Linux May Succeed Windows XP As OS of Choice For ATMs

Dega704 sends this news from ComputerWorld: "Some financial services companies are looking to migrate their ATM fleets from Windows to Linux in a bid to have better control over hardware and software upgrade cycles. Pushing them in that direction apparently is Microsoft's decision to end support for Windows XP on April 8, said David Tente, executive director, USA, of the ATM Industry Association. 'There is some heartburn in the industry' over Microsoft's end-of-support decision, Tente said. ATM operators would like to be able to synchronize their hardware and software upgrade cycles. But that's hard to do with Microsoft dictating the software upgrade timetable. As a result, 'some are looking at the possibility of using a non-Microsoft operating system to synch up their hardware and software upgrades,' Tente said."

heartburn in the industry?

Oh if only Microsoft had given them more than like 10 years notice of end-of-support, they might have had time to prepare....

Re:heartburn in the industry?

[jedidiah]

> Oh if only Microsoft had given them more than like 10 years notice of end-of-support, they might have had time to prepare....

I've been in shops where the key mission critical app was 30 years old. All of the shiny new MBAs would come in and try and replace that thing with newer tech but would ultimately fail. The 30 year old product did the job and the shiny new things couldn't.

ATMs are such a key part of their business that it really makes no sense for them to not be in total control.

Linux allows that.

Although they should have used a more industrial product to begin with. The choice really shouldn't be between Linux and Microsoft. There should be better targeted options and the market should have allowed those to thrive.

Re:heartburn in the industry?

[MightyYar]

Although they should have used a more industrial product to begin with.

This can be hard in practice. Vendors of niche products often only support Windows. Even if they support other OSes, you end up being the beta tester since the code is not as widely used. We ended up using XP embedded years ago because, of all things, USB memory stick compatibility. We tried to use Wind River's drivers, Linux drivers (years ago), and even Windows CE - but XP was the only solution that worked with almost every stick out there. When we used Wind River's solution, we had to maintain a compatibility list. But this effort was impossible once they started to explode in popularity. We of course sold compatible sticks to use with our equipment, but this was not popular with our customers and our competitors used Windows, so we were at a disadvantage.

Re:heartburn in the industry?

[Richard_at_work]

They originally chose XP because it had a much lower cost of entry than anything else, and I'm not saying that as a Linux hater - yes, you do get the source to do with as you may, but that means hiring developers who know how to do something with that rather than just hiring VB developers. Low start up costs versus less control over your long term environment. But that wasn't an immediate problem when the EOL date was a decade off.

So now, a decade on, they are reaping what they sowed.

Re:heartburn in the industry?

[Immerman]

I suspect ATMs straddle the line between being too sophisticated and varied to lend themselves to a simplistic embedded system, and too niche a product to be cost effective to develop a specialized OS from the ground up. Windows gave them something that got the job done more cheaply than a custom-built OS. Now that Linux has gone mainstream it does open the door to a specialized OS since it need not be built from the ground up - adding and removing modules typically involves *far* less effort, especially when there are numerous variations of stripped-down specialty distros to start from.

Re:heartburn in the industry?

[gweihir]

There is no reason to write-off 10 year old ATMs. They are likely in good working order, and you can get spare parts. You do not throw away a 10 year old plane or helicopter either. These devices are more like elevators: Keep them in good order, and they will serve you well for a few decades. The only problem is that the people that selected the OS had no understanding at all what kind of device they were designing for.

Now, with an (embedded) Linux, they can back-port security fixes (or have them back-ported for them) and can continue to use the same application code for at least a few decades, as the UNIX API has been pretty stable for 20 years (or even more if you restrict yourself a bit). Of course, some will be stupid and use Gnome or KDE for the GUI, but those that have some understanding of how things work will stick with Window-Managers that have been around forever and stable-as-stone graphics toolkits.

Re:heartburn in the industry?

