South Korea Begins To Deprecate ActiveX

jones_supa writes The reliance on proprietary technologies to deliver web services varies from country to country. South Korea's ActiveX problem has been in the news before. Yonhap brings us a short report that the government plans to finally start cleaning up this troublesome technology from public websites later this month, as Korea gears up to create a more friendly Internet environment. The country's online financial websites and shopping malls often use ActiveX to have their payments and identification programs securely downloaded to users' personal computers.

Didn't knew they even had computers

That country is pretty locked up as far as I know.

Re:Didn't knew they even had computers

[rudy_wayne]

You;re thinking of North Korea.

Re:Didn't knew they even had computers

[jonbryce]

South Korea is a very advanced and prosperous country, with income levels broadly similar to the European average. They most certainly have computers.

Re:Didn't knew they even had computers

He probably is. But a decade or two ago, before the South Korea's economical breakthrough, how many of us knew what kind of country South was either? Poor, rich? Many computers or not? How about a country like Mongolia today? Are good computers ubiquitous there? Not many people can give an answer off-the-shelf.

Just a meta-observation. :)

Re:Didn't knew they even had computers

They are researching RadioActiveX.

Re:Didn't knew they even had computers

[Sun]

Then where do Samsung phones come from?

Re: Didn't knew they even had computers

China

Re: Didn't knew they even had computers

It would be funny if it was true. They manufacture most of their phones, especially the high-end ones, locally in South-Korea.

Re: Didn't knew they even had computers

[spongman]

In the 80's, before China opened up, everything was 'made in korea'. Korea's huge industrial success was what lead, in part, to China's economical thaw.

Re: Didn't knew they even had computers

I don't know the proportions, but I do know that they have a lot of manufacturing in China.

Re:Didn't knew they even had computers

[zippthorne]

A decade ago South Korea had had a well-publicized StarCraft obsession for years. The fact that they are stuck on ActiveX is due to them being early adopters of internet banking and government activities. IIRC, a decade ago there were already articles and discussions about being South Korea being stuck on ActiveX...

Re:Didn't knew they even had computers

[Blaskowicz]

Two decades ago would be about when Hyundai cars were introduced to Europe. That is pretty significant, we don't hear of cars from Vietnam or even China (I believe China has a huge car industry, but it's not sold globally and we can't even cite one constructor from China whereas I know S.K. has Samsung, Kia, Hundyai and SsangYong. I forgot Daewoo cars)

A decade ago : South Korea known for being where most RAM is made, and then a ton of flash memory as well. We can't have our PC compatibles and shit without South Korea, in the same way we can't do without Taiwan for the motherboards or Thailand for the hard drives.

Re: Didn't knew they even had computers

[maestroX]

What about cheap N-Korean labour?

Re: Didn't knew they even had computers

[RightwingNutjob]

Mandatory policies of being sent to re-education camp for speaking with foreign customers and suppliers tend to put a damper on any such advantage.

Re:Didn't knew they even had computers

[Harlequin80]

The sell a shit tonne of cars here in Australia. Main brand is called "Great Wall"

Re: Didn't knew they even had computers

[jrumney]

They tried it for a while - N. Korea had a special zone just across the border where South Korean companies could send in managerial staff daily, but it turns out that such a scheme is not sustainable in the political climate that exists between the two Koreas. I don't think many South Korean companies are interested any more in having a factory that they can be closed down on a whim every time the supreme leader has a tantrum.

Re:Didn't knew they even had computers

[jrumney]

It was also due to the government's insistence that their homegrown encryption algorithms be used, combined with a delay in getting the algorithms registered as an official Cipher Suite for SSL/TLS, that led to them being implemented at the application layer rather than the transport layer.

Re:Didn't knew they even had computers

[jrumney]

Daewoo cars are now mostly branded as Chevrolet (maybe still Opel or Vauxhill in Europe), even in Korea. They are responsible for most of the smaller car designs from GM (from the Cruze down).

Chery is the only Chinese manufacturer I've seen locally, though another poster commented that Great Wall is available in Australia, so different manufacturers may be targeting different markets.

Re:Didn't knew they even had computers

how many of us knew what kind of country South was either? Poor, rich?

what the f... you really must be an american. aren't you?

Re:Didn't knew they even had computers

[stoatwblr]

Two decades? Try four.

Back in the early 80s various friends at high school had various iterations of the Hyundai Pony and most were decade old beaters at that point.

You're not the only one who forgot Daewoo cars. They went bankrupt and are part of GM now - and that had a lot to do with the product failing crash tests worldwide.

