
ATM operators eye Linux as alternative to Windows XP - gphilip
http://www.computerworld.com/s/article/9247096/ATM_operators_eye_Linux_as_alternative_to_Windows_XP
======
cnvogel
The main factor here is probably not the technology of Windows XP (which
certainly is up-to-par for the problem at hand), but the possibility for
vendors to absolutely custom-tailor a computer OS, stripped down to the bare
minimum of running the ATM, and, if necessary, provide all the service needed,
down to the kernel.

And currently it's pretty easy to do this, with build-scripts and
infrastructure in place. Maybe even using a tailored Android?

But then I somehow doubt that the industry would take that opportunity: I've
seen my share of "embedded" devices (signage, control-room displays) where the
vendor just slapped their proprietary .exe in Autostart and left the vendor-
supplied Win-XP + nagware + never-updated virus scanner + ... intact.

Why? Because people in industry are lazy (they should be, maximizing their
ROI, doing as little work of their own as possible), and so going the same
route, but with an 8 year old Ubuntu, will not gain anything.

~~~
mcv
It's always amazed me that they used Windows. Why would an ATM ever need a
full-blown OS like that? The requirements are totally different from a desktop
PC.

~~~
RogerL
I've done that with hardware that got installed in a factory.

Why not? You pay a one-time, small license fee, you get years of free support
from a major company, I don't have to document all the details of my stripped
down kernel and how to recreate it, you can hire anybody off the street to
work on it long after I am gone (and I am long gone from that company, but the
hardware lives on), they didn't have to pay me to build out a unique OS, the
low power computer we had could more than handle XP, there was (and continues
to be) continued new, unknown requirements and upgrades, the people required
to occasionally touch the interface had more PC experience than for any
embedded or linux OS, and on and on.

Why wouldn't I slap a copy of XP on there? Well, this story is the
counter-argument, of course. I still think it was the right decision.

~~~
_greim_
They took the path of least resistance and it paid off until now. Now that
path is a dead end and they face a painful upgrade. But arguably it was still
worth it in the long run.

~~~
ChuckMcM
This seems the most salient point. At some point someone said "What if XP
isn't supported?" and someone else said "Well we'll deal with that when it
comes, but for now we've got a product to ship."

------
Theodores
They should just go straight to Android - nice touchscreen drivers, 3G, that
Dalvik thing - what more is needed apart from a few device drivers to spit the
money out?

~~~
Nux
How well does Android fare on x86? (I'm assuming that's what most ATMs use)

~~~
josteink
Very well. It does better than most versions of both Windows and Linux as far
as smoothness and responsiveness go. It runs well on far fewer resources.

It does have some quirks when trying to use it with software designed for
swiping in mind and a keyboard and mouse, but that's probably not going to be
an issue here.

I say Android could be a good choice, and it will also give them a migration
path from x86 should they later on want to.

------
adamnemecek
April 8 is the EOL date for standard XP; for XP Embedded (which is what most
ATMs run, and the article suggests it too) it is Jan 2016.

~~~
ZenoArrow
Part of this is confusing for me. Standard XP support ends on April 8th, so no
more bug/security fixes. However, I imagine most of the bug/security fixes for
Embedded XP will more than likely still apply to Standard XP. What is there to
stop people continuing on Standard XP with Embedded XP fixes?

~~~
joosters
Because they won't have been tested on standard XP. Microsoft will no longer
be doing all the hard work of validating OS patches to ensure that they run
correctly and have no unwanted side effects.

You could install one of these patches and it totals your machine. Now what do
you do?

~~~
ZenoArrow
But the thing is that XP Embedded is still XP, in fact it's just a modular
version of XP Pro...
[http://en.wikipedia.org/wiki/Windows_XP_editions#Windows_XP_...](http://en.wikipedia.org/wiki/Windows_XP_editions#Windows_XP_Embedded)

As for totalling your machine, you'd do the same thing you'd do if you
installed a flaky update now, i.e. a system restore.

~~~
joosters
And then what? Not install the update?