[redmid17]

XP Embedded goes EOL in early 2016

Re:heartburn in the industry?

[serviscope_minor]

They originally chose XP because it had a much lower cost of entry

Really? I'd heard they chose XP because they wanted to be able to run flash on the ATMs. As stupid as that sounds, many ATMs play advertisements (generally for the bank in question) of some sort and flash was the popular delivery platrform. Since the ATM vendors had control over the content it presented no security risk, but they did require a supported platfotm.

Re:heartburn in the industry?

[OhSoLaMeow]

Someone bring me my flux capacitor!

The questions is not "where is my flux capacitor" but "when is my flux capacitor". You're just not thinking fourth-dimensionally.

Re:heartburn in the industry?

[Deathlizard]

I don't see where Linux would be that much of a better benefit for ATM's since it's lifecycle is typically short as well.

XP is kind of a enigma for MS, since they supported far longer than most of their OS'es (I think windows NT and maybe DOS had a longer support cycle) Lifecycle was one of the reasons OS/2 survived so long since IBM supported it for 10 years.

In the Linux world, the longest LTS distro support I've seen is 5 years. Sure you can upgrade Linux easier than Windows in many cases but you may still run into issues from one kernel update to the next.

Best practice would be the ATM Vendors (Diebold, NCR, ETC) supporting their own RTOS build specifically designed only for ATM use, and Hardened to the hilt for financial transactions.

Re:heartburn in the industry?

[whitroth]

Sorry. RHEL (and thus CentOS, and I presume Scientific Linux) have 10 year support.

                  mark

Embedded

[Moblaster]

So does this mean we can expect our special hardened ATM Linux OS to have names like Filching Finch, Moneybiting Mongoose, Overcharging Oranguatan?

Re:Embedded

[oodaloop]

More importantly, will 2014 finally be the year of Linux on the ATM?!?!

Here's what I don't get

[dingen]

What's a desktop operating system doing on an ATM anyway?

Re:Here's what I don't get

[CastrTroy]

I don't even get why they'd switch to Linux. Something like QNX or VXWorks (I'm sure people will chime in with other/better examples) would make much more sense for something as simple as a bank machine. A bank machine has to do very little. Why would something as complex as Windows or Linux be used.

Re:Here's what I don't get

XP embedded was the OS of choice after OS/2. Turns out the bankers wanted to know why, if they're paying the same price, they're not getting XP Pro. It's really that simple.

It was never a question of "can we install Linux or Windows 7 or BeOS" - it's basic Intel hardware.

The reason XP is still on the ATMs and not Win7 is due to the banking industry and PCI regulations - it costs hundreds of thousands of dollars to make a simple change to the ATM and get it certified by the banking industry and prove that it's still PCI-compliant in order to work with 3rd party transaction processors who perform the actual ATM transactions. Most banks don't to that themselves.

There's one other big reason - the industry requires that each ATM have a HAL that implements a well-known, well-defined interface so the higher level software from any vendor will work on any other vendor's ATM. The HAL is big technical piece that has been in development by each vendor for years. Re-writing that from scratch to support Linux isn't trivial.

Re:Here's what I don't get

[j35ter]

Because Blackberry might pull another XP on them in a couple of years..

Re:Here's what I don't get

[tlhIngan]

I don't even get why they'd switch to Linux. Something like QNX or VXWorks (I'm sure people will chime in with other/better examples) would make much more sense for something as simple as a bank machine. A bank machine has to do very little. Why would something as complex as Windows or Linux be used.

Because of developer tools. The software on ATMs isn't static - it changes often enough to be annoying as new banking requirements come up - new language support, accessibility, currency handling, etc.

The ATM hardware basically is static, but the software it runs on is customized for the bank and for the purpose the bank is using it for.

Embedded OS tools generally are quite awful and hard to set up. But desktop tools are easier to use - just point a developer at Visual Studio, the source repo and they can get building that afternoon. And with a few peripherals, they can even emulate the ATM hardware right on their desktop without having to have the ATM beside them, transfer the code and assets over, etc.

