Re: An attack on paypal -- secure UI for browsers

2003-06-16 Thread John Kelsey
At 04:29 PM 6/14/03 -0400, Sunder wrote:
...
If the day comes where MS Office DRM only works with MS Office DRM, how
many people will switch to it?  If your company is willing to switch to
it, then they'll give you a PC with it on it.  If they don't, then they
can't expect you to interact with them via such formats and can't require
you to do so.
So, have you ever tried doing substantial revisions on a large document 
that's going back and forth between two or more versions of Word?  It's in 
MS' interest to get everyone using the same version, so it's not really in 
their interest to spend great amounts of time debugging their version 
translation functions.  It shows.

If you need to coordinate working on a big Word document with several other 
people (e.g., clients or coworkers who are most comfortable with Word), you 
pretty-much will need to use not just Word, but the same version of 
Word.  That doesn't need any secure hardware to enforce, just buggy 
software.  You can sometimes work around this, but it's a pain to do.

You sound like someone's holding a gun to your head and requiring you to
have MS Office.
Well, let's distinguish between:

a.  The sort of network monopoly situation Microsoft is in, where the world 
has more-or-less settled on a bunch of their products, and so they can do a 
lot of irritating things before they actually lose their dominant market 
position.  (Note that this doesn't mean they are unassailable; Word Perfect 
and Lotus -123 were once in similarly dominant positions.)

b.  Eventual laws requiring that every new computer contain a secure 
processing unit to enforce the dictates of the government, the record 
companies, or whomever else on your computers.

I think a lot of the objection to TCPA is the worry that it will be 
mandated eventually, and that it will then be used to cement the network 
monopoly held by MS forever.  And Vinge's description of ubiquitous 
governance comes to mind here--whether it's MS or the US federal 
government or the UN or the Catholic Church, if someone can put themselves 
in control of all computer equipment you own in some secure way, they look 
a heck of a lot like the government.

Either way, you can ask them to export to other document formats which you
can read.  Even now Office will export to HTML for example which is
readable by Mozilla and other browsers.
Sure.  Or you can often translate their documents, or open them with 
OpenOffice.  I do this when I just need to read and comment on a Word 
document.  But if you are going to be revising and sending back the 
document a few times, this will not work--you will lose some formatting, 
you will probably introduce weird formatting bugs, you may mess up the file 
format, etc.  It's just not worth the pain.  Though I have a legitimate 
copy of Word on my machine, when given a choice, I always do everything in 
ASCII text until the very end, and then paste the text into Word and do 
formatting last.  But again, this isn't too helpful if it's a document I'm 
working on with someone else.
...
Either way, how much a revolt do you think there will be if Microsoft
decides to lock down their tools (such as word) to the point where they
can no longer export to HTML, plain text, RTF should the author wish
it to do so and provides whatever passphrases or ID's needed to unlock
the document and export it out?

Who would buy such a dog of a product?  Do you think businesses are so
stupid that they'd put up with a product that jails them in?  Get real
son, you're howling at the moon!
Mainframe customers used to put up with this kind of treatment routinely, 
so it's not impossible.  Whether it will fly these days is an interesting 
question, but I don't think the answer is obvious.  Someone might ask the 
same rhetorical question about whether customers would sit still for buggy, 
insecure software.  But nobody would ask that question these days, as the 
answer is so painfully obvious.
...

--John Kelsey, [EMAIL PROTECTED]
PGP: FA48 3237 9AD5 30AC EEDD  BBC8 2A80 6948 4CAA F259


Re: An attack on paypal -- secure UI for browsers

2003-06-14 Thread Adam Lydick
The FAQ (see attached) claims that anyone can write a nexus and that
users control which nexus(es) run.

I certainly didn't see anything that suggests that anyone can force you
to run arbitrary code, regardless of who has signed it. I also find it
absurd to worry about what code Microsoft is running on your system. If
you are running their operating system, you are already running
arbitrary code from them. If you install a security or functional patch,
you are running arbitrary code from them. How would this be different?

My only real concern is that once this becomes widespread, having the
correct nexus + DRM software installed will be the only way to
play digital media. I have a feeling I won't be playing any of that
content from the MythTv box in my living room...

AdamL

--

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/news/NGSCB.asp

Q: What is the nexus component of NGSCB?

A:  The nexus is a new Windows OS component that will be introduced as
part of NGSCB. The nexus, what we used to refer to as a nub or
trusted operating root, is essentially the kernel of an isolated
software stack that runs alongside the existing software stack. The
nexus provides a limited set of APIs and services for applications,
including sealed storage and attestation functions. Think of nexus-aware
applications as residing in the user mode space of the parallel
execution environment and the nexus as residing in the kernel mode
space.

Anyone can write a nexus for use with nexus-aware systems. The user
always has the ultimate authority over what nexuses are allowed to run.
Only one nexus at a time will be able to run on a machine.

Q: What is the privacy model associated with NGSCB?

A: The user is always in control of whether or not nexus-aware
technology is enabled on his or her PC and what nexuses have access to
specific functions. The technology being developed as part of NGSCB
provides a fine-grained access control model that allows users to
specify (by hash) whether an individual nexus has the right to invoke a
specific security operation. In addition, SSC functions that reveal
potentially machine-identifying information, such as the RSA public key,
can only be performed once per SSC reset (and the SSC cannot be reset
from software; you have to power-cycle the PC). 

-- 
Adam Lydick [EMAIL PROTECTED]



Re: An attack on paypal -- secure UI for browsers

2003-06-14 Thread lcs Mixmaster Remailer
Adam Shostack writes:

 Actually, most of the features of Nogsuccob are features that I 
 want, like integrity protected, authenticated boot.  The problem, 
 bundled with those features, is the ability of the system to attest to 
 its secure boot.  This can be fixed by not letting the host know if 
 you've exported its host key or not, which makes it possible to run a 
 virtualized, trusted copy in your emulation environment. 

Nothing forces you to tell anyone else that you booted securely.  At most
someone may offer to give you something in exchange for such a proof,
but you're not obligated to take them up on it.

It's not clear what you're getting at about exporting the host key.
These systems (TCs) are generally designed to make that difficult or
impossible to accomplish.  The security of the whole system is built on
that assumption.  If you actually did manage to pull out the host key
then you could make it attest to any falsehood you wanted, although you
might get caught eventually.

Trusted Computing lets people convincingly tell the truth about what
software they are running.  This is seen as a horrific threat in certain
circles.  It's easy to see why liars wouldn't like it.  What does an
honest man have to lose?



Re: An attack on paypal -- secure UI for browsers

2003-06-14 Thread Adam Shostack
On Sat, Jun 14, 2003 at 11:20:16AM -, a Microsoft employee wrote:
| Adam Shostack writes:
| 
|  Actually, most of the features of Nogsuccob are features that I 
|  want, like integrity protected, authenticated boot.  The problem, 
|  bundled with those features, is the ability of the system to attest to 
|  its secure boot.  This can be fixed by not letting the host know if 
|  you've exported its host key or not, which makes it possible to run a 
|  virtualized, trusted copy in your emulation environment. 
| 
| Nothing forces you to tell anyone else that you booted securely.  At most
| someone may offer to give you something in exchange for such a proof,
| but you're not obligated to take them up on it.

Well, sure.  And no one forces me to run Microsoft office, either,
except Microsoft's monopoly.  And when the document format can phone
home to prevent piracy or openoffice from running, no one will be
'obligating' me to pay monopoly rents to Microsoft.

In the same way, no one forces me to have a driver's license.  But it's
damned hard living life without one.

| It's not clear what you're getting at about exporting the host key.
| These systems (TCs) are generally designed to make that difficult or
| impossible to accomplish.  The security of the whole system is built on
| that assumption.  If you actually did manage to pull out the host key
| then you could make it attest to any falsehood you wanted, although you
| might get caught eventually.

The security of the system to make attestations is built on that
assumption.  However, there are other values that a TBC can offer,
like secure key storage or trusted boot of a known OS image, that I
might like.

My ability to attest to any falsehood is limited by the statements the
key is expected to sign.  How broad are those?  I thought they were
quite limited.


| Trusted Computing lets people convincingly tell the truth about what
| software they are running.  This is seen as a horrific threat in certain
| circles.  It's easy to see why liars wouldn't like it.  What does an
| honest man have to lose?

Interoperability.
Fair use.
Market Choice.
Archives.
Control over their own computers.
Ability to decide when to patch.
The ability to run purchased software..
... privately.
... when there are bugs in the license code.
... when the license server or the network is unavailable.

That's off the top of my head.

Adam

-- 
It is seldom that liberty of any kind is lost all at once.
   -Hume
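
The exchange above (the remailer's point that an exported host key lets the chip "attest to any falsehood", and Adam Shostack's reply that a quote is limited to the statements the key is expected to sign) and the NGSCB FAQ quoted in Adam Lydick's message further down (policy by nexus hash, sealed storage, attestation, one nexus at a time, identity revealed once per SSC reset) both describe the same small set of operations.  The following is an added Python illustration of those operations, written for this page; it is not Microsoft's nexus or SSC code and not anything the FAQ ships.  The SSC class, its operation names, the "nexus images" and the statement format are assumptions.  The RSA key is textbook RSA on two publicly known Mersenne primes, so it has no security at all and exists only to make the public/private split visible: the verifier holds (n, e), the chip holds d, and "exporting the host key" means copying d.

```python
"""Toy NGSCB-style security support component (SSC). Hypothetical illustration only."""
import hashlib, hmac, secrets

# Textbook RSA on two well-known Mersenne primes: factors public, no real security.
_P, _Q, _E = 2**89 - 1, 2**107 - 1, 65537


def measure(nexus_code):  # a nexus is identified by the hash of its image
    return hashlib.sha256(nexus_code).digest()


def _statement(nexus_hash, nonce):  # the only form the attestation key ever signs
    # measurement + verifier nonce, truncated to 160 bits so it is below the toy modulus
    return int.from_bytes(hashlib.sha256(b"ATTEST|" + nexus_hash + b"|" + nonce).digest()[:20], "big")


def _xor_pad(key, nonce, data):  # one-block keystream; payloads <= 32 bytes here
    return bytes(a ^ b for a, b in zip(data, hashlib.sha256(key + nonce).digest()))


class SSC:
    def __init__(self):
        self.public_key = (_P * _Q, _E)
        self._d = pow(_E, -1, (_P - 1) * (_Q - 1))  # meant never to leave the chip
        self.policy = {}      # nexus hash -> set of operations the user permits
        self.running = None   # hash of the one nexus currently loaded
        self._identity_shown = False

    def power_cycle(self):  # the only reset; per the FAQ not reachable from software
        self.running, self._identity_shown = None, False

    def load_nexus(self, nexus_code):
        if self.running is not None:
            raise RuntimeError("only one nexus at a time; power-cycle first")
        self.running = measure(nexus_code)
        return self.running

    def identity(self):  # machine-identifying public key: handed out once per reset
        if self._identity_shown:
            raise PermissionError("public key already revealed since last reset")
        self._identity_shown = True
        return self.public_key

    def _require(self, op):
        if self.running is None or op not in self.policy.get(self.running, ()):
            raise PermissionError(f"running nexus is not permitted to {op}")

    def _seal_key(self):  # chip secret mixed with the running nexus's measurement
        return hashlib.sha256(self._d.to_bytes(32, "big") + self.running).digest()

    def seal(self, data):  # encrypt-and-MAC so only this same nexus can unseal it
        self._require("seal")
        key, nonce = self._seal_key(), secrets.token_bytes(16)
        ct = _xor_pad(key, nonce, data)
        return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

    def unseal(self, blob):
        self._require("unseal")
        key, nonce, ct, tag = self._seal_key(), blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
            raise ValueError("sealed by a different nexus, or tampered with")
        return _xor_pad(key, nonce, ct)

    def attest(self, nonce):  # quote = (measurement, signature over the fixed statement)
        self._require("attest")
        return self.running, pow(_statement(self.running, nonce), self._d, self.public_key[0])


def verify_attestation(public_key, expected_nexus_hash, nonce, quote):
    """Verifier holds only the public key and the hash of the nexus it expects."""
    nexus_hash, sig = quote
    n, e = public_key
    return nexus_hash == expected_nexus_hash and pow(sig, e, n) == _statement(nexus_hash, nonce)


def _raises(exc, fn, *args):
    try:
        fn(*args)
    except exc:
        return True
    return False


def demo():
    good, other = b"nexus image v1 (constructed)", b"another nexus (constructed)"
    ssc, nonce = SSC(), secrets.token_bytes(16)
    ssc.policy[measure(good)] = {"seal", "unseal", "attest"}
    ssc.policy[measure(other)] = {"unseal"}  # may try to unseal, but its seal key differs
    ssc.load_nexus(good)
    blob, quote, pub = ssc.seal(b"license key 1234"), ssc.attest(nonce), ssc.identity()
    r = {"unseal_same": ssc.unseal(blob) == b"license key 1234",
         "attest_ok": verify_attestation(pub, measure(good), nonce, quote),
         "second_nexus_blocked": _raises(RuntimeError, ssc.load_nexus, other),
         "identity_once": _raises(PermissionError, ssc.identity)}
    ssc.power_cycle()
    ssc.load_nexus(other)
    r["unseal_other_fails"] = _raises(ValueError, ssc.unseal, blob)
    r["attest_denied"] = _raises(PermissionError, ssc.attest, nonce)
    # Exported-host-key case: with _d in hand, a quote for a nexus that is NOT running
    # verifies just as well as a genuine one; the verifier cannot tell the difference.
    forged = (measure(good), pow(_statement(measure(good), nonce), ssc._d, pub[0]))
    r["forged_verifies"] = verify_attestation(pub, measure(good), nonce, forged)
    return r
```

Two things the run makes concrete.  The quote only ever commits to one fixed-form statement (the running nexus's hash plus the verifier's nonce), which is the sense in which the key's ability to "attest to a falsehood" is limited: with the key, the only lie available is a false measurement, but that is exactly the lie a remote party cares about, and nothing in the quote reveals it.  And sealed data never depends on the verifier at all; it is bound to the chip secret and the nexus hash, so a second nexus the user has also authorized still cannot open the first one's blob.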



Re: An attack on paypal -- secure UI for browsers

2003-06-14 Thread David Wagner
Adam Lydick  wrote:
The faq (see attached) claims that anyone can write a nexus and that
users control which nexus(s) run.

I certainly didn't see anything that suggests that anyone can force you
to run arbitrary code, regardless of who has signed it.

Force, maybe not.  No one can force me to turn my machine on,
for instance.  But take a look at one line you quoted from the FAQ:

Only one nexus at a time will be able to run on a machine.

That looks to me like an important sentence.



Re: An attack on paypal -- secure UI for browsers

2003-06-14 Thread Sunder
Um, how's that again?  How does Ballmer and Gates force you, Adam Shostack
to run Microsoft Office?  Did they put a gun to your head?  Did they
manage to twist Congress's arms to put a gun to your head?

Compatibility you say?  Well, that's your choice.  You can decide if it's
important enough to you and act accordingly.  I personally think MSFT is
evil, and provides nothing but mediocre software.  So I vote with my
wallet by not paying them for their junk and I won't buy upgrades of their
software if the previous versions do what I needed, and install Linux and
OpenBSD on new machines.

Yes, some of the older shittier machines I have run Windows, but that's
because I'm either too lazy to track down drivers for Linux or want them
to continue running what they run.  Doesn't mean I have to go to XP or
2003.

Yes, my work machine runs win2k, but I didn't pay for it, and I didn't
have much choice in it - actually I could either quit and find a new job
(really lots of fun in this economy) or reinstall Linux over it and live
with Open Office and other open tools or have paid for Crossover office
out of my pocket, etc.  Wasn't worth the trouble and we already have a
site license for win2k + office 2k, so that's the path I went.   Not my
money, the company's money.  They chose to pay the Redmond Beast, so what
do I care?

But for home use, I have no real use for much more than OpenOffice and
Linux.  There's no need for me to pirate garbage from Microsoft.  I can
live without it.  

These are some old Pentium 1 100MHz notebook machines I have that came
with Windows 95 and 98 - turd OS's really, but they serve a purpose - mp3
players and light web surfing in my living room and other places for
example.  And before you ask, no, I didn't pirate the mp3's.  They're all
ripped from CD's that I owned, and I still have the CD's as proof of
ownership.  Yes, I could go to linux on them, but why bother wasting half
a day tracking down drivers and tuning kernels for them when they're
already built and working the way I want them to?


So why do you feel it's required of you to either pay Microsoft for, or
pirate Office XP and Server 2003 and TCPA enabled junkware?  What's so
important that you can't live without them.


--Kaos-Keraunos-Kybernetos---
 + ^ + :25K liters anthrax, 38K liters botulinum toxin, 500 tons of   /|\
  \|/  :sarin, mustard and VX gas, mobile bio-weapons labs, nukular /\|/\
--*--:weapons.. Reasons for war on Iraq - GWB 2003-01-28 speech.  \/|\/
  /|\  :Found to date: 0.  Cost of war: $800,000,000,000 USD.\|/
 + v + :   The look on Saddam's face - priceless!   
[EMAIL PROTECTED] http://www.sunder.net 

On Sat, 14 Jun 2003, Adam Shostack wrote:

 Well, sure.  And no one forces me to run Microsoft office, either,
 except Microsoft's monopoly.  And when the document format can phone
 home to prevent piracy or openoffice from running, no one will be
 'obligating' me to pay monopoly rents to Microsoft.

SNIP
 
 In the same way, no one forces me to have a driver's license.  But it's
 damned hard living life without one.
 
SNIP



Re: An attack on paypal -- secure UI for browsers

2003-06-14 Thread Sunder
Oh get over it.  There are other formats.  You ever heard of
XML?  HTML? RTF?

If the day comes where MS Office DRM only works with MS Office DRM, how
many people will switch to it?  If your company is willing to switch to
it, then they'll give you a PC with it on it.  If they don't, then they
can't expect you to interact with them via such formats and can't require
you to do so.

You sound like someone's holding a gun to your head and requiring you to
have MS Office.

Either way, you can ask them to export to other document formats which you
can read.  Even now Office will export to HTML for example which is
readable by Mozilla and other browsers.

Microsoft is not the DMV.  You don't need to use their software.

And no, I will never be part of your problem because the documents I will
create for non work use will be made with Open Office or will be plain
text, html, or xml files.

If I'm required to use a DRM'ed Office for work, then fine, my company
owns those documents anyway and they can do whatever the fuck they like
with them either way.   It doesn't matter to me at all -- it's their call,
it's their company, it's their documents.

But, for personal use, I won't buy any upgrades or new Microsoft
software.  End of story.

Either way, how much a revolt do you think there will be if Microsoft
decides to lock down their tools (such as word) to the point where they
can no longer export to HTML, plain text, RTF should the author wish 
it to do so and provides whatever passphrases or ID's needed to unlock
the document and export it out?

Who would buy such a dog of a product?  Do you think businesses are so
stupid that they'd put up with a product that jails them in?  Get real
son, you're howling at the moon!

On one hand you're bitching that you have to use Microsoft software on the
other you're complaining that I'm using it while I'm telling you I don't
want to and don't care to and won't upgrade to it.

You want to make a difference?  Go ahead, wipe every bit of Microsoft
wares off all your machines and burn the CD's you've installed them
from.  Go all open source and show others the right way.  At least I'd
have some respect for you for voting with your wallet and practicing what
you preach.

Right now all you're doing is bitching that you're forced to buy and use
Microsoft Office.  I say that's bullshit, and you know it.



On Sat, 14 Jun 2003, Adam Shostack wrote:

 Sure.  And I'm glad you work with a small group of people who
 understand that you don't read their documents.  After many years of
 refusal, I finally gave up.  I work with lots of customers who expect
 documents in MS formats, and look at you askance for giving them
 anything else.  You only get so many explanations before customers go
 elsewhere, and I chose not to spend them on this.  Similarly, I could
 choose to speak to everyone I meet in, say, Russian.  And some folks
 would understand.  Others would walk away.  So, you can argue that
 you're effectively required to speak English to do business in North
 America.  I would argue that you're similarly required to use MS
 Office.
 
 
 You'll be part of the problem when Nogsuccob is upon us, because the
 documents you create won't be readable in OpenOffice, and Crossover
 won't run.

 
 Office Nogsuccob will only interoperate with itself.  Companies will end
 up deploying it to interact with other versions, not for any real
 feature.
 
 You don't like the word force, I suggest quitting all use of .DOC,
 .PPT, and .XLS formats.  Please educate the world on how much better
 the alternatives are.  Me, I'll pay my $200 to not bother today, and
 regret it tomorrow.
 
 And by the way, do you have a driver's license, or other state-issued
 ID card?



Re: An attack on paypal -- secure UI for browsers

2003-06-14 Thread Adam Shostack
A charming naivete.

*Plonk*


On Sat, Jun 14, 2003 at 04:29:23PM -0400, Sunder wrote:
| Oh get over it.  There are other formats.  You ever heard of
| XML?  HTML? RTF?
| 
| If the day comes where MS Office DRM only works with MS Office DRM, how
| many people will switch to it?  If your company is willing to switch to
| it, then they'll give you a PC with it on it.  If they don't, then they
| can't expect you to interact with them via such formats and can't require
| you to do so.
|
| You sound like someone's holding a gun to your head and requiring you to
| have MS Office.
| 
| Either way, you can ask them to export to other document formats which you
| can read.  Even now Office will export to HTML for example which is
| readable by Mozilla and other browsers.
| 
| Microsoft is not the DMV.  You don't need to use their software.
| 
| And no, I will never be part of your problem because the documents I will
| create for non work use will be made with Open Office or will be plain
| text, html, or xml files.
| 
| If I'm required to use a DRM'ed Office for work, then fine, my company
| owns those documents anyway and they can do whatever the fuck they like
| with them either way.   It doesn't matter to me at all -- it's their call,
| it's their company, it's their documents.
| 
| But, for personal use, I won't buy any upgrades or new Microsoft
| software.  End of story.
| 
| Either way, how much a revolt do you think there will be if Microsoft
| decides to lock down their tools (such as word) to the point where they
| can no longer export to HTML, plain text, RTF should the author wish 
| it to do so and provides whatever passphrases or ID's needed to unlock
| the document and export it out?
| 
| Who would buy such a dog of a product?  Do you think businesses are so
| stupid that they'd put up with a product that jails them in?  Get real
| son, you're howling at the moon!
| 
| On one hand you're bitching that you have to use Microsoft software on the
| other you're complaining that I'm using it while I'm telling you I don't
| want to and don't care to and won't upgrade to it.
| 
| You want to make a difference?  Go ahead, wipe every bit of Microsoft
| wares off all your machines and burn the CD's you've installed them
| from.  Go all open source and show others the right way.  At least I'd
| have some respect for you for voting with your wallet and practicing what
| you preach.
| 
| Right now all you're doing is bitching that you're forced to buy and use
| Microsoft Office.  I say that's bullshit, and you know it.
| 
| 
| 
| On Sat, 14 Jun 2003, Adam Shostack wrote:
| 
|  Sure.  And I'm glad you work with a small group of people who
|  understand that you don't read their documents.  After many years of
|  refusal, I finally gave up.  I work with lots of customers who expect
|  documents in MS formats, and look at you askance for giving them
|  anything else.  You only get so many explanations before customers go
|  elsewhere, and I chose not to spend them on this.  Similarly, I could
|  choose to speak to everyone I meet in, say, Russian.  And some folks
|  would understand.  Others would walk away.  So, you can argue that
|  you're effectively required to speak English to do business in North
|  America.  I would argue that you're similarly required to use MS
|  Office.
|  
|  
|  You'll be part of the problem when Nogsuccob is upon us, because the
|  documents you create won't be readable in OpenOffice, and Crossover
|  won't run.
| 
|  
|  Office Nogsuccob will only interoperate with itself.  Companies will end
|  up deploying it to interact with other versions, not for any real
|  feature.
|  
|  You don't like the word force, I suggest quitting all use of .DOC,
|  .PPT, and .XLS formats.  Please educate the world on how much better
|  the alternatives are.  Me, I'll pay my $200 to not bother today, and
|  regret it tomorrow.
|  
|  And by the way, do you have a driver's license, or other state-issued
|  ID card?
| 

-- 
It is seldom that liberty of any kind is lost all at once.
   -Hume



Re: An attack on paypal -- secure UI for browsers

2003-06-14 Thread Jamie Lawrence
On Sat, 14 Jun 2003, Sunder wrote:

 Oh get over it.  There are other formats.  You ever heard of
 XML?  HTML? RTF?

Yes, as a matter of fact. RTF is an MS format, BTW. They do change it
sometimes, breaking various attempts at interoperability. They don't do
it much; it seems like something they forget to break much of the time.

 If the day comes where MS Office DRM only works with MS Office DRM, how
 many people will switch to it?  If your company is willing to switch to
 it, then they'll give you a PC with it on it.  If they don't, then they
 can't expect you to interact with them via such formats and can't require
 you to do so.
 
 You sound like someone's holding a gun to your head and requiring you to
 have MS Office.

No, there's no gun to anyone's head. However, as part of negotiating my 
current contract (I'm a partner in a small software development
company), we received lots of MS Word/Excel docs. When you're
negotiating new business, saying "erm, I don't do Windows. Can you give
me something else" is a bit of a show stopper. By comparison, if you're
selling someone a car, are you going to stop them mid-sale and ask that
they please haggle in Euros? (And in case you're curious, our project 
is entirely open source driven.)

 Microsoft is not the DMV.  You don't need to use their software.

For that matter, one can drive without a license.

I see your distinction, however it is very difficult to do business
without MS software. I'm typing this on a Linux-running laptop, which is
my primary user-level machine, and in order to do business, have to run
Crossover. (And I do own my MS Office license.) All of my proposals are
written in plain text and sometimes, done in Postgres when I need
spreadsheet-like behavior. They have to be rendered in Word format for
client consumption. (Open source spreadsheets still suck, in my
opinion.)

 And no, I will never be part of your problem because the documents I will
 create for non work use will be made with Open Office or will be plain
 text, html, or xml files.

That's a rather fine point to put on it. There isn't much difference
between work and non-work for me. Rather, there is, but nonwork choices
directly impact my work choices.

You seem to offload a lot of your choices onto your company.

 If I'm required to use a DRM'ed Office for work, then fine, my company
 owns those documents anyway and they can do whatever the fuck they like
 with them either way.   It doesn't matter to me at all -- it's their call,
 it's their company, it's their documents.

Just workin' for the man, eh?

 Either way, how much a revolt do you think there will be if Microsoft
 decides to lock down their tools (such as word) to the point where they
 can no longer export to HTML, plain text, RTF should the author wish 
 it to do so and provides whatever passphrases or ID's needed to unlock
 the document and export it out?

Honestly, this is supposition, entirely unsupported by anything other
than my intuition about how companies I've worked for in the past 
behave. Feel free to ignore. 

I think they'll lap it up. Along with expensive and annoying licensing
terms, companies get no-forward emails and expiring spreadsheets. Think
about what Enron would have done with that. Hell, I suspect MS
probably evaluated what they did wrong in the antitrust trial in order
to avoid similar outcomes in the future. There's a market there.
 
 Who would buy such a dog of a product?  Do you think businesses are so
 stupid that they'd put up with a product that jails them in?  Get real
 son, you're howling at the moon!

Um. Who owns the market in desktop productivity software?

 You want to make a difference?  Go ahead, wipe every bit of Microsoft
 wares off all your machines and burn the CD's you've installed them
 from.  Go all open source and show others the right way.  At least I'd
 have some respect for you for voting with your wallet and practicing what
 you preach.
 
 Right now all you're doing is bitching that you're forced to buy and use
 Microsoft Office.  I say that's bullshit, and you know it.


I use MS software for interoperability testing (much like I use
Quickbooks, some Oracle wares, etc.), and for client communication.
Everything else in my company is open source. Everything we deploy is
open source, unless the client asks for something else. They typically
pay for that choice, not only because I'm frequently not familiar with
the software they choose, but also because it's a bitch to work with
(anyone else ever have to deal with Adobe Distiller under unix?)

It isn't bullshit that to operate as a business entity, one needs MS
software. I can certainly dick around with my personal website and write
my memoirs without it, and 98% of what I do for a living is MS free, but
getting business without it (read aloud as "public interfaces")
is nearly impossible. Perhaps you can ignore that, because you're just
working for the man, and it isn't your fault that you write MS Word
docs.

DRM is going to 

Re: MS Format Flames Re: An attack on paypal -- secure UI for browsers

2003-06-14 Thread Bill Stewart
 Oh get over it.  There are other formats.
 You ever heard of XML?  HTML? RTF?
There are output formats and input formats.

It's easy to output data in formats other people can read -
if you want something prettier than ASCII,
HTML is usually fine, though there's not much support
for embedded pictures as opposed to separate files.
XML is a meta-format - you can't really guarantee that
anybody else's XML tool can read your XML tool's documents,
because they may not have all the same objects.
If you want to give them something quasi-immutable,
there's always PDF.  That lets you be rude _and_ proprietary :-)
Postscript is more flexible, but too many people don't have
tools to read it with.
Input formats are harder, because Microsoft keeps adding
backwards-incompatibility every time they upgrade Office,
just to force everybody else to upgrade.
OpenOffice can often help, but not always.
Microsoft does make free readers for Word and Powerpoint.
They're only intended for running on Windows,
but perhaps they work on WINE?


Re: An attack on paypal -- secure UI for browsers

2003-06-13 Thread Mike Rosing
On Fri, 13 Jun 2003, Nomen Nescio wrote:

 Apparently you neglected to read
 http://www.microsoft.com/resources/ngscb/NGSCB_Overview.mspx, where
 Microsoft says (as they have repeated many times) Customers and partners
 need reliable ways to ensure the quality of technology that addresses
 the critical needs met by NGSCB. That's why Microsoft will make available
 for public review the source code of the core piece of enabling software
 in NGSCB, called the 'nexus,' so it can be evaluated and validated by
 third parties for both security and privacy considerations.

So why isn't it open for review *before* it's finalized?  Might it
give too many people an idea of what's really wrong with it?

 Therefore some educated person (obviously not you, at least not yet)
 will in fact be able to perform their own examination of the trusted part
 of the OS, since it will have its source code published for exactly this
 sort of review.

Let's see it now.  Not after it's finished.

 Microsoft's legacy software is all extremely complex.  Palladium is
 taking a different approach, aiming at simplicity and transparency.

I want the drugs you are on dude.  You have a very rosy picture, and
it seems all your inputs have been hijacked by supreme chemicals!

 The Nexus, which is the micro-kernel for the trusted components (NCAs),
 will be published for review.  Its tasks are relatively few and well
 defined, nothing like the massive Windows OS.  That is what Microsoft has
 gained by architecting Palladium as they did, with the new trusted
 CPU mode, which allows side-by-side operating systems to run.  On the
 left hand side (LHS) we find the legacy Windows OS and applications.
 On the right hand side (RHS) we find the Nexus acting as the OS, and
 the NCAs acting as the applications.

And in the mean time the user can't control their own computer.

 The brilliance of Palladium is that the LHS can't touch the RHS,
 because of hardware protection.  At one stroke, the new trusted mode is
 insulated from bugs in the Windows OS, device drivers and applications.
 It in effect allows the designers to start with a clean piece of paper
 and produce a simple micro-kernel (the Nexus) whose only job is to
 service the NCAs.  This is a manageable task and, in conjunction with
 public review, there is good reason to hope and expect that the Nexus
 will be secure.  If so then NCAs will indeed run in a mode where they
 are protected from other software components (including other NCAs).

Very nice drug induced rant.  Too bad reality doesn't work that way.
Who owns the hardware?  The user or the RIAA?  True hardware protection
means the user is protected from Microsoft, not the other way around.

 Your comments above make it clear that you are not at all acquainted
 with the material in those documents.  If you're going to pretend to
 be a security expert (remember when you advocated ECB mode for the XML
 encryption effort?!!), you could do worse than spending a few hours
 studying these documents closely.  It's very likely that NGSCB will
 be a central technology for security in the next two to ten years or
 even longer.  This is undoubtedly an area where security consulting
 could be lucrative.  Sadly, even experts of your caliber can probably
 be very successful in this area.  But you'll have to do your homework.

Palladium changed to NGSCB and will morph to something else and something
after that.  It won't ever fly because the user can't control their own
machine.

Trust is a two way street.  Until Microsoft learns to trust their
customers, nobody will trust Microsoft.  What we do in person we can do
on a computer.  We can con each other in person, so we'll be able to con
each other with computers.  That's how reality works, and no hardware
or laws is going to change that.

Instead of trying to wave a magic wand while everyone is on lsd, it'd
be better if Microsoft and the RIAA came out with their own hardware
for the specific purpose of DRM sales.  Everyone would know who owns
the hardware because they'd just rent it instead of buying it.  IBM
is already on the right track for this.  Microsoft has yet to get it.

Patience, persistence, truth,
Dr. mike




Re: An attack on paypal -- secure UI for browsers

2003-06-13 Thread Thomas Shaddack
 The problem (among others) is that this allows a virus to steal the
 client cert.  If it is protected by a password, the malware must hang
 around long enough for the user to unlock the cert (perhaps because the
 malware sent a spoofed email calling for the user to visit the site,
 even the real site!).  It can then read the user's keystrokes and acquire
 the password.  Now it has the cert and password and can impersonate the
 user at will.

 The solution to this is Palladium (NGSCB).

BAH! *shudders*

All we need for this is an external cryptographic token - a smartcard with
a keypad, an USB device, a Bluetooth-enabled thingy. You plug it into the
machine, the server you connect to sends its certificate name and
challenge to the browser, which passes it unchanged to your token. The
token asks you for a PIN, and calculates a response. The browser then
transparently relays the response back. There is nothing in the unit
that's accessible from the computer, and because of a physically different
keypad nothing can be sniffed from the computer. The cost of the unit can
get as low as few dollars, can easily interface with just about any OS
including PDAs, and doesn't require The Megacorp Whose Name Shouldn't Be
Spoken to take over your machine.
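The exchange described above, as an added example that is not part of the original post: a detached token holds the key and checks the PIN on its own keypad, the host only relays a challenge and a response, and the response is bound to the server's certificate name and to a single challenge. The class names, message layout and the HMAC-based response are assumptions for this illustration, not any real token's protocol.

```python
import hashlib
import hmac
import secrets

# Constructed model of an external authentication token. The host (browser)
# never sees the key or the PIN; it only forwards bytes in both directions.


class Token:
    """Models the external device: key and PIN live only inside the token."""

    def __init__(self, key: bytes, pin: str):
        self._key = key
        self._pin_hash = hashlib.sha256(pin.encode()).digest()

    def respond(self, pin: str, server_name: str, challenge: bytes):
        # The PIN is entered on the token's own keypad, so a keylogger on the
        # host learns nothing; a wrong PIN yields no response at all.
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            return None
        # Bind the response to the server's certificate name and the challenge:
        # a response the host captures is useless for any other server or challenge.
        msg = server_name.encode() + b"\x00" + challenge
        return hmac.new(self._key, msg, hashlib.sha256).digest()


class Server:
    """Models the site: holds the token's registered key, issues one-shot challenges."""

    def __init__(self, name: str, token_key: bytes):
        self.name = name
        self._token_key = token_key
        self._outstanding = set()

    def issue_challenge(self) -> bytes:
        c = secrets.token_bytes(32)
        self._outstanding.add(c)
        return c

    def verify(self, challenge: bytes, response) -> bool:
        # An unknown or already-consumed challenge is rejected, so a replayed
        # response fails even though it was once valid.
        if response is None or challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        msg = self.name.encode() + b"\x00" + challenge
        expected = hmac.new(self._token_key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def browser_relay(server: Server, token: Token, pin: str, presented_name=None):
    """The host's only job: pass the challenge and the response through unchanged.
    presented_name models a page that shows the token a different certificate
    name than the server whose challenge it relays."""
    challenge = server.issue_challenge()
    name = server.name if presented_name is None else presented_name
    return challenge, token.respond(pin, name, challenge)


def demo():
    """Returns (normal login ok, replay accepted, wrong PIN accepted,
    response under another server name accepted)."""
    key = secrets.token_bytes(32)          # constructed: provisioned at enrolment
    token = Token(key, pin="4711")
    bank = Server("bank.example", key)     # constructed server name

    ch, resp = browser_relay(bank, token, "4711")
    ok = bank.verify(ch, resp)
    replayed = bank.verify(ch, resp)                      # same response again
    ch2, resp2 = browser_relay(bank, token, "0000")       # wrong PIN on keypad
    wrong_pin = bank.verify(ch2, resp2)
    ch3, resp3 = browser_relay(bank, token, "4711", presented_name="bank-login.example")
    other_name = bank.verify(ch3, resp3)                  # bound to the wrong name
    return ok, replayed, wrong_pin, other_name
```

Only the first login verifies; the replay, the wrong PIN and the response computed under a different server name are all rejected, which is the property that makes the host-side malware in the quoted scenario unable to impersonate the user.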



Re: An attack on paypal -- secure UI for browsers

2003-06-13 Thread Adam Shostack
On Fri, Jun 13, 2003 at 11:04:42PM +0200, Thomas Shaddack wrote:
|  The problem (among others) is that this allows a virus to steal the
|  client cert.  If it is protected by a password, the malware must hang
|  around long enough for the user to unlock the cert (perhaps because the
|  malware sent a spoofed email calling for the user to visit the site,
|  even the real site!).  It can then read the user's keystrokes and acquire
|  the password.  Now it has the cert and password and can impersonate the
|  user at will.
| 
|  The solution to this is Palladium (NGSCB).
| 
| BAH! *shudders*
| 
| All we need for this is an external cryptographic token - a smartcard with
| a keypad, an USB device, a Bluetooth-enabled thingy. You plug it into the
| machine, the server you connect to sends its certificate name and
| challenge to the browser, which passes it unchanged to your token. The
...
| get as low as few dollars, can easily interface with just about any OS
| including PDAs, and doesn't require The Megacorp Whose Name Shouldn't Be
| Spoken to take over your machine.

Actually, most of the features of Nogsuccob are features that I
want, like integrity protected, authenticated boot.  The problem,
bundled with those features, is the ability of the system to attest to
its secure boot.  This can be fixed by not letting the host know if
you've exported its host key or not, which makes it possible to run a
virtualized, trusted copy in your emulation environment.

Adam

-- 
It is seldom that liberty of any kind is lost all at once.
   -Hume



Re: Re: An attack on paypal -- secure UI for browsers

2003-06-12 Thread Joseph Ashwood
- Original Message - 
From: Anonymous [EMAIL PROTECTED]
Subject: CDR: Re: An attack on paypal -- secure UI for browsers


 You clearly know virtually nothing about Palladium.

Actually, properly designed Palladium would be little more than a smart card
welded to the motherboard. As currently designed it is a complete second
system that is allowed to take over the main processor. It has a few aspects
of what it should be, but not many. It does include the various aspects of
the smart card, but it also makes room for those aspects to take over the
main system, properly designed this would not be an option, of course
properly designed it could also be a permanently attached $1 smart card that
internally hangs off the USB controller instead of a mammoth undertaking.

I still stand by, Arbitrarily trusting anyone to write a secure program
simply doesn't work regardless of how many times MS says trust us any
substantially educated person should as well be prepared to either trust a
preponderance of evidence, or perform their own examination, neither of
these options is available. The information available does not cover the
technical information, in fact their Technical FAQ about it actually has
the following:
Q: Does this technology require an online connection to be used?

A: No. 

That is just so enlightening, and is about as far from a useful answer
as possible.


 NCAs do not have
 complete access to private information.  Quite the opposite.  Rather,
 NCAs have the power to protect private information such that no other
 software on the machine can access it.  They do so by using the Palladium
 software and hardware to encrypt the private data.  The encryption is
 done in such a way that it is sealed to the particular NCA, and no other
 software is allowed to use the Palladium crypto hardware to decrypt it.

This applies only under the condition that the software in Palladium is
perfectly secure. Again I point to the issues with ActiveX, where a wide
variety of holes have been found, I point to the newest MS operating system
which has it even been out a month yet? and already has a security patch
available, in spite of their secure by default process. Again I don't
believe this is because MS is inherently bad, it is because writing secure
programs is extremely difficult, MS just has the most feature bloat so they
have the most problems. If the Palladium software is actually secure
(unlikely), then there is the issue of how the (foolishly trusted) NCAs are
determined to be the same, this is an easy problem to solve if no one ever
added features, but a hard one to solve where the program evolves, once MS
shows the solution for this, I will point to the same information and show
you a security hole.

 In the proposed usage, an NCA associated with an ecommerce site would seal
 the data which is used by the user to authenticate to the remote site.

After running unattended on your computer, a <sarcasm>brilliant</sarcasm>
idea, hasn't anyone learned?

 The authentication data doesn't actually have to be a certificate with
 associated key, but that would be one possibility.  Only NCAs signed by
 that ecommerce site's key would be able to unseal and access the user's
 authentication credentials.  This prevents rogue software from stealing
 them and impersonating the user.

Not in the slightest, a single compromise of a single ecommerce site
(remember they're trusted) will remove all this pretend security. Let's
use a particularly popular example on here right now www.e-go1d.com, they
could easily apply to be an ecommerce site, they collect money, they offer a
service, clearly they are an ecommerce site. Are you really gullible enough
to believe that they won't do everything in their power to exploit the data
transfer problem above, as well as any other holes in Palladium? I should
hope not.


 Seriously, have you read any
 of the documents linked from http://www.microsoft.com/resources/ngscb/?

Yes I have, in fact at this point I think it is safe to say that you have
not, or you didn't understand the implications of the small amount of
information it actually contains.
Joe



Re: An attack on paypal -- secure UI for browsers

2003-06-12 Thread Nomen Nescio
Joe Ashwood writes:
 From: Anonymous nobody_at_cryptofortress.com 
  You clearly know virtually nothing about Palladium. 

 I still stand by, Arbitrarily trusting anyone to write a secure program 
 simply doesn't work regardless of how many times MS says trust us any 
 substantially educated person should as well be prepared to either trust a 
 preponderance of evidence, or perform their own examination, neither of 
 these options is available.

Apparently you neglected to read
http://www.microsoft.com/resources/ngscb/NGSCB_Overview.mspx, where
Microsoft says (as they have repeated many times) "Customers and partners
need reliable ways to ensure the quality of technology that addresses
the critical needs met by NGSCB. That's why Microsoft will make available
for public review the source code of the core piece of enabling software
in NGSCB, called the 'nexus,' so it can be evaluated and validated by
third parties for both security and privacy considerations."

Therefore some educated person (obviously not you, at least not yet)
will in fact be able to perform their own examination of the trusted part
of the OS, since it will have its source code published for exactly this
sort of review.


 The information available does not cover the 
 technical information, in fact their Technical FAQ about it actually has 
 the following: 

 Q: Does this technology require an online connection to be used? 

 A: No.  

 That is just so enlightening, and is about as far from a useful answer 
 as possible. 

Very few of the Technical FAQ answers are so brief.  In this case, it is
a stupid question and deserves a trivial answer.  The only reason it is
in there is because of the lies spread by Lucky Green and Ross Anderson,
all about how Palladium will connect to a central server and refuse to
let you work with your own documents, or delete files that Microsoft or
the U.S. Government don't like.


  NCAs do not have 
  complete access to private information.  Quite the opposite.  Rather, 
  NCAs have the power to protect private information such that no other 
  software on the machine can access it.  They do so by using the Palladium 
  software and hardware to encrypt the private data.  The encryption is 
  done in such a way that it is sealed to the particular NCA, and no other 
  software is allowed to use the Palladium crypto hardware to decrypt it. 

 This applies only under the condition that the software in Palladium is 
 perfectly secure. Again I point to the issues with ActiveX, where a wide 
 variety of hoels have been found, I point to the newest MS operating system 
 which has it even been out a month yet? and already has a security patch 
 available, in spite of their secure by default process. Again I don't 
 believe this is because MS is inherently bad, it is because writing secure 
 programs is extremely difficult, MS just has the most feature bloat so they 
 have the most problems.

Microsoft's legacy software is all extremely complex.  Palladium is
taking a different approach, aiming at simplicity and transparency.
The Nexus, which is the micro-kernel for the trusted components (NCAs),
will be published for review.  Its tasks are relatively few and well
defined, nothing like the massive Windows OS.  That is what Microsoft has
gained by architecting Palladium as they did, with the new trusted
CPU mode, which allows side-by-side operating systems to run.  On the
left hand side (LHS) we find the legacy Windows OS and applications.
On the right hand side (RHS) we find the Nexus acting as the OS, and
the NCAs acting as the applications.

The brilliance of Palladium is that the LHS can't touch the RHS,
because of hardware protection.  At one stroke, the new trusted mode is
insulated from bugs in the Windows OS, device drivers and applications.
It in effect allows the designers to start with a clean piece of paper
and produce a simple micro-kernel (the Nexus) whose only job is to
service the NCAs.  This is a manageable task and, in conjunction with
public review, there is good reason to hope and expect that the Nexus
will be secure.  If so then NCAs will indeed run in a mode where they
are protected from other software components (including other NCAs).


 If the Palladium software is actually secure 
 (unlikely), then there is the issue of how the (foolishly trusted) NCAs are 
 determined to be the same, this is an easy problem to solve if no one ever 
 added features, but a hard one to solve where the program evolves, once MS 
 shows the solution for this, I will point to the same information and show 
 you a security hole. 

Read the documents!  Actually you claim you already read them, but
obviously you are lying or you would know that this question has been
answered.  I wrote a long posting about this last month explaining how
it worked.  The mechanism is called a Manifest and is described in section
9 of http://www.microsoft.com/resources/ngscb/documents/ngscb_tcb.doc.
You can either use a hash of the NCA 

Re: An attack on paypal -- secure UI for browsers

2003-06-10 Thread Sunder
It's simple.  It solves the problem that Microsoft Salesmen have.  In
order to sell shit, you have to make it look like gold.  Cee Eee Ohs have
heard it said that Microsoft software is insecure crap.  Now the Microsoft
Salesmen can do fancy demos with pretty colors and slick Operators Are
standing By, Act Now, *New*, Don't Delay, Improved, Secure, Bells Whistles
and Coolness demos and sign the suckers up.

Just like the wonderful ads that peppered NYC when Ex-Pee came out saying
Reliable, and Secure.


--Kaos-Keraunos-Kybernetos---
 + ^ + :25Kliters anthrax, 38K liters botulinum toxin, 500 tons of   /|\
  \|/  :sarin, mustard and VX gas, mobile bio-weapons labs, nukular /\|/\
--*--:weapons.. Reasons for war on Iraq - GWB 2003-01-28 speech.  \/|\/
  /|\  :Found to date: 0.  Cost of war: $800,000,000,000 USD.\|/
 + v + :   The look on Sadam's face - priceless!   
[EMAIL PROTECTED] http://www.sunder.net 

On Tue, 10 Jun 2003, Nomen Nescio wrote:

 I don't see how this is going to work.  The concept seems to assume
 that there is a distinction between trusted and untrusted programs.
 But in the NGSCB architecture, Nexus Computing Agents (NCAs) can be
 written by anyone.  If you've loaded a Trojan application onto your
 machine, it can create an NCA, which would presumably be eligible to
 put up a trusted window.
 
 So either you have to configure a different list of doggie names for
 every NCA (one for your banking program, one for Media Player, one for
 each online game you play, etc.), or else each NCA gets access to your
 Secret Master List of Doggie Names.  The first possibility is unmanageable
 and the second means that the trustedness of the window is meaningless.
 
 So what good is this?  What problem does it solve?



Re: An attack on paypal -- secure UI for browsers

2003-06-10 Thread Nomen Nescio
Adam Lydick writes:

 I'd guess that no applications (besides the secure nexus) would
 have access to your list of doggie names, just the ability to display
 it. The list just indicates that you are seeing a window from one of
 your partitioned and verified applications. I would also assume the
 window would get decorated with the name of the trusted application (not
 just your secret list). Thus you only need a single secret list to
 handle all of your authorized applications.

That makes sense.  However it puts the burden onto the user to closely
inspect his window frames in order to make sure that he is talking
to the program (or NCA in Palladium) that he thinks he is talking to.
It also introduces the problem of program-name spoofing; you might be
given a dialog to enter your password for Paypa1 or E-Go1d.

If users were that careful, we wouldn't have these kinds of problems in
the first place.



Re: An attack on paypal -- secure UI for browsers

2003-06-10 Thread Morlock Elloi
 The solution to this is Palladium (NGSCB).
 
 You'd want each ecommerce site to download a Nexus Computing Agent into
 the client.  This should be no more difficult than downloading an Active-X
 control or some other DLL.  The NCA has a manifest file associated with it

No shit? This is moronic. But then it reflects the impaired cognitive abilities
of corpdrones in mintel.

I pay for the computer, and then all these corporations start downloading
shit to my computer in order to make it safe for me to use it, right ? I am
a lay person and need to trust these people, as I am clueless about stuff they
download. But their web page says it's good.

This all happens *after* I buy the computer.

So, to recap, I pay several $K for the computer and then have to customize it
so that it becomes safe. The computer, as malladium authenticates the
computer. 

Why do I want $3,000 authentication token ?

No, mintel making money is not the right answer. Try again.



=
end
(of original message)




Re: Re: An attack on paypal -- secure UI for browsers

2003-06-10 Thread Joseph Ashwood
- Original Message - 
From: Anonymous [EMAIL PROTECTED]
Subject: CDR: Re: An attack on paypal -- secure UI for browsers


 In short, if Palladium comes with the ability to download site-specific
 DLLs that can act as NCAs

Ok what flavor of crack are you smoking? Because I can tell from here that's
some strong stuff. Downloading random DLLs that are given complete access to
private information is one of the worst concepts that anyone has ever come
up with, even if they are signed by a trusted source. Just look at the
horrifically long list of issues with ActiveX, even with WindowsXP (which
hasn't been around that long) you're already looking at more than half a
dozen, and IIRC win95 had about 50. This has less to do with "windows is
bad" than with "secure programming is hard". Arbitrarily trusting anyone to
write a secure program simply doesn't work, especially when it's something
sophisticated.

Now for the much more fundamental issue of your statement. Palladium will
never download site-specific anything. Palladium is a hardware technology,
not a web browser.

I will refrain from saying Palladium is a bad idea, simply because I see some
potentially very lucrative (for me) options for its use.
Joe



Re: An attack on paypal -- secure UI for browsers

2003-06-10 Thread Anonymous
The problem to be solved is this.  Spoofed sites can acquire user
credentials, especially passwords, and then use those to impersonate the
user on the real sites.  With paypal and e-gold, this allows stealing
real money.

Using client certificates to authenticate would solve this, because
even if the user got fooled and authenticated to the spoofed site, the
attacker wouldn't learn the client cert secret key and so would not be
able to masquerade as the user.

The problem (among others) is that this allows a virus to steal the
client cert.  If it is protected by a password, the malware must hang
around long enough for the user to unlock the cert (perhaps because the
malware sent a spoofed email calling for the user to visit the site,
even the real site!).  It can then read the user's keystrokes and acquire
the password.  Now it has the cert and password and can impersonate the
user at will.

The solution to this is Palladium (NGSCB).

You'd want each ecommerce site to download a Nexus Computing Agent into
the client.  This should be no more difficult than downloading an Active-X
control or some other DLL.  The NCA has a manifest file associated with it
that contains the ecommerce site's signing key.  This allows the NCA to be
effectively locked to that key.

The user's site-specific client certificate would be sealed to this NCA.
That means that no other NCA could get access to the client cert for
that site, nor could any legacy software.  All this is protected by the
Palladium hardware and software.

If a password is used for further security, to unlock the client cert
(in addition to the NCA-specific encryption), it can use a secure
channel to the NCA so that no keystroke loggers can steal the password.
(However, as mentioned in a previous mail, this may not stop rogue NCA's
from fooling the user by pretending to be the ecommerce site's NCA and
picking up the password.  It's not clear that adding a password really
increases security.  Fortunately the NCA security itself is already
vastly stronger than anything available on a PC today.)

In short, if Palladium comes with the ability to download site-specific
DLLs that can act as NCAs, it should allow for solving the spoofed-site
problem once and for all.  When you login to paypal or e-gold, you would
authenticate yourself using a cert that only those sites could see.
This can be done in the framework of standard SSL, but would require a
Palladium-aware browser.
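The sealing described in this post, as an added example that is not part of the original message or of any Microsoft code: a credential is sealed to the identity an NCA carries in its manifest (the site's signing key), so another NCA with a different signer, or legacy software with no manifest at all, gets nothing back from the hardware. The manifest layout, the key derivation and the stdlib authenticated-encryption stand-in for the hardware crypto are all assumptions for this illustration.

```python
import hashlib
import hmac
import secrets

# Constructed model of sealed storage. The "hardware" holds a root key that
# never leaves it and derives a distinct sealing key for each caller identity.


def nca_identity(manifest: dict) -> bytes:
    """Identity the credential is sealed to: the site signing key named in the
    NCA's manifest. Any NCA carrying that key, including a later version,
    shares the identity; sealing to a code hash instead would tie the
    credential to one exact binary (the update problem raised in this thread)."""
    return hashlib.sha256(b"site-signing-key:" + manifest["signing_key"]).digest()


class SealingHardware:
    def __init__(self):
        self._root = secrets.token_bytes(32)   # constructed: never exported

    def _keys(self, identity: bytes):
        k = hmac.new(self._root, b"seal:" + identity, hashlib.sha256).digest()
        return (hmac.new(k, b"enc", hashlib.sha256).digest(),
                hmac.new(k, b"mac", hashlib.sha256).digest())

    @staticmethod
    def _keystream(k_enc: bytes, nonce: bytes, n: int) -> bytes:
        # HMAC in counter mode as a stand-in stream cipher (illustration only).
        out, ctr = b"", 0
        while len(out) < n:
            out += hmac.new(k_enc, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
            ctr += 1
        return out[:n]

    def seal(self, identity: bytes, secret: bytes) -> bytes:
        k_enc, k_mac = self._keys(identity)
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(secret, self._keystream(k_enc, nonce, len(secret))))
        tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
        return nonce + ct + tag

    def unseal(self, identity: bytes, blob: bytes):
        """Returns the secret only if the caller's identity matches the sealer's."""
        k_enc, k_mac = self._keys(identity)
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(hmac.new(k_mac, nonce + ct, hashlib.sha256).digest(), tag):
            return None   # wrong identity or tampered blob: nothing is released
        return bytes(a ^ b for a, b in zip(ct, self._keystream(k_enc, nonce, len(ct))))


def demo():
    """Returns (owner unseals, updated owner unseals, other signer blocked,
    legacy caller blocked)."""
    hw = SealingHardware()
    site_key = secrets.token_bytes(32)     # constructed site signing keys
    other_key = secrets.token_bytes(32)

    site_nca_v1 = {"name": "paypal-agent", "version": 1, "signing_key": site_key}
    site_nca_v2 = {"name": "paypal-agent", "version": 2, "signing_key": site_key}
    rogue_nca = {"name": "paypal-agent", "version": 1, "signing_key": other_key}
    legacy_caller = hashlib.sha256(b"no-manifest-legacy-software").digest()

    client_cert_key = b"CONSTRUCTED client certificate private key"
    blob = hw.seal(nca_identity(site_nca_v1), client_cert_key)
    return (
        hw.unseal(nca_identity(site_nca_v1), blob) == client_cert_key,
        hw.unseal(nca_identity(site_nca_v2), blob) == client_cert_key,
        hw.unseal(nca_identity(rogue_nca), blob) is None,
        hw.unseal(legacy_caller, blob) is None,
    )
```

The rogue NCA reuses the site's name and version and still fails, because identity comes from the signing key in the manifest rather than from anything the NCA claims about itself; the legacy caller fails for the same reason. What the model cannot show is the other half of the thread's argument: the sealing only holds up if the Nexus and hardware that implement it are themselves sound.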



Re: An attack on paypal -- secure UI for browsers

2003-06-10 Thread Peter Gutmann
Nomen Nescio [EMAIL PROTECTED] writes:

I don't see how this is going to work.  The concept seems to assume that
there is a distinction between trusted and untrusted programs. But in the
NGSCB architecture, Nexus Computing Agents (NCAs) can be written by anyone.
If you've loaded a Trojan application onto your machine, it can create an NCA,
which would presumably be eligible to put up a trusted window.

So either you have to configure a different list of doggie names for every
NCA (one for your banking program, one for Media Player, one for each online
game you play, etc.), or else each NCA gets access to your Secret Master List
of Doggie Names.  The first possibility is unmanageable and the second means
that the trustedness of the window is meaningless.

Maybe MS will implement something like the secure attention key in the old VAX
A1 VMM (Ctrl-Alt-Del already serves this purpose for logins) which gives you a
guaranteed non-spoofed interface to the kernel (see for example "A
Retrospective on the VAX VMM Security Kernel" by Karger et al for more
information on this).  They certainly have the VMS know-how :-).

Peter.



Re: An attack on paypal -- secure UI for browsers

2003-06-10 Thread Rich Salz
 For example, a proposal I saw recently which
 would have the OS decorate the borders of trusted windows with facts or
 images that an attacker wouldn't be able to predict: the name of your
 dog, or whatever.

But if the system is rooted, then the attacker merely has to find the
"today's secret word" entry in the registry and do the same thing.
Unless Windows is planning on getting real kernel-level kinds of protection.

 It was none other than Microsoft's NGSCB, nee Palladium.  See
 http://news.com.com/2100-1012_3-1000584.html?tag=fd_top:

See previous sentence. :)
/r$

--
Rich Salz  Chief Security Architect
DataPower Technology   http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
XML Security Overview  http://www.datapower.com/xmldev/xmlsecurity.html



Re: An attack on paypal -- secure UI for browsers

2003-06-10 Thread Sunder
Yes, NOW if you can load yourself into kernel space, you can do anything
and everything - Thou Art God to quote Heinlein.  This is true of every
OS.  Except if you add that nice little TCPA bugger which can verify the
kernel image you're running is the right and approved one. Q.E.D.

Look at the XBox hacks for ideas as to why it's not a trivial issue, but
even so, one James Bond like buffer overflow in something everyone will
have marked as trusted (say IE 8.0, or a specially crafted Word 2005
macro), and the 3v1l h4x0r party is back on and you iz ownz0red once more.

It's not enough to fear Microsoft, you must learn to love it.  Give us 2
minutes of hate for Linux now brother!



On Tue, 10 Jun 2003, Rich Salz wrote:

 But if the system is rooted, then the attacker merely has to find the
 today's secret word entry in the registry and do the same thing.
 Unless Windows is planning on getting real kernel-level kinds of protection.
 
  It was none other than Microsoft's NGSCB, nee Palladium.  See
  http://news.com.com/2100-1012_3-1000584.html?tag=fd_top:
 
 See previous sentence. :)



Re: An attack on paypal -- secure UI for browsers

2003-06-09 Thread Peter Gutmann
Amir Herzberg [EMAIL PROTECTED] writes:

Ka Ping Yee, User Interface Design for Secure System, ICICS, LNCS 2513, 2002.

Ka-Ping Yee has a web page at http://zesty.ca/sid/ and a lot of interesting
things to say about secure HCI (and HCI in general), e.g. a characterisation
of safe systems vs. general-purpose systems:

  In order for Alice to use her computer usefully, she has to be able to
  instruct programs to do things for her.  In order for those programs to
  carry out tasks, she has to trust those programs with some authority.  So
  every useful operation involves making the system a little bit less safe.
  In order to keep the system from becoming unboundedly unsafe, Alice must
  also be able to make her system more safe.

  A system in an ultimately safe state is one that can't do anything other
  than what was planned ahead of time.  General-purpose computing is useful to
  Alice only because she can make unpredictable inputs into the system, asking
  it to do new things.

Peter.



Re: An attack on paypal -- secure UI for browsers

2003-06-09 Thread Nomen Nescio
Tim Dierks wrote:
  - Get browser makers to design better ways to communicate to users that 
 UI elements can be trusted. For example, a proposal I saw recently which 
 would have the OS decorate the borders of trusted windows with facts or 
 images that an attacker wouldn't be able to predict: the name of your 
 dog, or whatever. (Sorry, can't locate a link right now, but I'd 
 appreciate one.)

It was none other than Microsoft's NGSCB, nee Palladium.  See
http://news.com.com/2100-1012_3-1000584.html?tag=fd_top:

   NEW ORLEANS--Microsoft is trying to make security obvious.

   The software giant plans to visually alter document or application
   windows that contain private information that's secured through
   Microsoft's Next-Generation Secure Computing Base (NGSCB), formerly
   known as Palladium. Secure windows will look different than regular,
   unsecured windows in order to remind users that they are looking
   at confidential material, Peter Biddle, product unit manager for
   Microsoft, said Thursday at the Windows Hardware Engineering Conference
   (WinHEC) here.
   ...
   The border of a secured page may contain information--such as the
   names of all the dogs that someone has ever owned--to make the data
   instantly recognizable as sound to the individual owner, as well as
   difficult to replicate. A hacker can create a spoof page with dogs'
   names running along the border but, in all likelihood, not one reading
   Buffy, Skip and Jack Daniels--and in that order, Biddle said.
   ...
   Information on secured windows will vanish if another window is placed
   on top of it or shifted to the background. Erasing the information
   will prevent certain types of attacks and remind people that they're
   dealing with confidential material, Biddle said.

   When the secure window returns to the top of the stack, the information
   will reappear, he said.

I don't see how this is going to work.  The concept seems to assume
that there is a distinction between trusted and untrusted programs.
But in the NGSCB architecture, Nexus Computing Agents (NCAs) can be
written by anyone.  If you've loaded a Trojan application onto your
machine, it can create an NCA, which would presumably be eligible to
put up a trusted window.

So either you have to configure a different list of doggie names for
every NCA (one for your banking program, one for Media Player, one for
each online game you play, etc.), or else each NCA gets access to your
Secret Master List of Doggie Names.  The first possibility is unmanageable
and the second means that the trustedness of the window is meaningless.

So what good is this?  What problem does it solve?