China has such a big internal market that they're not exporting much. The market is big enough that VW, Fiat, Toyota, Nissan and Ford are all running major assembly lines in china putting together CKD kits and exporting to the rest of SE asia in association with Chinese comglomerates.

Chery anf Geely are selling in Europe (and they got 5 star ENCAP ratings for their newest products - the days of "deathtraps" are long gone)
Several European makers are now wholly-owned subsidiaries of chinese companies (India owns a couple of brands too).

Re:Didn't knew they even had computers

[alvarogmj]

In South American countries we have recently (last 5 years or so) started receiving cars made in china, and there are A LOT of brands.
Many of their models are cheap knock-offs of known models by other manufacturers (see Chery QQ vs Chevrolet Spark, or BYD F3 vs Toyota Corolla), and all of them sell a lot cheaper than the other brands. Usually lacking in the safety side, but sadly on par with the cars made in Brazil or Argentina for our local markets. And in a country (Uruguay) where, due to taxes, a Honda Civic costs U$S 40.000, and a Chevrolet Spark costs U$S 15000, these brands are slowly eating the low-end with cheap (~ U$S 15000) sedans like the Lifan 620 or the BYD F3.

Some of the known brands around here: Lifan, Chery, Geely, Great Wall, JAC, BYD, FAW, Haima.

How are HTML5, CSS and JS not proprietary?

I keep hearing people say that ActiveX is "proprietary", and maybe it is. But then these same people say that HTML5 and JS and CSS are better because they're "open". I don't see how that's the case.

So Microsoft developing ActiveX makes it "proprietary". That's not different at all from how HTML5, JS and CSS have been developed. It's pretty much just Google, Mozilla, Apple and Opera (or people working for them) who have developed HTML5, JS and CSS. Even among those organizations, Google is clearly the heavyweight leading the show, with Apple only there because it has to be, and Mozilla and Opera trying as hard as they can not to be totally irrelevant.

The illusion of outside input may be there, but I don't think it actually exists. It's Google's way, or fuck off. As an outsider, I know I couldn't have had any meaningful impact on the HTML5, JS or CSS work. The same goes for pretty much every other outsider, too. So for us, there's no difference between a Microsoft-created web product and a Google-created web product. We don't have a say either way. All of these technologies are "proprietary" from our perspective. They're "open" in marketing only.

Re:How are HTML5, CSS and JS not proprietary?

[TheReaperD]

The main difference that makes HTML5/JS/CSS "open" in this case is that any person or company can use the technology free of charge in any capacity without fear of a copyright claim or demands for payment. With ActiveX, only the end users who write scripts may use it free of charge. If you want to implement it in a browser or some other capacity, you have to sign a licence agreement with Microsoft or get sued. That's what "open" means in this case though I fully understand and agree with the FOSS community that this is not what "open" should mean but, I'll take it over the alternatives we have at the moment.

Re:How are HTML5, CSS and JS not proprietary?

[CraigCruden]

"ActiveX is a software framework created by Microsoft that adapts its earlier Component Object Model (COM) and Object Linking and Embedding (OLE) technologies for content downloaded from a network, particularly in the context of the World Wide Web. It was introduced in 1996 and is commonly used in its Windows operating system. In principle it is not dependent on Microsoft Windows, but in practice, most ActiveX controls require either Microsoft Windows or a Windows emulator. Most also require the client to be running on Intel x86 hardware, because they contain compiled code." HTML5 is a standards based format, so is CSS. JavaScript has been standardized in the ECMAScript language specification.

Re:How are HTML5, CSS and JS not proprietary?

Standardization processes involving a small number of organizations, each with restricted membership, coming up with specifications and standards without much, if any, outside influence and input really are proprietary in practice. That's exactly what the GP was pointing out. These standards aren't open. They're proprietary by the very nature of their limited-access development.

Re:How are HTML5, CSS and JS not proprietary?

[NotInHere]

With HTML, CSS and JS, you have a choice between well working open source implementations, that you can improve, and publish browser forks on your own. I mean, it was open source which eased google to make chrome the first place.

Re:How are HTML5, CSS and JS not proprietary?

[beelsebob]

Anyone can read the HTML5, CSS and Javascript specs, and implement them. Only Microsoft can read the ActiveX spec and implement it.

Re:How are HTML5, CSS and JS not proprietary?

If you want to implement it in a browser or some other capacity, you have to sign a licence agreement with Microsoft or get sued.

