Windows Security Through Annoyances?
techmuse writes "According to News.com,
Microsoft's next version of Windows will let you know that you are looking
at (supposedly) secure data by putting personalized text, such as the names
of your dogs (a null list in my case), in window borders, and will also hide
the data unless the window has no others on top of it. That should make it very usable, and speed adoption of security features -- especially among
people who need to be able to see the data in two partially overlapping
windows at once."
How is that more secure than the little combination lock icon?
"Much work is lost, for the lack of a little more." -Edward H. Harriman
Information on secured windows will vanish if another window is placed on top of it or shifted to the background. Erasing the information will prevent certain types of attacks and remind people that they're dealing with confidential material, Biddle said
What kinds of attacks would those be? The over the shoulder snoop sort?
Instead of adding new and experimental UI features, why not use a feature found on nearly every OS and that most end users will recognize - in this case, the lock symbol that indicates whether you're on a secure site or not. Obviously such a symbol would need to be something sufficiently different, but this is a well established (despite lacking any standard specification) UI element that would require nearly no new training by the end user.
"Pinky, you've left the lens cap of your mind on again." - P&TB
"I can see my house from here!" - ST:
Why does this sound like an april fools joke....
Only 'flamers' flame!
New Madlibs for Slashdot! Now you too can create Slashdot Stories with these fun, GNU Madlibs!
For example:
Windows ____________ through Annoyances~
or
It's a great new __________ but can it run _______?
And the all time favorite, In _______ the ________ ___________s onto you!
"We are the music makers, and we are the dreamers of dreams."
Graphics cards are a security problem, because they contain their own pool of memory.
MS could just drop support for all video cards that have their own memory in favor of ones with integrated or shared memory (a la i810 family). Then the OS can have direct control over every aspect of the card's memory because it actually resides in main memory.
So to use this new super-secure Windows I'll have to type in huge lists of information that is boring to me?
the window borders thing isn't a bad idea, but as for making content disappear in the background... "hullooo, earth to microsoft"
The article makes it sound like this is to prevent those web pages that make themselves full screen and look just like a desktop, but honestly how often is this tactic even used?
"Information on secured windows will vanish if another window is placed on top of it or shifted to the background. Erasing the information will prevent certain types of attacks and remind people that they're dealing with confidential material, Biddle said."
Microsoft is finally doing the /. crowd a favor. No more rushing to minimize a window when your boss walks by. Just make slashdot a 'secured' page and Alt-Tab anything else over top it. *POOF* it appears like you've been working all along!
[Fuck Beta]
o0t!
What's with article summaries on here lately? This one was so bad I actually had to read the article to find out what the hell he was talking about.
Is that 'Microsoft' secure or 'secure' secure?
Besides, I've always found that the little lock in the Mozilla window works fine.
That's not a soda... it's a caffeine delivery device!
Anyone else remember B2 operating environments, and some of the silliness involving assigning dedicated colors to the borders of windows to announce the sensitivity level of the data contained within?
I can't wait for Microsoft to rediscover that feature.. B2 systems were great from an engineering point of view, but as far as usability went, it was so much complexity that users tended to try to defeat the security measures placed on them.
Weapons of Mass Analysis
All I know is, I'm not buying Longhorn; I don't need MS holding my hand wherever I go. This seems like just another "feature" where something can go wrong...
The editors finally got tired of all the RTFA comments...
Hmm, okay, so let's say I make a Microsoft-ish spoof page with a border that has "king", "snoopy" or "brutus" all around, and half the visitors will recognise their page with their unique pooch's name on it, and will give me their credit card number in total confidence. Hmmm ....
Sounds like a crappy idea actually.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
They should constantly play the red alert sound from star trek at full volume whenever the secure window has focus.
They will also happily let you know which information they think you ought to keep secure I'm sure;-)
If brevity is the soul of wit, then how does one explain Twitter?
Summaries through obscurity.
Sure, it's all well and good to display sensitive information with a special border, but what if someone writes down what they see and then leaves it just lying around? Where's your special borders then?
The solution is obvious: don't display the data at all!
I discovered this feature of windowed GUIs a long time ago - you can take virtually any window, place it over your current window and POOF! the data vanishes, completely obscured by the new window on top of it. Isn't it neat?
sic transit gloria mundi
While I agree that security should be easy, you can only dumb it down so much. If the entire knowledge that the user has is that a window is "secure", they are only getting a warm fuzzy feeling, not real security.
For real security, you need to know WHAT has been secured. Examples include:
Data was encrypted in transit.
Data is authenticated to come from XXX source, according to YYY certificate authority.
This window is protected from being viewed by PCAnywhere.
This data has DRM, and is protected from being copied to another computer.
Unless you tell the user WHAT the security is, they will make poor decisions about what to do with the data. Putting the name of their dog on the window doesn't provide that information.
I agree. Following those instructions would result in a lot of annoyances, such as: 1. A closed source operating system 2. Not even being able to run most MS-only software even though your entire computer is being used up by Microsoft. 3. Annoying command prompt 4. Inability to use most open source software 5. Difficult to impossible to connect to the internet. 6. Crashes more than even other windows versions. Reasons to do this: 1. Even more secure that Linux - ZERO REMOTE SECURITY HOLES! 2. Bragging rights 3. During a cable internet installation, give the installer a choice between Linux and Windows 3.1.
I read somewhere that a device could be built to read CRT screens through walls by picking up stray electrons or electromagnetic waves generated by it. I doubt anyone can secure that other than changing the LCD screen to a more 'secure' format.
