Security By Aggravation
How much can you handle to get secure?
Technology doesn’t always treat us nicely here at Chez
Case in point: Last month, our projection television didn’t project or
televise. We’d rented a movie, Fabio had made his special popcorn, and
we were just settling down on the sofa when the far wall turned blank
white. Oh, we could still hear the movie. But unless it was about polar
bears gamboling in a snowstorm, the picture was nowhere to be had.
Fabio got on the phone to deal with the repair critters (that’s his department) and your dear old Auntie sat down at the computer to rant (that’s my department). Of course, all I could think about was that empty wall where my movie should have been. Eventually, though, I stopped grinding my teeth and was struck by the resemblance between our erstwhile television and some of the plans Microsoft has discussed for NGSCB.
In case you missed the news, that stands for Next-Generation Secure Computing
Base, the technology formerly known as “Palladium.” Microsoft finally
took some of the wraps off this technology at this year’s WinHEC. (If
you weren’t paying attention, there’s a whole Web site full of stuff at
microsoft.com/resources/ngscb/default.mspx.) It’s hard to put NGSCB
into a nutshell, but it’s designed to be a security architecture that
allows programs to lock up their data safe from the Evil People™, among
So, where’s the connection? Well, one of the NGSCB product managers re-vealed
this part of the plan to CNET: “Information on secured windows will vanish
if another window is placed on top of it or shifted to the background.
Erasing the information will prevent certain types of attacks and remind
people that they’re dealing with confidential material.” (http://news.com.com/2100-1012_3-1000584.html?tag=fd_top).
Let’s think about the scenario. You’re reading your company’s internal financial information, and you find a snippet you’d like to leak to your largest competitor. (Assume for argument’s sake that you’re one of the Evil People™.) You can’t cut and paste the information, so you open Notepad to type it in. But when you switch to Notepad, the window of financial info goes blank. Foiled again!
Or, at least foiled until you memorize a number, Alt-Tab over to Notepad and repeat as necessary. Or find a pencil and a piece of paper and write the numbers down. Or get out your digital camera. Has it escaped the brainiacs at Microsoft that once you display information on screen, it’s no longer securely locked up in the computer? There’s a class of attacks that blanking windows prevents—but information on screen isn’t secure. Game over.
But think of the poor busy user. She’s trying to work with two confidential applications at the same time (or three or six, depending on the pressures of the job), and only one blasted window will work with her at a time. There may be a sharp upswing in reports of monitors being thrown out (real) windows if this comes to pass.
Now, of course, Auntie is only picking on one little part of a vast plan, and perhaps it’s even a part misrepresented by the press. But it’s a bit disturbing that most of the information on NGSCB so far boils down to four categories:
1. Look at this nifty thing we can do!
2. It’s not our problem if someone misuses this; we’re just building a tool.
3. Trust us, we’re from Microsoft.
4. Boy, is this ever going to improve hardware sales.
I understand that some users need high-security applications. But to saddle every copy of Windows (in some future version) with technology that requires all-new hardware—and enables software vendors to make life more difficult—isn’t a very compelling story for the average consumer. Of course, as MCSEs, we’re not the average consumer. Just think of all the overtime spent fixing this stuff in its first generation or two!
Meanwhile, Auntie doesn’t want shell games with windows on screen to give her a secure feeling anymore than she wants blank pictures in place of movies on the wall. Let’s hope Microsoft is open to feedback and that the technological prowess doesn’t cause its engineers to assume that everyone thinks like they do.
Em C. Pea, MCP, is a technology consultant, writer and now budding nanotechnologist who you can expect to turn up somewhere writing about technology once again.