That's an outright lie.

Re:How are HTML5, CSS and JS not proprietary?

I guess that is pretty insightful, as far as total bullshit goes.

Re:How are HTML5, CSS and JS not proprietary?

[Just+Some+Guy]

But then these same people say that HTML5 and JS and CSS are better because they're "open".

I hate using non-open technologies like TCP/IP. They never once consulted me and now I have to go by their "standards" instead of what I want to do this week.

Re:How are HTML5, CSS and JS not proprietary?

COM and OLE are also open standards. They have been implemented on other platforms, but afaik no other browser has implemented them. HTML5 is more popular, that's about it.

Re:How are HTML5, CSS and JS not proprietary?

[MightyYar]

I don't see how that's the case.

Maybe you are trying to start some kind of pedantic discussion, but I don't really understand your argument. The reality is:
ActiveX: Works on MS Windows running IE.
HTML5/JS/CSS: Works on Android, IOS, MacOS, Linux, Solaris, the BSDs, Chrome, Windows, Windows Phone, etc.

You can play with definitions all you like, but you are not locking yourself into a single vendor like you do with ActiveX.

Re:How are HTML5, CSS and JS not proprietary?

ActiveX executes compiled binaries instead of scripts... but anyway, there is no proof that you have to sign a license agreement to make an ActiveX implementation. For example Konqueror received ActiveX support back in the day, although that was just a Wine-like wrapper. Probably the reason that no one has made a native ActiveX implementation for Linux is simply that ActiveX is very Windows-centric technology and expects many Windows APIs to be available.

Re:How are HTML5, CSS and JS not proprietary?

[BitZtream]

I've written many ActiveX controls, some for use in a browser, some not.

At no point was I required to sign or agree to a license to do so.

You can make ActiveX controls with any compiler that supports WIndows and will create DLLs with C++ calling conventions that match the MS style ... So pretty much all Of them.

ActiveX is no different than XPCOM ... Which is at the very core of Firefox, it's just a convention for generic, self describing plugins and is fully publicly documented.

The only insightful thing about your post is that slashdot has fallen to the point that this sort of ignorance is so commonplace that you got modded to +5

Re:How are HTML5, CSS and JS not proprietary?

I've written many ActiveX controls, some for use in a browser, some not.

At no point was I required to sign or agree to a license to do so.

With requiring a license he was talking about creating the ActiveX runtime environment for a web browser.

Re:How are HTML5, CSS and JS not proprietary?

It's not enough to support COM and OLE, you have to support all the Windows APIs that controls might want to use.

Re:How are HTML5, CSS and JS not proprietary?

[RightwingNutjob]

There's no such thing as complete freedom from lock-in. unless you're totally vertically integrated from the rare earth mines, up through the wafer fabs, all the way to the OS and the user software. Example: SpaceX, which does almost everything, including software, in house and doesn't have to march to the beat of somebody else's drum.

Back to software: you're locking yourself into something whenever you deploy anything. ActiveX makes you stuck on Microsoft. Java, though claimed to be multiplatform with compliant JVMs shipped by Oracle, IBM, and the FOSS community, really makes you stuck on whichever one you start developing on. HTML5/J5/CSS will make you stuck on whatever browser version you go with when you start. Hell, even "fully open source" systems like Linux make tweaks to the kernel API that render drivers obsolete (this has nothing to do with systemd, just normal tweaks and architecture changes that are generally a Good Thing for a healthy project). So if you ship drivers that compile with 2.6.23, you need to tweak your memory allocation for 2.6.24+, and other things for 2.6.39+, and so on and on.

Bottom line: you're "locked" to whatever you go with because when they make a change, you need to spend time and money catching up with them.

Re:How are HTML5, CSS and JS not proprietary?

[MightyYar]

There is a huge difference between being locked into a single vendor and being "locked in" to every major platform of the day.

Re:How are HTML5, CSS and JS not proprietary?

What you have said makes zero sense ... I hope you realise this?

Re:How are HTML5, CSS and JS not proprietary?

[disambiguated]

I've written many ActiveX controls, some for use in a browser, some not.

At no point was I required to sign or agree to a license to do so.

With requiring a license he was talking about creating the ActiveX runtime environment for a web browser.