Wait, does this count as a 'Snooping-over-back attack'?
Please direct all bug reports to
You call those annoyances? I call annoyances, opening a slashdot article and finding five topic icons going down the side of the screen.
A programmer is a machine for converting coffee into code.
FAIL FAIL FAIL
please, be aware, you suck. Can allow malicious web designers to gain access to confidential data as well as your prize winning doberman's name.
Expect your wife to receive hard copies of that 'questionable' pornography you enjoy so much from the van Eck'ing P.I. she hired (he looks like Tom Selleck :-)
Paranoia Strikes Deep
-boi
Because I do not own a dog.
- - - - - - - - - - -
I am a programmer. I am paid to produce syntax not grammar. Deal with it.
Windows is so full of holes, there will probably be many ways to defeat this. First of all, the names of all of text to be put around the screen has to be stored on the hard drive. I don't think Windows is psychic yet, so it's there somewhere. If it's there, it can be stolen. It'll just give windows another day before their first security bulletin comes out.
Users will enter "normal" words in to be displayed around secure windows. If a copy of the file can be gotten, even if it's encrypted, it shouldn't be too hard to try a dictionary attack on it and crack the file quickly. It won't be that hard from there to put this text in the border.
Only 1/2 hour after it's posted on slashdot, and possible hacks are already being thought out. By the time this stuff actually comes out, it'll probably have already been cracked for quite some time.
It seems to me, if Microsoft wanted to increase the security of its OS, perhaps they should start by removing the cancel button on the password login...
Jesus loves you. He knows your sins, and he loves you anyway. He bled for you, he died for you, and he rose again from
Regardless of how much security this, in reality, will provide, it will provide a tremendous APPEARANCE of security.
Sure, it may work. It may even work well. But the important thing from a sales standpoint is that it will look very secure. And that sells better than actual security. Given their posturing over security in the past year, this is right in line.
best web host ever
How does vanishing data from a secure window when it's not on top anymore make the data substantially more secure? If anyone has already hacked into that system it may be safely assumed that he has access to memory... I agree it is safer in case you are watching porn and someone walks into the room... but in the real business world people view confidential information when they know that there is no one to look over their shoulders. IMHO this is just another gimmick ..... "OH look I have a secure window!! I don't care if I open this strange looking attachment that came by email ..... ZAP!!!"
You *might* disbelieve the article because it comes from news.com.com, but I personally find them to be the highest caliber of news organization.
Right up there with the LA Times, The National Enquirer, and the Weekly World News.
I currently have no clever signature witticism to add here.
Can't believe no one has commented on the example dog names: "...Buffy, Skip and Jack Daniels..."
I mean, this Petey Biddle has some WEIRD word association algorithm in his head or he has a fondness for boobs, vampires babes and booze.
On the other hand, don't we all?
Why not secure the interface so hackers CAN'T pop up a new window outside the client window area!!
Oh wait, that would deprive MS of ad revenue...
No no, much easier to put up a purty border of your kids middle hyphenated names because malicious hackers would never figure out where that configuration information is stored (regedit).
"Honey, why does Thomas-Clark's name keep appearing in the border of my window underneath this ad for a web cam?"
There are other options in finding out when you can get a FP, but I won't go into them. You see, no one can be told how to troll - you have to learn the art of trolling yourself.
...from Microsoft. Pay no attention to what's going on behind the software curtain, just watch something soothing and comfortable like pet names on your window borders and trust someone else to be your data security nanny. Just more dumbing down of computer users, if you ask me (Score:5, Pessimistic)
...and will also hide the data unless the window has no others on top of it. That should make it very usable, and speed adoption of security features -- especially among people who need to be able to see the data in two partially overlapping windows at once.
Maybe it's just me, but I can't see how preventing the very thing you need could possibly be considered making it more usable... but then again I guess this *is* Microsoft we're talking about.
I browse Slashdot at +3, Funny
Oh, regardless, I expect "border with the names of your dogs" to become another cherished Slashdot meme, to be used out of context everywhere in futile attempts at humor. Right up there with "blue windscreens" and so on.
This IS a great thing, it's called a trusted path. This is a security concept that's been around for a long time, but isn't widely implemented. You may be familiar with another trusted path mechanism in windows, the log in screen. It requires you to hit CTRL-ALT-DELETE to login, this is done to prevent fake login programs from fooling users.
Shouldn't they be concentrating on other things, such as actual security vulnerabilities? Seems like they're trying to say "look we're paying attention to security!" without actually doing anything that is effective...
Trusted path mechanisms are a requirement to get the NSA B2 certification for an OS (see urls below), and it most definitely is an effective security measure. This may not be terribly relevant to your average user, but to someone dealing with highly confidential information on a computer it is. This feature prevents a) fake windows/programs from giving out false information under the guise of a trusted program, b) fake windows/programs from getting a user to enter sensitive data by posing as a legitimate form for sensitive data entry.
http://www.radium.ncsc.mil/tpep/epl/epl-by-class.
http://www.astrolox.com/libraryc/orange.html
MS really don't have a clue when it gets to security...sigh... ;-)
Furthermore, I think that this could turn out to help security much more than some obscure feature. It is this low-level, "no shit sherlock" kind of basic security that is much more needed.
This is my digital signature. 10011011001
As I said earlier, when you are watching porn in your cube and you don't want your boss to sneak up on you ...... Will it work?
