I am amazed that they are even using Windows for ATM's much less for voting machines. I mean can you think of anything less secure and less reiable for a mission-critical appication? Think about it: Would you want a Windows system running an air traffic contol station (I *really* hope that I am only joking here and ther aren't any Windows based ATC systems!)

Although I admit XP and 2000 are far more reliable that any previous version of Windows, I wouldn?t trust my and especially other people's money to it. If I ran a bank I certainly wouldn?t have Windows running anything that would be critical to daily operations (but then again if I was a banker I probably wouldn?t know that there was anything to be concerned about with Windows).

Open communication standards are a good idea but frankly an ATM is not that complicated of a device. You don't need a full-blown OS like Windows, OS-2 or even Linux - these are overkill. The main reason that Windows is being used is that the video implementation and the communications protocols are already in place, not a bad deal if you are running something non-mission critical like an airport kiosk or the like. But an ATM is supposed to be a _secure_ device, Windows is NOT a secure system. What you need is something that is more proprietary, small and simple, something developed in-house ? a true embedded system. That way the company that makes the ATM's has all the bases covered, they don't have to worry about Windows or other well known bugs and exploits and only a select number of people in the industry would know about vulnerabilities, if any, and (unlike Windows) also there wouldn?t be anything that would not be fully understood about the system. Early ATM?s were built this way and the ATM hasn't changed much in the last 20 or so years ? I think Diebold has just gotten lazy.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/7517/24031#24031