Anyhow, it's not like banks didn't have a lot of notice - way back in the Windows 7 days Microsoft had already announced end of support (this was over 5 years ago). They reiterated it several times since then. The fact that support was ending next month has been known for years.

Problem is, most companies see it as "far off" and too far away to bother, ignoring the fact that migrating can take years. Just because you were told in 2009 that XP was going away in April 2014, means most companies will ignore it until the last minute. It's so bad that Microsoft is getting requests to extend XP support another year. (And most of those are from people who did NOT need more than 5 years to migrate - they just ignored it until they had the "oh shit it's only 6 months away!" moment).

It's been going on for years now - the banks have had more than ample opportunity to prepare.

Re:Here's what I don't get

[dingen]

No. The ATMs in question are running XP Pro, not Embedded. The same thing is happening in the UK, where banks are paying Microsoft hundreds of millions of dollars for extended support contracts (link), just to keep releasing patches every now and then. This wouldn't be the case if the machines were on XP Embedded.

What about OS/2?

[BenJeremy]

I was told OS/2 was the choice for ATM operating systems!

Re:What about OS/2?

[Stargoat]

It was, before the ADA required banks to replace any ATM that could not handle audio integration. That was about 2-3 years ago. OS/2 typically could not handle the hardware upgrade necessary for the required audio. The banking industry paid millions, maybe billions, to upgrade tens of thousands of ATMs. Diebold, NCR and Hyosung made out like bandits.

Re:What about OS/2?

[LordNimon]

OS/2 typically could not handle the hardware upgrade necessary for the required audio.

Can you explain this further? I worked on OS/2 multimedia back in the day, and it is more than capable of handling all kinds of audio requirements.

Re:What about OS/2?

[flinxmeister]

ADA was only one reason. The main reason was OS/2 was EOL and they couldn't really do anything with it. You haven't truly loathed an OS until you waited an hour for an ATM to boot, only to find out the next config change would require another reboot. ...and you had 5 more config changes to make.

Ok seriously though ...

[Jumperalex]

I guess I'm missing the difference. Linux distros and kernels do indeed go EOL. When that happens there are no more security updates and backporting right? Well how is that different than what MS is doing right now with XP? In either case they will still have to face the fact that the OS isn't going to be supported anymore and will require them to upgrade software.

Or are they thinking they will go it alone and continue to update their Linux distro/kernel just because it is open source? Do they really think they are qualified to do that? Or is the hope that they can spend money to keep the OS in long-term-support status?

Re:Ok seriously though ...

[vidarlo]

Or are they thinking they will go it alone and continue to update their Linux distro/kernel just because it is open source? Do they really think they are qualified to do that? Or is the hope that they can spend money to keep the OS in long-term-support status?

That is not as hard as it sounds. There's already tons of mission critical in-house applications in banks, some of them probably quite a lot more complex than an OS with some drivers and an application on top of it...

Re:Ok seriously though ...

[a_n_d_e_r_s]

Since the code is free you can just buy support from any IT company who offers it. You are not forced to buy it from the original manufakturer. So with Linux - you can basically get eternal support if you want it.

The truth is if Microsoft sold it off they could probably get very good payment from other companies that would love to take over support and upgrades of Windows XP.

Microsoft is killing the business to be able to force the customers to downgrade to their new operating systems.

Re:Ok seriously though ...

[Grishnakh]

You are missing the difference. Linux is open-source, and not under the control of any one vendor. Distros go EOL, kernels basically do not; you can always upgrade to a newer kernel, and you're not going to break anything in the process. So if you're an ATM maker and you roll your own Linux distro, it's pretty trivial for you to just keep upgrading to the latest (stable, not bleeding-edge) kernel. Or, if you prefer to have a vendor do your OS work for you, your vendor (like Wind River, Timesys, etc.) can do that too. So basically "yes" to your second paragraph, first sentence. If they're not qualified, they can outsource it to one of the many commercial Linux companies. And if they get sick of their chosen vendor, they can easily switch to a different vendor, or move it in-house; these are options that aren't present with MS.