It is fundamentally possible to target the weakest link of any security system. If I cannot create a lookalike window, then I just have to trick Windows into doing that for me. For example, the mere fact that I have an SSL certificate does not mean that you are safe submitting your credit card to my site, although it means you know who I am and can contact me or my company if something happens. SSL requires, in order to be effective, a visible address, and a popup window with no address bar has no way of verifying the address for the customer ;-) So I already have a way of attacking this trust and at least making it hard for the user to track me down.
;-)
Tricks like these are not addressed by this approach which means that Microsoft still hasn't learned that con artists are probably the most likely to be able to get your confidential information
LedgerSMB: Open source Accounting/ERP
What kinds of attacks would those be? The over the shoulder snoop sort?
This is classic "protection". It will remind you that Bill Gates knows where you live and the names of your cats just in case you get funny ideas about infringing on copyrights or alternate software. "Yes sir, I'll pay the windoze tax. Thank you so much for all you do for me!"
Friends don't help friends install M$ junk.
Extra Credit:
How would you feel if your boss walked in and saw you reading Slashdot?
10 points: Perfectly comfortable. He's looking over my shoulder right now.
He wants to have everyone read slashdot.
5 points: Pretty comfortable, I think. In fact I've got half a mind to show it to him.
0 points: He was just here and boy, did I feel my neck turning red.
-10 points: Are you kidding? I'm reading this at home at 2 AM while I job-search.
Slightly Edited From Here
[Fuck Beta]
o0t!
If the browser knows that it is supposed to acquire a secure page or file (ssl), it could use PGP and the senders public key to verify that the message has not been compromised.
It's a good thing Microsoft still includes options to turn off all the new crap features (from hide file extensions to can't share "Program Files" directory).
I still wish they would just sum them up in one "I'm not retarded or anything like that." checkbox. With every new windows version it takes me longer and longer to find the switches to turn off the silly features.
Sindri Traustason.
This is pretty much what the US Government requires for developing UI's that display classified data. MS is going a little further, but it's all the same general idea: you have to know that what you're looking at is secured, and you cannot allow information displayed from one secure source to get to another one (including via the clipboard, screenshots, etc.)
You should patent it!
Wrong metaphor.
Look at any spy movie - classified material is in folders with red or black borders, the pages are marked, etc.
I've done the same with some SSL-aware custom JSP tags. If you browse to the page over an unencrypted channel you don't see the material at all (it's blocked at the server), if you have an SSL connection there's a thick black border, and if you have an authenticated and recognized SSL connection there's a thick red border. The actual appearance is controlled by CSS stylesheets, so it could easily be faked... but that's not the point. What's important is that the symbol is obvious enough to be clearly seen even if partly obscured, while subtle enough that it doesn't get in the way.
In contrast, Microsoft's ideas are things that should be rejected out of hand by anyone with even a bit of security awareness. "Out of sight, out of mind" definitely applies here - if somebody sees a thick red or black border out of the corner of their eye they'll stop to lock the screen before walking away. But under Microsoft's oh-so-brilliant plan, there won't be any visual indication that they must lock their screen before dashing to the bathroom or to the coffee machine. Or joining a friend for lunch. Yet the confidential material will be available to anyone who cycles through the frames to see if there's anything interesting on the system.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Windows ____________ through Annoyances~
Yep, that will work, considering just about everything Microsoft does is annoying.
Make a form of your post, you can reuse it for any story. Come to think of it, I've seen too much of your all time favorites. You suck.
Friends don't help friends install M$ junk.
Maybe this has been mentioned and as usual I missed it.
I find myself thinking that if I were to decide to put all my important data in their vault, what might I do if they tell me I have to pay the $1000 upgrade fee for the next version of their software if I want to continue to have access to my data in their vault?
-----
Pretty Bad Privacy (PBP) Public Key
6
Ok. Let me get this straight. There are people in some African country that send out emails with schemes like, "We need to transfer 500 million dollars into a bank account but we need your help! Give us all of your private information, including your name, SSN, bank account numbers, etc., and we will open an account in your name to perform this transfer. To compensate you, we will give you 20% of the money." And people answer emails like that and give out their personal information. Or, someone sticks a sign on a bank drop box that reads, "Out of order. Leave deposits with guard." And obviously dresses like a guard and stands next to the drop box with a cart, collecting deposits. (As if a BOX can be out of order!!!!!) There are thousands of schemes like this... these two come from Frank Abagnale's book The Art of the Steal. He jacked millions of dollars himself, so he should know: People are unconscious! They don't think about security. Heck, America can't figure out how to secure its borders when thousands of years ago, China came up with a solution that can be seen from space. If people can't figure out how to secure a border, which is a physical thing that is well documented and understood by everyone (just look at a map), how the heck do you expect to secure computer networks when people don't understand (or want to understand) the complex computer internals that need to be understood in order to combat this problem?
Let me ask you a question... When was the last time you were rooted? On your desktop? Running Windows? I honestly doubt that anybody here has ever been compromised, even if running Windows 24x7 with an Internet connection and no firewall of any kind. You know why? Because most folks here understand what security means, at least conceptually, and wouldn't be stupid enough to enter their password (not that it secures anything under Windows) into some bogus window. Do you honestly think that putting your dog's name (or any other information, for that matter) into a window is going to solve any security problems for Joe Shmoe? NO WAY!
