Windows Security Through Annoyances? 401
techmuse writes "According to News.com,
Microsoft's next version of Windows will let you know that you are looking
at (supposedly) secure data by putting personalized text, such as the names
of your dogs (a null list in my case), in window borders, and will also hide
the data unless the window has no others on top of it. That should make it very usable, and speed adoption of security features -- especially among
people who need to be able to see the data in two partially overlapping
windows at once."
So...... (Score:4, Insightful)
One problem solved (Score:3, Insightful)
Graphics cards are a security problem, because they contain their own pool of memory.
MS could just drop support for all video cards that have their own memory in favor of ones with integrated or shared memory (a la i810 family). Then the OS can have direct control over every aspect of the cards memory because it actually resides in main memory.
How will this help? (Score:4, Insightful)
On the other hand, I dont think this will be as annoying as the story submitter claims.
a half good idea... (Score:3, Insightful)
Re:So...... (Score:3, Insightful)
Wow this is...So...Great....? (Score:4, Insightful)
All I know is, I'm not buying Longhorn; I don't need MS holding my hand wherever I go. This seems like just another "feature" where something can go wrong...
Re:Is this type of attack really that prevalent (Score:5, Insightful)
But what does "Security" mean? (Score:5, Insightful)
For real security, you need to know WHAT has been secured. Examples include:
Data was encrypted in transit.
Data is authenticated to come from XXX source, according to YYY certificate authority.
This window is protected from being viewed by PCAnywhere.
This data has DRM, and is protected from being copied to another computer.
Unless you tell the user WHAT the security is, they will make poor decisions about what to do with the data. Putting the name of their dog on the window doesn't provide that information.
Re:So...... (Score:5, Insightful)
Re:One problem solved (Score:5, Insightful)
Ask any computer user, from a home web surfer to an IT manager, what they consider to be the worst security threats. My guess is they would list things like MS Outlook viruses, buffer overflows, ActiveX controls, spam and Gator. Would anyone but the MPAA mention graphics cards?
Re:Why redefine a working metaphore? (Score:2, Insightful)
A lot of things about the technology formerly known as Palladium scare me, but if it could be implemented in an open architecture where the machine owner has the keys, I think good things could happen.
Just my $0.02.
Comment removed (Score:5, Insightful)
Re:So...... (Score:3, Insightful)
Why not just prevent them from doing that, then?
This is like "inventing" a problem (Score:3, Insightful)
Re:How does Microsoft know my dogs' names? (Score:5, Insightful)
Seriously, given the number of people who use a pet's name for a password, displaying a list of them on the screen seems like a huge security risk.
Hey, I've got a wacky idea (Score:2, Insightful)
Oh wait, that would deprive MS of ad revenue...
No no, much easier to put up a purty border of your kids middle hyphenated names because malicious hackers would never figure out where that configuration information is stored (regedit).
"Honey, why does Thomas-Clark's name keep appearing in the border of my window underneath this ad for a web cam?"
More McSoftware... (Score:2, Insightful)
I'll tell you why it's great... (Score:4, Insightful)
Furthermore, I think that this could turn out to help security much more than some obscure feature. It is this low-level, "no shit sherlock" kind of basic security that is much more needed.
Re:One problem solved (Score:5, Insightful)
What this allows is secure playback of DRM-protected material, in such a way that it is impossible for the user to grab the data.
Once manufacturers jump on the bandwagon, you'll end up with a PC with "Palladium-enhanced" components, such as the DVD drive, hard drive, video card and sound card, where you are unable to do anything at all with data streams from sources (the HDD or DVD drive) to sinks (the video or sound card) that's not permitted by the supplier of that data. In other words, forget ripping your DVDs or CDs.
Doesn't make sense to me (Score:5, Insightful)
Tricks like these are not addressed by this approach which means that Microsoft still hasn't learned that con artists are probably the most likely to be able to get your confidential information
Re:One problem solved (Score:4, Insightful)
Re:Not so secure (Score:5, Insightful)
I was thinking that too. Then I read the article:
"A hacker can create a spoof page with dogs' names running along the border but, in all likelihood, not one reading "Buffy, Skip and Jack Daniels--and in that order," Biddle said."
True, but anyone could just create a similar-looking window, and just put words "Secure Window" instead of "Buffy, Skip and Jack Daniels". Guess which one will look to be secure and which one will not.
