Slashdot Mirror


User: Miser

Miser's activity in the archive.

Stories: 0
Comments: 204

Comments · 204

  1. Re:bring back the green IBM 3270 on Is Enterprise IT More Difficult To Manage Now Than Ever? · · Score: 1

    Logged in just to say YES. THIS. A thousand times this. Mainframes and text based FTW!

    Lock that stuff down so only real work gets done, and if you don't know technology you do NOT get to make the decisions.

    I don't go around telling the auto mechanic how to fix cars (since I do technology) so I don't expect non tech folks to tell me how to do my job.

  2. Re:Seems good to me. on The American Workday, By Profession · · Score: 1

    Maybe we shouldn't be able to buy a lawnmower at 3am?

    Any reason why shopping for a lawnmower at 3am somehow is a moral quandary? What is so magical about that time that we should keep people from shopping for lawnmowers?

    I'm not saying we should keep people from doing so, I'm saying they shouldn't be able to (the store isn't open). There's a difference IMHO.

  3. Re:Seems good to me. on The American Workday, By Profession · · Score: 1

    Signed in to say that there's something to be said for rolling the streets up at 5/6pm. Ever been to an Amish community? Everything is pretty much closed at 6pm, sans a few stores that aren't exclusively run by Amish folks. I know it really shocked me the first time I encountered it.

    Maybe we shouldn't be able to buy a lawnmower at 3am?

  4. Insecure systems or human error. END OF LINE. on Hackers Steal Data Of 4.5 Million US Hospital Patients · · Score: 1

    It's either insecure systems or human error, or a combination of both that allowed this breach in my opinion. Why oh why do most (not all) IT companies use the lowest common denominator or put things in for "ease of use" instead of "security"? Folks need to start standing up to these sociopaths (the non-technical people in control) and set things up like they should be - SECURE.

    They should be using locked down, secure systems (IBM Mainframes with security systems on top?) and two factor authentication. Does it make it a bit harder for the mouth breathers to log in? Perhaps. But I'd take that over these constant breaches we seem to be having. Fine the companies into the ground to the point that they have to go out of business (or have another company perhaps take them over so the actual healthcare WORKERS (not CEOs and other overpaid folks) keep their jobs).

    Perhaps I'm rambling a bit but I hope you get my point.

    Cheers,

    Miser

  5. Re:way to over simplify the issue win the summery on SCOTUS Ends Novell's Anti-Trust Cast Against Microsoft · · Score: 1

    I would hope not. :)

    To stay on topic, I am really torn. Part of me wants Microsoft to go away, or at least get diminished to the point where businesses and folks are forced to make a *real* choice on what software to purchase (other than "no one is fired for buying Microsoft"). There is just SO much more to technology than just the Windows monoculture.

    However, their busted stuff pays my bills, so I really cannot complain too much. :)

    -Miser

  6. DO NOT WANT on You Might Rent Features & Options On Cars In the Future · · Score: 1

    Signed in just to post. Needless to say, I would avoid cars and entire brands that tried to pull this crap.

    Upon further reflection, maybe I WOULD purchase a car like this, then hack it to pieces (not literally). Once the unlock codes are out there, who is to say? :) It still sounds like a bad idea for the consumer, however.

    -Miser

  7. Re:I fear a monoculture on Is a Super-Sized iPad the Future of Education? · · Score: 1

    Signed in to pile on more agreement.

    Back when I was in school, it was Apple // 's - then IBM (genuine, model 20's, 30's). I had an account on a VAX, then an Alpha and learned VMS a bit. Concepts were taught, not just what button to push. How to solve a problem in BASIC, Pascal, etc. Not just in one language. Now, I can sit in front of Windows, Linux, OpenBSD, VMS, and even a 3270 session and be able to navigate. I can use Word, WordPerfect, Open/LibreOffice and be able to make a document or spreadsheet. I see too many people out there that just know one system, one operating system, one way to do something and it's scary.