The way I see things is simple: Market security to corporations. Sell them computer security services in which their entire network is secured against attack, and more importantly, their data is backed up. But the home Joe Shmoe users... let them screw up their computers with the biggest security threats: All these stupid screensavers, cursors, sounds, graphics, clutter, junk, crap, downloads, viruses, MS Outlook, and all the crap they download and execute without thinking... When their computer crashes and they come crying to me, I'll continue saying what I've been saying for the past ten years, "Where are your backups? Oh, you didn't make any?! Well, the only way I can fix this computer is by blowing everything off and reinstalling. Oh, well... Maybe you should take it to [insert name of a computer repair shop that charges outrageous prices to reinstall Windows for you] and have them fix it. They understand these things better than I do."
If Microsoft really wanted to combat security problems, and I am 100% serious about what I am saying here, then they would forget all this B.S. and convince users to keep the clutter and the CRAP off their computers. Secondly, they would convince people to back up their data. Windows might suck, but I'm always more concerned about the mechan
Reminds me of the "boss key" some older games had, e.g., you're playing at work, see the boss coming, hit the boss key and something possibly work related fills the screen. This sounds about as effective.
... "what are you doing?" ... "errr, nothing, just reading /." ... You won't win, either she sees the porn or she believes you're hiding emails from an online romance. No matter what, yer screwed.
E.g., wife/girlfriend/SO walks in the room, you scramble to hide a "secure" window
What changed under Obama? Nothing Good
Is it true? I heard that the next version of Media Player will have a custom graphic for each user. It will display images of your loved ones, pets and property being threatened. While everyone will have the same images of meat cleavers, assault weapons, pitchforks and firebrands all shaking to the beat. The pictures of pets and property, however, will be unique to each luser. If you pull up another company's media player or juke box, the music will disappear. If you copy the music file or pull up a music sharing client, the pets will cry and the house will burn. Spyware will report you to the RIAA so that these visions can come true, cool!
Friends don't help friends install M$ junk.
Man, I can smell this from a mile and pheeeeeeew man, is it coming on strong.
So we see this M$ media blitz waving its little flags and banners about their new security features which then prove to be UTTERLY USELESS, or an annoyance to attackers at most.
I mean it's not like Back Orifice and a bevy of other trojans don't allow a freakin screen capture! So all one has to do is trojan+screencap and with a little photoshop majik viola: the secure window skin.
Wonder how long it will take trojan writers to create a tool to automate that on all your hosts?
*Point-Click-Spoof*
Like anyone on slashdot will have that problem.
Scanning through the comments on this article it is amazing how many Slashdot goers openly attack things like "Palladium" but haven't the first clue as to what it is, or what this article is referring to.
First, Palladium, this is a system where the hardware includes extra components built on PKI in order to add a layer of encryption and verification. The keys are stored in hardware and utilized via hardware. In addition to this will be a processor built specifically to work with PKI so that key bit size can be increased without slowing the system down. Secured data, memory, and peripherals will have to conform and be validated. The keyboard will send encrypted data over the wire, as will the videocard. This is to prevent hardware taps.
Like PKI, this system can only work when there is trust. By drawing the windows using data that is encrypted and stored behind a memory curtain the UI can be customized so that the user will know that the information is secured. We're not talking about secured over the Internet, we're talking about secured throughout the system. So a silly little lock is ineffective because anybody can write a program that displays a lock. Instead they're going to use data that is encrypted and stored so that it is not accessible to unsecured programs. It may be in a simple file, but it's PGP encrypted with a key 10x larger than what you're used to. That user specific information, that is inaccessible to the outside world, informs the user that the information is coming from the decryption of the nexus.
Now sit down so your head doesn't explode from TMI. Grasp the concepts of PKI for a second (yeah, reread the horrible man pages for gpg if you have to.) That's what this is. PGP on steroids.
I can't help but think that the only useful reason for putting "unique" data in a window border would be to provide key data for analog captures/etc. By having a personal "tag" in a visual border (and potentially audio), they are taking a step toward making viewers/players/etc [the only link between the analog and digital realm] prolific. They're hoping it will become 'the norm[al]' in a few years, and as such, it could ultimately lead to the end of the analog/digital loophole that currently exists in DRM.
I hope I explained this adequately...
Scary stuff, IMHO.
Don't think that a small group of dedicated individuals can't change the world. It's the only thing that ever has.
That happens _all the time_. Boy, I'm glad somebody is doing something about this.
Wait, my doctors and accountants barely have time to use e-mail, much less, format html to send to me.
Regardless of how much security this, in reality, will provide, it will provide a tremendous APPEARANCE of security.
Especially if they plan to use those little nuts-and-bolts widgets in the corners and a brushed-steel background. Oh - and a strong, manly, etched font, too!
Tsuyoi Zo!
Cheers
Jim
-- My Weblog.
.. not browsers?
All this talk of securing the memory, link from keyboard to main box, graphics cards, yadda yadda yadda...does this seem a bit over-the-top to anybody? I mean, this all sounds like something that the government would use for electronic warfare countermeasures. How many businesses really need this type of security?
You can try to lock down the system all you want, but as long as there is a screen in use, security can be breached by a device you can buy in nearly any corner drugstore.
It's called a camera.
If a user has physical access to the machine and access to the data contained therein, no amount of cut-and-paste security features or print prevention is going to stop a malicious, privileged user from whipping out the $5 disposable camera and taking old-fashioned pictures of the screen.
Proper code and secure configurations will prevent outside attacks from obtaining data; it's trusted users that will prevent inside attacks.
