Mozilla Foundation.

Mozilla has done web-based surveys from the Mozilla website and other websites and does market research via email, but not via phone in Thailand. If you receive a phone call in Thailand from someone saying that they are from Mozilla, please do not provide any information and take their name and number and send it to press at mozilla dot com for confirmation.

Thank you very much for your support of Mozilla and Firefox in Thailand.

On November 26th, the newest Mozilla community, Mozilla Philippines, which started only a few weeks earlier in the Philippines, celebrated the Five Years of Firefox at the Asian Institute of Management in Manila.

Everything came together very quickly with organization driven by Regnard Raquedan, our new community leader, as well as the Filipino Campus Reps, (Ren-Ren Gabas, Allan Caeg, and Joell Lapitan among many others) who have been very active.  Sherwin Sowy of Globe Labs (a division of Globe Telecom) was kind enough to help with sponsorship and showed off a Firefox Addon that university students had recently developed which enabled the sending of web content (text or images) via SMS/MMS.

If you would like to join the new community that is growing in the Philippines to support Mozilla and Firefox, please join the Philippine Mozilla community list.

Five Years of Firefox in Manila Done!

Other blog posts on the event can be found here:

Five Years of Firefox in Manila Done! – Mozilla Philippines

Five Years of Firefox in Manila Done!

Five Years of Firefox in Manila! – a set on Flickr (Photos courtesy of Aja Lapus & Joell Lapitan)

Mozilla Firefox Turns Five

5 Years of Firefox in Manila, a Report

Happy 5th Birthday Mozilla Firefox!

2009-11-21 Five Years of Firefox in Manila – a set on Flickr:

Two pieces of news regarding web browsers in China, unfortunately neither of them good news.

China Tech News is reporting that Kingsoft, a software security package, and 360 Browser, which purports to be a more secure browser from Qihoo, are no longer working together as they had claimed to do earlier this year.

Browser War: China’s 360, Kingsoft Cease Tech Security Cooperation

While I haven’t been to the mainland recently (since 2007 in fact) I think a lot of the problems around software security and piracy are still par for the course.  That two “security” software vendors can’t work together just means that the user loses.  Kingsoft also claimed to be working with Maxthon earlier this year, Kingsoft, Maxthon To Jointly Develop Secure Browser- we’ll see if that ends up a better partnership than with Qihoo.

Then there is more ominous news from the BBC and The Register regarding the fact that Opera has forced all users of Opera Mini in China to use the Chinese language Mini. This comes with a new proxy server that is filtering access to websites like Facebook and Twitter, which used to be accessible.

Opera web browser ‘censors’ Chinese content

Opera plugs hole in Great Firewall of China

In fact Twitter users in China were complaining of this a few days before the BBC article was posted. There’s a lot to dislike about this outside of the fact that it looks like Opera is working with the Chinese government to filter the web for Chinese users. It also means that if you are an expatriate in China, and you’re more comfortable with an English interface for your web browser, you can’t use Opera Mini in English in China.

This is a sad day for the open web in China.

Poramate at Kapook has organized a Firefox 5th anniversary party in Bangkok, Thailand on Nov. 26th at GreenSpace by Greyhound, Central World. If you’re in Bangkok, this is the place to be on the 26th!

Firefox 5th Anniversary @ #CODEFAIL Party Bangkok Thailand

A Chosun Ilbo columnist (a leading Korean news provider), Kim Ki-cheon, has an op-ed regarding the Microsoft monoculture in Korea:

Korea’s Internet Is Mired in a Microsoft Monoculture

Korea is at the cutting edge in technology, the state of the art in e-commerce, an early adopter of third-generation wired and wireless communication, broadband and personal media. Yet 99.9 percent of computer users are on Microsoft Windows. Mac users cannot bank or shop online, nor do these users have access to government websites. The same goes for users of Linux, the free user-generated OS, and those using Mozilla Firefox or Opera to browse the web.

The observation comes from an early 2007 entry on a Japanese blog, written shortly after the blogger’s disappointing visit to Korea. It is not an unfair assessment nor is it borne of jealousy. Korea’s Internet monoculture has been a subject of concern here for some time and remains an issue. In a recently published book, Kim Ki-chang, a professor at Koryo University, says that Korea’s Internet environment is so unsound that nothing like it can be found in any other country in the world.

What is the problem? For one thing, accessing many Korean websites requires jumping through hoops not found anywhere else in the world. This may mean installing unfamiliar software programs, one to ensure secure access, another to protect against keystroke tracking, another for personal firewall protection, and on top of that, an antivirus program, all to be able to do some banking online. Nowhere else are websites so complicated and inconvenient.

It is also a uniquely Korean peculiarity that the programs needed for access to secure websites are compatible only with Microsoft Internet Explorer. Many are based on the ActiveX framework from Microsoft. And while there exist other technologies that perform the same function, none are in use in Korea. As a result, web browsers such as Firefox used by over 20 percent of users worldwide have no presence here.

Not much new here that has not been covered by me in the past but it is news to me that Kim Keechang has published a book on this topic.

Just a quick note to let you know that the 2009 Firefox Developers Conference in Tokyo will be on Sunday, Nov. 8th

Firefox Developers Conference 2009 – アドオンで Web の未来を切り開く！

The theme of this year’s developer conference is Add-ons, including Jetpack. The event is free but registration is required. Mozilla’s Aza Raskin and Chris Blizzard’s keynotes will be in English, but the rest of the presentations will be in Japanese.

If you would like to attend but do not read/write Japanese, please leave a comment here and I can help get you registered.  Hope to see you there!

UPDATE: for review, also take a look at the Firefox Developer Conference Summer 2007.