No license is required for that either. All ActiveX is, at heart, is a hierarchy of C++ style interfaces (classes with nothing but pure virtual functions) rooted in a single interface (IUnknown), together with a handful of global C functions (e.g. CoCreateInstance). It can be supported on any platform as long as the C++ compiler implements virtual functions with a pointer to a vtable at the beginning of any object with virtual functions. That's every major compiler on every major platform. Actually you can do COM "manually" in plain old C too, so you can do COM anywhere with a C compiler. Put pointer to an array of pointers to functions (the vtable) at the beginning of a struct, if the functions have the proper signatures then the struct is a COM object.

I know this because I've also written many ActiveX and COM components, and ported COM/OLE/ActiveX code to Linux and OS/X. Generally the problem with implementing ActiveX on other platforms has nothing to do with ActiveX itself. The problem is that virtually all ActiveX components are written for Windows and make Win32 calls.

Re:How are HTML5, CSS and JS not proprietary?

[disambiguated]

That's only true if you want to run controls that were written for windows. If COM and OLE were supported on other platforms, then presumably people would write COM/OLE components for those platforms, and those would run fine on their platforms.

Back in the 90s, there were some other systems that supported COM/OLE (IBM and Sun Microsystems for example.)

CORBA is practically the same thing, and is available everywhere. The problem with CORBA is that is a typical design-by-committee mess. It ended up way too complicated, even compared to COM/OLE.

The problem that COM and CORBA both solved (or at least tried to solve) still exists, with no commonly accepted solution. The "standard" binary interface between components on every single platform is the C function. That's the only code that can be called directly from (almost) every language without creating "bindings". Not even C++ code from different compilers can be mixed in the same program, because C++ doesn't define the binary interface.

Something like COM or CORBA is still needed. If we had it, and it was universally available, you could expose more than just C functions at the binary level (without bindings or without recompiling everything).

Because of all the years of bad press, nobody is going to believe it, but COM was and is a good idea, and it's completely unencumbered by patents or licensing issues. Being able to combine components written in different languages (or even just different C++ compilers) is a good thing, and is too complicated without something like COM.

Re:How are HTML5, CSS and JS not proprietary?

Only Microsoft can read the ActiveX spec and implement it.

That's utterly false, as has been pointed out numerous times in the comments. All of the documentation is available and always was. It was never encumbered by patents or licensing issues. It can be (and has been) implemented on other platforms. It was just never very popular outside of Windows.

Re:How are HTML5, CSS and JS not proprietary?

[disambiguated]

The GP was right; for a right-wing nutjob he makes a lot of sense. I've been saying the same thing for years, nobody listens.

You're never really "locked in". All that is really meant by that is that there is a cost to moving away from some external dependency, and there is always a cost. Every external dependency a project takes on is "lock in." That includes the operating system, programming language, third party libraries, and everything else that isn't part of the project itself. You can try to minimize it with abstraction layers, but that has a cost too, and it is often paid unnecessarily when the dependency never needs to be removed or changed. Or you can also try to minimize it by using the good old advice to avoid nonstandard/non-portable extensions. But that has a cost too when the nonstandard extension does exactly what you need and it's expensive to do yourself. That's just wasted effort if you never actually end up needing to switch.

The only good advice is to choose your dependencies carefully and if necessary have an escape plan. (But don't spend too much effort on the escape plan unless there's a high likelihood you'll actually use it.)

Re:How are HTML5, CSS and JS not proprietary?

[MightyYar]

You are right that you are "locking in" a certain development environment. But that is only part of your application... you will have end-users actually putting your application to use. It is one thing to lock in your single development machine or handful of machines to a single vendor - quite another to lock in all of your users as well. It was all well and good to blow off the 5% of people back when smart phones and Macs were marginal 10 years ago. It is quite another to blow off 50% of people on alternate platforms... the calculus has changed.

Re:How are HTML5, CSS and JS not proprietary?

[stoatwblr]

"You can make ActiveX controls with any compiler that supports WIndows and will create DLLs with C++ calling conventions that match the MS style ... So pretty much all Of them."

All of them that run windows, maybe.

I've yet to see DLLs in OSX or Linux.

Re:How are HTML5, CSS and JS not proprietary?

[stoatwblr]

"The problem is that virtually all ActiveX components are written for Windows and make Win32 calls."

Inna nutshell - yup.

This is why I've sucessfully argued with UK govt regulators that web pages which rely on ActiveX are proprietary and discriminatory - as such they are prohibited under open government rules and it's relatively easy to order govt authorities (local/national/regional) to cease using them immediately (the threat of having their funding cut off for non-compliance is the kind of thing which gets attention)

It's even more fun when having been blown off by some council manager as a "kook", you can demand (and get) an apology and climbdown.

