Obviously, I think most of us with a reasonable schooling in software would agree that applications written in C++ are the biggest security threat for PCs today. This is why you've been seeing more and more Java based applications on the PC lately. Most of the C++ vulnerability comes from a single, well known, and often exploited bug in the Windows C++ virtual machine. This bug allows C++ programmers to access protected and private data that is SUPPOSED to be secured by the C++ virtual machine. Here's a simple example of a crack that would allow a C++ programmer to access improperly secured data:
Let's say we have this class called PersonalFinances:
    class PersonalFinances {
    private:
        char creditCardNumber[16];
    };
To bypass the Windows C++ security manager, all we need to do is write some code like this:
    #include <cstdio>
    int main() {
        PersonalFinances finances;
        // Forge a pointer to peek inside the class
        char *cardno = (char*)&finances;
        // The array has no terminating NUL, so print at most 16 bytes
        printf("Stolen credit card number = %.16s\n", cardno);
    }
Simple as that... we have stolen "secure" data. Curiously enough, this code sample came from O'Reilly's "Learning Java" book. This book was first printed in 2000, which means that this critical security bug has been known for over 3 years! I find it quite unbelievable that this lack of response (from Microsoft) is tolerated in the software community. Why haven't they responded? Simple... MONEY. Rather than maintain old code, Microsoft would rather push their new .Net framework as a new standard and make big cash off of its widespread adoption. Another way that MS will profit from this security hole is by pushing their dreaded Palladium scheme on us. Palladium, put simply, is just a hardware solution for this exact sort of security issue. Meanwhile, we consumers sacrifice our privacy through insecure software so Microsoft, Intel, and AMD can reap big profits sometime in the future.
If you are fed up with these monopolistic profit schemes, this is what you do. Start or support an open source Windows C++ virtual machine project. A port from the Linux VM should be possible.
Well, that is just a simple example... it would be just as easy to do from ANY application if you know the location of the data structure in memory (not hard to find). This type of access is not possible to do with the Java VM.
A second parallel approach should be to put political pressure on Microsoft to fix this issue. I've started this petition to get things started. Please sign and forward the link to everyone!
We DEMAND better protection of our privacy!!!