Windows Security Through Annoyances?

techmuse writes "According to News.com, Microsoft's next version of Windows will let you know that you are looking at (supposedly) secure data by putting personalized text, such as the names of your dogs (a null list in my case), in window borders, and will also hide the data unless the window has no others on top of it. That should make it very usable, and speed adoption of security features -- especially among people who need to be able to see the data in two partially overlapping windows at once."

Re:So......

[seinman]

Because any website can pop up a fake window with a little GIF of a lock in the corner. But those dog names will be stored somewhere secure, that they can't access, so you know if you see them that your own computer is generating that data. Makes sense, although it'll be hard to explain and teach to the vast majority of computer users.

Re:One problem solved

[spectral]

The problem is that the memory in graphics cards aren't wrapped in to the security model. Therefore, anything with access to reading some memory from the video card (not too uncommon I'd imagine), can go and grab everything. Including the current screen contents.

Video cards therefore need to be modified to be secure and support access control on their memory, the way the CPU's privileged mode (and whatever hardware they're going to tack on to make palladium work 'better') allows the OS to control what can access certain parts of main memory.

USB: Handled by the OS. Easy to deal with. Monitors: would require hardware tapping, much harder to do (Especially remotely). Keyboards: Again, MOSTLY handled by the OS. (Windows passes most every key combination through hooks, except ctrl+alt+del. They'll probably change this so that if a secure window is on top, no hooks grab the data.)

Etc. etc. I don't argue that it's a bad idea (that there needs to be changes to the video card hardware to support this properly), it's just very poorly worded in the article.

I wonder if maybe the 3d support being used helps this? If you define everything as a texture, then you only need to secure certain textures (the secure ones), not the entire screen. Therefore things running unmanaged still work just fine. 2d accelerated blits might also do the trick, but probably not as well. (Do the 2d accel blits have a concept afterwards of what a window is, and therefore to hide a certain one? Probably not..)

Re:Prevent attacks?

[SClitheroe]

Over the shoulder snooping is certainly one way. A greater concern is an app that takes a screen capture of your desktop or the contents of certain windows, and sends it off to another machine.

I wonder how MS will handle cutting and pasting information between secure and insecure windows? Or even between secure windows, for that matter?

Re:CRT Monitors

[nolife]

That would be tempest monitoring [google.com].

Re:How will this help?

[Chester K]

the contents of the border are stored in a file somewhere, and presumably the file can be read.

Under NGSCB, you won't necessarily have access to certain files on your system -- therein lies the security; it basically uses the data in that secure file as proof that "hey, if the OS lets me show you this, then I'm trustworthy!"

Re:So......

[Scaebor]

How can a website possibly fake the lock-icon which happens to be on the toolbar?

Due to the special "features" of IE, it is possible to eliminate the status bar (not task bar) where the lock icon usually resides. By then creating a page using frames it would then be possible to replicate the look of the status bar without much trouble at all, even including the text of the page loading sequence using something so simple as an animated gif.

Re:Prevent attacks?

[IchBinEinPenguin]

The "start your DRM-enabled ebook reader, then your screenshot program so you can export the thing to LINUX' type of attacks.

Got back from WinHEC...this article is bullshit!!

[Anonymous Coward]

I had the great pleasure of getting trashed on Burbon street (oh yeah, and there was the conference thing, too). As an engineer who was in the room for these sessions, and has to deal with this stuff in the near future, let me tell you this article is quite misleading.

MS is trying to bolster the overall security for their OS (called NGSCB...rtfa for the acronym def). A noble cause, but one that will be very tough for them to completely achieve. The author is focusing only 1 small portion of NGSCB, which is securing the graphics subsystem. I'll do the author's job and list a few more relevant points:

1) NGSCB is an opt-in type of program. If the hardware doesn't support it, or the user doesn't want it, it will be disabled.

2) Only "trusted apps" will fall under the jurisdiction of the NGSCB. Things like Quicken or IE could fall into this category. They would then be protected by the OS so that other non-trusted apps can't get at the data generated by the trusted apps. So the majority of windows apps that you'd run on a day-to-day basis (games), would not be affected by this.