Re:Ok seriously though ...

[Ziggitz]

You don't think banks have the money or the interest to support a linux distro that will be a core component of all of their ATM's. Next you'll tell me they pay taxes.

Re:Ok seriously though ...

[Eric+Damron]

I have worked in an IT department where we were getting slammed every few years with huge upgrade crunches. These were on desktop PCs not ATMs so I don't know how closely our problems mirrored those of banks but for us it was all of in-house software that had to be tested and upgraded to work with Microsoft changes.

We had a hardware maintenance contracted so every few years,like it or not, we would get new PCs that had Microsoft's newest OS. It's not as easy as just dropping new PCs on everyone's desks. Every piece of software that our employees used needed to be tested with the new version of Windows. A lot of them broke. Microsoft products like MS Office mostly worked in vanilla form but we had to test all of our macros and any third party add-ons like Dragon Dictate which often broke.

Basically any third party or in house applications were a crap shoot. The PCs would come in and we had little time to adapted. It was a total pain. If we were running Linux we could have tested at our own pace and then deployed instead of rushing to meet someone else's schedule.

Re:Ok seriously though ...

[TheRealMindChild]

you can always upgrade to a newer kernel, and you're not going to break anything in the process.

This is just wrong. Threading and libc compatibility isn't transferable between 2.4 and 2.6. There are innumerable 2.4 applications which will flat out not run on a 2.6 system. The same goes between 2.2 and 2.4. And 2.0 and 2.2.

Re:Ok seriously though ...

[Yunzil]

you can always upgrade to a newer kernel, and you're not going to break anything in the process.

Hehe. That's a good one.

Yes and no

Yes it's free, but I'm sick of the "it's more secure" nonsense. It has the potential to be secured properly by the integrator, but that's it.

Re:Yes and no

[jedidiah]

This is the perfect example of why gratis doesn't mean so much. The really important thing here is that the user or even the "integrator" can have complete control of the system. They don't have to worry about ANYONE else interfering with the degree of control they want and the features that they want to be active.

The people building the ATM are in total control. For a device like an ATM, that's really how it should be.

Re:Yes and no

[Grishnakh]

I'm sick of the "it's more secure" nonsense. It has the potential to be secured properly by the integrator, but that's it.

Aren't you basically contradicting yourself here? If it has the potential to be secured properly (and the alternative does not), then doesn't that make it more secure by definition?

To make a crappy car analogy, let's suppose I have two options for cars, and I want a car that's extremely safe (as in offers the best crash protection). Option 1 is a car that has freely-available design documentation and which I can build myself from cheap, readily-made parts. It's also very cheap and easy for me to add a bunch of airbags, and other advanced features like crumple zones, impact-resistant fuel tank, etc. Other people get this car and build their own versions without some of these options, or they add in other features that render these protective features less effective, but not everyone does, and some build their own version with all the best protective features without any extra fluff that decreases safety. Option 2 is a car with the hood welded shut and which you can't modify at all. It has a drivers-side airbag only, and it claims to have a crumple zone but there's a lot of controversy about exactly how well it actually works in a crash, and there's very little real crash-test data available for it as the company that makes Option 2 is very secretive about the design of this car (Option 1 has been crash-tested numerous different ways by different agencies). You can't add any extra airbags either. Obviously, Option 1 is the safer choice, even though that means you can't just grab some off-the-shelf version put together by someone who doesn't care much about safety.

Finally!

[StripedCow]

Finally, the year of Linux on the... oh wait... ATM.

Re: I'd just like to interject for a moment

[Kusuriya]

In this case it may not contain GNU

Forget Windows and Linux

[ArcadeMan]

They should be developing their own OS anyway. I guess they'll call it ATMOS.