Re: How are HTML5, CSS and JS not proprietary?

We don't give a shit if JS is proprietary or not. Korea's web technologies and coding skills sucks, and they are using ActiveX everywhere, it makes your life miserable. You can't visit a website without IE, you have to install 100's of 'plugins' on your computer made by unknown companies... Basically, to go on internet you have to install possible spyware, malware, back door software... If you were a Hacker that's where you strike.
And the funniest part is that those limations are also on all government websites or banking.

If you go back 18 years

I'm pretty sure nearly every story posted on Slashdot about ActiveX had at least 50 responses that included the words "M$".

Re:If you go back 18 years

[jones_supa]

Heh! We can always go and see: Google Search: site:slashdot.org activex

Here's an ActiveX discussion in Slashdot from 10 years ago: Brian Hook on the ActiveX Experience

Re:If you go back 18 years

[nitehawk214]

10 years ago isn't long enough. Go back 15 and everyone that wasn't drinking the kool-aid already knew it was complete garbage, and yet Microsoft kept trying to force it down people's throats.

The Cost of Monoculture

[Zanadou]

Holy shit snacks, does that mean that one day I might be able to use Korean government or online banking website with Firefox???

Probably not, the country's extremely monocultural when it comes to computing tech. ("Not Invented Here" was one of the problems in the first place.) For example, nearly all the PCs there are Windows/Intel/nVidia combos... you really need to jump though hoops and/or be really specific when ordering computers to get anything else. And, only people at Daum and KAIST seem to even have any idea about Linux. Anything outside the Windows (IE6+)/Intel/nVidia mindset is not going to work.

Re:The Cost of Monoculture

[hjf]

Yes. We do some warranty stuff for LG. Their website is IE6-only (older versions on compatibility mode). It uses a SHITLOAD of ActiveX components for really, really dumb things. Like: Grid Views, Drop Down Views, etc. It's the typical "I'm used to a desktop app so I expect a web app to behave exactly like a desktop app, with pop-up windows and all other controls". This is endemic with MS developers.

Re:The Cost of Monoculture

[Dutch+Gun]

Extremely monocultural? As opposed to the US, where... what, if I recall correctly, Linux has a 1.5% desktop market share and Macs are around 5% or so? South Korea is certainly worse off, but honestly, it's a little hard to argue about a "monoculture" in South Korea when in reality it's only a few percentage points away from the rest of the world in terms of PC OSes.

Besides, more and more people are moving away from PCs to phones and phablets for day to day computing needs, and Samsung phones (and Android in general) are much popular than iOS over there. That article was written in 2007, before smartphones really took hold of the market like today. Is it still a monoculture if everyone has Windows computers but the vast majority use Linux-powered Android smartphones, and the rest are iOS phones?

At the very least, getting away from ActiveX is a good start, not just because it will help to eliminate the lock-in of Windows for PCs, but because it's a dead-end technology anyhow. Here's hoping they don't rewrite their web apps using Silverlight!

Re:The Cost of Monoculture

[RightwingNutjob]

Desktop share doesn't matter. Server share, supercomputer share, and embedded share matter. Why? Because that reflects the mindshare of the geeks and their bosses who pay for the stuff. That means it's not a hard sell to say a customer-facing stuff should be compatible with Mac and Linux, because it would be pretty silly to make software you can't test within its own box, even if you do need to test it with typical customer boxes and OSs before you release. Year windows dominates, but you still see billboards on the highways promising high paying tech jobs to people who can at least spell "Linux".

From a simpler era

[Baldrake]

I worked with ActiveX technology close to 15 years ago. It was a much simpler era, where there was little need to worry about platforms other than Windows+IE, and where most of us hadn't really caught on yet to how ruthless the hackers were going to become. And frankly there wasn't a whole lot of alternative for pushing real app functionality from the web in those days. Some people were using Java, which certainly wasn't any more secure, and eventually Flash began to gain traction. So it's not completely hard to understand how we got where we are.

Re:From a simpler era

[TheReaperD]

True, ActiveX was just one of several bad ideas that became "standards" during the web's explosive growth period. Others that came to mind were the blink tag, Flash (as you mentioned), Java (for the web, a terrible idea), and the abortion of a scripting language known as JavaScript. JavaScript is just the lesser of the evils of the technologies and no one has been able to push forward a replacement, though several have tried.