3) The "trusted graphics" portion of NGSCB really only applies *** IF EVERYTHING ELSE IN WINDOWS IS SECURED ***. The thought being that if everything in the Windows OS is secure, hackers will look for the next most vulnerable target outside of the OS...the graphics device. Two of the most obvious ways to exploit it would be by sniffing the graphical info stored in the framebuffer, or by mimmicing a "trusted" window and having the used just give the evil app the info it wants.

4) The "dogs names" window is just an example of something that MS is kicking around. What they want to do is add something unique that the user provides to the trusted windows. This way an end user will see an evil app trying to pretend it's a trusted app. The idea here is that it will be almost impossible for a hacker to generate a window that looks exactly like a trusted window (unless they hack the OS to find out the unique quality of the user's trusted window...for now assume that the new Windows NGSCB can't be hacked...**snicker**). In any case, I seriously doubt "dogs names" will be the unique identifier.

5) The "dissappearing data" is done for a reason. When another untrusted app takes control of the OS (by being the top window), it has access to the framebuffer. So it would be simple to start an app, position the window so it doesn't completely obscure the trusted app, then read the framebuffer. Whatever info you want is right there in a bitmap. It would be nice if there were a better way to protect the framebuffer when a trusted app is alive, but it may not be possible in Windows.

I may not agree with some of their logic/ideas in this area, but it's unfair to judge it on this article alone. If you want a little more info, try looking here [microsoft.com]. Then again, this is Slashdot...there doesn't need to be a real reason to bash MS...carry on...

Re:How will this help?

[bigberk]

Under NGSCB, you won't necessarily have access to certain files on your system -- therein lies the security; it basically uses the data in that secure file as proof that "hey, if the OS lets me show you this, then I'm trustworthy!

You're absolutely right, NGSCB (a.k.a. Palladium) and Trusted Computing can result in data stored on your computer that is inaccessible by you - this isn't a userlevel/root issue, it's a hardware level protection. And some "trusted" authority with the appropriate key sitting somewhere in the US may have the key.

Re:Why redefine a working metaphore?

[NearlyHeadless]

If the machine is compromised it could fake the dogs names too. Even if they are encrypted the key will be on your system. Obviously, if they have access via a trojan or something along those lines, than they could use the same code IE does to display the window.

Wrong. Part of Palladium/NGSCB, as well as Trusted Computing, is having a special chip to hold encryption/decryption keys. The whole point of this idea is to have information on this secure window that is only available via the keys in the chip. Any static icon (like a lock) can be faked. Showing your choice of data (like pet names) that indicate a trusted window is proof that the program is connected to the trusted chip.

This is fake multilevel security

[Animats]

There are multilevel secure systems used by DoD that look sort of like this. But they have real security machinery behind the scenes.

In systems like that, each window appears with a border that shows the security level, typically SECRET, UNCLASSIFIED, etc. Communication between programs and windows at different levels is prohibited, except in some very controlled ways. Appliations can't even detect that stuff at higher levels exists. NSA Secure Linux has the underlying security machinery for this, although nobody has written a secure window manager for it.

It sounds like Microsoft is adding the window decoration without the underlying machinery.

Sadly, the few systems with security like this are antiques.

Speaking of spoofing and different borders....

[bninja_penguin]

I've not read all the comments here, but I have read the article.
So far, most of the comments are about a spoofed status bar or the boraders that look different on the secured windows versus the unsecured ones. Anybody whose done work as a bench tech for a company servicing the general public for any length of time has surely had the conversation about porn dialers that the customer never even knew they had installed. With Active X controls, JavaScript, Macros, CGI sripts, or whatever the .NET crap will allow, I think most commenters are missing the point. You don't have to spoof anything. I mean, there are snippets of code you can put into a normal HTML page that can format a drive for you if you're running Windows, and using IE. Sure, there's patches, but so what? there's updated virus defs all the time, and the by far most prevalent viruses are months, even years old. So, to get back on topic, in this type of environment, someone will think they are safe, because they see poochies name running around the window border, when, in actuality, they "somehow" had the equivilent of a porn dialer downloaded to their system, and, rather than dialing Lybia, it just tells Windows that anything it does is trusted, and the person is well and truly fucked, for they bought into the great lie that Microsoft is telling with it's Trustworthy Platform bullshit.

Re:Great Wall of China

[Anonymous Coward]

um, that's by radar.

seriously, the wall is long but not wide. why can't you see highways, wide buildings, roads, etc.? answer: you can't