Slashdot Mirror


Windows Security Through Annoyances?

techmuse writes "According to News.com, Microsoft's next version of Windows will let you know that you are looking at (supposedly) secure data by putting personalized text, such as the names of your dogs (a null list in my case), in window borders, and will also hide the data unless the window has no others on top of it. That should make it very usable, and speed adoption of security features -- especially among people who need to be able to see the data in two partially overlapping windows at once."

5 of 387 comments

  1. Re:So...... by seinman · Score: 5, Informative

    Because any website can pop up a fake window with a little GIF of a lock in the corner. But those dog names will be stored somewhere secure, that they can't access, so you know if you see them that your own computer is generating that data. Makes sense, although it'll be hard to explain and teach to the vast majority of computer users.

  2. Re:Prevent attacks? by SClitheroe · Score: 4, Informative

    Over the shoulder snooping is certainly one way. A greater concern is an app that takes a screen capture of your desktop or the contents of certain windows, and sends it off to another machine.

    I wonder how MS will handle cutting and pasting information between secure and insecure windows? Or even between secure windows, for that matter?

  3. Re:So...... by Scaebor · Score: 5, Informative

    > How can a website possibly fake the lock-icon which happens to be on the toolbar?

    Due to the special "features" of IE, it is possible to eliminate the status bar (not task bar) where the lock icon usually resides. By then creating a page using frames it would then be possible to replicate the look of the status bar without much trouble at all, even including the text of the page loading sequence using something so simple as an animated gif.

    --
    "Hey brother Christian with your high and mighty errand / your actions speak so loud I can't hear a word you're saying"

  4. Re:Why redefine a working metaphor? by NearlyHeadless · Score: 4, Informative

    > If the machine is compromised it could fake the dogs' names too. Even if they are encrypted the key will be on your system. Obviously, if they have access via a trojan or something along those lines, then they could use the same code IE does to display the window.

    Wrong. Part of Palladium/NGSCB, as well as Trusted Computing, is having a special chip to hold encryption/decryption keys. The whole point of this idea is to have information on this secure window that is only available via the keys in the chip. Any static icon (like a lock) can be faked. Showing your choice of data (like pet names) that indicate a trusted window is proof that the program is connected to the trusted chip.

  5. Speaking of spoofing and different borders.... by bninja_penguin · Score: 5, Informative

    I've not read all the comments here, but I have read the article.
    So far, most of the comments are about a spoofed status bar or the borders that look different on the secured windows versus the unsecured ones. Anybody who's done work as a bench tech for a company servicing the general public for any length of time has surely had the conversation about porn dialers that the customer never even knew they had installed. With Active X controls, JavaScript, Macros, CGI scripts, or whatever the .NET crap will allow, I think most commenters are missing the point. You don't have to spoof anything. I mean, there are snippets of code you can put into a normal HTML page that can format a drive for you if you're running Windows, and using IE. Sure, there's patches, but so what? There's updated virus defs all the time, and the by far most prevalent viruses are months, even years old. So, to get back on topic, in this type of environment, someone will think they are safe, because they see poochie's name running around the window border, when, in actuality, they "somehow" had the equivalent of a porn dialer downloaded to their system, and, rather than dialing Libya, it just tells Windows that anything it does is trusted, and the person is well and truly fucked, for they bought into the great lie that Microsoft is telling with its Trustworthy Platform bullshit.

    --
    For those who describe their systems as 'boxen', do you order multiple 'boxen' of corn flakes also?