Government's idea of a balanced budget: take money from the right pocket to balance...oh who am I kidding?
Enter Dogs Name:
FIDO
WARNING: Dogs name too short, should be 6-8 characters long and
use combination of numbers and UPPER and lowercase letters.
Enter Dogs Name:
FiDo1234
Dogs name accepted...
Burma?
No. You have the opposite problem.
Cthulhu Barata Nikto
The final version is probably not going to look anything like this, I'd bet... MS has a history of doping out ideas in a lot of different forms before settling on the final one. Remember all the interim betas of Windows 95?
Instead of your mother's maiden name, will you have to answer the question "Where do you want to go today?"
"Securing" the memory of graphics cards can only have one purpose - to provide a "trusted" environment for you to watch your dvds. The MPAA will then be able to trust you the thieving consumer with their intellectual property, because you will not be able to rip it or take screenshots of it because the memory will be off-limits. The same applies to ebooks, confidential documents, etc. I wonder if your sound card will be "secured" in a similar fashion? Nah - who could possibly have an interest in that...
Don't forget that all this "security" is for corporations so they can "trust" you will not steal their IP. All of the rest of this nonsense is smoke-and-mirrors to get the average idiot to accept the crippling of their computers...
This *Rex* Presentation *Shaggy* was *pooch* made *Bluey* with *Spot* MS-Publisher *hound* and *k-9* is *killer* 100% *Harvey* secure. /PHB, What the hell was that?!
Does this mean I'll have to change my dogs name every six weeks?
OK. I have just one question. If you are supposed to enter your pets' names so that they can be displayed on secure browser pages to convince you that the page really is secure, then what do you enter that is displayed on the page where you enter your pets' names so to convince you that the pet name entry form is secure and how do you tell if that page is secure?
'Hello Dave, you are looking at secure data. What are you reading about Dave?'
"Information on secured windows will vanish if another window is placed on top of it or shifted to the background. Erasing the information will prevent certain types of attacks and remind people that they're dealing with confidential material, Biddle said."
Yeah, your box will crash!
Wow, I should not post when knackered.
....you are terribly confused by relational databases, aren't you?
MS is trying to bolster the overall security for their OS (called NGSCB...rtfa for the acronym def). A noble cause, but one that will be very tough for them to completely achieve. The author is focusing on only 1 small portion of NGSCB, which is securing the graphics subsystem. I'll do the author's job and list a few more relevant points:
1) NGSCB is an opt-in type of program. If the hardware doesn't support it, or the user doesn't want it, it will be disabled.
2) Only "trusted apps" will fall under the jurisdiction of the NGSCB. Things like Quicken or IE could fall into this category. They would then be protected by the OS so that other non-trusted apps can't get at the data generated by the trusted apps. So the majority of windows apps that you'd run on a day-to-day basis (games), would not be affected by this.
3) The "trusted graphics" portion of NGSCB really only applies *** IF EVERYTHING ELSE IN WINDOWS IS SECURED ***. The thought being that if everything in the Windows OS is secure, hackers will look for the next most vulnerable target outside of the OS...the graphics device. Two of the most obvious ways to exploit it would be by sniffing the graphical info stored in the framebuffer, or by mimicking a "trusted" window and having the user just give the evil app the info it wants.
4) The "dogs names" window is just an example of something that MS is kicking around. What they want to do is add something unique that the user provides to the trusted windows. This way an end user will see an evil app trying to pretend it's a trusted app. The idea here is that it will be almost impossible for a hacker to generate a window that looks exactly like a trusted window (unless they hack the OS to find out the unique quality of the user's trusted window...for now assume that the new Windows NGSCB can't be hacked...**snicker**). In any case, I seriously doubt "dogs names" will be the unique identifier.
5) The "disappearing data" is done for a reason. When another untrusted app takes control of the OS (by being the top window), it has access to the framebuffer. So it would be simple to start an app, position the window so it doesn't completely obscure the trusted app, then read the framebuffer. Whatever info you want is right there in a bitmap. It would be nice if there were a better way to protect the framebuffer when a trusted app is alive, but it may not be possible in Windows.
I may not agree with some of their logic/ideas in this area, but it's unfair to judge it on this article alone. If you want a little more info, try looking here. Then again, this is Slashdot...there doesn't need to be a real reason to bash MS...carry on...
My dogs' names are "Teenage", "Slut", "Live", and "Webcams"....and I swear to GOD, it's the new Windows security mechanisms that are responsible for their appearance on all my window titles!
"Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
This will be added to my list of why I'm moving to Linux.
Why would this be an AF joke? Maybe this is pedantic of me, but let it go. It might've been funnier on 4/2 or 4/3 (or maybe even 4/4), but now it isn't. Fools day was well over a month ago. Shut up. Thank you.
In unrelated news, did anyone notice that Microsoft now powers all the computers at the Kennel Club of America?
Speak before you think
And another thing: why is it that whenever I've got moderator points, all the really good comments are already at +5 before I see them? I hate using the points just because I have them. Is it OK to let them die unused?
.nosig
Oh yeah, Microsoft's wonderful remote hardware control tools, such as the plug and play daemon that listens to an open port. I'm sure everyone's seen it before, but I must post the results of such weaknesses. View the sum of stupid, Ha-Ha. Don't worry Microsoft has issued the uber patch, had the month long security hug and changed their security model to include M$ rooting you at will! Dancing pet names and total lack of control of files on your hard drive should make you feel so much more secure. Oh yeah!