Re:From a simpler era

Explain to me why Java is a terrible idea for the "web", please. I use Java for all rich client side development, and it's a fuck of a lot nicer to write for - as well as faster and more reliable than Javascript, once you deal with all the stupid that Oracle and the browser vendors have implemented to make it hard to start up. Remember that Java is a tech which was running at reasonable speeds in the late '90s, while equivalent Javascript on a machine from that era would just leave you in a 99% CPU grind.

Answers like, "The various implementations were insecure," are invalid - Javascript was an insecure mess for well over a decade, and only in the past few years the number of discovered holes is dropping off.

Re:From a simpler era

Java applets were sandboxed, they weren't able to access the local file system or to make network connections other than with the original download site. But Ed Felton and other researchers kept Sun busy by announcing security bugs.

ActiveX controls could do anything, were designed that way from the get-go. It was just native code compiled from C++ that could make arbitrary system calls. One of Microsoft's slogans in the '90s was "Making it easier" - for everyone, including hackers. The only defenses MS put in were code signing and giving the user an option to proceed with the download or not.

I remember Scott Cook, CEO of Intuit went apeshit after German researchers announced they'd pretty much taken over a PC with a very simple ActiveX control.

Re:From a simpler era

[BarbaraHudson]

My favorite was the tag. Worked a lot better than today's javascript-powered scrollers.

Re:From a simpler era

[youn]

Almost as awesome as the blink tag :p

Re:From a simpler era

[Baldrake]

Going from memory here, and things may have changed completely in the meantime. If your applet could live in the sandbox, then great. But many applications needed to get out of the sandbox. Remember this was long before cloud storage, so many apps required access to your file system, for example. Or apps might require access to your email client or your contact list. And so you'd sign your applet and have it ask for permission to access outside the sandbox, which in the end made it no different from ActiveX.

I'm sure you'll correct me if I'm remembering wrong. :-)

Re:From a simpler era

[kthreadd]

Everything that is a plugin is more or less unsuitable for the web, especially now when more (or even most) web traffic comes from mobile computers where plugins are sometimes not even possible to use.

Re:From a simpler era

Yeah you're right, I just looked up the Wikipedia page. They started with the right security model and then loosened it up to compete with IE and ActiveX. A mistake. Now both Java applets and ActiveX controls have bad reputations, although the Flash ActiveX player has been grandfathered.

Re:From a simpler era

[ADRA]

Javascript itself is a plugin. Any concept of distinction is flawed. Lets say in the panaea of worlds, Oracle gave Java tech and all its reference impl's away for free BSD styled. What if anything would be the harm of writing browser scripts in Java vs. Javascript vs. go vs. .net-whatever, etc.. if every single browser developer had access to native embeddable runtimes embedded into the tool?

Java already has a great sandboxing system that was unfortunately broken badly by their native/nsapi plugin layer, but allows for very fine grained control over what a hosted application can do and interact with. If it was free/open and had some developer support, they'd be a good contender for a second browser based language. There are plenty more languages/runtimes just as suitable for the task given time to develop a sensible language/runtime security fence for untrusted sources as well as the arduous task of fixing up all the broken framework security holes that are now left exposed to hackers, which is the main reason that ActiveX died so horribly. This also happens to be another vector for recent Java based exploits.)

Re:From a simpler era

[ADRA]

At least since the Java 1.4-ish era of security, depending on the security manager in place, you could retain complete sandbox mode while allowing for specific access to sensitive information (like fs access) on demand. it certainly is laborious having to continually prompt users to let them do things. I would've leaned more toward android like security bundling where you'd have to specifically 'install' the applet, but then it has some level of systems integration with a bundle of security permissions granted all up front (and rare sensitive ones granted on demand like I think IOS does it), but hell hindsight is 20/20. Oracle could still hypothetically do it, but with the boondoggle of JavaFX, who knows if there's anyone with creativity, 'balls', and buy-in left in the company to make it happen.

Re:From a simpler era

Java became de-facto monoculture, there is only one widely used implementation. Monocultures are inherently dangerous.

There are at least three popular JavaScript implementations, definitely not a monoculture.

Java allows developers to leave sandbox and work with files (which can become dangerous). In case of JavaScript there is no possibility to access files, so there is no temptation to surrender to users demands.

That said... until WebCrypto API and WebCrypto Key Discovery will be finalized and implemented, there is a place for a plugin technology that allow PKCS#11 and/or MS CAPI access from web apps (think about electronic signature).

Re:From a simpler era

[Shados]

The primary issue with java applets at the same (if you assumed a world where it was preinstalled and where version management didn't matter, bringing it in line with JavaScript), was complexity and startup time.

