Can Your ATM Play Beethoven?
bpiltz writes "A funk band in Harrisonburg, VA, called Midnight Spaghetti, has posted a story with photos about a newly installed Diebold Opteva 520 ATM at Carnegie Mellon University that crashed, then rebooted. The Windows XP operating system initialized without the actual ATM software. The result was a public desktop computer, with only a touch screen interface, left wide open for the amusement of the students at the most wired university in the U.S. Interestingly, Diebold is one of the leading manufacturers of e-voting machines."
You know, I've been thinking for a few years now that ATMs (in the UK at least) seem to be getting slower and slower to use. 10 years back, you'd insert your card, be able to key in your pin number straight away and be straight into the menu. Now, you insert the card, stand about while it thinks about checking it, then you eventually enter a pin and wait around a bit more before using the sluggish interface. Now I know that these machines have media player, web browser and all sorts of other redundant crap installed on a full version of XP, I understand the reason the queues are growing! ;-)
I don't need 24 million colours, animations and other crap just to take money out
of my account, dammit! It's staggering to think that the software has become so
bloated and slow that machines produced 10 years ago, with only a fraction of the
computing power of today were actually far more responsive to use.
I remember seeing an ATM reboot a few years back (brief power outage). It briefly
showed the OS2 logo before resuming normal operation
Code, Hardware, stuff like that.
I see you're trying to extract free cash from a bolloxored ATM cum jukebox. May I help you?
Sheesh, evil *and* a jerk. -- Jade
So who got the fastest ATM minesweeper times?
Diebold's not only supplying votes to GWBush, but also campaign finance!
Non impediti ratione cogitationus.
Start --> Programs --> ATM --> Configure --> Flush Cash (sic)
It didn't have Minesweeper or Solitaire! Was much entertaining though.
how? I mean given,
A) It's based off of Windows
B) It was made by Diebold.
Adding A + B != C where C equals something that works correctly.
Your hair look like poop, Bob! - Wanker.
More to the point, it's a desktop computer with a touch screen interface and an attached money dispenser.
-- Ed Avis ed@membled.com
The poor can eat cake. And use broken-by-design ATMs.
I do not moderate.
The geek Jim goes to the election booth. Jim touches the opening screen. Jim watches while the screen BSoDs. Computer reboots. Jim is presented with the XP interface. Jim finds the voting system back end. Jim "adjusts" the result:
Bush 15%
Kerry 15%
Nader 70%
Jim sets all Bush and Kerry votes to go to Nader.
Jim runs the voting system front end. Sets it to full screen.
Jim leaves.
Nader wins
Indefinitely Detained US Citizen
COME ON!!!!!!!!!! Why in the world would someone waste a computer that's capable of running Windows XP (which probably means at least a Pentium with 64 MB RAM?) on an ATM? I mean, the thing is supposed to check your card, pin and then give you a load of cash... Last time I checked, that's a job for something less than an 8080, which could do the job faster, more securely, and cheaper. The right tool for the right job, people! /me rolls eyes
It's "Midnight Spaghetti & The Chocolate G-Strings".
<homer-voice>chocolate g-strings.. argaaaahhhh</homer-voice>
I got a chance to talk to one of my bank's IT people about this a few months ago, and basically, they don't know what's causing the crashes because analyzing the log files would just be too much trouble. So their SOP is to have some guy with a key come out, literally pull the plug on the machine and wait till it reboots.
He also told me that they were slowly migrating over to a "custom XP version", whatever that's supposed to mean. I probably should have told him that Windows machines can be prone to virus infections (cough cough).
It won't be long before keyloggers are installed on these things. Hell, it beats the mini-camera scheme for capturing PINs.
"The number of Unix installations has grown to ten, with more expected." (Unix Programmer's Manual, 2nd ed.; june 1972)
Would it be possible to load data on
a swipe card so that the software reading the card
suffered some kind of buffer overrun ? (Depending
of course on how carefully the software checked for
them).
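The length check that comment asks about, as an added example (not part of the original thread and not any ATM vendor's code): a C parser for decoded ISO/IEC 7813 track 2 data that rejects over-long or malformed records before anything is copied into fixed-size fields. The function and type names, the sample card data, and the digits-only rule for discretionary data are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define T2_MAX_LEN 40   /* ISO/IEC 7813 track 2 limit, sentinels included */
#define PAN_MAX    19   /* longest primary account number */
#define EXP_LEN     4   /* YYMM */
#define SVC_LEN     3   /* service code */

enum t2_status { T2_OK = 0, T2_TOO_LONG, T2_BAD_SENTINEL, T2_BAD_PAN, T2_BAD_FIELD };

struct track2 {
    char pan[PAN_MAX + 1];
    char expiry[EXP_LEN + 1];
    char service[SVC_LEN + 1];
    char discretionary[T2_MAX_LEN + 1];
};

static int all_digits(const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] < '0' || p[i] > '9')
            return 0;
    return 1;
}

/* raw/len come straight from the reader: never assume NUL termination,
 * and never let the card decide how many bytes get copied. */
enum t2_status parse_track2(const unsigned char *raw, size_t len, struct track2 *out)
{
    memset(out, 0, sizeof *out);          /* every field stays NUL-terminated */

    if (len > T2_MAX_LEN)                 /* reject before any copy happens */
        return T2_TOO_LONG;
    if (len < 2 || raw[0] != ';' || raw[len - 1] != '?')
        return T2_BAD_SENTINEL;

    const unsigned char *body = raw + 1;  /* between ';' and '?' */
    size_t body_len = len - 2;

    const unsigned char *sep = memchr(body, '=', body_len);
    if (sep == NULL)
        return T2_BAD_FIELD;

    size_t pan_len = (size_t)(sep - body);
    if (pan_len == 0 || pan_len > PAN_MAX || !all_digits(body, pan_len))
        return T2_BAD_PAN;

    const unsigned char *rest = sep + 1;
    size_t rest_len = body_len - pan_len - 1;
    /* Assumption: discretionary data is digits only (a strict policy). */
    if (rest_len < EXP_LEN + SVC_LEN || !all_digits(rest, rest_len))
        return T2_BAD_FIELD;

    /* Each copy length is now bounded by a constant checked above. */
    memcpy(out->pan, body, pan_len);
    memcpy(out->expiry, rest, EXP_LEN);
    memcpy(out->service, rest + EXP_LEN, SVC_LEN);
    memcpy(out->discretionary, rest + EXP_LEN + SVC_LEN,
           rest_len - EXP_LEN - SVC_LEN);
    return T2_OK;
}

/* Convenience wrapper for NUL-terminated sample strings. */
enum t2_status status_of(const char *s, struct track2 *out)
{
    return parse_track2((const unsigned char *)s, strlen(s), out);
}

/* Constructed 200-byte record, far longer than any valid track 2. */
enum t2_status oversized_status(void)
{
    unsigned char big[200];
    struct track2 t;
    memset(big, '9', sizeof big);
    big[0] = ';';
    big[sizeof big - 1] = '?';
    return parse_track2(big, sizeof big, &t);
}

int main(void)
{
    struct track2 t;
    /* Constructed sample data, not a real card. */
    enum t2_status s = status_of(";4000001234567899=25121011234?", &t);
    printf("valid record: status=%d pan=%s expiry=%s service=%s\n",
           (int)s, t.pan, t.expiry, t.service);
    printf("oversized record: status=%d\n", (int)oversized_status());
    return 0;
}
```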
I once had the pleasure of watching a Wells Fargo ATM reboot. A lot of strange hex stuff, then, as clear as a bell, "OS/2 2.0 Booting", then it started testing all of the lights and various slots on the ATM machine. Was fun to watch. Oh, and it did boot all the way up. I didn't get to see an OS/2 Desktop =/.
-- SKYKING, SKYKING, DO NOT ANSWER.
Why are these things running WinXP and not something a little more secure ?
Aren't there any regulations about cash machine security ?
I had read it recently, and I found it on /. But it seems that this is not a dupe :-). This link was posted in the comments section very recently.
Here's the link.
It's good to look at comments, and submit stories. It gets you karma. Also, it's good to look around that comment, and then post comments in this story. That would gain karma too :-)
Posting a comment about the comment on which the current /. story is based, gains you karma too :-)
I see "ordinary" ATMs stuck at a Phoenix BIOS boot prompt all the time. While I've never gotten to the Windows part of an ATM, it happens at information kiosks a lot.
They should have used the "On-Screen Keyboard" under Accessibility. It is a little scary that this was connected to cash.
If you want a good read for the database schemas an ATM uses, read "Principles of Transaction Processing." One interesting bit of knowledge is that the entire table of valid account names and their card hashes is replicated to each ATM! (Obviously for your bank only.) It sends out a ping that records "Joe took $50" to the main bank but it's only sort of a summary, the "full details" is kept at the ATM and sync'd at night.
One crazy thing that happened to me was I tried to withdraw $1100 from Bank A at Bank B's ATM. I got into a "Distributed Transaction Rollback" -- it got all the way through, printed out my receipt that said I got the money, and -- never gave me my money. When I checked at a Bank A ATM, it showed the "hit" on my account. In about 15 minutes the Transaction Processor rolled back the transaction.
It's not immediately evident how Windows XP opens a security risk on an ATM, nor how this means that Diebold voting machines are somehow hackable.
ATMs not connected to the Internet and without keyboard are pretty much unhackable unless you can pry open the case and attach a keyboard and/or wireless connection. And if you could do that, I suspect pretty much any ATM would be hackable. There is a reason why ATMs are built from heavy steel and anchored in concrete.
Diebold systems raise paranoiac hackles for another reason: control and oversight. You don't need to invoke security flaws and Windows XP to realize that ballot boxes represent power and money. Whoever controls the counting process controls billions, trillions of $, and this is a temptation that few, if any, people can resist.
The argument against paperless touch-screen voting systems comes from the fact that such systems open the way to serious internal fraud, rather than hacking through any hardware or software weakness. Election fraud is done by incumbent politicians, not by hackers exploiting BSoDs.
The nightmare scenario for future US elections is where after a largely electronic and unverifiable poll, the governing party gets 55% of the vote despite exit polls showing that it got 45%. What would happen after such an event is anyone's guess, but it would not be pleasant.
Ceci n'est pas une signature
Welcome to the 2004 Presidential Elections
Brought to you by DIEBOLD
Please select your new president:
George W. Bush [x] (recommended)
John Kerry [ ]
Ralph Nader [ ]
Submit Reset
If you are an official, and if you would like to adjust the vote manually, click here
Indefinitely Detained US Citizen
http://yogi.pdl.cmu.edu/~cgeisser/photos/
Video with audio of ATM in action
I once had a debit card, which would certainly cause the cash machines of a certain bank in my area to crash - it would give me my card back, and display an error message, and then reboot into DOS after a while of not responding..
I should think the RISCOS would be a better solution for an ATM than it ever was for a desktop.
;)
BTW, I'm not totally averse to Arc's etc, I have a 4000 series here somewhere that I hacked a NIC into and managed to get on the internet (how proud of myself was I?)
Ripping a new rectum in the fabric of spacetime.
It's not exactly surprising that they waste complexity on an ATM when they have this bloated Flash website.
>Finally, an annoyed faculty member in an adjacent office unplugged the machine and dispersed the crowd.
I remember back in the day, when faculty in a technical university would stop two wars before breakfast, and still have time to help with a hack before the toast popped.
Kind of sad to see the spirit of exploration being so ruthlessly crushed. Attention US Educators: creativity and free thinking is our only advantage over India and China. Ponder on who's going to be paying for your Medicare before you decide to quell your inquisitive students.
If you were blocking sigs, you wouldn't have to read this.
I'm curious how it could be legal to use windows for an atm machine. It seems to me that a windows machine can't possibly be made trustworthy (in the "verification of what's running" way), and therefore is just a network break-in waiting to happen. If you can't trust the platform you're running on, it's irrelevant how secure your software is. And I don't suppose secure is an appropriate word to describe diebold's software.
This reminds me of the case a few years back where people ran a network of fake atm machines. They would do the actual atm transaction, but then store your card info and pin, and since they had modified the actual atm, nobody was the wiser. It wasn't until millions of dollars started disappearing from accounts that people caught on.
I could never trust a financial network that's designed in a way that such a thing is even possible.
surprised it didn't say
" with only a touch screen interface, left wide open for the amusement of the students at the most wired university in the U.S. Interestingly, Diebold is one of the leading manufacturers of failing software and hardware, next to microsoft."
seriously, why anyone even uses diebold is beyond me.. they have a real bad track record with stability and security, on top of that.. with windows XP? I wouldn't trust that crap with my bank info, at all.
"ATMs not connected to the Internet and without keyboard are pretty much unhackable unless you can pry open the case and attach a keyboard and/or wireless connection."
If you read the article you would find out that they managed to input text - but with charmap instead of a keyboard.. So having no keyboard is no insurance that no one will be able to input character data.
Take a look here
The moving cursor writes, and having written, blinks on.
This happens often at the local supermarket, with the "U-SCAN" self-checkout machines. My girlfriend always stops me from tinkering with them, and they appear to be running Win2k, but I have to wonder how difficult it would be to get it to spit out change.....
Take a dollar, divide it by 100, take two and call me in the morning.
Here is the Diebold specification PDF for the 520. It says the thing has a P4 in it, and I would assume this is because they designed some sort of software framework for the Opteva to be expandable in the future to do things like sell concert tickets.
Imagine if that CDR drive was usable to load programs onto it. Furthermore, I'm really hoping these things don't have bluetooth in them.
520 Spec PDF
-Steve
it's a good thing the phone was free.
No regrets.
no, dont think so...
but I hear it can play metallica and pong.
It comes down to making the best of commercially available hardware and OS'es. And the available stuff is PIII or better, so you might as well run XP if you are an MS shop. DOS is more stable, but when it comes to Microsoft, the developer skill sets are weighted towards Windows. I myself haven't written an app for DOS in 10 years.
But you are on to something. Can we invent something that is the opposite of Moore's law? Something like: "Software will become nn% harder to write every two years due to steadily increasing complexity in hardware and operating systems."
If you got a $100 bill, put your hands up...
If I find out this particular ATM is Windows-operated, I will hunt down Mr. Gates, roll him in tar and feathers and chase him out of town with a stick. In the meantime I will file a complaint with Ulster Bank for taking away my sole source of cash until next pay-day.
I'd rather find the execs of the bank, and roll them in tar and feathers and chase them out of town with a stick. Any one can make an offer... I can offer to run their ATM network on Linux 2.6.4-alpha1-test4-pre2 too. If they're willing to buy it, that's their stupidity, not mine.
Kjella
Live today, because you never know what tomorrow brings
Why's getting out money so hard?
Windows, Windows, every where,
It's eaten up my card.
The spirit deep within: O Gates!
That ever this should be!
Yea, buggy things did crawl with legs
Within Windows XP.
About, about, it must reboot
My card's still held within!
No beer to quench my thirst tonight,
Blue screen, and wallet thin.
And some in dreams assured were
Of the spirit that plagued me so:
The demon Gates had followed me
From Redmond's deepest flows.
And my poor tongue, through beerish drought,
Was withered at the root;
I could not speak, no more unless
This teller would reboot.
Ah! well a-day! what evil looks
Had I from old and young!
Instead of the cross, this penguin fine
About my neck was hung.
Gentoo Linux - another day, another USE flag.
I got a retrospective scare at an airport in southern Italy last month. While waiting for my luggage, all the screens suddenly showed an error Windows popup in the middle. I wanted to click the [OK] button so bad...
Non-Linux Penguins ?
I always liked the original song, "Puff The Magic Dragon", though it was always a sad song for me. We used to sing it when we were kids, and it always saddened me.
Bank Fraud! Something that debits let's say a penny per transaction is actually a moderately simple program to design provided you actually have access to bank accounts and a bank network. It's difficult for your average joe to do without access to machines on the bank network. Well... a cash machine is indeed on a bank network, and has the ability to withdraw sums of money, log bank cards / pin numbers, the lot! These things rebooting in a way that can actually be used like normal windows scares the hell out of me.
There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.
first of course, I'd get a job there, learn the service schedule
locally, I believe they use ISDN, but some just use modems... hack the line, take one that uses standard modem, and insert a relay// discern traffic based on your own atm both approved and denied.. when you feel confident, walk into another, insert a small box at end of phone cord that approves all atm withdrawal requests *up to the machine limit* and clean it out..
big heavy metal boxes, with little tiny unsecured phone lines.
the traffic sniffer shouldn't be anything more than a tone generator and two modems connected to a small pc.
every day http://en.wikipedia.org/wiki/Special:Random
Where is all the FUD about that??
The more I read Slashdot, the more disgusted I am. A bunch of little Linux fans sniping at Microsoft every chance they get.
Christ get a life.
I am very small, utmostly microscopic.
...remember, it does come with a smart card reader, which is accessible as a device in Windows. Insert rootkit card, run program from card and voila. You can probably skim card numbers, PINs, everything. Figure out how the money dispenser works and simply have it dump all the cash on demand, then clear itself from the ATM. They'd never have a clue what hit them.
Kjella
Live today, because you never know what tomorrow brings
Go into your local branch and take out a few quid...USING THE HUMAN BEING BEHIND THE COUNTER!!!!
And for large purchases use a credit card.
Now, I agree with your rant, but I'm tired of people who get so dependent on cash cards and their cell phone that they forget how to actually live.
You strike me as a person who is 72 hours of electricity away from being a cave-man.
Here.
... is whot bwings os tugevza tsuzay.
Why didn't they use the on-screen keyboard instead of the character map for entering text?
This sig under construction. Please check back later.
So if the money dispenser is connected via a serial port, maybe you could "echo tray1-4>COM1" and get 4 hundred dollar bills? obviously you'd need to know their system, but hey, if you knew someone who did know it, well then wikkid.
This machine is indeed massive overkill, but the economics are that a desktop PC is about the cheapest computer out there.
An 8080 computer set up in a config with USB ports, serial, parallel, video, etc etc will probably run you something close to $3,000 US, and spares will be difficult as they'll have to be single supplier.
Also, the drivers for things like printers and card readers are only going to be available for Windows (and increasingly Linux), so if you have an embedded device, the integration costs are going to be high.
On the other hand, you can get a robust PC from a major manufacturer for something under $1,000 US and it can be replaced by any manufacturer. There are drivers for everything, and software development will be cheaper because windows programmers are more available than embedded programmers.
You were mistaken. Which is odd, since memory shouldn't be a problem for you
Live today, because you never know what tomorrow brings
If not, then how could the internet outage we had some time ago (the ddos attack deal if I remember correctly). There were many reports that the problems on different parts on the internet, caused problems for banks and ATM machines.
That being said, I simply don't understand why they would use the internet as transportation media. Companies making WANs on the internet using VPN is one thing but even they use dedicated lines if the connectivity is vital to their business.
too honest
they had a machine that would give them money and all they did was use media player? Diebold got off lightly!
they [evil student] could have written a keylogger/pin reader/card cloner/data capture using the on-board vbscript/wscript language, (full access to filesystem and shell), build in a network check so as soon as the machine detects a network connection (as the students said it wasn't connected to anything presume at some point it will be connected to a network by an engineer or repairman) it tries to post the captured data to some.random.location.com, install it as a system service so it runs automatically in the background, even schedule it to run at specific times and you have one totally compromised machine
would have taken an hour max of programming time, maybe 15min if all you had to do was type it in and not compose it.
scary that not only is the software Windows but it has its own built in programming environment with access to every program on that machine including network access, and the only tool you need is notepad.
If they insist on using a Microsoft OS at least they could use Windows XP Embedded.
It's a componentized version of Windows XP with a set of tools to customize it, remove any unnecessary components and prepare system images. It also has tricks like running from read-only media and intercepting message boxes that end users should not see.
It's even cheaper (for a moderate number of licenses).
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
you'd think they would at least use the basic security of a password to logon!
In Philadelphia, and I imagine other large US cities, within just the past year or so taxicabs have begun sporting new rooftop electronic advertising signs. Each of the signs' 2 sides, about 4' long, is divided into 2 portions. For most of its length, it consists of orangish LEDs, which are used to display sports scores and crude pixelated versions of league logos. The rightmost portion, however, is a full color LCD display, typically showing a red & white ESPN logo. What caught my eye was one day seeing a cab pulling away from a hotel, apparently from a cold start, and before it was out of view, I plainly saw the LCD going through POST and the BIOS portion of a PC boot sequence. Regrettably the cab was gone before I could observe what OS it was running.
Reminds me of a couple of years back when by wiggling their god-awful pointer device too fast I managed to crash the in-flight seat-back entertainment system. BSOD, reboot, turns out it's a 90MHz Pentium running Win NT 4.0 Server Edition - no wonder the response was so sluggish (on the order of seconds).
:-)
I got to the desktop for about 5 seconds before their entertainment app autostarted again. I then spent a fun hour or two re-crashing the blasted thing and trying to defeat the autostart. Never managed it though - that's the only time I recall that I wished I knew more about Windows.
Eventually I had to stop because it turned out that poor old Pentium wasn't my in-seat client but actually the server for the entire cabin, and a lynch mob was starting to form... 8-O
Be faithful to your obsessions. Identify them and be faithful to them, let them guide you like a sleepwalker. JG Ballard
Indeed - most ATMs are on 56K dedicated frame relay circuits, sometimes faster (no, they don't use ATM!), but 56K is adequate for most installations.
A lot of the standalone units you see in grocery stores and such sitting on a dialup line are going away due to new Fed requirements for increased comms security. (Besides, you could put a standalone terminal in a gas station that served only to collect card numbers and PINs, and nobody would know the difference if it looked and quacked like a duck)
Instead of bashing the stupid (or maybe just naive) bank people, why not offer them an open source alternative? If we want safe banking why not make it safe ourselves? Is there a problem (except for sco) with using linux as the OS for an ATM?
Who on earth was the brainiac that decided, "Gee, yeah, let's use a Microsoft operating system to power these cash machines". I suppose they're stable, secure, virus free, never need patching, fast, cheap... *sigh*
grab his penis and stroke his balls
welcome!
I hope you will enjoy your stay.
This must mean I'll be able to go into the device manager, disable the 'KINGSTON QUICKKAM' (the cam that snaps a pic after every transaction)
and then do my dirty deeds! Aha! No need for a disguise anymore!!
The site is already /.ed, so here's the google cache:
http://www.google.com/search?q=cache:Rxo2u3fTySEJ:midnightspaghetti.com/news.htm+&hl=en&ie=UTF-8
Sorry, no images! Will someone please step forward and provide a decent mirror?
You're right, Kjella. Period.
"a network break-in waiting to happen"
Not really. You're not going to see ATMs directly connected to the public Internet. The typical connections are using frame relay or, very popular for ATMs, but now deprecated, SMDS (Switched Multimegabit Data Service) circuits from a telco LEC.
I've been told by a Vz test center old timer that the banks particularly like SMDS for the reason that it's trivial to switch the whole network over to an alternate head end/data center in an emergency or for maint. SMDS circuits have a cloud topology, similar to frame relay. Verizon was pushing SMDS for a few years as a less expensive alternative to PtP T1s (also was avail in other capacities from 56k up to 45mb). From what I understand, SMDS is no longer being provisioned due to the telco gear makers dropping it from their products; supposedly telcos now have to cannibalize parts when something fails. The other downside of SMDS these days is in the event of a failure, you'll have to get lucky to find a Verizon tech who is familiar enough with it to get your trouble resolved anytime soon (tell 'em they need to reload the group addresses, that'll fix it usually, unless it's a catastrophic hardware failure at the CO).
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
It was banned because the PC lobby believed it was encouraging children to experiment in drugs.
Bandwidth Limit Exceeded
The server is temporarily unable to service your request due to the site owner reaching his/her bandwidth limit. Please try again later.
Apache/1.3.27 Server at midnight.scalebeyond.com Port 80
Well, the post said "a story with photos", WTF did you expect??
"It's the smell! If there is such a thing." Agent Smith - The Matrix
http://216.239.39.104/search?q=cache:Rxo2u3fTySEJ:midnightspaghetti.com/news.htm+midnight+spaghetti&hl=en&ie=UTF-8
Even without cloning the card, a lot of banks depend on your reporting the card lost/stolen to figure out what you did and didn't pay for. If you buy a big screen TV, the card gets back to the owner, and he goes a month without checking his balance for some stupid reason, it gets tricky.
I suppose they could make a little bank form that says, "Card missing from Date: XXX to Date: XXX", but I'm sure people would abuse the hell out of that...
...would be "greyed out".
1. If IE infringed on a patent (it did until that patent got cancelled) then would that mean all ATMs having to be altered? after all it's fairly hard to have an IE free XP install, you can lose the front end but the HTML engine remains.
2. Viruses? do you want a Windows virus to infect an ATM which is responsible for money!!
3. Cost, embedded Windows solutions require greater hardware costs.
1. With his contact info and where to send his card you could have gone on an internet spending spree.
Yes, I understand this fully. I assumed the guy was on vacation in Washington from Alaska. As it turns out he was, as he was listed in the phonebook.
2. You could have cloned the card, if he continues using it you could at sometime in the future go on a fraudulent spending spree.
Sure I COULD have, but would a person cloning a card phone the damn bank from their home phone and be willing to share their contact info. If I wanted to go on a spending spree, I wouldn't have phoned the damn bank in the first place.
3. You could have cloned it in this situation too.
Sure I COULD have... but do you really think the employees are smart enough to think of this? Most of the ones I talk to are unaware you can make a copy. Do you think it's any complex issue activating a card that you thought was lost / stolen? It's painfully easy, it's just a phonecall away.
Often times I find purses at Costco... left outside in the shopping carts. I make a good honest effort to find the owners in a timely fashion. Doesn't always work, and often times they call in their credit cards stolen, but fortunately it's not a problem re-activating them.
There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.
Troll driving traffic to his website linking to completely unrelated articles. Check posting history!
The Death of a Site in XD Minor. . .
That site went down hard, and it's still the first article on the site. I fear the power of slashdot sometimes.
Blah.
Yes, Diebold makes Vote for Bush machines.
As a grad student who has their office in this building, I got more than a little kick when I saw the tech fumbling aimlessly to try and fix the thing later. He was there literally all day long and each time I walked by he was on the phone trying to get more info. Where is a good ole OS/2 ATM when you need one?
Anyway, some people on misc.market also posted some movies that you might find interesting.
My Slashdot account is old enough to drink...
Am I the only one on earth who has never used an ATM machine?
9/11 Eyewitnesses to Explosive WTC Demolition 1 of 2
TROLL linking to unrelated articles to drive traffic to his website... check posting history! MOD PARENT DOWN.
About a month ago, all of the National City ATMs in Pittsburgh (where CMU is) got switched from ancient working machines to snazzy new Diebold touch screens. Aside from the one playing Beethoven, there has been at least another one that BSOD'd.
The one on this article was funny and everything until that night when I remembered that I have my life savings in National City.
I stopped at some competing banks in the area on Thursday to get some pamphlets and I will be switching banks on Monday.
--------
It's OK to be social, just don't tell anyone about it.
Site slashdotted...anybody have a mirror?
I took a look at the videos, looks like Baker Hall at CMU (where the PNC ATM used to be). They have two shiny in-wall Mellon Bank ATMs in the University Center (which most students use), so it shouldn't have been as major a security problem as if it was the only ATM on campus.
# With his contact info and where to send his card you could have gone on an internet spending spree.
How so? You have the name - all they give you is a branch to mail it to. You can't get anything shipped to your home until you add the address (good luck with that). The best you could hope for is some free gas.
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
Just one question, in many parts.
Exactly _how_ would you go around hacking this ATM? OK, you can open windows and possibly run simply batch files. Does Windows XP have a built in assembler or other language that can be programmed to control the cash dispenser? Have you any other way to introduce the code you'd need to take control of the devices? Someone mentioned smartcard readers, but _exactly_ how do you introduce a smartcard via a touch screen? Has anyone _ever_ demonstrated an exploit on WinXP that is done by typing printable text into the regular user interface?
Someone has mentioned having insider access to the ATM, but this hardly needs a touchscreen keyboard and Windows. Stealing from your own bank is a long tradition that predates ATMs, and banks tend to guard pretty well against this.
So, how?
I'm not an MS astroturfer, but I don't like sensationalism and hype. If the Windows user interface presents a real security risk, someone will be able to explain the 'how'.
BTW, to answer my own question, if the cash dispenser itself was controlled by simple command-line programs, it would be easy. Start | Run program | "c:\bin\gimmecash 1000". But somehow I don't think so...
Ceci n'est pas une signature
Can your ATM survive being Slashdotted?
We all at slashdot would like to bash MS for this. But somehow, it has a reciprocal effect that very few realize. Carnegie Mellon (CM) is highly recognized for software and quality. Now it gives me doubt over their institute for having a system that crashed. I know they're not directly the cause or effect but the shadow somehow hovers over CM more than Microsoft. Years from now there may be an article about the first ATM to be hacked and it was at CM but probably no mention of MS.
Someone mod this guy up.
Thanks!
But does any one know why atm's here in the states have a decimal in the amount? So if I want to take out an amount (say $15) that isn't listed, I have to type:
1-5-0-0
to let the machine know I want 15 dollars instead of 15 cents. No atm that I've seen (granted, limited experience) will dispense change. I don't think I've seen any that even dispense dollar bills, so getting $17 is impossible. So why the decimals?
I'm not sure what issues they do or do not have, but I have actually used some additional useful features on Wells Fargo ATMs. Namely, printing out a copy of my bank statement from the ATM. There's some other stuff you can do as well, but I did find that handy on one occasion.
I mean...it's not like there are any computer geeks there. This could have become interesting, very interesting. A bunch of computer geeks running around loose with an insecure ATM? Ohhh...that could have been fun to watch.
I'm loving how CMU is in the news so much lately. With the Red Team car, this silliness...makes a CMU grad proud.
"He uses statistics as a drunken man uses lampposts...for support rather than illumination." - Andrew Lang
> The point is, banks will assume the worst when it
> comes to you no longer physically having your card.
As they should. Really, it is much simpler for the bank to just issue a replacement card than to bother returning the old one. Think about it: should they print a piece of embossed plastic that costs a few cents, or have the kindhearted finder send the old card in (37 cents) and remail it to the owner (another 37 cents + 15 minutes of somebody's time [or more, if Windows crashes]) all the while ensuring that no fraudulent transactions take place in the meantime (priceless)?
    print1 ("Password: "); /* omega 0.90 site1.c by Laurence Raphael Brothers */
    strcpy (passwd, msgscanstring ());
    valid = (strcmp (passwd, Password) == 0);
    if (!valid) {
      done = TRUE;
      menuclear ();
      menuprint ("Alert! Alert! Invalid Password!\n");
      menuprint ("The police are being summoned!\n");
      menuprint ("Please wait for the police to arrive....\n\n");
      menuprint ("----Hit space bar to continue----\n");
      showmenu ();
      response = menugetc ();
      if (response == ' ') {
        Player.alignment += 5;
        xredraw ();
        print1 ("Ah ha! Trying to rob the bank, eh?");
        print2 ("Take him away, boys!");
        morewait ();
        send_to_jail ();
      } else {
        Player.alignment -= 5;
        menuclear ();
        sleep (4);
        menuprint ("^@^@^@^@^@00AD1203BC0F0000FFFFFFFFFFFF\n");
        menuprint ("Interrupt in _get_space. Illegal Character.\n");
        showmenu ();
        sleep (4);
        menuprint ("Aborting _police_alert.....\n");
        menuprint ("Attempting reboot.....\n");
        showmenu ();
        sleep (4);
        menuprint ("Warning: Illegal shmop at _count_cash.\n");
        menuprint ("Warning: Command Buffer NOT CLEARED\n");
        showmenu ();
        sleep (4);
        menuprint ("Reboot Complete. Execution Continuing.\n");
        menuprint ("Withdrawing: 4294967297 Au.\n");
        menuprint ("Warning: Arithmetic Overflow in _withdraw\n");
        showmenu ();
        sleep (4);
        menuprint ("Yo mama. Core dumped.\n");
        showmenu ();
        sleep (4);
        xredraw ();
        clearmsg ();
        print1 ("The cash machine begins to spew gold pieces!");
        print2 ("You pick up your entire balance and then some!");
        Player.cash += Balance + 1000 + random_range (3000);
        Balance = 0;
        setgamestatus (BANK_BROKEN);
      }
    }
Does this remind *anyone* of the movie Hackers, in which Joey makes an ATM (in "Bumsville, Idaho") spit out a certain amount of cash?
;)
Something makes me think a next RPC vulnerability will do just that
XeeRz,
Jason
THSsMCHshrtrTHN160chrs -- And I don't even like to SMS!
I doubt it's the employee that just made up that policy. I'm sure that someone in the bank already thought of the cloning issues and that is why their policy forbids the returning of lost cards.
Regards,
-JD-
Porn and internet gambling.
Back in the day, bank ATMs were dumb 3270 type "greenscreen" monitors invariably hard linked via leased line running CICS to an IBM mainframe running some transaction processing application written in COBOL with DL/1 or VSAM storage. Something like that anyway. Such architectures were not everyone's cup of tea but they were tuned to be extremely efficient and to handle vast throughput hence the fast response times.
The old green screens were the ultimate thin clients. The only code physically at the client end was in the monitor's electronics. It never went wrong because, erm, there wasn't anything to go wrong with. New applications were simply installed centrally et voila. Again, not the sexiest, but super-reliable.
So, to an ex-mainframer like me, the idea of having an ENTIRE XP image at the client end for what is basically an EPOS terminal sounds totally OTT, not to mention hard work - that's a LOT of deployed systems to look after. It wouldn't be so bad if the XP image was stripped down to reduce entropy, or if Microsoft didn't get to dictate its update/patch/retirement schedule.
Re your OS/2 observation, big blue's desktop disappointment was able to routinely run as a CICS client hence leverage the same fast network and TP applications. The XP ATM is probably using TCPIP via application servers before your data gets to the big iron. Add in the modern prevalence of online banking transactions and you start to see why latency might start to increase.
Also, I imagine modern back-end systems are doing more than just checking/amending your balance these days. Anyone who has had a credit card stopped because they had the temerity to use it on a foreign holiday without informing the credit card company first will know all about that.
I wish it was Friday, but I don't want to wish my life away. So I wish it was last Friday.
What is the financial regulatory authority in the States that acts as a watchdog on this sort of thing? Using Windows XP in an ATM instead of a hardened embedded system is criminal negligence, no two ways about it.
Lots of people will tell you that the magnetic stripe can't hold that much information. That's true. You can make a device that can work though...
Think of those adapters they have for playing a portable CD player in a car cassette deck. There is no moving tape, only a little head that changes magnetism based on the audio signal and feeds that direct to the Tape read head. A small wire in the right spot could work.
Same concept, much smaller head and it can look like something out of terminator 2, but that's overkill. Depending on how the machine is wired it could be easy. Sometimes the magstripe reader is wired right into the keyboard slot! Depends how cheap they make em.
Seriously if your plans are to rip off ATM machines add your own reader and collect the numbers. Get a card reader writer and reprogram an existing card. Cashiers never look at the signature, let alone check if the numbers match.
In theory anyway...
This may be a little off topic, but cell phones are full of the same damn bloat. Got a Samsung from Verizon a couple of months ago and the damn thing has to boot, show a welcome screen, show the Verizon logo, make a sound, "find" service, then finally you get access. God forbid if your phone is off and you need to make a call in a hurry.
Gives a new meaning to the term "microkernel".
Seriously, though, that wouldn't be cost-efficient. What's the point of including enough storage on every card to hold a kernel when you can still only use that card at an ATM? IMO, a credit card is more like a USB key than anything else: It's just a means of authentication used in accessing the ATM system.
ALL Diebold machines in Florida booted BY DEFAULT to the Windows screen, not to the voting system software. You have to hold F10 to force them to boot in kiosk mode. Thus you could get back to the Windows screen simply by forcing a reboot, no special passwords needed.
To top it off, the central database that is used is not protected by an obligatory password. That is, the database has no password but the access software has a password. If you use your own non-customized version of Microsoft Access you can access it directly. This too happens and is documented. See blackboxvoting.org. Search for King County and GEMS. King County found the Diebold software clumsy so they bypassed it in a real election, leaving no password controls and no entry logs, and open to all employees with physical or network access.
Finally, as was reported on slashdot a while back, two banking institutions had their XP based Diebold machines get the Blaster worm. Which is theoretically impossible since they technically are on an isolated network not connected to the general network. And yet...
Some drink at the fountain of knowledge. Others just gargle.
Oops, I boofed that link. here it is again
Adobe Type Manager? Playing Beethoven? Is this pref for auto-activation or something?
Strange...
"The greatest obstacle to discovery is not ignorance - it is the illusion of knowledge." - Daniel Boorstin
There's an ATM on the Purdue University campus that's extremely poorly-designed. For one thing, it has an annoyingly low cash withdrawal limit per day, like fifty dollars or seventy five dollars.
It also does not stock one dollar bills. If you, therefore, try to withdraw $3 from the machine, it will crash and reboot. When it comes back online, it will be using a default, higher cash limit.
Quality machines abound.
Cogito ergo sum in Slashdot.
While I can agree there are probably simpler ways than using Windows to accomplish what ATMs need to do, the impetus for multimedia capable ATMs appears to be the Americans with Disabilities Act:
The Americans With Disabilities Act and ATMs:
Accessibility for Blind Users
In recent years, blind representatives have been approaching banks and other ATM owners about improving blind users' access to ATMs, relying on the 1992 Americans With Disability Act Accessibility Guidelines ("ADAAG") requirement that ATMs be "accessible to and independently usable by persons with vision impairments." ADAAG provides the technical requirements for making facilities accessible. The related regulation, which interprets the Americans with Disabilities Act ("ADA"), is promulgated by the Department of Justice and dictates which facilities must be available.
Unavailable in 1992, blind representatives have in recent years been demanding that ATMs provide audio output in some fashion in order to make them "accessible to and independently usable by persons with vision impairments." In addition, the Access Board in November 1999 proposed to amend ADAAG to specifically require audible "verification of user input," displayed text and labels, as well as receipts. The proposal also includes requirements related to keyboard layout and cash disbursement.
The Access Board released "draft final" changes to ADAAG in late April 2002. It made those changes final 10 September 2002 and will send them to OMB, which has 90 days to review before the final guidelines are made public. However, the Access Board's revised ADAAG has no legal effect until the Department of Justice adopts it as part of its ADA regulation. The Department of Justice must put out for public comment proposed changes to its regulation, along with the ADAAG appendix, review comments, and adopt the regulation as final before any revisions become effective. It has not yet released proposed changes to the regulation.
The new requirements are not expected to be mandatory until at least 2004, if not later. This should give ATM owners ample time to implement if they take advantage of the advance notice and begin plans early.
As expected, the "draft final" requires that ATMs be speech enabled, but it also reflects changes to the proposal that respond to many of the industry's comments. For example, it recognizes the technical difficulties in providing "dynamic" information in an audible format and provides appropriate exceptions for dynamic alphabetic information "where voice synthesis cannot be supported." It also specifically provides that certain information on receipts as well as statements and checks need not be provided orally. The draft final also eliminated many of the keyboard specifications as well as the proposed requirement to provide bills in descending order. The Board at this time is also not applying the requirements to POS terminals. The final guidelines are expected to be virtually identical to the draft final.
It is not clear how any modified new regulation will apply to existing ATMs. The general rule under ADA is that facilities existing in 1992 had to remove barriers if it was "readily achievable" and provide auxiliary aids and services if not an "undue burden." The Department of Justice must address how any modified requirements will apply to existing facilities. In discussions with Department of Justice staff, staff is sympathetic to the costs and burdens of retrofitting technologically-based facilities that depreciate over a short period relative to other facilities such as buildings.
ABA has been actively involved in this issue. It submitted comments to the Access Board on its 1999 proposal and testified at Access Board's hearings. In addition, it brought together the various interested parties, including ATM owners, vendors, networks, software vendors, as well as blind representatives, to attempt to agree on technical as well as
The Scene: Carnegie Mellon University
The Event: A newly installed Diebold Opteva 520 ATM crashes, then reboots. Surprisingly, its vanilla-style Windows XP operating system initialized without the actual ATM software.
The Result: A desktop computer with only a touch screen interface is left wide open for the amusement of the most wired university in the U.S.
Eschewing more malicious schemes, the first move was to connect to the Internet. This plan proved unsuccessful as there seemed to be no network capability. The situation was complicated in that even typing proved extremely difficult due to the lack of a keyboard. The Character Map program was used to enter text by copy-and-pasting, yet the most that was accomplished by doing so was making the text-to-voice program say, "What, do you think I'm made of money?" Windows Media Player was set up to loop a series of Beethoven, Jazz, and Talking Heads (the sample sound files included with XP) while running a full screen visualization. Finally, an annoyed faculty member in an adjacent office unplugged the machine and dispersed the crowd. The story is humorous until one realizes that Diebold is the leading producer of electronic voting machines. We can all look forward to playing Minesweeper while exercising our citizenship.
I agree completely. I've borrowed the NASA idea of triple redundancy since I got here. If the DART doesn't show up - take the bus. If the bus doesn't show up - have enough cash for a cab. Then, allowing for the idea that taxis might not be nearby: Use the time on foot as a basis when planning anything.
There's something wrong when every store in the capital of an industrialized, western nation has a bouncer.
But the pubs can be nice.
I was thinking the other day, why doesn't Apple hop into the ATM and eVoting market? MacOS X would be perfect on an iBallot or an iATM!
Dammit, server's down. Any known mirrors?
Yes but with the bank's contact info, he couldn't have done anything more with it. He could have sent it back to the bank, no questions asked.
While I realize it's an ongoing joke here about Windows and blue screens, and I'm not above them myself really. What I want to know is are they running NT v4.0 or something!?
Since W2K and XP I've personally never seen a bluescreen on my boxes that run those OSes, and beat them up pretty good.
So what is the deal? Is Diebold running old software or are they just that bad at doing anything that they are managing to get W2K or XP to bluescreen?
Really, I know what I'm doing...Ohhhh, look at the shiny buttons!
It is absolutely unacceptable to use Windows for things like an ATM machine! They should have their own OS, or at the very least could use DOS. Everything else should be coded in assembly, communicate directly with the hardware and not have anything redundant!!!!!
On 1/29/2004 I tried to get $300 from a Wells Fargo ATM at 600 Quarry Road, Stanford CA 94305 (Old Stanford Farm Branch). I was charged $300 but the money did not come out. I made a complaint at Wells Fargo Fraud Division and they gave me $600 instead of $300. I made another complaint and eventually they took $300 from my account.
In the States we have almost an overabundance of the tiny, store-installed kind that use only a dial-up line to communicate with the banks. These can take up to a minute and a half to complete a transaction. It's kind of funny, you can hear the modem clicking on and off the hook in the back.
We don't have these multimedia ATMs you're talking about, though. At least not in the little store-installed kind. Some of our bigger banks have these amusing ones that converse with you, but they seem to be pretty quick.
Incidentally, yours has to be the longest first post (legitimate one, not copy-pasted crapflood) I've ever seen. Kudos.
+++ATH0
would be to write the interface in Java, then a C program like
    #include <stdlib.h>

    int main(void) {
        for (;;) {
            /* Start the Java front end again every time it exits or crashes. */
            system("java ATM");
        }
    }
If the virtual machine did crash it would just restart. I do a pretty good job of making systems that don't crash... This does work. Oh, it should be running on Linux too.
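Added example, not part of the comment above and not Diebold's code: a POSIX supervisor in the same spirit as that restart loop, which treats every exit of the front end as a failure, stops restarting once the program dies several times in quick succession, and then holds in an out-of-service state instead of handing control back to a shell or desktop. The policy values and the supervised command are assumptions.

```c
/* Added example: restart a kiosk front end, but fail closed on a crash loop.
 * The policy numbers and the supervised command are assumptions. */
#include <errno.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

struct policy {
    int max_fast_fails; /* consecutive quick deaths tolerated before giving up */
    int fast_secs;      /* a run shorter than this counts as a quick death */
    int max_runs;       /* 0 = unlimited; a bound is only useful for testing */
};

/* Launch argv once and wait for it to end. Returns how long it ran in
 * seconds, or -1 if the child could not be started or waited for. */
static long run_once(char *const argv[])
{
    time_t start = time(NULL);
    pid_t pid = fork();
    int status;

    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv); /* direct exec: no shell parses the command */
        _exit(127);            /* only reached when exec itself failed */
    }
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    return (long)(time(NULL) - start);
}

/* Restart argv each time it ends. A kiosk front end is never supposed to
 * exit, so a clean exit is handled exactly like a crash. Returns the number
 * of launches made before the supervisor gave up. */
int supervise(char *const argv[], const struct policy *p)
{
    int launches = 0;
    int fast_fails = 0;

    for (;;) {
        long ran = run_once(argv);
        launches++;

        if (ran >= 0 && ran >= p->fast_secs)
            fast_fails = 0;  /* it stayed up for a while: count afresh */
        else
            fast_fails++;    /* died quickly, or never started at all */

        if (fast_fails >= p->max_fast_fails)
            return launches; /* crash loop: stop restarting */
        if (p->max_runs > 0 && launches >= p->max_runs)
            return launches;
    }
}

int main(int argc, char **argv)
{
    struct policy p = { 3, 10, 0 }; /* assumed: 3 deaths of under 10 s each */
    int n;

    if (argc < 2) {
        fprintf(stderr, "usage: %s program [args...]\n", argv[0]);
        return 2;
    }
    n = supervise(argv + 1, &p);
    fprintf(stderr, "out of service after %d launches\n", n);
    for (;;)
        pause(); /* hold here; never return to whatever started us */
}
```

The supervisor only helps if it is itself the session's shell or init target, so that its own exit cannot expose a desktop either.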
Midnight Spaghetti's website is out of bandwidth. Can anyone set up a mirror?
How are we supposed to trust a voting system, when the system itself is owned and operated by staunch supporters of the Bush administration?
I came across the following in Graydon Carter's "Editor's Letter" section in the latest issue of Vanity Fair (April 2004):
"Walden O'Dell is chairman and CEO of Diebold, one of the largest electronic-voting-machine manufacturers in the country. He also happens to be a Bush 'pioneer,' which means he's raised at least $100,000 for the president's re-election campaign. In mid-2003, he helped organize a fund-raiser attended by Vice President Dick Cheney that brought in a further $600,000. A few months later, O'Dell called upon Ohio Republicans for even more money for the party, proclaiming his commitment to help 'Ohio deliver its electoral votes to the president next year.' Diebold itself has given $100,000 in soft-money contributions to the Republican National Committee. (The company has donated nothing to the Democrats.) One of the company's directors raised $200,000 for the Bush re-election campaign, and 11 other Diebold executives anted up $2,000 apiece."
Shouldn't these voting machines be operated by some kind of non-partisan/bi-partisan organization?
-- anthony
Hey, I appreciate the irony and all about the e-voting connection, but there really isn't one. Because Diebold's e-vote boxen have NOTHING TO DO with its ATMs. Diebold was desperate to get into the e-vote business as fast as possible. So rather than build their own machines, they bought out an existing company. Thus you had Diebold's ATM traditional division, and its _completely_separate_ e-voting machine division. Indeed, this fact got Diebold in trouble earlier on as people questioned why their e-voting boxen weren't nearly as secure as their ATM boxen.
I was withdrawing money from a Royal Bank of Canada ATM when it crashed. When it rebooted it came up with OS/2 logo, which means this legacy OS is still finding purpose today.
I once had a Crocker Bank ATM in California give me $40 and a receipt, and the withdrawal never showed up on my account. The bank staff ABSOLUTELY REFUSED TO BELIEVE the transaction had occurred, even when sent a copy of the receipt; they claimed that all the balances on the ATM machines added up properly, everything was consistent, nothing was missing or mislaid (hence implying I was mistaken. Would that I were thus mistaken more often.) I eventually closed that account, and Crocker later went under. Gee, I wonder why?
It boggles the mind how bankers could be so indifferent to their money going missing like that. As a programmer, I know that ANY (memory / money) leak of whatever size is trouble on the wing and must be tracked to its source, and it ought to be a matter of course for bankers to think likewise. Competent, honest ones, anyway...
"My strength is as the strength of ten men, for I am wired to the eyeballs on espresso."
The reason that machines now tend to say "Please Wait" or "processing card details" when you first insert the card rather than after you type in the pin number is because most debit cards in the UK are now smart cards ("chip and pin" as the industry calls them), hence the machine needs to read the (encrypted) details off the smart card before it can check your pin against it. This takes a bit more time than just reading a magnetic strip.
Actually, in Pittsburgh, my old PNCBank branch (just across the busway from Shadyside, I can't remember the street address) had both a single-dollar dispenser, as well as a change cup. It was fed in the same way that I believe those automated change dispensers you sometimes see in banks and at ticket booths get fed - a single slide down which coins fall. I think the manufacturer was NCR, but I'm not sure.
It didn't ever seem to be filled up, but at least one ATM has been designed that could dispense change! I used to withdraw $19, just because I could put the 4 $1 and the $5 into the change machine for the washer and dryers.
The machine also could accept deposited checks WITHOUT AN ENVELOPE. It would scan the front of the check, show you an image and ask you if the scan was valid. If you deposited a check this way, it got into your account a full day faster than if it was in an envelope. I think it must have OCRed the text, as well as read the magnetic information from the bottom. Plus I imagine the workflow for the ATM operator was speedier. Of course, this all ran under OS/2 1.3, as I confirmed later.
Ahh, Pittsburgh, land of the oddball ATMs.
"But always she's the spectre of uncertainty I first endured, then faded, then embraced..."
I was standing in line at an ATM one day, waiting my turn. The person in front of me put in her card and pressed some buttons. Then BAM, the machine froze and the screen went blank. The person left in disgust after hitting buttons in the hopeless attempt to get her card back. She eventually left and I used the working machine next to the broken one. I glanced over at the dead ATM before I left myself and noticed that it was finally rebooting itself. It was slightly modified, but clearly a Windows NT boot sequence. Heh.
I had something cool happen last night. I went to a coke machine to get a mr. pibb. I hear it fall but it is not below. So I pick up the flap and feel a can, so I pull it out, and another can comes with it. Neither one is a Pibb. So I open again, and feel a can wedged vertically creating a backup. I got 2 more making a total of 5 cans on 60 cents.
WOOOHOOO!!!!
best day ever...
--Joey
Ah. Nobody seemed to understand that there will not be a change to the better unless people actively try to make things better. Simply accepting the fact that "my money is now being processed by a broken ATM, built by a company with glaring security holes, and running an OS from a security-challenged company" does not help make the ATMs more secure!
Then again, if you don't have the money or the power to make a change (=you are poor), it's going to be difficult to do anything (unless you appear in large numbers). There's not much you can do, and the ATM builders know this.
To sum it up: "The poor can eat cake. And use broken-by-design ATMs".
Do you get it now?
I do not moderate.
And I don't want a cash machine to entertain me with up-sells and ads, I want cash. Now. If I need a low interest mortgage I'll use my phone to call the bank. Mortgages are not impulse items, if they were Wal-Mart would have them in displays by the check out lines. How many people walk around thinking, "Gee, I wish I had a low interest mortgage right now." Be interesting to find out if anyone has made a dime off cash machine ads.
Cash machines on XP. HAHAHAHAHAHA! Sorry, but that's f'ing hilarious.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
It's not every day that I click on a link in a /. topic and see a picture of my sister-in-law.
It's a small world after all........
Later,
Honig
Simple: If your OS fraks up you got someone to give you support. With open source you usually don't have that.
You can get an easier platform and GUI to program for (VB.NET, Flash). Also if something radically goes wrong you've got someone to sue. Try suing open source/as is software sometime and see how far you don't go.
You say things that offend me and I can deal with it. Can you?
when you use Windows and Gates to secure your bank vaults.
knowing that Windows XP may be powering my friendly neighborhood ATM. I'm sure my money's secure...right? Right?
What's next? Diebold forgot to disable Universal PnP?
If it's a credit card, sure.
If it's an ATM card, no fuckin way.
If it's a credit card and the guy doesn't report it stolen, he's already asking for trouble.
If it's an ATM card, you can make 500 clones of it and you still need a PIN number to get anywhere with it.
I wonder if Slashbots speak the same language. They seem to be close, but there's always something that makes them carry on two conversations about two different topics at once, in the same thread, as replies..
You can also place some blame on the bank executives who sign off on such shitty software.
Best Buy can have you arrested
Found an ATM here in Amsterdam, the Netherlands, last January. It still ran Windows NT. See picture(s) at http://o.sessink.nl/~valentyn/postbank/ (there's a single picture there, will try to upload more from my photo album)
my other sig is a 500 page novel
This just happened to me in one of Chicago's Redline train stations. I have an old ATM card that sometimes requires a sales person to enter my card number manually. Well, using one of these *new* ATM's looks like it totally confused the ATM and it gave me an "mu.exe" memory access exception.
Then, as the article stated, I was dropped into the Windows CE Shell. Was able to startup IE, etc.
Also, had this experience with some BP Amoco gas pumps. Except that I was getting JVM stack traces when trying to view online content while pumping gas. The world is ending...
-- uh...
My biggest complaint about drive up ATMs is that at least in my area (Southern California), most of the drive up ATMs are not almost unusable for anyone driving a regular car. The buttons are touch screen that are geared for people in SUV's and trucks.
--
Time is on my side
I was on a family vacation many moons ago in Tulsa. I was probably in 3rd or 4th grade. The hotel we were staying at had a couple candy and pop machines. I went to load up on sugar one night and found that one of the candy machines was spitting out candy non-stop for free. I had one of those "The Way Things Work" books at about that age and remembered reading about coin-operated machines. I assumed one of the coins got lodged in one of the various types of coin-detecting mechanisms. I had waaaay too much candy that night. Nearly made me sick.
An ATM ate my card once, and then the screen wouldn't stop blinking "FREE KEVIN".
Automated tellers that spit tickets somehow was left in OS mode.
First I recalibrated the bad touch pad.
Next I opened notepad by a recent file.
Next I started copy/pasting letters RANSOM NOTE style.
I entered some weird mode where numbers kept spewing down the screen like the matrix.
I was trying to snag some free tickets, but the matrix movie was about to start so I bolted.
God spoke to me
It lets the programmer handle system popup message in any way including the one you have described.
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
When I closed my National City (student) account, they charged me $3 to see the teller to close it, then left the account open for a quarter with a -$3.00 balance.
idiots.
My ZX-Spectrum had an 8MHz CPU. It booted in 1.3 seconds.
;)
My pc has a 1.4GHz CPU and boots in just under 3 minutes.
I think that's called progress
Privacy is terrorism.
Anyone notice how the in flight entertainment system *must* be off for takeoff and landing?
Is this some legal fluff or is it because they need the horsepower for autopilot!?
Spoon not. Fork, or fork not. There is no spoon.
Go back to your cave!
$3k for 808x-based kiosk hardware? You're crazy... and a USB port is not needed for a kiosk anyway. Believe me; I used to develop kiosks containing embedded Amiga-500 boards. The entire cost of a relatively fancy kiosk with touchscreen, hard drive, modem, printer, monitor and custom cabinet was around 3 grand. The cheaper kiosks with monitors, Amiga motherboards and modems but no printers, touch screens or hard drives were built for around 1 grand. Security on these systems by the way, 14 years ago, was superior to what we're seeing in today's Diebold boxes.
If you think 808x machines with serial & parallel ports are somehow worth kilobux, then let me tell you what... I have a garage stall filled with old PC/XT's and Leading Edge Model D's complete with monitors and keyboards that I will sell to you for only $50 for the entire lot. Think of the money you'll make! Woo hoo...
Really, the things are so completely devoid of monetary value that very few charities will even accept this kind of rubbish. I still have them because I'm too lazy to invest the effort required to haul them off to the recycle center.
The reasons you don't see 808x machines for public sale anymore is A) They can't run MS-bloatware, and B) there's just no money in it anymore.
Nonetheless brand new industrial controllers can be had for fairly cheap. They are capable of running FreeDOS, *nix or a number of other OS'es, with a rich diversity of existing drivers already available. Development cost of drivers for a kiosk is simply not an issue.
The real issue is, who today knows how to do embedded development anymore? It's become strictly the realm of the "Real Programmer," and how many of those do you know, who would also be willing to work for, say, the $15 per hour that Diebold can hire a Flash newbie for?
How many of these "Real Programmers" would be willing to move to India for this $15/hour job?
Or stated more personally, why would I move to India to work for a pittance when I can charge $150/hr in my hometown, and actually get it? I don't develop kiosks anymore because the money has almost entirely gone out of this kind of development.
System quality decisions which determine security are indirectly made in the Sales process, where issues such as robustness of software design simply don't get discussed. Buyers of these kiosks are only concerned about eye-candy, user tracking, and advertising revenue. So, "Of Course" they end up running MS-Windoze. The caliber of developer wannabees which are working on these things today simply aren't capable of evaluating one operating system versus another. Expect it to get worse, because such meaningful things have never been taught in College... and I for one, am contributing to the problem by retiring early.
ATM machines
Is this anything like Cartoon Cartoon Friday?
Shop as usual. And avoid panic buying.
...strange...
I think most people (99.9999%) know that ATMs are owned by banks and not the owner of the building (the bank name in big lighted letters above EVERY ATM is a pretty good clue of that). I mean, this is like saying that this crashed ATM reflects poorly on Pittsburgh, PA.
If anything, the first article in a few years might say that the first ATM was hacked by CMU students. Not such a bad thing.
An ice cream machine was recently installed at my high school. (It uses a little vacuum dealie to retrieve the ice cream bars, which is really neat, but that's beside the point.) Ice cream bars cost anywhere from $1-$1.50, but the machine accepts up to five dollar bills. The machine, however, does not give paper change - only coins. So pay for a fudgecicle with a five-dollar-bill and the thing starts churning out nickels and dimes like a slot machine. Problem is, the coin-counting mechanism isn't exactly accurate if you use way too much money to buy an ice cream bar (like ten bucks for a $1.50 popsicle.) On several occasions, I have received more change than the cost of the ice cream bar itself. I'm not one to promote embezzling money from ice-cream companies, but a free popsicle and a couple of bucks in profit isn't bad... (Note: since this incident the machine has been fixed)
a) When the bank loses money, it's YOU, the customer, who pays for that. Don't expect the shareholders to take a hit just because the company's ATM's are spewing extraneous $100 bills all over the street.
b) When the bank screws up, it's usually YOU, the customer, who finds that there's no money in your account all of a sudden, just when you need to buy groceries. And they take their sweet time to admit there's a problem, let alone fix it.
c) One of the reasons we have governments is to keep businesses from willy-nilly taking short-term gain/long-term pain actions which harm society.
Freedom: "I won't!"
It was well known amongst the students that one particular vending machine was slightly mis-adjusted: if you were careful, you could pull a bottle through that area without triggering the coin drop, hence letting you get two or more bottles for the price of one.
My father's record was around 20 or 30 bottles on one payment.
The more things change...
No, I can echo what the first guy said. I work with every major kiosk vendor from IBM to Kinetics, and they're all x86 PC based these days. Many are Linux based, most are Windows based.
Here's the thing... you've got to use industry standard peripherals these days, dip readers, pin pads, door sensors, ticket sensors, cash readers... and they have been all RS-232 serial, which means you have to support multi-port serial. But since those boards are expensive, everybody has switched to USB (also USB is simpler to implement). And while all these things can be exploited on a custom board, in reality, nobody wants to do anything but write a software layer that hides peripheral complexity from the main application.
So you've got to support USB, SVGA-style graphics, and many big implementations are browser based, so now you really have to have an OS to support this level of complexity. And it turns out the cheapest things to use in this situation are PCs.
Now, we can argue about the value of all these things, but I suspect you developed relatively simple kiosks which didn't dispense money, or didn't have to work in multiple environments or required constant software updates to support new sales campaigns.
Kiosks are an important part of the CRM process these days. There are still some ROM'able apps on kiosks, but that isn't where the big money is these days.
So I suspect the first guy has a little more recent experience than you, or has probably worked in the travel and/or hospitality industry.
I doubt it's the employee that just made up that policy. I'm sure that someone in the bank already thought of the cloning issues and that is why their policy forbids the returning of lost cards.
Really? I lost my card once and my bank was nice enough to phone me up and say someone returned it.
There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.
I see this all the time with quiz machines in pubs. It annoys the hell out of me that people get the impression that Windows runs everything just because it is the only OS that they ever see rebooting.
So they get free advertising _because_ of the faults in their products whilst the guys that have done a good job don't.
Why in the world would ATMs need WinXP? I can think of plenty of reasons why they don't, but not a single one why they do...
What's the worst that can happen if your POS gets screwy? Send some bad data out to the corporate DB? Open up the register?
With an ATM you have a much larger immediate vulnerability (ATMs carry a LOT more money than any point-of-sale terminal), and the possibility of corruption/bad data in the home DB is much more frightening.
When code MUST be secure, as with an ATM, it must be SIMPLE, without a ton of bells and whistles that can be exploited. Only a fool would write the ability to run arbitrary code into a secure system! It really bothers me that there are banks out there that do things like this! They wouldn't have bozo the clown guarding their vault, but they don't care if their ATMs go nuts.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Seeing as I do first-line support on ATMs in the Pacific Northwest I have a bit of "first" hand experience in OSes..
:) They don't crash/lock-up as much as the XP ones ..
Majority of the ATMs around are running OS/2 Warp.. The machines with nicer graphics/anims are either running NT 4.0 or WinXP.. The prev msg is correct about XP on that model.. Touchscreen mouse too.. no keyboard outside so you couldn't do a lot other than click around..
I was amazed how many still run os/2.. Guess half an os does ok
I had an experience like that in junior high school.
:-)
This was in the 1970s, and we had a soda machine that gave you soda in a paper cup, along with ice that felt remarkably like cardboard.
Well, one day in summer school, word is spreading like wildfire that the soda machine is just pumping out free soda. So, anybody who can get any container was running over to the lunch area to get some. I had a cup from before and got several free fillups of the Seven-Up like mixture it was continuously pumping. One of my very best days in junior high
More recent, no doubt. The bulk of my kiosk-building experience was from before companies had figured out how cheaply these software systems could be slapped together. Nonetheless I did witness the seeds of this veritable management antipattern, and I believe I am largely on track about what I am seeing around me today.
My systems were for grocery stores, hotels, shopping malls, convention centers, office buildings, truck stops, doctor's offices, state fairs, local colleges, regional Bell Operating Companies and one major airline. Some interacted with mainframes, many dispensed coupons, some featured sound samples and Pioneer laser disks. Indeed they did work in multiple environments requiring frequent updates to support new marketing campaigns. But none of my systems ever dispensed cash, that is true. However I'd consider the latter to be primarily a reflection of my employer's market presence than any kind of statement of our technical teams' abilities.
My systems did support detailed fault logging, ad-hoc downloading of new ad campaigns, refreshing of data such as news/weather/sports and could be completely controlled, (yes) even software upgraded via modem.
Prior to that, I had also done some x86 PC based systems, a platform which you'll recall could support four RS-232 and up to three Centronics parallel ports using nothing but standard off-the-shelf cards.
A little creativity can help with an RS-232 shortage. Sometimes we split the TX and RX from a single serial port between the printer and card reader, respectively. Other times we selected a keyboard-wedge card reader or a parallel printer because of port shortages.
On multiscreen systems, we could use the ports from both Amiga motherboards. We did also have some custom boards with additional ports for one-time demo applications which never required buffering so we simply addressed those chips directly from C routines running in the background without any unnecessary driver overhead. (The latter is also a clue to the very hideous and slipshod Sales process which I believe is inherent in the industry. Really; eye candy is king.)
I'd get these development requests like, '[XYZ Fortune 500 corporation] will be in our conference room this afternoon. Can you add a keyboard to the Grocery Store product locator system, totally change the look & feel, redo all the graphics, throw in a pizza training course database, paint the cabinet gold and make the software accept and interact with the user's training history based on identification from credit cards?'
After hearing me say "Not by this afternoon" a few too many times to unbelievable requests such as these, a different team started successfully fielding these requests by literally faking it - with a software package called "The Director." Before long, the executives had entry-level non-programmers making the leap into misguided attempts to develop entire kiosk systems using primarily this package, and witnessing such efforts gave me a new grasp of the word "farce."
But executives are quite blind to these things. If for example it took me a year to develop a robust system in C, then that means that as an experienced programmer I am quite out of line for criticising a beginner's futile use of an inappropriate tool until they've spun their wheels on it for at least a year and instead come up empty handed. Follow how that works? "Fast and cheap" are like magic words which can totally brainwash an otherwise intelligent corporate executive. When a technical person says "quick and dirty," the executive hears "first to market."
Today's more mature analogies to 'The Director' would be Flash, Front Page and their equivalents. So you see, I view many of today's kiosk systems as incarnations of the executive-level farce whose time has actually come. Today, beginners can be set loose on these packages, and they can actually come up with something that might be able to slip past QA within a short period of time.
Ever see a BSOD on an
The same thing happened to me!
:(
There I was, visiting Ireland, spending money, getting extra money from the ATM, having my card swallowed. By an Ulster bank ATM.
After looking around I found an Ulster bank office with someone still there (it was around closing time), and the lady there told me it was handled by contractors and she would send me my card when it was serviced the next week.
Before you think "Well, that's nice", I'll have you know that she lost my address, and when I rang her to remind her, she once again promised me she would send it but never did. Sigh.
The money I wanted to withdraw was even taken from my account, but put back after I complained, since I didn't get it.
Oh, and since my card had about 20$ in electronic cash (proton in Belgium), I lost that, too
I'm not putting anything of mine into anything of Ulster bank, ever again.
I once used an ATM in Amarillo, TX, which after completing a dial-up referral, would play the first bar of "We're in the money" in monophonic bleep-o-sound (music by Harry Warren, from "Gold Diggers of 1933")
OK, the gov't is not our mommy. I agree that people need to speak with their pocketbooks* (the only language that amoral corporations listen to) but I do think that there are very good reasons for legally-mandated banking security - namely that the consequences of banking security breaches are potentially huge to the "little guys", i.e. you and I with our pathetic little savings accounts.
* and people need to do it more - there's a lot of griping about sucky companies, by people who seem to think they have to buy those products/services anyway. It's a (weak but effective) illusion of no-choice which corporations have carefully fostered for years.
Freedom: "I won't!"
Dangit, it won't let me fix the URL. Slashdot is munging it -- remove the space in "3334".
The final word was heard from Ulster Bank today. I've ordered a new card from my Norwegian bank.
I ain't puttin' nothin' of mine into any of their ATMs again either.
except - perhaps - a welding flame
Oh, reading through this comment: Before the affectation of the cognitively superior is put into words: Ain't is a word.
(As in: "I ain't convinced that English is defined by its dictionaries alone.")
Doubt me?
Well not in the AMERICAN branch of RBS, Citizens.
There's a mainframe backend in Medford, MA and East Providence, RI, but the VAST majority of the middleware and ATMs run XP. I know, I was the guy installing XP machines on the desks of the processing centers.
The ATM network is slowly making a transition from OS/2 to XP, the desktops are already there, the majority of the internal servers should be Win2003 by now, they were transitioning from Netware as I left. The 'legacy' OS/2 systems doing check processing and lockbox ops have all been replaced by new HPQ Windows systems.
I also read in the RBS 'look back at 2002' brochure that RBS/Europe has also centralized on Windows XP for all but the mainframe operations.
The 'feel' inside RBS and Citizens is VERY pro-Windows, the Active Directory migration gives everyone an excuse to get a flat-panel P4 with oodles of RAM and a better server backend. (The old Novell backend was 350MHz PII machines with full-height 9GB hard drives.)
"Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
This is the site administrator for midnightspaghetti.com. Thanks for all the traffic! The site's back up (we purchased more bandwidth). Try not to go too crazy with the hits...
There's a funk band in Harrisonburg, PA?!?!
The Independent: Reverend Spooner Arrested in Friar Tuck Incident - ISIHAC, Historical Headlines