Under BitFrost, every program runs in its own virtual machine with a limited set of permissions. Thus a picture viewer can't access the web, so even if a hacker comes up with an exploit that lets him control the program, he couldn't use it to grab all the photos on the laptop and upload them to the internet.
From a redesign of how permissions are handled to very strict sandboxing on every program, it looks very nice. One particularly interesting concept to me was the perpetual security certificate, which will supposedly deter theft by essentially bricking the machine if it can't get a valid lease extension in time. It is a little odd, considering it would seem the unit could very easily be bricked if someone just forgets to turn it on now and then. However, the article is very interesting, and I am very much looking forward to seeing how robust these units actually are in the field.