South Korea Begins To Deprecate ActiveX

jones_supa writes The reliance on proprietary technologies to deliver web services varies from country to country. South Korea's ActiveX problem has been in the news before. Yonhap brings us a short report that the government plans to finally start cleaning up this troublesome technology from public websites later this month, as Korea gears up to create a more friendly Internet environment. The country's online financial websites and shopping malls often use ActiveX to have their payments and identification programs securely downloaded to users' personal computers.

Re:

[rudy_wayne]

You;re thinking of North Korea.

Re: Didn't knew they even had computers

[spongman]

In the 80's, before China opened up, everything was 'made in korea'. Korea's huge industrial success was what lead, in part, to China's economical thaw.

Re:

[maestroX]

What about cheap N-Korean labour?

Re:

[RightwingNutjob]

Mandatory policies of being sent to re-education camp for speaking with foreign customers and suppliers tend to put a damper on any such advantage.

Re:

[jrumney]

They tried it for a while - N. Korea had a special zone just across the border where South Korean companies could send in managerial staff daily, but it turns out that such a scheme is not sustainable in the political climate that exists between the two Koreas. I don't think many South Korean companies are interested any more in having a factory that they can be closed down on a whim every time the supreme leader has a tantrum.

Re:

[zippthorne]

A decade ago South Korea had had a well-publicized StarCraft obsession for years. The fact that they are stuck on ActiveX is due to them being early adopters of internet banking and government activities. IIRC, a decade ago there were already articles and discussions about being South Korea being stuck on ActiveX...

Re:

[jrumney]

It was also due to the government's insistence that their homegrown encryption algorithms be used, combined with a delay in getting the algorithms registered as an official Cipher Suite for SSL/TLS, that led to them being implemented at the application layer rather than the transport layer.

Re:Didn't knew they even had computers

[Blaskowicz]

Two decades ago would be about when Hyundai cars were introduced to Europe. That is pretty significant, we don't hear of cars from Vietnam or even China (I believe China has a huge car industry, but it's not sold globally and we can't even cite one constructor from China whereas I know S.K. has Samsung, Kia, Hundyai and SsangYong. I forgot Daewoo cars)

A decade ago : South Korea known for being where most RAM is made, and then a ton of flash memory as well. We can't have our PC compatibles and shit without South Korea, in the same way we can't do without Taiwan for the motherboards or Thailand for the hard drives.

Re:

[Harlequin80]

The sell a shit tonne of cars here in Australia. Main brand is called "Great Wall"

Re:

[jrumney]

Daewoo cars are now mostly branded as Chevrolet (maybe still Opel or Vauxhill in Europe), even in Korea. They are responsible for most of the smaller car designs from GM (from the Cruze down).

Chery is the only Chinese manufacturer I've seen locally, though another poster commented that Great Wall is available in Australia, so different manufacturers may be targeting different markets.

Re:

[alvarogmj]

In South American countries we have recently (last 5 years or so) started receiving cars made in china, and there are A LOT of brands.
Many of their models are cheap knock-offs of known models by other manufacturers (see Chery QQ vs Chevrolet Spark, or BYD F3 vs Toyota Corolla), and all of them sell a lot cheaper than the other brands. Usually lacking in the safety side, but sadly on par with the cars made in Brazil or Argentina for our local markets. And in a country (Uruguay) where, due to taxes, a Honda C

Re:

[stoatwblr]

Two decades? Try four.

Back in the early 80s various friends at high school had various iterations of the Hyundai Pony and most were decade old beaters at that point.

You're not the only one who forgot Daewoo cars. They went bankrupt and are part of GM now - and that had a lot to do with the product failing crash tests worldwide.

China has such a big internal market that they're not exporting much. The market is big enough that VW, Fiat, Toyota, Nissan and Ford are all running major assembly lines in china put

Re:Didn't knew they even had computers

[jonbryce]

South Korea is a very advanced and prosperous country, with income levels broadly similar to the European average. They most certainly have computers.

Re:

[Sun]

Then where do Samsung phones come from?

Re: Didn't knew they even had computers

[Anonymous Coward]

China

Re:How are HTML5, CSS and JS not proprietary?

[TheReaperD]

The main difference that makes HTML5/JS/CSS "open" in this case is that any person or company can use the technology free of charge in any capacity without fear of a copyright claim or demands for payment. With ActiveX, only the end users who write scripts may use it free of charge. If you want to implement it in a browser or some other capacity, you have to sign a licence agreement with Microsoft or get sued. That's what "open" means in this case though I fully understand and agree with the FOSS community that this is not what "open" should mean but, I'll take it over the alternatives we have at the moment.