Also, if this system is not clearly explained to non-savvy users (and I am guessing it will not be), then there will be other implications as well - such as people typing in their passwords, or realizing their pet name *is* their password, etc. I look forward to how they implement this and confuse users.
Re:So...... (Score:2, Insightful)
Yes, becauser we know custom XUL prompts won't give the user a rather obvious security message... really they don't. It's exactly the same level as a page I could just browse to without trying to...
I was going to mod you down, but they still don't have the damn -1 incorrect.
Re:How does Microsoft know my dogs' names? (Score:2, Insightful)
There are technical means to do this much better, but society seems to be afraid of using cryptographic means.
Would the personalised text really help? (Score:1, Insightful)
The computer has to come with some text built in from the start. Let's say it will be "this is a secure window". Ok, great. Now think of the 99% of computer users out there. How many of them will actually bother to change that default text to something more original? 10%? 5%? 1%?
Now put yourself in the shoes of a typical computer user and think about this: you're out there surfing the web, when out of nowhere comes this window with the text "this is a secure window" running around the border all fancy-like. And what do you know, the window claims to be from a sysadmin, saying they need you to enter your password. How many average users would happily comply? 50%? 80%? 95%?
Great idea Uncle Bill, more zombies for me to command!
Re:Security? (Score:1, Insightful)
Small correction if I might. The great wall of China cannot be seen from space. This is a common misconception. Recall that at its best the Wall is no wider than an American two lane highway, which also cannot be seen from space. ("from space" defined as at least orbital altitude)
Secondly, as far as security is concerned the wall, which is not one wall but a series of interlocked fortifications, stopped nothing that really wanted over it. Like computers, Wall security is only as good as the people that have the keys. As the guard had the keys, not the Emperors, sufficient bribes got anyone through that wanted through.
Please, in future diatribes get the incidental facts straight. Thank you.
Now, Microsoft wants you to give them the keys. Being that they do not see fit to obey the law of the land, a simple thing, are you trusting them with you computer security? Something that is at least as "important" as the law, and to my mind even more so.
Emulating NGSCB (Score:2, Insightful)
What about a emulation that runs NGSCB? E.g. some kind of Wine or Bochs? You could easely compromise secured connections (and windows) because for the host OS they're running in normal, unprotected memory.
Even worse: What about a NGSCB client that pretends to be a real NGSCB-aware OS but is a fake in reality? You say asymmetric encryption? I say: Once these NGSCB-ready computers are out, it's only a matter of days until
Done by close integration with IE? (Score:1, Insightful)
I was under the impression... (Score:2, Insightful)
Re:Oh this is bright... (Score:2, Insightful)
The whole point of it is, if someone can get 60 seconds alone with your box, you're SOL..
And even if they can't get physical contact with your box, if they really want in, they will get in.
There are a lot of ways. With all the miniture cameras out now, well, you know the rest of the story..
I used to sell Tempest PC's to the gubmint a number of years back and learned a few things about physical security in the process.
They used isolated power supplies, fiber optic for any lans, faraday caged buildings and rooms, you name it.
And the really secured machines were DEEP underground in a faraday cage in a concrete bunker and ran on battery banks that were disconnected from the charge source before the systems were powered up. And to prevent tampering, guards were posted with M16's..
Now THAT was security.. They went from that, during the cold war, to losing hundreds of laptops in the post cold war era.. Some security eh??
If you don't maintain physical control of your box then you can not be certain of privacy and integrity of your data. Most people think that with the stupid password on their W2k or XP box that their stuff is private. Wrong. I can boot up Knoppix and your hard drive is mine to do with as I please.
I can email your private data out, FTP it out, http upload it anywhere I want, burn it to a CD or RW, FTP it all into a laptop with an ethernet x-over cable, dump it to zip disks, I could go on and on.
A person that can get to a box in the middle of the night and has a few hours to spare can have a real playday with your box and a Knoppix CD. I've shown this to customers and they crap all over themselves when they discover that that dipstick password "security" is utterly useless.
Knoppix+Windows box+ethernet+time alone=b0xen_0wnership..
Of course this is no concern to M$, they just care about you listening to music on your PC and paying per listen. And they have to stop those EVIL LINUX people from watching movies on their LINUX BOXES. All of these new proposals are not about security, they are about THEM controlling YOU..