Re:Forget Windows and Linux

[kthreadd]

Which turns out will just be Ubuntu with a custom desktop.

Well Duh...

[bobbied]

Why an ATM was hosted on XP in the first place is beyond me. I suppose you dance with the one who brought you and banks are solidly Windows shops, but using XP for a device where security and reliability is paramount seems like a bad choice, at least in hindsight. I suppose in the depths of the XP heyday, when the base design decisions where being made, Linux was a decidedly hit and miss affair (mostly miss). X support was spotty and other devices had limited support. I remember the heady days of installing slackware and configuring video card and monitor by editing that text file. XP must have looked pretty good.

Now, ATM venders are faced with having to port everything to newer versions of Windows, which forces them into more expensive hardware (faster CPU's, more memory, greater drive space, modern video hardware etc.). This in the face of being able to keep using the old proven hardware, put Linux on it and get another decade or two, not to mention control of your own destiny because the source code is available and free. You are going to pay to retool to Linux, but you get to step away from Microsoft license fees. It's a long term gain, short term loss.

Maybe they will make the right choice this time? Who are we kidding... You KNOW that Microsoft has pulled out all the stops on the Redmond FUD machine and would gladly cut some "deals" to keep these guys on the hook and make Linux look less desirable in terms of ROI.

Re:I'd just like to interject for a moment

[AF_Cheddar_Head]

Would that be Gary GANOOOOOOOOOU Linux?

Re:possibility...some...

[icebike]

Linux is already the norm in Brazilian ATMs, so the banks can just buy ready built versions.

Bye now, I'm off to my Portuguese class.

So how is support...

[Plumpaquatsch]

So how is support for RHEL 2.1 (a year younger than XP) these days?

Re:So how is support...

[Todd+Knarr]

That's the thing, though: for the most part the basic programming APIs haven't changed much since then. There's some new ones, but mostly code written for RHEL 2.1 will compile and run on Debian 7.4. The kernel will have been upgraded, the libraries and packages will have been upgraded, but the source code and makefiles and scripts will need minimal changes to make the jump. You won't be able to take advantage of the new features, but you won't be looking at nearly the work to migrate. Even widget sets are mostly backwards-compatible, and for an application like an ATM you can omit the desktop environment stuff that's undergone major changes over the years (why would an ATM need a desktop environment anyway, it's not like customers will be interacting with the ATM's desktop). Combine that with the ability to just not run services like Samba (Windows networking) and the like and you make it a lot easier to do support in-house as well, reducing the need to migrate in the first place.

Re:So how is support...

[Plumpaquatsch]

You are assuming that companies will actually have access to the source of the applications they bought, even if they were written for them instead of some off the shelf software. And that's mostly the case even when they run Linux beneath. So all this does is to change the problem from "Microsoft won't support XP after 10 years" to "I sure hope Billy Bob's Software will still support (as in just recompile) my software for the next RHEL version."

Re:Good for Linux

[Spiked_Three]

Well that a business would decide they didn't like having support dropped, so much so that they plan on moving to something unsupported all the time is ludicrous.

Wait until a bank goes to hire linux support employees. As most moves to Linux, I expect this one to last about 26.2 seconds.

Re:ATMs?

[BitZtream]

You can't 'tell them what you want' ... they'll hand you back a slip and tell you to fill it out and sign it ... which is what you do when you poke the buttons and enter your pin number at an ATM.

You're naive at best.

Banks are some of the most ruthlessly efficient organizations on the planet, by their very nature.

First off, those bored people behind the counters 'watching you fill out those ridiculous slips' aren't bored, I promise you they've been working ALL day, doing something the bank hasn't yet automated. Just because the counter is high and you can't see they've been counting night deposits doesn't mean they were just sitting back their rubbing one off.