Re:

[Anonymous Coward]

If you want to implement it in a browser or some other capacity, you have to sign a licence agreement with Microsoft or get sued.

That's an outright lie.

Re:

[Anonymous Coward]

I guess that is pretty insightful, as far as total bullshit goes.

Re:

[Anonymous Coward]

ActiveX executes compiled binaries instead of scripts... but anyway, there is no proof that you have to sign a license agreement to make an ActiveX implementation. For example Konqueror received ActiveX support [slashdot.org] back in the day, although that was just a Wine-like wrapper. Probably the reason that no one has made a native ActiveX implementation for Linux is simply that ActiveX is very Windows-centric technology and expects many Windows APIs to be available.

Re:

[BitZtream]

I've written many ActiveX controls, some for use in a browser, some not.

At no point was I required to sign or agree to a license to do so.

You can make ActiveX controls with any compiler that supports WIndows and will create DLLs with C++ calling conventions that match the MS style ... So pretty much all Of them.

ActiveX is no different than XPCOM ... Which is at the very core of Firefox, it's just a convention for generic, self describing plugins and is fully publicly documented.

The only insightful thing a

Re:

[Anonymous Coward]

I've written many ActiveX controls, some for use in a browser, some not.

At no point was I required to sign or agree to a license to do so.

With requiring a license he was talking about creating the ActiveX runtime environment for a web browser.

Re:

[disambiguated]

I've written many ActiveX controls, some for use in a browser, some not.

At no point was I required to sign or agree to a license to do so.

With requiring a license he was talking about creating the ActiveX runtime environment for a web browser.

No license is required for that either. All ActiveX is, at heart, is a hierarchy of C++ style interfaces (classes with nothing but pure virtual functions) rooted in a single interface (IUnknown), together with a handful of global C functions (e.g. CoCreateInstance). It can be supported on any platform as long as the C++ compiler implements virtual functions with a pointer to a vtable at the beginning of any object with virtual functions. That's every major compiler on every major platform. Actually you can

Re:

[stoatwblr]

"The problem is that virtually all ActiveX components are written for Windows and make Win32 calls."

Inna nutshell - yup.

This is why I've sucessfully argued with UK govt regulators that web pages which rely on ActiveX are proprietary and discriminatory - as such they are prohibited under open government rules and it's relatively easy to order govt authorities (local/national/regional) to cease using them immediately (the threat of having their funding cut off for non-compliance is the kind of thing which get

Re:

[stoatwblr]

"You can make ActiveX controls with any compiler that supports WIndows and will create DLLs with C++ calling conventions that match the MS style ... So pretty much all Of them."

All of them that run windows, maybe.

I've yet to see DLLs in OSX or Linux.

Re:How are HTML5, CSS and JS not proprietary?

[Craig Cruden]

"ActiveX is a software framework created by Microsoft that adapts its earlier Component Object Model (COM) and Object Linking and Embedding (OLE) technologies for content downloaded from a network, particularly in the context of the World Wide Web. It was introduced in 1996 and is commonly used in its Windows operating system. In principle it is not dependent on Microsoft Windows, but in practice, most ActiveX controls require either Microsoft Windows or a Windows emulator. Most also require the client to be running on Intel x86 hardware, because they contain compiled code." HTML5 is a standards based format, so is CSS. JavaScript has been standardized in the ECMAScript language specification.

Re:

[NotInHere]

With HTML, CSS and JS, you have a choice between well working open source implementations, that you can improve, and publish browser forks on your own. I mean, it was open source which eased google to make chrome the first place.

Re:

[disambiguated]

That's only true if you want to run controls that were written for windows. If COM and OLE were supported on other platforms, then presumably people would write COM/OLE components for those platforms, and those would run fine on their platforms.

Back in the 90s, there were some other systems that supported COM/OLE (IBM and Sun Microsystems for example.)

CORBA [wikipedia.org] is practically the same thing, and is available everywhere. The problem with CORBA is that is a typical design-by-committee mess. It ended up way too co

Re:

[beelsebob]

Anyone can read the HTML5, CSS and Javascript specs, and implement them. Only Microsoft can read the ActiveX spec and implement it.

Re:

[Anonymous Coward]

Only Microsoft can read the ActiveX spec and implement it.

