Hacking an ATM - rlpb
http://henryschwarz.blogspot.co.uk/2012/06/black-hatted.html

======
tptacek
Some backstory that isn't in this article: Barnaby Jack (who goes all the way
back to the original eEye research team in the late '90s / early '00s) did this
ATM research while working as a researcher for Juniper Networks. I believe the
original vendor he targeted was Tranax; they make the crappy free-standing
ATMs you see in bodegas†.

Jack notified the vendor and (obviously) got his talk accepted and announced
at Black Hat. The vendor complained to Juniper, and Juniper had the talk
pulled††. Jack left Juniper for IOActive and gave the talk the following year.
Last time I checked, I believe he was at McAfee.

† _Funny thing about Tranax: they managed to let Google crawl their
maintenance manual a couple years ago, and the manual had their default
maintenance code in it; a huge number of ATMs were found to be running with
that default password, which allowed people to re-denominate the bills in the
machine._

†† _This was probably a reasonable call, because Juniper has billions of
dollars to lose to a negligence suit brought by an ATM company._

------
twelvechairs
It's not very nice that the author turns a 'security researcher' (his words)
who is effectively helping (if not actually doing) the author's job for him
into a pantomime villain.

[edit: I do get that they became 'friends', which gives some levity to these
descriptions, but it still strikes me as casting aspersions not just on the
individual but more generally on the way he and others like him choose to work]

~~~
Lewton
It's a joke. He later on describes how they've become friends.

~~~
robk
Then he mentions booing him at an event at the bottom. Friends seems to be
loosely meant.

~~~
tptacek
If the tables were turned, The Dread Pirate Barnaby would do worse than 'boo'.

Sorry, there's no drama to be found here. The guy's just having fun writing
this up.

------
darklajid
I couldn't bear reading that article.

The story could've been good, but the style of writing is neither witty nor
clever, and when I arrived at "reserved seats in the front row at Black Hat" I
closed the tab with a quick sigh of relief afterwards. Horrible.

~~~
arthurgibson
Has HN turned into a literary club? Despite trying to make it a spy novel, I
thought this article was one of the better stories read on HN.

~~~
tptacek
I liked it a lot too, and, obviously, I'm on Barnaby Jack's side of the
vulnerability research fence, not the ATM vendor's. I even thought the style
was amusing.

~~~
mitjak
Agreed. I came here wanting to say I thoroughly enjoyed the writing style.
Technical details coupled with great entertaining writing? Count me in. I
already read enough dry technical tumblrvomit as it is.

------
adnam
Here's the video of Barnaby Jack hacking ATM at the Black Hat conference in
Las Vegas, July 2010: <http://www.youtube.com/watch?v=qwMuMSPW3bU>

------
splatzone
Excruciating, hammy read - wish he'd tone down the dramatic prose and just
give us the info.

~~~
pferdefleisch
I really enjoyed the hamminess. I found it a pleasure to read.

~~~
edkennedy
Agreed, and I found it quite opposed to the stiff boring technical read it
could have been. Which I believe was the exact point the author was trying to
make at the end of his story.

------
epaga
Just wanted to chip in that I thought the article was a great read,
informative, and the author's self-deprecating sarcasm was very refreshing.
Much preferred to extremely dry and technical stuff.

------
follower
FWIW Barnaby Jack (or a reasonable facsimile of him) links to this article
with the comment "the right way to respond to security vulns...".
(<http://twitter.com/barnaby_jack/status/210052884497313793>)

------
merlish
Found this article quite amusing. I'm not sure why so many people are getting
turned off by it.

------
andyjohnson0
It's worth noting that the events described occurred in 2010.

~~~
joelhaasnoot
Can't find a full-length video of the presentation anymore online. Anyone else
find a copy of the presentation?

~~~
andyjohnson0
I don't know about full-length, but there are some >10min videos on YouTube.
<http://www.youtube.com/results?search_query=Black+Hat+2010+barnaby+jack>

------
GigabyteCoin
I remember watching Barnaby's video when it first came online in 2010 and was
wowed like the live crowd.

Thank you for such a detailed follow up.

------
MiguelHudnandez
> [My company's ATM] was just the most conveniently available to purchase on
> the web and be delivered to his home. Note to our salespeople: for security
> purposes, please make it more difficult to purchase our product.

In this sentence, the author mistakes _obscurity_ for security.

~~~
waqf
In this comment, the author mistakes irony for idiocy.

~~~
MiguelHudnandez
I beg your pardon. It seemed to me like the author dropped the sarcasm near
the beginning of the write up and he actually thought denying individuals
access to the equipment would make it more secure.

------
JabavuAdams
Well-executed humble-brag marketing.

------
dfc
_"Note to our salespeople: for security purposes, please make it more
difficult to purchase our product."_

This guy still does not get it...

~~~
ssdsa
I'm sure this was meant as a joke.

~~~
dfc
Really? For more context here is the entire paragraph:

_"Barnaby chose my company's ATM arbitrarily, it was just the most
conveniently available to purchase on the web and be delivered to his home.
Note to our salespeople: for security purposes, please make it more difficult
to purchase our product."_

~~~
Lewton
Yes, really. The whole article is thick with sarcasm and jokey stabs.

~~~
dfc
The whole article is thick with sarcasm? The only other bit of sarcasm/joke in
the last nine paragraphs is that the author booed/jeered Barnaby when he came
to the stage. If "the whole article is thick" with sarcasm, why is the last 37%
so straightforward and not funny?

~~~
jacalata
It comes directly after the line 'Barnaby is from New Zealand and I'm from
Australia, and trans-Tasman friendships are regarded as treasonous', which FYI
is also a joke.