    As they said in Star Trek II: "You have to learn WHY things work on a starship." :)

    Miser

  8. Perhaps a little overkill, but this is what I use .....

    Asterisk, a cast off computer, and an FXS/FXO card. The phones don't ring here and when they do my wife and I get nervous. I have an Asterisk system set up with only inbound routes with CID set to folks I want to get through - they ring our extensions automatically. Everybody else gets a call routing announcement to press 1 for me, 2 for my wife (or dial an extension) and it goes to our respective voicemails. Folks I don't particularly care for get hung up on, banished to hold forever, or other inventive things. If you don't make a choice, it goes to general voicemail. Keeps the telemarketers away and only friends and family know they can get through. It's been up and running for a couple of years now. Bonus for SIP and IAX links to friends with systems too so I can "intercom" them.

    Total cost was around $100 for the card. Cast off computers I acquire from time to time so that was $0. I have an exact duplicate spare in the closet ready for when this machine dies. Only problem is I have it configured so well I don't want to upgrade due to having to reconfigure and perfect everything again!

    Cheers,

    Miser

  9. Re:With "smart grid" or "smart cities" coming on Thousands of SCADA, ICS Devices Exposed Through Serial Ports · · Score: 1

    Where do you live?

    Here in Northern Ohio with ATnT, stay in the same CO and point to point T1's are $350/month at the 5-year contract rate. Month to month and lesser contracts are of course higher. Internet service on top of the T1 is of course, higher. But if you just want 1.5Mbps from here to the other side of town (if the other side of town is served by the same CO, which around here it is) that's all there is to it as far as costs go.

    Cheers,

    Miser

  10. Re:Asterisk on FTC Gets 744 New Ideas On How To Hang Up On Robocallers · · Score: 1

    I second the mentioning of Asterisk.

    I use the FreePBX distro at home, used an old PIII machine I had laying around, one FXO/FXS card later and I have a nice whitelist that will ring my extension or my wife's SIP desk phone. Anybody else not on the whitelist gets an IVR asking to dial the proper extension, and then when that doesn't happen, goes to general voicemail. Works wonderfully and the phone never rings. When it does, we get nervous because it's someone important!

    I also use the whitelist as a blacklist to blackhole, disconnect tones, hold music forever, busy, etc folks that I like to toy with.

    Plus, if someone faxes me, it PDF's it automatically and emails it to me. I've been wanting to upgrade but it's working so well I don't want to fix what isn't broke!!

    Cheers,

    Miser

  11. The only winning move .... on Why Making Facebook Private Won't Protect You · · Score: 1

    .... is not to play.

    Seriously. Lots of my friends want me to join facebook but I staunchly refuse.

    Call me old fashioned (at 35) but I consider Facebook and social networking a fad.

    Maybe it doesn't help that I still check my mail with (al)pine. :)

    -Miser

  12. Re:Good on Job Seeking Hacker Gets 30 Months In Prison · · Score: 1

    I completely agree with Edlll, however my experience has been that when I'm the CTO, there's a CEO (with an MBA of course) that loves to override my decisions when the whiny users complain that they "can't get their work done" (read: don't want to learn the systems in place to securely transfer data around). He's my boss, and I really cannot argue unless I find another job. Finally I got to the point where I didn't/wouldn't compromise my principles (and he tried to replace me by running ads in the local papers while I was still there) and was then shown the door. (mutual separation, they call it).

    Now I work for a small company where I'm quite a bit more valued. The pay is less, but the stress is less. Would I go back to being a CTO? Yes, but with a clear, well written contract. :)

    -Miser

  13. Re:Responsible? on Infertile Daughter To Receive Uterus From Mother · · Score: 2

    I wish I had mod points, as I'd mod you up as high as the system would let me.