That's utterly false, as has been pointed out numerous times in the comments. All of the documentation is available and always was. It was never encumbered by patents or licensing issues. It can be (and has been) implemented on other platforms. It was just never very popular outside of Windows.

Re:

[Just Some Guy]

But then these same people say that HTML5 and JS and CSS are better because they're "open".

I hate using non-open technologies like TCP/IP. They never once consulted me and now I have to go by their "standards" instead of what I want to do this week.

Re:

[MightyYar]

I don't see how that's the case.

Maybe you are trying to start some kind of pedantic discussion, but I don't really understand your argument. The reality is:
ActiveX: Works on MS Windows running IE.
HTML5/JS/CSS: Works on Android, IOS, MacOS, Linux, Solaris, the BSDs, Chrome, Windows, Windows Phone, etc.

You can play with definitions all you like, but you are not locking yourself into a single vendor like you do with ActiveX.

Re:

[RightwingNutjob]

There's no such thing as complete freedom from lock-in. unless you're totally vertically integrated from the rare earth mines, up through the wafer fabs, all the way to the OS and the user software. Example: SpaceX, which does almost everything, including software, in house and doesn't have to march to the beat of somebody else's drum.

Back to software: you're locking yourself into something whenever you deploy anything. ActiveX makes you stuck on Microsoft. Java, though claimed to be multiplatform with com

Re:

[MightyYar]

There is a huge difference between being locked into a single vendor and being "locked in" to every major platform of the day.

Re:

[disambiguated]

The GP was right; for a right-wing nutjob he makes a lot of sense. I've been saying the same thing for years, nobody listens.

You're never really "locked in". All that is really meant by that is that there is a cost to moving away from some external dependency, and there is always a cost. Every external dependency a project takes on is "lock in." That includes the operating system, programming language, third party libraries, and everything else that isn't part of the project itself. You can try to minimize

Re:

[MightyYar]

You are right that you are "locking in" a certain development environment. But that is only part of your application... you will have end-users actually putting your application to use. It is one thing to lock in your single development machine or handful of machines to a single vendor - quite another to lock in all of your users as well. It was all well and good to blow off the 5% of people back when smart phones and Macs were marginal 10 years ago. It is quite another to blow off 50% of people on alternat

If you go back 18 years

[Anonymous Coward]

I'm pretty sure nearly every story posted on Slashdot about ActiveX had at least 50 responses that included the words "M$".

Re:

[jones_supa]

Heh! We can always go and see: Google Search: site:slashdot.org activex [google.com]

Here's an ActiveX discussion in Slashdot from 10 years ago: Brian Hook on the ActiveX Experience [slashdot.org]

Re:

[nitehawk214]

10 years ago isn't long enough. Go back 15 and everyone that wasn't drinking the kool-aid already knew it was complete garbage, and yet Microsoft kept trying to force it down people's throats.

10 LET M$ = "Microsoft"

[tepples]

responses that included the words "M$"

"M$" looks like a string variable in old-skool line-numbered BASIC, and Microsoft started out publishing BASIC interpreters. Could "M$" mean "The company should have stuck to BASIC and not branched into microcomputer operating systems"?

Re:

[dbIII]

If they had stuck with Xenix we may not have ended bottom lip deep in a malware swamp listening for approaching speedboats.

Trick the user into elevating to install something

[tepples]

If they had stuck with Xenix we may not have ended bottom lip deep in a malware swamp

Could you explain how that might not have happened? Xenix (which became SCO OpenServer) was just Microsoft's port of AT&T UNIX to PCs. UNIX is just as vulnerable to malware as Windows: if you trick the user into elevating to install something, something will be installed.

Yes it's the elevating bit that would help

[dbIII]

Starting with a multiuser approach and being aware of a network that early on is likely to have made all of the difference.
Most of the shit is a legacy of having a single user non-networked environment for so long.
Currently it's a single click on an email to infect all the available network shares with cryptolocker - nothing about elevating to install something at all.

Re:

[tepples]

Even in a networked environment, if you can convince the owner of a home PC to download a binary package and elevate to install it, you 0wn his PC. Trusting your operating system's default repository doesn't help if a trojan poses as a type of desirable software that's often excluded from repos on licensing grounds [pineight.com], such as games or media players.

Modded down due to malware mention?

[dbIII]

Seriously guys - every time I give an example of malware on an MS platform I get modded down - grow a pair instead of living in denial.

Back to the above poster, yes it may still happen in environments where security was considered from day one but I'm convinced the years of no privelage separation at all has resulted in the scale of the current problem.