Doing something simple took too much code, and it took forever for a page with it to start. It would have to go in a very different direction than where it was going to have been different.

Re:From a simpler era

[kthreadd]

Javascript itself is a plugin. Any concept of distinction is flawed. Lets say in the panaea of worlds, Oracle gave Java tech and all its reference impl's away for free BSD styled. What if anything would be the harm of writing browser scripts in Java vs. Javascript vs. go vs. .net-whatever, etc.. if every single browser developer had access to native embeddable runtimes embedded into the tool?

If it was built into every single browser then things would be different. But that doesn't matter right now because it's not. It doesn't matter how great of a technology it is if you can't run it on an iPhone.

Re:From a simpler era

[kthreadd]

Java became de-facto monoculture, there is only one widely used implementation.

You're talking about Android, right?

Re:From a simpler era

[RobinH]

To be fair, comparing ActiveX to Java is incorrect. The counterpart in the Java world of ActiveX is the "Java Applet" which, along with ActiveX, really needs to go away. Writing a self-hosted Java program is no different than a .NET program, and neither one are going away any time soon. JavaScript, however, only had one serious competitor: VBScript. JavaScript won. It's the best thing we have for rich client functionality, and it's not going away any time soon, even though, I think, HTML5 is going to absorb some of the heavy lifting that JavaScript is doing. Going forward it should all be JavaScript and browser makers need to take JavaScript sandboxing seriously.

Re:From a simpler era

In case of JavaScript there is no possibility to access files

Netscape's original JavaScript implementation used the same security model as their Java runtime, and appropriately-privileged JavaScript code could use the Java library classes for file access. Some modern implementations allow file access via (XP)COM - sandboxed of course, but so is Java, and we all know that that isn't bullet-proof.

Re:From a simpler era

It was a much simpler era, where there was little need to worry about platforms other than Windows+IE, and where most of us hadn't really caught on yet to how ruthless the hackers were going to become.

I was living alongside you 15 years ago, but apparently we lived in different "eras" at the same time. The people who built the web all thought ActiveX was as short-sighted and reckless as it looks today. I guess South Korea didn't build the web.

Re: From a simpler era

And how many of those activex controls ran on OSX, iOS and Android?

Re:From a simpler era

[Art3x]

It was a much simpler era, where there was little need to worry about platforms other than Windows+IE

You were part of the problem.

Re: From a simpler era

15 years ago? The same number of pieces of software as Objective-C, Java, Flash, Javascript, etc. What exactly are you trying to ask?

Re:From a simpler era

[jrumney]

Printing was another reason to require a signed applet. It was possible to limit the extra capabilities granted to an applet - but it was a huge learning curve that most developers were not interested in, and chances are that the end user isn't going to notice, or understand the difference (since their brain will shut down when they see the security dialog) so in most cases, a signed applet was getting full access, just like an ActiveX control.

ActiveX

[Dan+East]

In case anyone is wondering what ActiveX is, it's essentially a Windows program you download that runs natively on your computer. It gets to draw to the specified element in the browser, which makes it look like it's part of a webpage. There isn't (or wasn't) any kind of sandboxing or security once the ActiveX component was installed - it could do anything it wanted on your computer like any other Windows program, because that's essentially what it was. The only security was whether or not you installed the ActiveX component in the first place. If I remember correctly they are really just DLLs, and used Component Object Model for the standard in which the DLL exposes methods, etc.

Re:ActiveX

[140Mandak262Jamuna]

It is aided and abetted by what are known as Browser Helper Objects, which are further code downloaded from the internet and run natively in your computer without any user intervention or even a notification. Thus the ActiveX dll is merely the entry way. Anything from anywhere gets to run anything on your computer through ActiveX and BHOs. In retrospect it looks like a very dumb idea. But back then, for PCs, the P as in Personal was the dominant part. No clear distinction between user, admin and the owner. No idea that there could be malicious players in the internet. Unix, on the other hand, grew up in universities. Many hundred users and every freshman wanted to hack the university computer. So it had very good security model. But unix did not get the cost amortization benefits that came Microsoft's way because businesses latched on to IBM-PC compatibility to be short cut for interoperability.

Re:ActiveX

[tlhIngan]

And ActiveX got a severe makeover in IE7. So much so that practically everything broke. Which is why IE6 hung around so long.