    My gal and I? Childfree and loving it. :)

    Cheers,

    Miser

  14. Re:Going back to 1998... on Duke Nukem Forever Goes Gold · · Score: 1

    A challenger appears .... :)

  15. Re:This is why... on Australia Mandates Microsoft's Office Open XML · · Score: 1

    This, shentino ...

    It rings so true that I think I'm going to add it to my random ring of email signatures. (think back to the QWK mailer days where your offline mailer on FidoNet would randomly pick a signature from your signature file.)

    Thank you kind sir.

    Cheers,

    Miser

  16. Re:Why only ASCII? on The Case For Lousy Passwords · · Score: 1

    This.

    I run OpenVMS as a hobbyist at home (see the OpenVMS hobbyist site) and have a VAX and an Alpha, and I leave telnet (port 23) open to the Alpha. It's fun looking at "anal/audit" seeing all the Windows script kiddies and other folks trying "Administrator" and such. My passwords are rather long and obnoxious, and OpenVMS intrusion prevention/evasion will get you long before you can guess my password.

    Cheers,

    Miser

  17. Re:Whew on BP Claims Gulf Well Has Been Stopped · · Score: 1

    Dear most of the rest of the world,

    Higher taxes forcing reduced consumption and more efficient cars is a self defeating prophecy as it will result in ... you guessed it! Higher efficiency and less consumption and LESS TAXES COLLECTED, causing them to raise taxes more, which makes no sense.

    Signed,
    some of the most of the rest of the world :)

  18. Re:The "Real" problem? on Should Cities Install Moving Sidewalks? · · Score: 1

    I realize the OP is already at 5, but mod parent up to the sky, please.

    I've said it before but there is something to be said for not moving at a lightning fast pace. A Blackberry is nice, but as the neo-Nazi said in "Falling Down" - "I reserve the right" (to shut the damn thing off).

    What is it with instant gratification? People think too much in the short term (money NOW, profits NOW) rather than long term. Maybe I've finally learned from time marching on, or maybe it's because life IS too short, and there are many things on this world to be enjoyed, and you and I better enjoy them before we are unable to anymore ...

    Color me a little philosophical this evening. :)

    Cheers,

    Miser

  19. Re:What OS? on Hacker Develops ATM Rootkit · · Score: 2, Insightful

    I'll address some of your points - you weren't totally wrong, but it is also not as cut and dry as you say. Never think what is malice could not be mistaken for stupidity, or whatever the saying goes. The human element is in play here more than the technological one, even more so when you have short sighted MBA's at the helm of some of these financial institutions ...

    1. The flimsy door is rigged. Fiddle with it for a while and a big red light goes off at the bank telling them to check their security cameras as some bozo is playing with an ATM.

    Not necessarily. In all of the offsite (10+) ATMs I have had experience with, they were all for small, mid, and largish institutions. You'd be surprised how "penny wise, pound foolish" financial institutions are - they either don't connect them, or just flat out don't have the offsite ones alarmed at all. ($50 per month is too expensive for a POTS line, or $20 per month is too expensive for cellular alarm, I guess ...)

    Now if this ATM is inside a bank or other F/I, well then you need to assume that it is connected to the premise alarm system - HOWEVER, that could also mean just the vault, and NOT the flimsy door. YMMV of course.

    2. The bank sets the passwords, the banks I'm aware of used random strings of 20-30 characters. Not guessable. That's for the OS password, the password to the software to just do normal tasks like restock the ATM or print off some data would be simpler.

    In the case of Agilis, the Diebold software for Opteva and other series ATM's, it's just all zeros to get into Agilis - that's the master password. Hardly any institution that I have seen changes it. Oh, and BTW - the Windows XP side auto logs in. There is an opportunity to "stop" the Agilis software from running, and you get - you guessed it Explorer - free to do whatever you wish with an admin level account.

    3. Windows is the industry standard. Diebold, Wincor, and NCR all use it. They all used OS/2 before Windows. The presentation layer is a *huge* part of an ATM's duty, and at the time Linux wasn't up to the task. Or do you not remember swearing at your X.conf files for days?