Friends don't help friends install M$ junk.
Jee this sounds exactly like what happens when IE [and other programs] crash.
In windows, Microsoft spoofs your backend! It's one of those private details you have to turn over to qualify to use the eXTortion replacements, LongDong and UXB.
Senator Hollings' wet dream computer landscape is only two years away and the industry did it to themselves? I hope "professional" versions of "home" equipment are available. This M$ kernel in BIOS thing is not acceptable to people who have real computing to do, news to write, presses to run, medical records to keep and other stuff that needs to work and should not be leaked to TIAA/M$/Disney/AOL Corp. I have to ask myself if I've got enough known good, non bugged hardware to outlast the coming dark age of computing.
Friends don't help friends install M$ junk.
All your personal, private stuff displayed on screen for nosey office people to snoop over your shoulder.
And by the way, what's to stop someone from putting a wedge(tap) between your pc and your monitor?? They could siphon off your display output to a $29 VCR 8 hours at a time if they wanted. Most PC's being jammed under desks would never be noticed if an inline video tap was dropped in.
All your privacy is totally down the toilet then.
With an 8hour videotape I can come in behind you and access EVERYTHING.
All your DATA are belong to us...
I've seen a lot of smart ass posts from people who say, "Big deal, I never put any of that information into my passport. It's just for hotmail." Because this "service" is supposed to work everywhere, is it possible vendors have filled in the missing information for you? After all, because my wife has a hotmail account she was given a passport she never asked for that contained all the information demanded by hotmail. She also makes web purchases from time to time. A participating vendor could have already loaded her and me by association. Someone tell me it's not so or how I can verify it without an M$ OS.
"One name one login." how utterly M$. That shit won't work anywhere that has a clue. Are you going to take Microsoft's word that someone is who they claim they are and just let them romp around your systems?
Friends don't help friends install M$ junk.
I wonder if the net nasties can tell which theme I'm running for Window Maker right now? I've never seen an unrequested window pop up on me for a while, but every now and then an advert shaped like an M$ error message will slip by saying things like, "warning your browser is unoptimized."
Friends don't help friends install M$ junk.
Is it just me, or is this article actually praising Microsoft? Hang the submitter! Sacrilegious! This is Slashdot, for god's sake; have you no morals?
-Dae
"Everyone is talking about the weather. We aren't." - SDS Sozialistischer Deutscher Studentenbund.
j00 4r3 3n73r1ng l337 w0r1d.
Think about this for a minute:
The computer has to come with some text built in from the start. Let's say it will be "this is a secure window". Ok, great. Now think of the 99% of computer users out there. How many of them will actually bother to change that default text to something more original? 10%? 5%? 1%?
Now put yourself in the shoes of a typical computer user and think about this: you're out there surfing the web, when out of nowhere comes this window with the text "this is a secure window" running around the border all fancy-like. And what do you know, the window claims to be from a sysadmin, saying they need you to enter your password. How many average users would happily comply? 50%? 80%? 95%?
Great idea Uncle Bill, more zombies for me to command!
I installed Linux.
The more you want, the less you have.
Vapourware, my sinuses cleared up while reading the article.
They're trying to protect the idiots who can't figure out that the window that just popped up with no warning isn't an official document from "a person's doctor or accountant"?
And what kind of demon names animals "Buffy, Skip and Jack Daniels"?
More seriously, the more vocal Microsoft becomes about Palladium and its lovely beautiful wonderful security features, the more it drives me (and, I imagine, many others) far far away from them.
I actually like XP. I like playing games on XP. I even don't mind writing code while in XP. It does normal everyday functions almost as well as I'd like. As soon as XP gets replaced, though, I'm gone, and back to using Wine to play my games.
I suppose the best way to look at this is that it'll give a great boost to open source.
With that in mind: Go MS!
In systems like that, each window appears with a border that shows the security level, typically SECRET, UNCLASSIFIED, etc. Communication between programs and windows at different levels is prohibited, except in some very controlled ways. Applications can't even detect that stuff at higher levels exists. NSA Secure Linux has the underlying security machinery for this, although nobody has written a secure window manager for it.
It sounds like Microsoft is adding the window decoration without the underlying machinery.
Sadly, the few systems with security like this are antiques.
from space: http://www.jpl.nasa.gov/radar/sircxsar/gwall.html
Why not a "Security" LED on the system case, which is hard wired to the DRM chip? Make it green when the in-focus window is secure; flash it red if any security compromise is detected. Only way to hack it would be via a flaw in the DRM chip (in which case, the whole system is compromised anyway), or via physical access to the inside of the machine.
Sounds a lot better than scrolling dogs' names around the secure window...
I've not read all the comments here, but I have read the article. So far, most of the comments are about a spoofed status bar or the borders that look different on the secured windows versus the unsecured ones. Anybody who's done work as a bench tech for a company servicing the general public for any length of time has surely had the conversation about porn dialers that the customer never even knew they had installed. With Active X controls, JavaScript, Macros, CGI scripts, or whatever the .NET crap will allow, I think most commenters are missing the point. You don't have to spoof anything. I mean, there are snippets of code you can put into a normal HTML page that can format a drive for you if you're running Windows, and using IE. Sure, there's patches, but so what? There's updated virus defs all the time, and the by far most prevalent viruses are months, even years old. So, to get back on topic, in this type of environment, someone will think they are safe, because they see poochies name running around the window border, when, in actuality, they "somehow" had the equivalent of a porn dialer downloaded to their system, and, rather than dialing Libya, it just tells Windows that anything it does is trusted, and the person is well and truly fucked, for they bought into the great lie that Microsoft is telling with its Trustworthy Platform bullshit.