The Cost of Monoculture

[Zanadou]

Holy shit snacks, does that mean that one day I might be able to use Korean government or online banking website with Firefox???

Probably not, the country's extremely monocultural when it comes to computing tech. ("Not Invented Here" [wikipedia.org] was one of the problems in the first place. [kanai.net]) For example, nearly all the PCs there are Windows/Intel/nVidia combos... you really need to jump though hoops and/or be really specific when ordering computers to get anything else. And, only people at Daum [daum.net] and KAIST [kaist.ac.kr] seem to even hav

Re:

[hjf]

Yes. We do some warranty stuff for LG. Their website is IE6-only (older versions on compatibility mode). It uses a SHITLOAD of ActiveX components for really, really dumb things. Like: Grid Views, Drop Down Views, etc. It's the typical "I'm used to a desktop app so I expect a web app to behave exactly like a desktop app, with pop-up windows and all other controls". This is endemic with MS developers.

Re:

[Dutch Gun]

Extremely monocultural? As opposed to the US, where... what, if I recall correctly, Linux has a 1.5% desktop market share and Macs are around 5% or so? South Korea is certainly worse off, but honestly, it's a little hard to argue about a "monoculture" in South Korea when in reality it's only a few percentage points away from the rest of the world in terms of PC OSes.

Besides, more and more people are moving away from PCs to phones and phablets for day to day computing needs, and Samsung phones (and Android

Re:

[RightwingNutjob]

Desktop share doesn't matter. Server share, supercomputer share, and embedded share matter. Why? Because that reflects the mindshare of the geeks and their bosses who pay for the stuff. That means it's not a hard sell to say a customer-facing stuff should be compatible with Mac and Linux, because it would be pretty silly to make software you can't test within its own box, even if you do need to test it with typical customer boxes and OSs before you release. Year windows dominates, but you still see billboar

From a simpler era

[Baldrake]

I worked with ActiveX technology close to 15 years ago. It was a much simpler era, where there was little need to worry about platforms other than Windows+IE, and where most of us hadn't really caught on yet to how ruthless the hackers were going to become. And frankly there wasn't a whole lot of alternative for pushing real app functionality from the web in those days. Some people were using Java, which certainly wasn't any more secure, and eventually Flash began to gain traction. So it's not completely hard to understand how we got where we are.

Re:

[TheReaperD]

True, ActiveX was just one of several bad ideas that became "standards" during the web's explosive growth period. Others that came to mind were the blink tag, Flash (as you mentioned), Java (for the web, a terrible idea), and the abortion of a scripting language known as JavaScript. JavaScript is just the lesser of the evils of the technologies and no one has been able to push forward a replacement, though several have tried.

Re:

[kthreadd]

Everything that is a plugin is more or less unsuitable for the web, especially now when more (or even most) web traffic comes from mobile computers where plugins are sometimes not even possible to use.

Re:

[ADRA]

Javascript itself is a plugin. Any concept of distinction is flawed. Lets say in the panaea of worlds, Oracle gave Java tech and all its reference impl's away for free BSD styled. What if anything would be the harm of writing browser scripts in Java vs. Javascript vs. go vs. .net-whatever, etc.. if every single browser developer had access to native embeddable runtimes embedded into the tool?

Java already has a great sandboxing system that was unfortunately broken badly by their native/nsapi plugin layer, bu

Re:

[Shados]

The primary issue with java applets at the same (if you assumed a world where it was preinstalled and where version management didn't matter, bringing it in line with JavaScript), was complexity and startup time.

Doing something simple took too much code, and it took forever for a page with it to start. It would have to go in a very different direction than where it was going to have been different.

Re:

[kthreadd]

Javascript itself is a plugin. Any concept of distinction is flawed. Lets say in the panaea of worlds, Oracle gave Java tech and all its reference impl's away for free BSD styled. What if anything would be the harm of writing browser scripts in Java vs. Javascript vs. go vs. .net-whatever, etc.. if every single browser developer had access to native embeddable runtimes embedded into the tool?

If it was built into every single browser then things would be different. But that doesn't matter right now because it's not. It doesn't matter how great of a technology it is if you can't run it on an iPhone.

Re:

[kthreadd]

Java became de-facto monoculture, there is only one widely used implementation.

You're talking about Android, right?