The difference is, if you were running a supported version, then you could get
MS to help you solve the update installation. But with the unsupported OS, all
you can do is skip the update. And then you're back in the realm of an
unpatched, insecure OS.

~~~
ZenoArrow
The updates are being applied to the same components found in XP Pro. XPe is
essentially an nLite-customised XP Pro with a support contract. If Windows
Updates worked for nLite-customised XP, then I can't see XPe updates being
majorly different.

------
Nux
The news should be about anyone serious still running Windows (XP!) in ATMs.
Why everyone hasn't switched to Linux or BSD 10 years ago is a wonder.

Last year I saw an ATM stuck in a reboot loop of some kind running OS/2. It
was the first time in my life I saw this OS and probably the last.

~~~
tluyben2
Even more scary: why do almost all consumer and non-consumer screens like
airports, train stations, info screens, army rugged laptops, missile guidance
systems, most nuclear reactor systems, medical equipment etc. run some form of
Windows? That's really what I will never get; I hear the excuses from people
which I already typed out elsewhere, and I know these are bullshit these days.
So it must be some kind of MS infiltration tactic? What can they actually
offer, I wonder, besides a 'safe name'? Maybe that's just all there is to it?

~~~
danieldk
I think support. You have to remember that the first Red Hat Enterprise Linux
is from 2002. Back then, the old UNIX vendors were in steady decline, but the
freshness of enterprise Linux probably made potential customers wary.

Nowadays, things are really different. Red Hat is large and has a solid track
record. IBM has shown its support for Linux over an extensive period. SUSE is
now in the hands of a huge IT company.

Consequently, I don't think there is a good excuse in 2014 not to seriously
evaluate Linux. In fact, it should be (and often is) the standard option for
embedded devices.

~~~
brokenparser
_> SUSE is now in the hands of a huge IT company_

Which one are you referring to?

~~~
danieldk
[http://en.wikipedia.org/wiki/Attachmate](http://en.wikipedia.org/wiki/Attachmate)

~~~
brokenparser
Ah, I thought SUSE was split off into its own company back when they acquired
Novell.

------
nacos
Some banks would have liked to migrate a long time ago, but some ATM vendors
are not very cooperative: their XFS [1] interfaces were not compatible with
new versions of Windows... That's the problem when you are stuck with a
locked-down platform.

[http://en.wikipedia.org/wiki/CEN/XFS](http://en.wikipedia.org/wiki/CEN/XFS)

~~~
frik
The Wikipedia article links to the official website, though the page is gone
(SharePoint error message):
[http://www.cen.eu/cenorm/sectors/sectors/isss/activity/banki...](http://www.cen.eu/cenorm/sectors/sectors/isss/activity/bankingsoftware.asp)

What's the new page? Their CEN website is a bit confusing.

------
joesb
Unless they establish a new Linux distro, say ATMLinux, which most ATM
operators pay to maintain and contribute to, it's going to be interesting how
it will work.

I assume each operator paying a different open-source shop of their choice is
going to be more problematic than all of them paying only Microsoft.

~~~
e12e
I'm guessing they'll just fork something and keep using the same kernel for
"50" years, ignoring security updates. "Install this tgz as base system, add
your config".

What's the attack surface anyway, the modem drivers? It really, really
shouldn't be possible to overflow anything using a "custom" card, or the
number pad... (I do sometimes wonder about hostile smart card code for chip
and pin, though...).

~~~
stinos
_the same kernel for "50" years, ignoring security updates_

Well then, don't they have the exact same problem as they do now with MS? Or
more generally: are the update cycles of a typical Linux distro that different
from Windows'? I.e. can you really get security updates for such a distro 20
years after it was released? That would mean the only benefit of choosing
Linux is that there are possibly fewer security issues to begin with, while
the article seems to claim the problem is all with the update cycle.

~~~
e12e
I (somewhat laconically) implied that the vendors could care less about
security, if they could get away with stability and low maintenance cost.

More seriously, with a truly stripped down free software solution (be that
Linux or *bsd founded), you can have a pretty good idea of exactly what code
you are running.

