Re: Windows-based cash machines 'easily hacked'

["Dennis Henderson" <hendomatic () gmail com>]

On Tue, Mar 18, 2008 at 3:16 PM, Rich Kulawiec <rsk () gsp org> wrote:

> On Tue, Mar 18, 2008 at 11:40:36AM -0400, der Mouse wrote:
> > There's just no excuse - IMO - for using the most insecure (in
> > practice) operating system on the planet for an ATM...especially in the
> > presence of all the alternatives.  (Not all the alternatives are really
> > _good_, but practically anything else is better than Windows.)
>
> I strongly concur.
>
> And I'll go one step further: use of ANY general-purpose operating
> system on an ATM is a bad move.  It only needs to perform a small subset
> of the computing operations available in a general-purpose OS, therefore
> it shouldn't be running one.  What it *should* be running is something
> tailored explicitly for the task at hand, which deliberately omits
> every bit of functionality that's unessential.  (Every excess function
> represents increased potential for exploitation as well as increased
> software maintenance and testing effort.)
>
> Now whether that OS/monitor is built from the ground up or whether
> it's built by stripping an existing OS is an interesting question.
> I think for this particular application, "ground-up" is a better
> approach, since cost is obviously not an issue and because it
> diminishes the risk of propagating known flaws in the general-purpose
> OS downward.  Moreover, ground-up allows for the full SDLC --
> where I'd hope that security requirements would be allowed to
> trump all others.  (Which is often not the case in general-purpose
> OS design.)
Great ideas and I couldnt agree more. You're about 5 years too late.

:)

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.