Re:

[RobinH]

To be fair, comparing ActiveX to Java is incorrect. The counterpart in the Java world of ActiveX is the "Java Applet" which, along with ActiveX, really needs to go away. Writing a self-hosted Java program is no different than a .NET program, and neither one are going away any time soon. JavaScript, however, only had one serious competitor: VBScript. JavaScript won. It's the best thing we have for rich client functionality, and it's not going away any time soon, even though, I think, HTML5 is going to a

Re:

[BarbaraHudson]

My favorite was the <marquee> tag. Worked a lot better than today's javascript-powered scrollers.

Re:

[youn]

Almost as awesome as the blink tag :p

Re:

[Baldrake]

Going from memory here, and things may have changed completely in the meantime. If your applet could live in the sandbox, then great. But many applications needed to get out of the sandbox. Remember this was long before cloud storage, so many apps required access to your file system, for example. Or apps might require access to your email client or your contact list. And so you'd sign your applet and have it ask for permission to access outside the sandbox, which in the end made it no different from ActiveX

Re:

[ADRA]

At least since the Java 1.4-ish era of security, depending on the security manager in place, you could retain complete sandbox mode while allowing for specific access to sensitive information (like fs access) on demand. it certainly is laborious having to continually prompt users to let them do things. I would've leaned more toward android like security bundling where you'd have to specifically 'install' the applet, but then it has some level of systems integration with a bundle of security permissions gran

Re:

[jrumney]

Printing was another reason to require a signed applet. It was possible to limit the extra capabilities granted to an applet - but it was a huge learning curve that most developers were not interested in, and chances are that the end user isn't going to notice, or understand the difference (since their brain will shut down [slashdot.org] when they see the security dialog) so in most cases, a signed applet was getting full access, just like an ActiveX control.

Re:

[Art3x]

It was a much simpler era, where there was little need to worry about platforms other than Windows+IE

You were part of the problem.

ActiveX

[Dan East]

In case anyone is wondering what ActiveX is, it's essentially a Windows program you download that runs natively on your computer. It gets to draw to the specified element in the browser, which makes it look like it's part of a webpage. There isn't (or wasn't) any kind of sandboxing or security once the ActiveX component was installed - it could do anything it wanted on your computer like any other Windows program, because that's essentially what it was. The only security was whether or not you installed the ActiveX component in the first place. If I remember correctly they are really just DLLs, and used Component Object Model for the standard in which the DLL exposes methods, etc.

Re:

[140Mandak262Jamuna]

It is aided and abetted by what are known as Browser Helper Objects, which are further code downloaded from the internet and run natively in your computer without any user intervention or even a notification. Thus the ActiveX dll is merely the entry way. Anything from anywhere gets to run anything on your computer through ActiveX and BHOs. In retrospect it looks like a very dumb idea. But back then, for PCs, the P as in Personal was the dominant part. No clear distinction between user, admin and the owner.

Re:

[tlhIngan]

And ActiveX got a severe makeover in IE7. So much so that practically everything broke. Which is why IE6 hung around so long.

Of course, you have admit that South Korea is FINALLY getting around to fixing it given IE7+ has been around for years now. I'm guessing Windows 7 and XP Mode support is getting harder to come by?

it's not ActiveX problem really

[Anonymous Coward]

In Korea it is required to use a government sponsored certificate for all online transactions, and the certificate is available only if you have an ActiveX supported computer. This sounds very stupid but it is true.

Now that Microsoft has abandoned ActiveX, the Korean government has to give up ActiveX. The plan is to rewrite the ActiveX code and future online customers need to download and install an .exe file for handling the certificate. The real problem is not ActiveX. The real problem is the Korean gover

Re:

[jonbryce]

So you can't do online banking on an iPad, or a Samsung Galaxy Tab?

Re:

[MichaelSmith]

Yes.

Supplemental Expert Report of Andrew Schulman

[DougPaulson]

'For example, “COM supports an undocumented feature called channel hooks. Well, they are semidocumented in the Win32 header files and in Don Box's ActiveX/COM column (MSJ, January 1998). Microsoft does not officially support channel hooks on either Windows NT 4.0 or Windows 2000 If you're still reading, then you've acknowledged that disclaimer and I can get into the details”' ref [sonic.net]

"Securely"

[facetube]

...is not the adverb I'd use when talking about ActiveX.

Koreans have weird ideas about security

[MichaelSmith]

Working in Korea once I needed to install a package with apt-get but the file came down empty. I asked around and it turns out that to download anything on the corporate network you had to install this active-x component which looks to see if a storage device is connected to USB. If a device is connected the download still won't work, but you can still make a local copy of the file, plug in the USB key, and copy the file that way, which is what we did on a windows box.

Half measures all over the place.