    Ok, point slightly conceded that I don't like swearing at x.conf files, HOWEVER - with a company as big as Diebold they could save the licensing costs (they may have a bad reputation here on slashdot, but they employ some smart cookies) and use that to make what essentially is a "pattern disk" with all the little intricacies already worked out. Remember: these are little more than appliances, with the only difference being peripheral mix and what network they are connected to.

    4. I wrote ATM software at one point. Even with the program to send signals to the hardware and direct access to the PC inside getting cash out is not trivial. There's generally a sequence of 6-7 events that need to be sent to the right pieces of hardware in the right order to get the cash from the drawer to the slot.

    I'll agree with you there, although I wasn't suggesting attacking the USB peripherals directly, I was more thinking of attacking Agilis itself. It's a Windows app, leaks memory something terrible, and I'm betting could be easily exploitable by those with access to an ATM. And before you say "good luck getting one" I could easily get a refurb stand up Opteva with no safe for about $4k. Chump change for the bad guys.

  20. Re:What OS? on Hacker Develops ATM Rootkit · · Score: 5, Informative

    Seconded. Diebold (specifically, Opteva line) run plain old Windows XP. Some of them run Win XP Embedded. All of the "peripherals" in this case such as the cash dispenser, card reader, depositor if equipped, etc are just USB devices. The computer is NOT in the vault portion of the ATM, so if you can get into the flimsy door, you can get access to the computer.

    If you know the passwords (they are surprisingly easy ... or just use Hiren's to blank them out) you can get into the OS itself.

    I'm not sure why Diebold picked Windows, I would have preferred Linux of course, or perhaps back in the old days when the ATM wasn't a general purpose computer - it was a board with discrete circuitry and firmware. Everything to the network may be 3DES encrypted, but since it's Windows just get yourself a piece of malware on there and capture everything. Come back, retrieve the data, make yourself some cards, PROFIT. Of course, this required physical access.

    The older model ATMs (like the Cashsource Plus 200/400) still run eComstation (OS/2) and can connect via modem (really just serial) or TCP.

    NOT posting anonymously either. It's not like it's some big secret. If they secured their stuff, they wouldn't have to worry about it.

    -Miser

  21. Re:Riding the back of nostalgia. on Commodore 64 Primed For a Comeback In June · · Score: 1

    Seconded. :) ... and to the OP - get off my lawn!

    Cheers,

    Miser

  22. Mainframe? on IRS Security Faults Leave Taxpayer Data At Risk · · Score: 0

    I would think that the IRS would use an IBM mainframe for such a massive data warehouse such as taxes. Why should there even be "security patches" in the report. You mean to tell me they are using WINDOWS?!?! GMAFB.

    Just try to break into an IBM mainframe not connected to the Internet at all (or just accessible via IP on the IRS's network or VPN protected by SecurID) running CICS or CA/TOP SECRET or pick your favorite mainframe security system. I don't get it. The US can run $some_obscene_number into the red but not get real, decent security for the bloodsuckers^H^H^H^H^H^H IRS?

    Miser

  23. Content filtering :0 on Baffled By the Obsession With Pretend-Business Games · · Score: 1

    This is exactly why, when setting up security at a client site, the first two domains I block are facebook and myspace. SonicWALL Content Filtering Service FTW!

    It's fun to watch the logs and see how many people continue to try to go there despite the fact that it is blocked.

    Cheers,

    Fred

  24. Re:Yes I Do Want on Solar-Powered Augmented Reality Contact Lenses · · Score: 1

    I wish I had mod points, as this is so far the most insightful comment I've seen on slashdot today.

    Cheers,

    Miser

  25. ... and this is news how? on GPS Log Analysis Uncovers Millions In NYC Taxi Overcharges · · Score: 1

    Businesses (and in this case people) rip people off. It happens all the time.

    Nothing to see here, move along.