Of course, you have admit that South Korea is FINALLY getting around to fixing it given IE7+ has been around for years now. I'm guessing Windows 7 and XP Mode support is getting harder to come by?

fa6orz

obsessives and the something ccol Software lawyers

it's not ActiveX problem really

In Korea it is required to use a government sponsored certificate for all online transactions, and the certificate is available only if you have an ActiveX supported computer. This sounds very stupid but it is true.

Now that Microsoft has abandoned ActiveX, the Korean government has to give up ActiveX. The plan is to rewrite the ActiveX code and future online customers need to download and install an .exe file for handling the certificate. The real problem is not ActiveX. The real problem is the Korean government sponsored certificate. It is required by law for all online transactions in Korea. The government sponsored certificate is a lucrative business for corrupted bureaucrats and companies and they don't have any intention to abolish it.

         

Re:it's not ActiveX problem really

[jonbryce]

So you can't do online banking on an iPad, or a Samsung Galaxy Tab?

Re:it's not ActiveX problem really

[MichaelSmith]

Yes.

Re:it's not ActiveX problem really

Just lock those corrupt bureaucrats in a room with an electric fan, and they'll change their tune real quick.

Re:it's not ActiveX problem really

A mobile device is a different story because you have to register the device with your real name and your national identification number. Unregistered device you can't do online banking in Korea.

ActiveX is for personal computers and so far people with Mac or Linux can't do any online shopping in Korea.

Supplemental Expert Report of Andrew Schulman

[DougPaulson]

'For example, “COM supports an undocumented feature called channel hooks. Well, they are semidocumented in the Win32 header files and in Don Box's ActiveX/COM column (MSJ, January 1998). Microsoft does not officially support channel hooks on either Windows NT 4.0 or Windows 2000 If you're still reading, then you've acknowledged that disclaimer and I can get into the details”' ref

"Securely"

[facetube]

...is not the adverb I'd use when talking about ActiveX.

Koreans have weird ideas about security

[MichaelSmith]

Working in Korea once I needed to install a package with apt-get but the file came down empty. I asked around and it turns out that to download anything on the corporate network you had to install this active-x component which looks to see if a storage device is connected to USB. If a device is connected the download still won't work, but you can still make a local copy of the file, plug in the USB key, and copy the file that way, which is what we did on a windows box.

Half measures all over the place.

10 LET M$ = "Microsoft"

[tepples]

responses that included the words "M$"

"M$" looks like a string variable in old-skool line-numbered BASIC, and Microsoft started out publishing BASIC interpreters. Could "M$" mean "The company should have stuck to BASIC and not branched into microcomputer operating systems"?

Re:10 LET M$ = "Microsoft"

[dbIII]

If they had stuck with Xenix we may not have ended bottom lip deep in a malware swamp listening for approaching speedboats.

Trick the user into elevating to install something

[tepples]

If they had stuck with Xenix we may not have ended bottom lip deep in a malware swamp

Could you explain how that might not have happened? Xenix (which became SCO OpenServer) was just Microsoft's port of AT&T UNIX to PCs. UNIX is just as vulnerable to malware as Windows: if you trick the user into elevating to install something, something will be installed.

Yes it's the elevating bit that would help

[dbIII]

Starting with a multiuser approach and being aware of a network that early on is likely to have made all of the difference.
Most of the shit is a legacy of having a single user non-networked environment for so long.
Currently it's a single click on an email to infect all the available network shares with cryptolocker - nothing about elevating to install something at all.

Re:Yes it's the elevating bit that would help

[tepples]

Even in a networked environment, if you can convince the owner of a home PC to download a binary package and elevate to install it, you 0wn his PC. Trusting your operating system's default repository doesn't help if a trojan poses as a type of desirable software that's often excluded from repos on licensing grounds, such as games or media players.

Remembering ActiveX and IE6

I worked at a very large computer company many years back. It was great that they let me wipe Windows completely off my company-loaned laptop and install Linux on it instead. However, I then had to use the company's internal travel website to book a business trip. The internal travel website used ActiveX and required Internet Explorer 6. I complained that this company which touted open standards externally should also use open standards internally instead of the ActiveX and Internet Explorer crap. My complaint was ignored and I either installed IE6 via wine or else I used a coworker's Windows laptop to book the trip.

I don't work there anymore, but to the people at that company who relied on dead-end proprietary web technology to design their internal travel website,
I told you so!

Modded down due to malware mention?

[dbIII]

Seriously guys - every time I give an example of malware on an MS platform I get modded down - grow a pair instead of living in denial.

Back to the above poster, yes it may still happen in environments where security was considered from day one but I'm convinced the years of no privelage separation at all has resulted in the scale of the current problem.