Windows Security Through Annoyances?
techmuse writes "According to News.com,
Microsoft's next version of Windows will let you know that you are looking
at (supposedly) secure data by putting personalized text, such as the names
of your dogs (a null list in my case), in window borders, and will also hide
the data unless the window has no others on top of it. That should make it very usable, and speed adoption of security features -- especially among
people who need to be able to see the data in two partially overlapping
windows at once."
Information on secured windows will vanish if another window is placed on top of it or shifted to the background. Erasing the information will prevent certain types of attacks and remind people that they're dealing with confidential material, Biddle said.
What kinds of attacks would those be? The over the shoulder snoop sort?
So to use this new super-secure Windows I'll have to type in huge lists of information that is boring to me?
Because any website can pop up a fake window with a little GIF of a lock in the corner. But those dog names will be stored somewhere secure, that they can't access, so you know if you see them that your own computer is generating that data. Makes sense, although it'll be hard to explain and teach to the vast majority of computer users.
"Information on secured windows will vanish if another window is placed on top of it or shifted to the background. Erasing the information will prevent certain types of attacks and remind people that they're dealing with confidential material, Biddle said."
Microsoft is finally doing the /. crowd a favor. No more rushing to minimize a window when your boss walks by. Just make slashdot a 'secured' page and Alt-Tab anything else over top it. *POOF* it appears like you've been working all along!
[Fuck Beta]
o0t!
Humans are a security problem, because they contain their own pool of memory too. Let's get rid of them. Deleting a person's memory is easier than the video card's too: One click of the trigger is all it takes. Just Point and Click.
I'd have no clue how to wipe out my video card's memory. (No, shutting off the computer won't do it. I've seen plenty that when they turn back on, the last screen visible is there for a split second.)
Sure, it's all well and good to display sensitive information with a special border, but what if someone writes down what they see and then leaves it just lying around? Where's your special borders then?
The solution is obvious: don't display the data at all!
I've discovered this feature of windowed GUIs a long time ago - you can take virtually any window, place it over your current window and POOF! the data vanishes, completely obscured by the new window on top of it. Isn't it neat?
sic transit gloria mundi
Maybe MS shouldn't let remote web pages control how my windows look. I *want* the status, button, and menu bars. Allowing remote pages to remove them is a bug IMO. Mozilla, yum.
Using your sig line to advertise for friends is lame.
How can a website possibly fake the lock-icon which happens to be on the toolbar?
But those dog names will be stored somewhere secure, that they can't access, so you know if you see them that your own computer is generating that data.
Actually I think it's either a desperate try to distract users from real security problems (like the millions of servers that get infected each year despite MS being only a minor player on SQL and webservers, or the even more desktops...) or it's a clever plan to complete the big database in Redmond with the last thing they don't know about you yet: The names of your dogs.
So far, I haven't heard about any "websites faking lock icons and doing nasty stuff", but even though Apache is a much larger target, all big worms hit IIS.
I think somebody at Redmond still treats security as a 100% pure PR-problem. Just do anything about security, no matter how stupid the idea is, as long as it's from Microsoft, there will always be simple minds that will say:
Makes sense
Mod parent up: +1 funny please.
Regardless of how much security this, in reality, will provide, it will provide a tremendous APPEARANCE of security.
Sure, it may work. It may even work well. But the important thing from a sales standpoint is that it will look very secure. And that sells better than actual security. Given their posturing over security in the past year, this is right in line.
best web host ever
Due to the special "features" of IE, it is possible to eliminate the status bar (not task bar) where the lock icon usually resides. By then creating a page using frames it would then be possible to replicate the look of the status bar without much trouble at all, even including the text of the page loading sequence using something so simple as an animated gif.
"Hey brother Christian with your high and mighty errand / your actions speak so loud I can't hear a word you're saying"
No, what they're trying to do is this: provide a cryptographically-guaranteed path for data to the graphics card, that cannot be intercepted.
What this allows is secure playback of DRM-protected material, in such a way that it is impossible for the user to grab the data.
Once manufacturers jump on the bandwagon, you'll end up with a PC with "Palladium-enhanced" components, such as the DVD drive, hard drive, video card and sound card, where you are unable to do anything at all with data streams from sources (the HDD or DVD drive) to sinks (the video or sound card) that's not permitted by the supplier of that data. In other words, forget ripping your DVDs or CDs.
It is fundamentally possible to target the weakest link of any security system. If I cannot create a lookalike window, then I just have to trick Windows into doing that for me. For example, the mere fact that I have an SSL certificate does not mean that you are safe submitting your credit card to my site, although it means you know who I am and can contact me or my company if something happens. SSL requires, in order to be effective, a visible address, and a popup window with no address bar has no way of verifying the address for the customer ;-) So I already have a way of attacking this trust and at least making it hard for the user to track me down.
;-)
Tricks like these are not addressed by this approach, which means that Microsoft still hasn't learned that con artists are probably the most likely to be able to get your confidential information.
LedgerSMB: Open source Accounting/ERP
Reminds me of the "boss key" some older games had, e.g., you're playing at work, see the boss coming, hit the boss key and something possibly work related fills the screen. This sounds about as effective.
E.g., wife/girlfriend/SO walks in the room, you scramble to hide a "secure" window ... "what are you doing?" ... "errr, nothing, just reading /." ... You won't win, either she sees the porn or she believes you're hiding emails from an online romance. No matter what, yer screwed.
What changed under Obama? Nothing Good
What about public computer terminals though?
No problem, it will be safely available everywhere from MS.Passport. What do you mean it isn't safe?
I'm a writer, a poet, a genius, I know it. I don't buy software, I grow it.
It's not like the stuff on passport security is critical... It's only your email, your identifying information, your credit card number and ...... Well it's not like it's life-threatening...
OS Software is like love: The best way to make it grow is to give it away.
Enter Dogs Name:
FIDO
WARNING: Dogs name too short, should be 6-8 characters long and
use combination of numbers and UPPER and lowercase letters.
Enter Dogs Name:
FiDo1234
Dogs name accepted...
Burma?
I've not read all the comments here, but I have read the article. So far, most of the comments are about a spoofed status bar or the borders that look different on the secured windows versus the unsecured ones. Anybody who's done work as a bench tech for a company servicing the general public for any length of time has surely had the conversation about porn dialers that the customer never even knew they had installed. With Active X controls, JavaScript, Macros, CGI scripts, or whatever the .NET crap will allow, I think most commenters are missing the point. You don't have to spoof anything. I mean, there are snippets of code you can put into a normal HTML page that can format a drive for you if you're running Windows, and using IE. Sure, there's patches, but so what? there's updated virus defs all the time, and the by far most prevalent viruses are months, even years old. So, to get back on topic, in this type of environment, someone will think they are safe, because they see poochie's name running around the window border, when, in actuality, they "somehow" had the equivalent of a porn dialer downloaded to their system, and, rather than dialing Libya, it just tells Windows that anything it does is trusted, and the person is well and truly fucked, for they bought into the great lie that Microsoft is telling with its Trustworthy Platform bullshit.
For those who describe their systems as 'boxen', do you order multiple 'boxen' of corn flakes also?
"One name one login."
Eine Name, eine Login, ein Fuehrer!
(Just to ensure that the old adage becomes true, the one that says that when a discussion becomes longer the chance that a comparison to Nazis pops up becomes 100% :) )