For those who describe their systems as 'boxen', do you order multiple 'boxen' of corn flakes also?
Boy, that's funny! Scariest thing I've read all day, but funny none the less...... They wouldn't really do that would they??? Suddenly, I don't feel so good....best sit down and let the fuzziness return....breathe rapidly in a paper bag....just let me die and get this shit over with...
...sound of crickets in still night air...
For those who describe their systems as 'boxen', do you order multiple 'boxen' of corn flakes also?
Actually, the rest of us poor souls who value our fair use rights will turn to a thriving black market for our content. Part of the black market will undoubtedly provide content that has had the involved DRM scheme stripped. We'll value that content - partly because it fits our belief in our rights, partly because it is all we'll be able to use.
This black market content may require considerable effort and expense to create. After all, it may require specially modified hardware to defeat the DRM schemes being discussed today. Depending on the difficulty of such a hack, and the logistics of distributing information and hacked hardware (mostly due to the legal environment), it may mean that the only people who will invest in this hardware are the very dedicated and the professional.
The casual "warez" scene of today will lose ground to a new group. It will be replaced by an increasing number of illicit data peddlers who will require direct compensation for their own expenses.
And we will buy in to it because it will be the only market that will offer what we want.
I use Tcl/Tk like it's my job, but to do nifty features for kiosk applications you end up making some REALLY funky calls to DLLs. Exotic things like turning the computer off. You are technically tricking the UI into thinking someone clicked "Start->Shutdown", but why do I have to do that through a GUI!
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
They will call it ... the net Condom.
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
Then when we get REALLY good, we integrate photon to neutrino decay that ensures that Gates' pearly whites can't gleam beyond the user's calibrated seating distance!
n/t
>>E.g., wife/girlfriend/SO walks in the room...either she sees the porn or she believes you're hiding emails
>Like anyone on slashdot will have that problem.
He meant 'mother' but was pretending to be all grown-up and NaN (not a nerd)
Windows will automatically launch a BSOD when user is watching sensitive data.
This way the data keeps secure!
... the dog gets it!
And now for something completely different...
/. runs a story about cracked private keys.
What about an emulation that runs NGSCB? E.g. some kind of Wine or Bochs? You could easily compromise secured connections (and windows) because for the host OS they're running in normal, unprotected memory.
Even worse: What about an NGSCB client that pretends to be a real NGSCB-aware OS but is a fake in reality? You say asymmetric encryption? I say: Once these NGSCB-ready computers are out, it's only a matter of days until
Ripping requires plugging the DVD output into a capture card in another PC.
You'll lose a bit of quality, but you'll have a DRM free copy that will always be the same quality.
thank God the internet isn't a human right.
>and NaN (not a nerd)
If you weren't a nerd, you wouldn't know what a NaN was!
Won't this feature require close integration between the operating system and the browser?
could you please explain the "sold my kid" part again?
i really don't get it.
the computer is online
i am not at it
what a waste of resources
...(the parent and the grandparent) have the right idea. The problem with doggy names is that after you see the same thing all the time, you stop seeing it. A long-established principle of sensory psychology.
What you want is distinctive borders, chosen by the user (or picked randomly for those who don't choose). Sort of a CSS-style security setting.
The only advantage of the MS system is that anyone who puts a random dog list on the border of a web page is putting up a sign that says, "I am a crook," as surely as someone who mutilates their fingerprints.
Eternal vigilance only works if you look in every direction.
Jeez, who comes up with these names? You'd think they did it on purpose so their DRM would be harder to complain about. "NGSCB" doesn't suggest anything about security; the first thing that comes to mind is No-Good SCumBags. At least "Palladium" has an appealing sound.
...that inconvenience makes any system less secure, because lazy people will do stupid things to alleviate the inconvenience. This seems like a step in the wrong direction.
WARNING: there is a trojan on your
Never tell anyone the names of your dogs!!!
Yeah, that was popular in the DOS days. Now we have ALT-TAB and ALT-F4 (in Windows and KDE at least!).
5) The "disappearing data" is done for a reason. When another untrusted app takes control of the OS (by being the top window), it has access to the framebuffer. So it would be simple to start an app, position the window so it doesn't completely obscure the trusted app, then read the framebuffer. Whatever info you want is right there in a bitmap. It would be nice if there were a better way to protect the framebuffer when a trusted app is alive, but it may not be possible in Windows. So far the multitasking/multithreading on a windows desktop system? Back to the 80's?
21:08 9/5/2546
TOPIC: ENCRYPTION
would it help if i told you there is a sin(x) cos(x) combo that shows all primes at a multiple of 360 deg? thank you, thank you: i don't want the medal. those mathematicians are MEGA nerds and never have time to shower.
and
i read somewhere a few years ago, that CRT screens emit a radiosignal, you can pick up
(you know analog-coil-resistor-condenser-hacking) and show it on a remote screen?
i think as long as they are using electrons for computing NOTHING is EVER going to be safe.
unless you live in a lead cage (no i don't believe faraday) in a cementblock about 2000m down the ocean.
has anybody heard about neutrinos lately?
-
good luck!
oh! if you want my respect, tell me how to make a fusion-reactor with two magnets, wood, stones and a spider!
