Windows Operating Systems Software Security

Windows Security Through Annoyances? 401

Posted by timothy
from the must-have-started-as-a-joke dept.
techmuse writes "According to News.com, Microsoft's next version of Windows will let you know that you are looking at (supposedly) secure data by putting personalized text, such as the names of your dogs (a null list in my case), in window borders, and will also hide the data unless the window has no others on top of it. That should make it very usable, and speed adoption of security features -- especially among people who need to be able to see the data in two partially overlapping windows at once."
  • So...... (Score:4, Insightful)

    by PS-SCUD (601089) <peternormanscottNO@SPAMyahoo.com> on Thursday May 08, 2003 @07:12PM (#5915162) Journal
    How is that more secure than the little combination lock icon?
    • Re:So...... (Score:5, Informative)

      by seinman (463076) on Thursday May 08, 2003 @07:16PM (#5915193) Homepage Journal
      Because any website can pop up a fake window with a little GIF of a lock in the corner. But those dog names will be stored somewhere secure, that they can't access, so you know if you see them that your own computer is generating that data. Makes sense, although it'll be hard to explain and teach to the vast majority of computer users.
      • Re:So...... (Score:5, Insightful)

        by molo (94384) on Thursday May 08, 2003 @07:26PM (#5915259) Journal
        Maybe MS shouldn't let remote web pages control how my windows look. I *want* the status, button, and menu bars. Allowing remote pages to remove them is a bug IMO. Mozilla, yum.
      • Re:So...... (Score:5, Insightful)

        by Psx29 (538840) on Thursday May 08, 2003 @07:33PM (#5915298)
        What about public computer terminals though?
        • Re:So...... (Score:5, Funny)

          by los furtive (232491) <ChrisLamothe@NoSpaM.gmail.com> on Thursday May 08, 2003 @08:28PM (#5915592) Homepage

          What about public computer terminals though?

          No problem, it will be safely available everywhere from MS.Passport. What do you mean it isn't safe? [theregister.co.uk]

          • Re:So...... (Score:5, Funny)

            by Black Copter Control (464012) <samuel-local.bcgreen@com> on Thursday May 08, 2003 @08:42PM (#5915658) Homepage Journal
            It's not like the stuff on passport security is critical... It's only your email, your identifying information, your credit card number and ...... Well it's not like it's life-threatening...
            • Yeah! (Score:4, Interesting)

              by twitter (104583) on Thursday May 08, 2003 @11:00PM (#5916313) Homepage Journal
              It's not like the stuff on passport security is critical... It's only your email, your identifying information, your credit card number and ...... Well it's not like it's life-threatening...

              I've seen a lot of smart ass posts from people who say, "Big deal, I never put any of that information into my passport. It's just for hotmail." Because this "service" is supposed to work everywhere, is it possible vendors have filled in the missing information for you? After all, because my wife has a hotmail account she was given a passport she never asked for that contained all the information demanded by hotmail. She also makes web purchases from time to time. A participating vendor could have already loaded her and me by association. Someone tell me it's not so or how I can verify it without an M$ OS.

              "One name one login." how utterly M$. That shit won't work anywhere that has a clue. Are you going to take Microsoft's word that someone is who they claim they are and just let them romp around your systems?

      • Re:So...... (Score:5, Interesting)

        by RoLi (141856) on Thursday May 08, 2003 @07:34PM (#5915310)
        Because any website can pop up a fake window with a little GIF of a lock in the corner.

        How can a website possibly fake the lock-icon which happens to be on the toolbar?

        But those dog names will be stored somewhere secure, that they can't access, so you know if you see them that your own computer is generating that data.

        Actually I think it's either a desperate try to distract users from real security problems (like the millions of servers that get infected each year despite MS being only a minor player on SQL and webservers, or the even more desktops...) or it's a clever plan to complete the big database in Redmond with the last thing they don't know about you yet: The names of your dogs.

        So far, I haven't heard about any "websites faking lock icons and doing nasty stuff", but even though Apache is a much larger target, all big worms hit IIS.

        I think somebody at Redmond still treats security as a 100% pure PR-problem. Just do anything about security, no matter how stupid the idea is, as long as it's from Microsoft, there will always be simple minds that will say:

        Makes sense

        Mod parent up: +1 funny please.

        • Re:So...... (Score:5, Informative)

          by Scaebor (587064) on Thursday May 08, 2003 @07:44PM (#5915372)
          How can a website possibly fake the lock-icon which happens to be on the toolbar?

          Due to the special "features" of IE, it is possible to eliminate the status bar (not task bar) where the lock icon usually resides. By then creating a page using frames it would then be possible to replicate the look of the status bar without much trouble at all, even including the text of the page loading sequence using something so simple as an animated gif.

          • How do you propose getting around the fact that you're missing an https:// moniker in the address bar?

            You don't need an IE "feature" to do this, you could accomplish it using a desktop app that looks like a browser. Or, heavens forbid, a simple XUL app for Mozilla. So how's IE "less secure" than anything else out there?

      • Re:So...... (Score:3, Insightful)

        by lightspawn (155347)
        Because any website can pop up a fake window with a little GIF of a lock in the corner

        Why not just prevent them from doing that, then?
      • Why not secure the interface so hackers CAN'T pop up a new window outside the client window area!!

        Oh wait, that would deprive MS of ad revenue...

        No no, much easier to put up a purty border of your kids' middle hyphenated names because malicious hackers would never figure out where that configuration information is stored (regedit).

        "Honey, why does Thomas-Clark's name keep appearing in the border of my window underneath this ad for a web cam?"
      • by einhverfr (238914) <chris.travers@gmail . c om> on Thursday May 08, 2003 @08:03PM (#5915469) Homepage Journal
        It is fundamentally possible to target the weakest link of any security system. If I cannot create a lookalike window, then I just have to trick Windows into doing that for me. For example, the mere fact that I have an SSL certificate does not mean that you are safe submitting your credit card to my site, although it means you know who I am and can contact me or my company if something happens. SSL requires, in order to be effective, a visible address, and a popup window with no address bar has no way of verifying the address for the customer ;-) So I already have a way of attacking this trust and at least making it hard for the user to track me down.

        Tricks like these are not addressed by this approach which means that Microsoft still hasn't learned that con artists are probably the most likely to be able to get your confidential information ;-)
    • Re:So...... (Score:3, Insightful)

      by spectral (158121)
      Probably because it's personalized, it's harder to spoof the window. Password boxes using data that only the OS knows and personalized for that computer are better. At least, if all dialog boxes looked one way, then up came a popup that looked completely different, it's pretty damned obvious it's a fake, and you don't want to put sensitive stuff in it.
      • by bninja_penguin (613992) on Friday May 09, 2003 @02:00AM (#5916883)
        I've not read all the comments here, but I have read the article.
        So far, most of the comments are about a spoofed status bar or the borders that look different on the secured windows versus the unsecured ones. Anybody who's done work as a bench tech for a company servicing the general public for any length of time has surely had the conversation about porn dialers that the customer never even knew they had installed. With Active X controls, JavaScript, Macros, CGI scripts, or whatever the .NET crap will allow, I think most commenters are missing the point. You don't have to spoof anything. I mean, there are snippets of code you can put into a normal HTML page that can format a drive for you if you're running Windows, and using IE. Sure, there's patches, but so what? There's updated virus defs all the time, and the by far most prevalent viruses are months, even years old. So, to get back on topic, in this type of environment, someone will think they are safe, because they see poochie's name running around the window border, when, in actuality, they "somehow" had the equivalent of a porn dialer downloaded to their system, and, rather than dialing Libya, it just tells Windows that anything it does is trusted, and the person is well and truly fucked, for they bought into the great lie that Microsoft is telling with its Trustworthy Platform bullshit.
  • by Anonymous Coward on Thursday May 08, 2003 @07:13PM (#5915164)
    Information on secured windows will vanish if another window is placed on top of it or shifted to the background. Erasing the information will prevent certain types of attacks and remind people that they're dealing with confidential material, Biddle said

    What kinds of attacks would those be? The over the shoulder snoop sort?
  • by Masem (1171) on Thursday May 08, 2003 @07:13PM (#5915167)
    Instead of adding new and experimental UI features, why not use a feature found on nearly every OS and that most end users will recognize - in this case, the lock symbol that indicates whether you're on a secure site or not. Obviously such a symbol would need to be something sufficiently different, but this is a well established (despite lacking any standard specification) UI element that would require nearly no new training by the end user.
    • Because a window, most likely a web popup wanting you to click "install", would incorporate the standard security graphic to make it look like a trusted security patch, or whatever. Sure, probably everyone here would see through the ploy, but your average Windows user may not.
    • Instead of adding new and experimental UI features, why not use a feature found on nearly every OS and that most end users will recognize - in this case, the lock symbol that indicates whether you're on a secure site or not. Obviously such a symbol would need to be something sufficiently different, but this is a well established (despite lacking any standard specification) UI element that would require nearly no new training by the end user.

      The point of this new UI element is that it needs to be

    • Well first off, the tiny lock symbol at the bottom of the screen is a great idea in theory-- but like the need-oil-indicator in your car some people just don't notice it. Now, if you walked out to your car one morning to find it has changed colors and the dash said "please give me oil boss" then we would probably see less stranded blonde soccer moms' minivans on the side of the road. This is a good thing, personally I think it's cool-- it will just depend on its implementation. Hopefully it will not become
    • by coyote-san (38515) on Thursday May 08, 2003 @08:13PM (#5915522)
      Wrong metaphor.

      Look at any spy movie - classified material is in folders with red or black borders, the pages are marked, etc.

      I've done the same with some SSL-aware custom JSP tags. If you browse to the page over an unencrypted channel you don't see the material at all (it's blocked at the server), if you have an SSL connection there's a thick black border, and if you have an authenticated and recognized SSL connection there's a thick red border. The actual appearance is controlled by CSS stylesheets, so it could easily be faked... but that's not the point. What's important is that the symbol is obvious enough to be clearly seen even if partly obscured, while subtle enough that it doesn't get in the way.

      In contrast, Microsoft's ideas are things that should be rejected out of hand by anyone with even a bit of security awareness. "Out of sight, out of mind" definitely applies here - if somebody sees a thick red or black border out of the corner of their eye they'll stop to lock the screen before walking away. But under Microsoft's oh-so-brilliant plan, there won't be any visual indication that they must lock their screen before dashing to the bathroom or to the coffee machine. Or joining a friend for lunch. Yet the confidential material will be available to anyone who cycles through the frames to see if there's anything interesting on the system.
  • by josepha48 (13953)
    ...security through stupidity...

    Why does this sound like an April Fools' joke....

  • by L0stb0Y (108220) on Thursday May 08, 2003 @07:13PM (#5915171) Journal
    New Madlibs for Slashdot! Now you too can create Slashdot Stories with these fun, GNU Madlibs!

    For example:

    Windows ____________ through Annoyances~

    or

    It's a great new __________ but can it run _______?

    And the all time favorite, In _______ the ________ ___________s onto you!

  • One problem solved (Score:3, Insightful)

    by El Cubano (631386) <robertoNO@SPAMconnexer.com> on Thursday May 08, 2003 @07:13PM (#5915173) Homepage
    From the article:

    Graphics cards are a security problem, because they contain their own pool of memory.

    MS could just drop support for all video cards that have their own memory in favor of ones with integrated or shared memory (a la i810 family). Then the OS can have direct control over every aspect of the card's memory because it actually resides in main memory.

    • by spectral (158121) on Thursday May 08, 2003 @07:24PM (#5915243)
      Humans are a security problem, because they contain their own pool of memory too. Let's get rid of them. Deleting a person's memory is easier than the video card's too: One click of the trigger is all it takes. Just Point and Click.

      I'd have no clue how to wipe out my video card's memory. (No, shutting off the computer won't do it. I've seen plenty that when they turn back on, the last screen visible is there for a split second.)
    • by cyberformer (257332) on Thursday May 08, 2003 @07:27PM (#5915264)
      This just about says it all. A security problem for whom?

      Ask any computer user, from a home web surfer to an IT manager, what they consider to be the worst security threats. My guess is they would list things like MS Outlook viruses, buffer overflows, ActiveX controls, spam and Gator. Would anyone but the MPAA mention graphics cards?
    • I don't quite understand this one. I can't say that I've ever heard of a virus or anything resembling a security issue that used video memory to pull off anything..

      Only a few things, like BO and the viruses/worms that installed VNC, did much of anything with reading the video, but at that point, they were well past getting control of the system.

      It sounds like M$ is trying to push a bunch of video hardware manufacturers out of the business too.. Not nice...
      • by BJH (11355) on Thursday May 08, 2003 @08:02PM (#5915463)
        No, what they're trying to do is this: provide a cryptographically-guaranteed path for data to the graphics card, that cannot be intercepted.

        What this allows is secure playback of DRM-protected material, in such a way that it is impossible for the user to grab the data.

        Once manufacturers jump on the bandwagon, you'll end up with a PC with "Palladium-enhanced" components, such as the DVD drive, hard drive, video card and sound card, where you are unable to do anything at all with data streams from sources (the HDD or DVD drive) to sinks (the video or sound card) that's not permitted by the supplier of that data. In other words, forget ripping your DVDs or CDs.
  • by toasted_calamari (670180) <(burningsquid) (at) (gmail.com)> on Thursday May 08, 2003 @07:13PM (#5915175) Homepage Journal
    Seems to me that putting a fancy border on the window doesn't make it impossible to spoof. The contents of the border are stored in a file somewhere, and presumably the file can be read. If the file can be read, its contents can be outputted into an insecure window. Of course, I am probably wrong...

    On the other hand, I don't think this will be as annoying as the story submitter claims.
    • by Chester K (145560) on Thursday May 08, 2003 @07:42PM (#5915362) Homepage
      the contents of the border are stored in a file somewhere, and presumably the file can be read.

      Under NGSCB, you won't necessarily have access to certain files on your system -- therein lies the security; it basically uses the data in that secure file as proof that "hey, if the OS lets me show you this, then I'm trustworthy!"
      • by bigberk (547360)

        Under NGSCB, you won't necessarily have access to certain files on your system -- therein lies the security; it basically uses the data in that secure file as proof that "hey, if the OS lets me show you this, then I'm trustworthy!"

        You're absolutely right, NGSCB (a.k.a. Palladium) and Trusted Computing can result in data stored on your computer that is inaccessible by you - this isn't a userlevel/root issue, it's a hardware level protection. And some "trusted" authority with the appropriate key sitting so

    • by zurab (188064)
      On the other hand, I don't think this will be as annoying as the story submitter claims.

      It has a possibility to be. And much more. I'm sure at some point MS will introduce a "security option" to not open any "insecure" windows for locked down machines. This option will not be a default at first, users will have a choice to make themselves "secure". MSN shopping, Hotmail, MS Office, etc. will all be "secure" by default; other companies such as EBay, Yahoo!, Amazon, AOL/ICQ, EA, etc. will pay Microsoft mont
  • So to use this new super-secure Windows I'll have to type in huge lists of information that is boring to me?
  • by cubal (601223) <mattNO@SPAMproblemattic.net> on Thursday May 08, 2003 @07:16PM (#5915194) Homepage
    the window borders thing isn't a bad idea, but as for making content disappear in the background... "hullooo, earth to microsoft"
  • by Dajur (168872) on Thursday May 08, 2003 @07:16PM (#5915196)
    The article makes it sound like this is to prevent those web pages that make themselves full screen and look just like a desktop, but honestly how often is this tactic even used?
    • by seinman (463076) on Thursday May 08, 2003 @07:22PM (#5915231) Homepage Journal
      Not much now, because people aren't expecting everything to be so secure. In the future, when it's expected that what you're looking at is secure, attacks like this could become more widespread.
      • Hopefully, in the future, people will be using browsers with halfway decent restraints for Javascript and other scripting languages.

        I use Opera and Firebird and neither would ever let this sort of stupid attack fly. In fact, in Firebird, you can specifically disable some forms of window-resizing/moving script.

        • I use Opera too, and agree that more needs to be done than having your pet's names displayed in secure windows. Don't forget that the vast majority of computer users are idiots, and since Microsoft software is on the vast majority of computers, they have to write their programs to work for the lowest common denominator.
    • The article makes it sound like this is to prevent those web pages that make themselves full screen and look just like a desktop, but honestly how often is this tactic even used?

      When it comes to security, you should account for all the possibilities for circumventing it, not just the most common ones.

      Though I have to wonder about the way they're going about doing all this. Windows already has a whole security infrastructure around the concept of desktops as securable objects, why not just use the existin
  • by TubeSteak (669689) on Thursday May 08, 2003 @07:17PM (#5915203) Journal
    "Information on secured windows will vanish if another window is placed on top of it or shifted to the background. Erasing the information will prevent certain types of attacks and remind people that they're dealing with confidential material, Biddle said."
    Microsoft is finally doing the /. crowd a favor. No more rushing to minimize a window when your boss walks by. Just make slashdot a 'secured' page and Alt-Tab anything else over top it. *POOF* it appears like you've been working all along!
  • by Lu Xun (615093) on Thursday May 08, 2003 @07:18PM (#5915208)
    Is that 'Microsoft' secure or 'secure' secure?

    Besides, I've always found that the little lock in the Mozilla window works fine.
  • It Could Be Worse (Score:5, Interesting)

    by swdunlop (103066) <swdunlopNO@SPAMgmail.com> on Thursday May 08, 2003 @07:19PM (#5915219) Homepage
    Anyone else remember B2 operating environments, and some of the silliness involving assigning dedicated colors to the borders of windows to announce the sensitivity level of the data contained within?

    I can't wait for Microsoft to rediscover that feature.. B2 systems were great from an engineering point of view, but as far as usability went, it was so much complexity that users tended to try to defeat the security measures placed on them.
  • by Azureflare (645778) on Thursday May 08, 2003 @07:19PM (#5915221)
    What the...What does this mean? Secure data will have different looking windows? Shouldn't they be concentrating on other things, such as actual security vulnerabilities? Seems like they're trying to say "look we're paying attention to security!" without actually doing anything that is effective...

    All I know is, I'm not buying Longhorn; I don't need MS holding my hand wherever I go. This seems like just another "feature" where something can go wrong...

    • by njyoder (164804)
      This IS a great thing, it's called a trusted path. This is a security concept that's been around for a long time, but isn't widely implemented. You may be familiar with another trusted path mechanism in windows, the log in screen. It requires you to hit CTRL-ALT-DELETE to login, this is done to prevent fake login programs from fooling users.

      Shouldn't they be concentrating on other things, such as actual security vulnerabilities? Seems like they're trying to say "look we're paying attention to security
    • by lpret (570480) <.lpret42. .at. .hotmail.com.> on Thursday May 08, 2003 @07:51PM (#5915417) Homepage Journal
      9 times out of 10 the only way to get information or whatnot is through social engineering. Kevin Mitnick is a prime example. For all of his uber-tech prowess, he still relies on fooling people into giving him access/information. Even his technical work has social aspects that are key to the success of the crack.

      Furthermore, I think that this could turn out to help security much more than some obscure feature. It is this low-level, "no shit sherlock" kind of basic security that is much more needed.

    • Seems like they're trying to say "look we're paying attention to security!"

      Exactly, everybody is buying into security.

      Microsoft on the other hand is "Window(s) Shopping".

      Ba-dum-ching!

      Ahem.
  • Not so secure (Score:3, Interesting)

    by Rosco P. Coltrane (209368) on Thursday May 08, 2003 @07:21PM (#5915228)
    The border of a secured page may contain information--such as the names of all the dogs that someone has ever owned

    Hmm, okay, so let's say I make a Microsoft-ish spoof page with a border that has "king", "snoopy" or "brutus" all around, and half the visitors will recognise their page with their unique pooch's name on it, and will give me their credit card number in total confidence. Hmmm ....

    Sounds like a crappy idea actually.

    • Re:Not so secure (Score:5, Insightful)

      by zurab (188064) on Thursday May 08, 2003 @08:52PM (#5915700)
      Hmm, okay, so let's say I make a Microsoft-ish spoof page with a border that has "king", "snoopy" or "brutus" all around, and half the visitors will recognise their page with their unique pooch's name on it, and will give me their credit card number in total confidence. Hmmm ....

      I was thinking that too. Then I read the article:

      "A hacker can create a spoof page with dogs' names running along the border but, in all likelihood, not one reading "Buffy, Skip and Jack Daniels--and in that order," Biddle said."

      True, but anyone could just create a similar-looking window, and just put words "Secure Window" instead of "Buffy, Skip and Jack Daniels". Guess which one will look to be secure and which one will not.

      Also, if this system is not clearly explained to non-savvy users (and I am guessing it will not be), then there will be other implications as well - such as people typing in their passwords, or realizing their pet name *is* their password, etc. I look forward to how they implement this and confuse users.
  • by Anonymous Coward on Thursday May 08, 2003 @07:22PM (#5915232)
    They should constantly play the red alert sound from star trek at full volume whenever the secure window has focus.
  • I also heard that, borrowing from George Lucas' anti-photocopying technique, windows will employ the famous red font on red background method of making your secure information safe.

    They will also happily let you know which information they think you ought to keep secure I'm sure;-)

  • by SpiffyMarc (590301) on Thursday May 08, 2003 @07:24PM (#5915248)
    Sure, it's all well and good to display sensitive information with a special border, but what if someone writes down what they see and then leaves it just lying around? Where's your special borders then?

    The solution is obvious: don't display the data at all!
  • by glwtta (532858) on Thursday May 08, 2003 @07:25PM (#5915250) Homepage
    Information on secured windows will vanish if another window is placed on top

    I've discovered this feature of windowed GUIs a long time ago - you can take virtually any window, place it over your current window and POOF! the data vanishes, completely obscured by the new window on top of it. Isn't it neat?

  • by subreality (157447) on Thursday May 08, 2003 @07:25PM (#5915253)
    While I agree that security should be easy, you can only dumb it down so much. If the entire knowledge that the user has is that a window is "secure", they are only getting a warm fuzzy feeling, not real security.

    For real security, you need to know WHAT has been secured. Examples include:

    Data was encrypted in transit.
    Data is authenticated to come from XXX source, according to YYY certificate authority.
    This window is protected from being viewed by PCAnywhere.
    This data has DRM, and is protected from being copied to another computer.

    Unless you tell the user WHAT the security is, they will make poor decisions about what to do with the data. Putting the name of their dog on the window doesn't provide that information.
    • But. The data is secured from *you*, the user of the computer, and surely you're not proposing they put that in the papers ? You are prevented from doing a number of things on your computer, and others are being allowed to do stuff on your computer (such as deleting your files for example).

      This is not security, this is anti-security.

      Remember 99,9% of the data on your computer is not your data, so it will be secured *from* you, even though you paid for it.

      This will have two effects : first, ms will be abl
  • by inertia@yahoo.com (156602) * on Thursday May 08, 2003 @07:32PM (#5915290) Homepage Journal
    You call those annoyances? I call annoyances, opening a slashdot article and finding five topic icons going down the side of the screen.
  • Neal Stephenson says (Score:2, Interesting)

    by poor_boi (548340)
    What about van Eck phreaking [techtarget.com]? Fido borders can't stop that. Of course it's not a very real threat, but it only takes once.

    Expect your wife to receive hard copies of that 'questionable' pornography you enjoy so much from the van Eck'ing P.I. she hired (he looks like Tom Selleck :-)

    Paranoia Strikes Deep
    -boi

  • Because I do not own a dog.
    • by hazem (472289)
      I knew it! Bill Gates hates cats, and this is the beginning of his scheme to eradicate them from the face of the earth.

      Come on, Fluffy! We're switching to Linux!
  • Regardless of how much security this, in reality, will provide, it will provide a tremendous APPEARANCE of security.

    Sure, it may work. It may even work well. But the important thing from a sales standpoint is that it will look very secure. And that sells better than actual security. Given their posturing over security in the past year, this is right in line.

  • by nirbasito (670818) <nirbasito@yahoo.com> on Thursday May 08, 2003 @07:39PM (#5915347)
    How does vanishing data from a secure window when it's not on top anymore make the data substantially more secure? If anyone has already hacked into that system it may be safely assumed that he has access to memory... I agree it is safer in case you are watching porn and someone walks into the room...but in real business world people view confidential information when they know that there is no one to look upon their shoulders. IMHO this is just another gimmick ....."OH look I have a secure window!! I don't care if I open this strange looking attachment that came by email .....ZAP!!!"
  • com.com (Score:5, Funny)

    by daVinci1980 (73174) on Thursday May 08, 2003 @07:40PM (#5915352) Homepage
    You *might* disbelieve the article because it comes from news.com.com, but I personally find them to be the highest caliber of news organization.

    Right up there with the LA Times [latimes.com], The National Enquirer [nationalenquirer.com], and the Weekly World News [weeklyworldnews.com].
  • More McSoftware... (Score:2, Insightful)

    by tds67 (670584)
    ...from Microsoft. Pay no attention to what's going on behind the software curtain, just watch something soothing and comfortable like pet names on your window borders and trust someone else to be your data security nanny. Just more dumbing down of computer users, if you ask me (Score:5, Pessimistic)
  • ...and will also hide the data unless the window has no others on top of it. That should make it very usable, and speed adoption of security features -- especially among people who need to be able to see the data in two partially overlapping windows at once.

    Maybe it's just me, but I can't see how preventing the very thing you need could possibly be considered making it more usable... but then again I guess this *is* Microsoft we're talking about.
  • by Sindri (207695) on Thursday May 08, 2003 @08:09PM (#5915499) Homepage
    It's a good thing Microsoft still includes options to turn off all the new crap features (from hide file extensions to can't share "Program Files" directory).

    I still wish they would just sum them up in one "I'm not retarded or anything like that." checkbox. With every new Windows version it takes me longer and longer to find the switches to turn off the silly features.
  • Hostage Data (Score:2, Interesting)

    by Slurms (144553)
    Maybe this has been mentioned and as usual I missed it.

    I find myself thinking that if I were to decide to put all my important data in their vault, what might I do if they tell me I have to pay the $1000 upgrade fee for the next version of their software if I want to continue to have access to my data in their vault?
    • by kfg (145172)
      Oh that's alright. Don't worry. I've already gained access to your information in their 'vault' and I'll sell it back to you for only $500. It's a bargain.

      And if you don't want it, that's ok, I've got *lots* of customers.

      KFG
  • Security? (Score:5, Interesting)

    by rice_burners_suck (243660) on Thursday May 08, 2003 @08:21PM (#5915555)
    Security, huh? From the company that can't avoid the temptation to put scripting capabilities into the darnedest things? And for whom? The users that don't know the difference between a DOS prompt and a BSOD? Who can't figure out how to copy a file to a floppy disk (in WINDOWS!!!) and need to pay someone to do it? (I swear to God, some lady telephoned me and offered to pay me $80 USD to copy a file to a floppy disk, couldn't tell me how large it was (I asked to see if it would even fit), and I had to convince her to find a nearby geek to show her how to do it because anybody who charges for that is a dirty thieving son of a bitch. But I said it in nicer words.)

    Ok. Let me get this straight. There are people in some African country that send out emails with schemes like, "We need to transfer 500 million dollars into a bank account but we need your help! Give us all of your private information, including your name, SSN, bank account numbers, etc., and we will open an account in your name to perform this transfer. To compensate you, we will give you 20% of the money." And people answer emails like that and give out their personal information. Or, someone sticks a sign on a bank drop box that reads, "Out of order. Leave deposits with guard." And obviously dresses like a guard and stands next to the drop box with a cart, collecting deposits. (As if a BOX can be out of order!!!!!) There are thousands of schemes like this... these two come from Frank Abagnale's book The Art of the Steal. He jacked millions of dollars himself, so he should know: People are unconscious! They don't think about security. Heck, America can't figure out how to secure its borders when thousands of years ago, China came up with a solution that can be seen from space. If people can't figure out how to secure a border, which is a physical thing that is well documented and understood by everyone (just look at a map), how the heck do you expect to secure computer networks when people don't understand (or want to understand) the complex computer internals that need to be understood in order to combat this problem?

    Let me ask you a question... When was the last time you were rooted? On your desktop? Running Windows? I honestly doubt that anybody here has ever been compromised, even if running Windows 24x7 with an Internet connection and no firewall of any kind. You know why? Because most folks here understand what security means, at least conceptually, and wouldn't be stupid enough to enter their password (not that it secures anything under Windows) into some bogus window. Do you honestly think that putting your dog's name (or any other information, for that matter) into a window is going to solve any security problems for Joe Shmoe? NO WAY!

    The way I see things is simple: Market security to corporations. Sell them computer security services in which their entire network is secured against attack, and more importantly, their data is backed up. But the home Joe Shmoe users... let them screw up their computers with the biggest security threats: All these stupid screensavers, cursors, sounds, graphics, clutter, junk, crap, downloads, viruses, MS Outlook, and all the crap they download and execute without thinking... When their computer crashes and they come crying to me, I'll continue saying what I've been saying for the past ten years, "Where are your backups? Oh, you didn't make any?! Well, the only way I can fix this computer is by blowing everything off and reinstalling. Oh, well... Maybe you should take it to [insert name of a computer repair shop that charges outrageous prices to reinstall Windows for you] and have them fix it. They understand these things better than I do."

    If Microsoft really wanted to combat security problems, and I am 100% serious about what I am saying here, then they would forget all this B.S. and convince users to keep the clutter and the CRAP off their computers. Secondly, they would convince people to back up their data. Windows might suck, but I'm always more concerned about the mechan

    • This post is golden. You hit the mark right on the money. If a company wants to focus on security, they should focus on training, physical security, then your IT infrastructure. The first two are your biggest holes. Make it paramount, like a bank does.

      Do banks look forward to this Microsoft ideal world? No. Because money talks, insurance is expensive, and they lock it down very hard. It's not perfect, but why go with a company with security on the backburner for the first 20 years of its existence?
  • by bergeron76 (176351) * on Thursday May 08, 2003 @08:44PM (#5915666)
    I can't help but think that the only useful reason for putting "unique" data in a window border would be to provide key data for analog captures/etc. By having a personal "tag" in a visual border (and potentially audio), they are taking a step toward making viewers/players/etc [the only link between the analog and digital realm] prolific. They're hoping it will become 'the norm[al]' in a few years, and as such, it could ultimately lead to the end of the analog/digital loophole that currently exists in DRM.

    I hope I explained this adequately...

    Scary stuff, IMHO.

  • by rat7307 (218353) on Thursday May 08, 2003 @09:23PM (#5915843) Homepage
    Enter Dogs Name:
    FIDO

    WARNING: Dogs name too short, should be 6-8 characters long and
    use combination of numbers and UPPER and lowercase letters.


    Enter Dogs Name:
    FiDo1234

    Dogs name accepted...
  • by Anonymous Coward on Thursday May 08, 2003 @10:17PM (#5916101)
    I had the great pleasure of getting trashed on Bourbon Street (oh yeah, and there was the conference thing, too). As an engineer who was in the room for these sessions, and has to deal with this stuff in the near future, let me tell you this article is quite misleading.

    MS is trying to bolster the overall security for their OS (called NGSCB...rtfa for the acronym def). A noble cause, but one that will be very tough for them to completely achieve. The author is focusing on only 1 small portion of NGSCB, which is securing the graphics subsystem. I'll do the author's job and list a few more relevant points:

    1) NGSCB is an opt-in type of program. If the hardware doesn't support it, or the user doesn't want it, it will be disabled.

    2) Only "trusted apps" will fall under the jurisdiction of the NGSCB. Things like Quicken or IE could fall into this category. They would then be protected by the OS so that other non-trusted apps can't get at the data generated by the trusted apps. So the majority of windows apps that you'd run on a day-to-day basis (games), would not be affected by this.

    3) The "trusted graphics" portion of NGSCB really only applies *** IF EVERYTHING ELSE IN WINDOWS IS SECURED ***. The thought being that if everything in the Windows OS is secure, hackers will look for the next most vulnerable target outside of the OS...the graphics device. Two of the most obvious ways to exploit it would be by sniffing the graphical info stored in the framebuffer, or by mimicking a "trusted" window and having the user just give the evil app the info it wants.

    4) The "dogs names" window is just an example of something that MS is kicking around. What they want to do is add something unique that the user provides to the trusted windows. This way an end user will see an evil app trying to pretend it's a trusted app. The idea here is that it will be almost impossible for a hacker to generate a window that looks exactly like a trusted window (unless they hack the OS to find out the unique quality of the user's trusted window...for now assume that the new Windows NGSCB can't be hacked...**snicker**). In any case, I seriously doubt "dogs names" will be the unique identifier.

    5) The "disappearing data" is done for a reason. When another untrusted app takes control of the OS (by being the top window), it has access to the framebuffer. So it would be simple to start an app, position the window so it doesn't completely obscure the trusted app, then read the framebuffer. Whatever info you want is right there in a bitmap. It would be nice if there were a better way to protect the framebuffer when a trusted app is alive, but it may not be possible in Windows.

    I may not agree with some of their logic/ideas in this area, but it's unfair to judge it on this article alone. If you want a little more info, try looking here [microsoft.com]. Then again, this is Slashdot...there doesn't need to be a real reason to bash MS...carry on...
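
    The hide-when-covered rule from point 5 above, as an added toy model that is not part of the original comment and is not Microsoft's code. The `Window` class, the one-character "pixels" and the sample window names are assumptions made for illustration; it shows what a reader of the shared framebuffer would see under that rule.

```python
from dataclasses import dataclass

@dataclass
class Window:
    name: str
    x: int
    y: int
    w: int
    h: int
    trusted: bool
    fill: str  # one-character stand-in for the window's pixels

def overlaps(a, b):
    """True when the two window rectangles share at least one cell."""
    return (a.x < b.x + b.w and b.x < a.x + a.w and
            a.y < b.y + b.h and b.y < a.y + a.h)

def drawable_trusted(stack):
    """stack is ordered bottom to top. A trusted window may draw its real
    content only when no window above it overlaps it at all."""
    return {win.name for i, win in enumerate(stack)
            if win.trusted and not any(overlaps(win, up) for up in stack[i + 1:])}

def compose(stack, width, height):
    """Build the shared framebuffer; a covered trusted window is blanked to '#'."""
    fb = [["."] * width for _ in range(height)]
    allowed = drawable_trusted(stack)
    for win in stack:
        ch = win.fill if (not win.trusted or win.name in allowed) else "#"
        for row in range(max(0, win.y), min(height, win.y + win.h)):
            for col in range(max(0, win.x), min(width, win.x + win.w)):
                fb[row][col] = ch
    return ["".join(r) for r in fb]

def exposed_cells(stack, width, height, secret_fill):
    """How many cells of secret content are present in the framebuffer."""
    return sum(row.count(secret_fill) for row in compose(stack, width, height))

# Constructed sample: a trusted window partly covered by an untrusted one.
BANK = Window("bank", 1, 1, 6, 3, True, "S")
POPUP = Window("popup", 5, 2, 4, 3, False, "u")

if __name__ == "__main__":
    print("\n".join(compose([BANK, POPUP], 12, 6)))
```
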

  • dog names? (Score:5, Funny)

    by carpe_noctem (457178) on Thursday May 08, 2003 @10:18PM (#5916110) Homepage Journal
    My dogs' names are "Teenage", "Slut", "Live", and "Webcams"....and I swear to GOD, it's the new Windows security mechanisms that are responsible for their appearance on all my window titles!
  • by Animats (122034) on Friday May 09, 2003 @01:14AM (#5916788) Homepage
    There are multilevel secure systems used by DoD that look sort of like this. But they have real security machinery behind the scenes.

    In systems like that, each window appears with a border that shows the security level, typically SECRET, UNCLASSIFIED, etc. Communication between programs and windows at different levels is prohibited, except in some very controlled ways. Applications can't even detect that stuff at higher levels exists. NSA Secure Linux has the underlying security machinery for this, although nobody has written a secure window manager for it.

    It sounds like Microsoft is adding the window decoration without the underlying machinery.

    Sadly, the few systems with security like this are antiques.

  • by borgdows (599861) on Friday May 09, 2003 @04:34AM (#5917218)
    Windows will automatically launch a BSOD when user is watching sensitive data.
    This way the data keeps secure!

  • by geoff lane (93738) on Friday May 09, 2003 @04:45AM (#5917256)
    ... the dog gets it!

"The way of the world is to praise dead saints and prosecute live ones." -- Nathaniel Howe