Current Linux might actually be a pretty poor choice, given the high rate of
change in the kernel (which tends to drag a lesser, but noticeable change in
userland). A few years ago 1.3 kernel might have seemed a sane choice to build
such a system on (along with busybox, minimal init etc).

Anyway, the idea would be to get a reasonably audited core system (mostly
userland) and a kernel - and then only ever update drivers, and/or add
functionality.

Personally I'd be a lot more confident doing that on Linux (or BSD) than on
Windows XP, even if given source access (would you really want to compile the
needed bits of XP kernel+userland to run on your embedded stuff? The thought
scares the beejeezes out of me).

------
hartror
As usual the uptake or not of Linux for this or any other use case will be
moderated by quality drivers or the lack thereof.

~~~
ars
Linux drivers are no longer much of a problem, and haven't been for a while.

Linux is having trouble shaking off its old reputation though.

~~~
tluyben2
The question is if anyone has gotten their hands on the few different ATM
machines hardware-wise and wrote Linux drivers for them. Basically the market
for these, magstripe and EMV cards is very much a Windows market => at least
most of the US providers of services, backends, software etc. for this all are
almost entirely Windows based. And therefore the manufacturers, although it
would be easy for them, have not much incentive to deliver proper drivers. I'm
not saying it's a big problem per se, but it might make people nervous anyway.

They also need to be compliant, and that can take long on new software, so
they would need to pull in a provider who already has the compliance in some
related areas (probably Red Hat has) and then try to tape on the extra
compliance needed for the new software, drivers and the whole combination.

All in all, it's all very possible, but I think going public with all of this
is unfortunately just a trick to get MS to play. I hope it's not, as I have
always wondered, as a software engineer who created banners, POS systems and
information panels (I don't know the proper English jargon for these; I know
the Dutch names, but like the panels you see at events, train stations,
airports :) why they are not using Linux for everything anyway; everyone
always cries about drivers, but those have been a non-issue already 10 years
ago. 'They are used to writing software on Windows' has also always been a
non-issue; these apps are complete, fullscreen apps which are the only thing
running next to the kernel and a few drivers on these systems. They are almost
always completely custom drawn and, like 2D games, that means the difference
between Windows and Linux is not really there and hasn't been for many, many
years now. You can run SDL straight on the framebuffer and make a _tiny_ Linux
distro with your software/drivers to run on it.

We sold Linux POS systems over 10 years ago; built on C & Tcl/Tk, they were
faster, easier, cheaper, and nicer than the Windows versions at that time by a
long shot. There is 0 reason why you wouldn't do this, but people are ignorant,
and unfortunately many of these people are coders; like people are stuck on
Linux & Mac, a lot of people are stuck on Windows and lose sight of what is
better for the customer (over 10 years ago that would have been stability and
price; both _much_ better under Linux) while peddling the 'everything is
better under Windows'. I would not expect that from smart devs, but heh, here
we go :)

~~~
Nursie
While the POS and ATM systems themselves often run Windows, Linux is quite
often already in the picture.

That EMV terminal that's talking to the Windows host might just be running ARM
or MIPS Linux.

(yeah I work on this stuff...)

~~~
tluyben2
I work on the card creation/manufacturing (EMV) side and this is good to know;
people always send me Windows stuff and while I don't mind I always wonder if
there is a sane reason for it (there seems not to be).

~~~
Nursie
Huh, one of the few parts I've never touched - I've worked on acquirer and
issuer systems, retail-level switches, POS payment subsystems and lately
embedded reader/terminals, but not on what goes on inside the card itself.

I never really wanted to go back into payment systems and had a few years away
from them, but it turns out that when you've written an EMV L2 kernel people
want to employ you for that sort of stuff again...

------
_greim_
So are ATM machines monolithic devices where you have to scrap the entire
thing if you want to upgrade the OS? Or do you open a door in the side, remove
the old computer and hook up a new one, and as long as you have the drivers
that same cash dispensing and receipt printing hardware will continue working?

------
geekxworld
Seriously? This is happening now?! ATMs are supposed to be secure, so why
the hell are they running one of the OSes with the most security loopholes
even now?

That too Windows XP, which has been deemed the most insecure OS in the
world! It's long overdue for them to switch to Linux!