Supposedly Secure would be a good name for a Microsoft product.
So, add this to the list of things I'm not supposed to tell anyone:
* My Social Security number
* My mother's maiden name
* My date of birth
* My password(s)
* The names of any pet I've had before.
Hey -- does this mean I'm going to have to hunt down my past roommates and have them sign a non-disclosure agreement?
GMFTatsuin
My favourite quote from the article:
Erasing the information will prevent certain types of attacks and remind people that they're dealing with confidential material.
So the new user interface paradigm is noticing the 'absence' of visual data? This guy's been reading too much Sartre.
Mike van Lammeren
It will challenge your head, your brain, and your mind.
What are you on ?
I want it too
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
That's...
:) You're right about Name however, I could have remembered that.
ein Name, ein Login, ein Fuehrer
Where do kids learn German grammar these days?
In high school, or at least, in the Dutch equivalent of that. However, I don't think that even the best schools would have taught me the gender of "Login".
Assume the wall is 6m wide, viewed from an altitude of 200km. The subtended angle is arctan (6/2E5) = arctan 3E-5 = .00172 degrees = 0.103 arc-min = 6.2 arc-seconds. Small, but a visible width given adequate contrast--such as a shadow from bright morning or afternoon sun. Low sun angles also make the shadow much wider, thus more prominent. You can see it from space--not all the time, but it can be seen.
During the past decade, computers and the Internet have transformed the way we work, learn, communicate and are entertained. Yet some of technology's potential to do even more has not been fully realized, because of concerns about illegal use of digital information, about confidentiality and about privacy. For example, e-commerce in music and movies has been slowed, because artists and publishers have been concerned about protecting their copyrighted works from illegal use. More broadly, businesses don't exchange digital information with customers and partners as freely as they might, because they fear it could fall into the wrong hands.
These concerns reflect the increasing need of all businesses and many individual computer users to share a wide range of digital information, yet still control who can use it and how - what we at Microsoft call "rights management."
We have been working on a number of emerging rights management technologies that will help protect many kinds of digital content, and open new avenues for its secure and controlled use. These technologies are already helping encourage owners of book, music and film content to explore new e-commerce business models that will provide consumers with more convenient access and greater variety. Rights management will also help protect the privacy and confidentiality of consumers' personal data, such as medical and financial records. And in a broad range of businesses, effective rights management will help improve the efficiency of information flows, enhancing productivity and the quality of services across the entire economy.
This email, which you're receiving as a subscriber to executive emails from Microsoft, offers some insights into how we are working to develop these technologies, and how they will bring these crucial benefits to business and consumers.
WHAT IS RIGHTS MANAGEMENT?
Rights management refers to technologies that protect digital content after it is shared or distributed. Specifically, rights management technologies enable a content owner to stipulate a set of rules, or policy rights, that govern how the content may be used, by whom, for how long, etc. The protection, achieved by encrypting the content, may be provided by software or embedded in the hardware device itself - or some combination of the two.
At Microsoft we began experimenting with such protection for our software as early as the mid-1980s. We learned that no rights management system, no matter how secure, will succeed in the marketplace unless it is both easy to use and flexible. Different levels and kinds of protection are required for an individual's medical records, an attorney's confidential client memo, a recording company's master audio recording, an amateur photographer's images, and a publisher's new bestseller. And because no system can ever be 100 percent secure, protection needs to be easy to update, to address inevitable system breaches.
Microsoft has invested more than $250 million to date in rights management technologies, and we have substantial ongoing efforts to enable a new generation of rights management that will protect a broad range of personal and commercial digital content. We also work closely with many industry partners to advance the development and deployment of rights management systems. We actively participate in several cross-industry initiatives, including efforts to develop industry standards that help ensure the effectiveness, wide availability and interoperability of rights management solutions and the content they protect.
While there is still much work to do, content owners and authors today can choose from an array of flexible solutions tailored to meet customers' specific requirements, cost constraints and business models.
DIGITAL RIGHTS MANAGEMENT
Microsoft's flagship technology for managing the rights to media content is Windows Media Digital Rights Management (DRM), which delivers music, video and other media content online in a secure format. R
Environment, education, experience. Grow up in New Orleans. Spend 15 years in higher education. Keep reading, living, looking and most of all questioning it all and it's amazing what you might think of. Try not to addle yourself with alcohol too much and never fry those brain cells with "drugs". I like being physically fit, but it's just not happening right now.
If you like editplus, you might like KDE's kwrite.
Friends don't help friends install M$ junk.
Or WindowsKey-M. This minimizes all open windows.
This new security feature that M$ is planning to set up is one of the application scenarios that TCPA is illustrating. But since TCPA got such a bad reputation from the Community no one has bothered to work on the same concept for an Open Source platform.
Now M$ is using the technology to its own advantage and TCPA did not disappear as many people thought.
Now M$ is ahead in the game and since there is no alternative people will either have to use M$ or not make use of the feature. Which in my opinion, some of the TCPA applications are pretty cool.
People took the wrong approach as far as TCPA is concerned. Instead they should push for an alternative Open Source solution. And then vendors and companies would follow as well.
YHBT. YHL. ELBOW.
But what is the probability that a car travelling at 200km/h will tunnel through said wall and emerge through the other side unharmed? Assume the car is a point particle to make the math easy. Show all work. Helpful wave functions can be found on the other side of the page.
(hint: it's small but greater than zero)