Second, the slips are not so you can 'tell them', its so the bank has a record of what YOU told them you were asking for or giving them, and BEFORE The transactions complete, they can reject it. If they accept it, they have, IN WRITING, what YOU requested from them, and how they filled it. They are protected against YOUR mistakes in transactions. The ATM does the EXACT same thing, but you just don't realize its doing it. This is a matter OF LAW, not practice or fun. This kind of stuff goes right along with the regulations that let them put that nice little Insured by the FDIC sticker on the window.

Third, Awesome, you think because the bank has off loaded doing their job onto YOU and a machine, that people who use the old method, where the bank actually provides services ... are the ones with a problem. And notice ... those people have ... money.

Irony: You think you're smarter because the bank is much more efficient at ripping you off than those stupid old people. Congratulations, there is an old dude sitting in an office, laughing his ass off about how you and the kind of ignorance you carry with you, filthy fucking rich.

ATMs are banks giving you less service and charging you for the privilege. You're an idiot. You kinds of guys are mind blowing to me. So excited about the new hotness not being 'old and busted' to notice that 'new hotness' is in fact, busted from the start and 'old and busted' got the job done better and cheaper.

Re:For the ones arguing that M$ gave 10 Years Noti

[Missing.Matter]

Wouldn't we have Microsoft's own incompetence with Windows Vista to thank for that?

Re:ATMs?

[astro]

Most countries, obviously including economically advanced and powerful Germany (where I live) also use ATMs (Geldautomaten). Here, the culture is still such that "cash is king". Other than supermarkets, huge chains like Ikea, H&M and McDonalds, there are very few places that you can use a debit/credit card to pay for goods and services. Asking "people still use cash?" is centered around a single first-world culture and in no way representative of the wider presence of ATMs.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Sync on Hardware and software

[njnnja]

There are plenty of non-frivolous reasons why ATMs should be upgradeable. Banking is highly regulated, and if tomorrow the FDIC, the FRB, the OCC, or the CFPB made a rule about ATMs that could not be easily reconfigured for then an OS upgrade might be required to be in compliance. And it is unlikely that any sufficiently large organization has no security breaches on their internal network. A good defense in depth strategy would almost certainly devote some resources to making sure that ATMs are secure, to reduce the headline risk they pose if nothing else. And a part of that is ensuring that they are up to date.

Re:possibility...some...

[mlts]

I've seen XP on some ATMs, not XPe, although it does get annoying when an ATM is down due to an XP activation screen.

The ATM industry needs to stop being pennywise and pound foolish.

Instead, they need to design their platform once, do it right, then as time goes on, add a UI refresh every so often so the cute cartoon characters get a facelift every year or two.

Were it up to me with ATM design, I'd probably charge off a quarter profit to do the architecture right, then once done, pretty much coast from there.

First, I'd give a lot of consideration to QNX. ATMs are not really needing a RTOS, but QNX has an excellent reputation for security (with decent government certifications to back that.) From there, add a TPM chip, userland, and the application. Done right, someone plugging in an unauthorized USB flash drive won't be able to do as much, compared to XP with AutoPlay/AutoRun turned on.

Linux is also a good choice. One could go with a full userland or an Android style userland, both with SELinux to minimize damage. Linux may not have the C2 cert that QNX does, but it will hold its own in security, if done right.

Re:possibility...some...

[Hognoxious]

Where is it? The one I use always comes up with "Insufficient funds".

Re:possibility...some...

[quitte]

Or maybe they could even not do facelifts?

Of course I'm glad the CRT ATMs with burned in interfaces are gone. But apart from that? I don't like the Welcome screen and Ads. I want the thing to be fast.and easy to use. I don't want a lot of functionality. I want to enter the sequence of keys I press to get money without having to follow the rules on the screen that I have seen hundreds of times before.
I want to be able to read the screen at all times of day independent of where the sun is.

As with all embedded systems if the question wether something is an improvement can not be answered without a doubt you'd better leave it as is or find a simpler solution. Like a physical button. Or an instructional poster.