~~~
kyberias
Are you seriously suggesting that Windows as an operating system has some
serious holes that have made it insecure as an ATM OS? Care to elaborate which
those holes have been and how they have been exploited in the ATMs?

~~~
tsahyt
I came across this yesterday. Not necessarily just exploiting a Windows
security hole though.

[http://media.ccc.de/browse/congress/2013/30C3_-_5476_-_en_-_...](http://media.ccc.de/browse/congress/2013/30C3_-_5476_-_en_-_saal_2_-_201312271600_-_electronic_bank_robberies_-_tw_-_sb.html)

------
frik
I saw a Windows 95 blue screen on a Siemens Nixdorf ATM with a CRT monitor
two years ago.

The operators (Germany, Austria) say they are not connected to the "internet".
I wonder if they use a separate telephone-line-network or just use
VPN/firewall.

~~~
ExpiredLink
They have their own network, no "internet".

~~~
thirsteh
Barnaby Jack showed how much that isolation is worth at DEF CON a few years
ago:
[https://www.youtube.com/watch?v=htDMu7USsZQ](https://www.youtube.com/watch?v=htDMu7USsZQ)

------
NDizzle
I still know of one ATM (Bank of the West - Walnut Creek) whose ATM runs
Microsoft Network OS 2.01. (or maybe 2.1?)

I think that's OS/2 - it looks like DOS with tcp/ip. The copyright on the
screen states 1992.

------
shmerl
Good development which really had to happen earlier. As usual, MS shot
themselves in the foot.

~~~
orf
By marking an ancient OS that everyone should have moved off as obsolete? It
is the ATM manufacturers' fault for accruing so much technical debt.

~~~
shmerl
By not being able to provide flexible updates the way ATMs need. Custom Linux
distros can easily enable that. So it's good they realized that sticking with
MS is a bad idea.

~~~
kevincrane
They did provide flexible updates, for like ~10 (ish) years. They're done
doing that now and everyone should be well aware already.

~~~
shmerl
With Linux no one can pull the plug. Here, they are at MS's mercy. So they
learned their mistake the hard way.

Naturally, even supported versions of Linux like Red Hat's etc. have an EOL
date support-wise. But in the worst case, if some company is stubborn enough to
stay on the old version for whatever reason (which might be valid for them),
they can take the code and support it themselves. With Windows it's not
possible. So open systems have a clear advantage here.

~~~
orf
Great, let's support companies who like to run financial software on ancient,
insecure and decrepit platforms and who don't want to invest in pulling their
software into the 21st century.

Microsoft has offered an embedded version of Windows since 7, and say what you
will about Windows, but its backward compatibility is second to none. If they
can't or won't move to a more modern, secure OS (after 10+ years) then I would
argue that they shouldn't be trusted to make ATMs.

~~~
shmerl
While their reason was wrong (not taking care of upgrading in time), their
outcome was right: they're considering ditching Microsoft ;)

~~~
orf
Great, now they can stick their ATMs on a 2.6.x kernel and not touch it for
another 10 years. Everybody wins, right?

~~~
shmerl
In general yes, since it won't make it any less secure than it was already.
But it will reduce MS's grip on the market. Those who really cared about
security didn't even use MS to begin with anyway. Having a black-box closed
source system with who knows what kind of backdoors as an ATM OS? Sounds
bizarre if you think of it.

~~~
kevincrane
> Those who really cared about security didn't even use MS to begin with
> anyway.

I don't know enough about this field to comment definitively, but I have to
imagine that if one industry cares about security very, very deeply, it's the
one that makes machines that give away money when you have a card with a
magnetized strip and you push the right buttons. I'm willing to bet that the
Windows XP that lives inside an ATM is not the same one that you buy from New
Egg to play Half-Life.

------
dn2k
they just skipped a decade...

------
aaronchriscohen
It's more customizable, more secure, and free. Really hard decision.