95% of ATMs Worldwide Are Still Using Windows XP 346
BUL2294 writes "95% of the world's ATM machines are still running Windows XP and banks are already purchasing extended support agreements from Microsoft. (some of the affected ATMs are running XP Embedded, which has a support lifecycle until January, 2016). 'Microsoft is selling custom tech support agreements that extend the life of Windows XP, although the cost can soar quickly—multiplying by a factor of five in the second year, says Korala. JPMorgan is buying a one-year extension and will start converting its machines to Windows 7 in July; about 3,000 of its 19,000 ATMs need enhancements before the process can begin...'"
Price? (Score:5, Insightful)
The Market? (Score:2, Insightful)
If there is that big of a market why is nobody selling/buying a replacement OS already? Particularly one cheaper than windows.
What about OS/2? (Score:1, Insightful)
It seems every article that mentions OS/2 makes mention of how entrenched it is in ATMs...
should have gone with a browser... (Score:4, Insightful)
I never understand why ATM's dont use HTML/SVG and then the OS is replaceable as a browser is the interface and a HTTP server security is well understood and network security would be part of a core competency
thoughts ?
john jones
Windows.. (Score:5, Insightful)
Is a bad choice anyway. Not just a Microsoft bash, but aside from all the security issues, windows is XP is a desktop platform, not a OS to be putting on dedicated devices ( even the so-called embedded version really isn't any more appropriate for this, don't let the marketing folks fool you )
An ATM should be running off a custom embedded OS targeted for this purpose, not a commodity OS.
Re:Windows.. (Score:5, Insightful)
An ATM should be running off a custom embedded OS targeted for this purpose, not a commodity OS.
It is... it's called XP Embedded, as outlined in the summary. And yes, bank machines were a major target during XP Embedded's design phase.
Of course, it would make MORE sense to use an embedded OS where the banks/ATM manufacturers have full access to the source.
Re:Go to 8 (Score:5, Insightful)
Re:Global Financial Collapse (Score:5, Insightful)
Actually, that doesn't worry me nearly as much as Windows for Warships.
Re:The Market? (Score:5, Insightful)
Because Microsoft can be sued if they need to?
Ah, no. Not going to happen.
Your hardware, you installed the software,
You managed it for the last 10 years,
You probably didn't apply patches...
No way that ever gets a dime out of Microsoft in court.
Re:The Market? (Score:4, Insightful)
Re:Price? (Score:5, Insightful)
"The cost of the support agreements, would still be less than the replacement of several thousand ATMs and internal systems."
It won't. Is this extended support going to avoid XP from being replaced? I bet not. Therefore paying for the extended support *plus* replacing is certainly going to cost more than just replacing.
"There is a reason why people do this, and it's not just lazyniess.."
It *is* lazyness.
The very day they started deploying XP they knew that would come to an end for the very reason they were using a closed-source license-based operating system.
Paying through the nose now for something they knew it was coming but didn't nothing in time is the very definition of lazyness.
Re: Wow. (Score:2, Insightful)
Most people who comment on Microsoft stories here are clueless about the company's product portfolio, customer base, policies, and competitive status. Not saying that you're one of them though >:)>
Re:Windows.. (Score:5, Insightful)
Is a bad choice anyway. Not just a Microsoft bash, but aside from all the security issues, windows is XP is a desktop platform, not a OS to be putting on dedicated devices ( even the so-called embedded version really isn't any more appropriate for this, don't let the marketing folks fool you )
An ATM should be running off a custom embedded OS targeted for this purpose, not a commodity OS.
Who is going to write, maintain, and keep secure this custom OS?
The trouble with custom embedded OS's is that, in spite of the best intentions to limit their scope, they almost always need more features than can be written from scratch by a small team and be obviously secure. So they port code from more commodity OS's. Due to limited resources, the code in the embedded OS tends to fall behind. The porting effort can introduce bugs too that are non-obvious to the guy doing the port because he doesn't fully understand what he is porting.
Re: Price? (Score:4, Insightful)
Your spewing FUD.
Google, Amazon, IBM, and even Microsoft themselves are all HUGE Linux users.
Big business isn't afraid of Linux.
Re: Price? (Score:5, Insightful)
What a load of shit. Some of the biggest corporations in the world use Linux.
IBM demonstrated quite nicely what happens when some patent troll tries to shut down Linux.
Re:Price? (Score:5, Insightful)
I feel a lot of it has to do with a corporate mentality of holding everything blameless with contracts which have to be signed off on before the business will do anything. "Hold Harmless" seems the byword of the day.
I have tried to use Micrium's uC/OS [micrium.com] products, based mostly on their certifications for mission critical affairs such as aircraft and life support [micrium.com]. For me, this thing is like a "Super Arduino" for embedded applications.
Business will pay for people to play down everything the "leadership" type does not understand, and personal experience tells me that if I do not recommend Microsoft, I will not get the job. Regardless of my belief and experiences to the contrary. Its been my observation that once one gets high enough in corporate hierarchy, one is forced to play CYA, and the only way to play is find someone else to pin the blame on if things go sour - better yet be able to blame someone big - so the guy who hired them does not take the fall for it.
There seems to be a trivial amount of effort expended to mitigate the probability of a breach in the first place.
I am not trying to shill for Micrium - I just like their product and their philosophies of supporting an OS. It is all quite well documented [amazon.com] ( link to the book I use all the time ).
NetBurners run this code. This had been the most robust system I have ever studied, yet I find few people who are willing to let me implement it - and for now it runs on a machine I have for my own edification.
My own feeling if anyone wants to hack a bank ATM, go for it. No one's responsible, its just another ledger entry to the bank. If the thing gets too out of hand, the government will make it up to them.
Re:Obvious choice I think (Score:3, Insightful)
Well, in a way you may be right. WinXP is so old and so well understood now, that pretty much all possible attack vectors are known and can be defended against. Knowing your enemy is important.
Can't say that much of other OSes, like Linux or Win7. They are not as well known by ATM builders. And that's just the OS, not the software running on it and doing the actual work (interfacing with the user, with the bank, dispensing the money, etc), which would have to be rewritten from scratch (all of it, including the UI the drivers) if moving to Linux or BSD, and would need at least thorough testing if deployed on a newer version of Windows, with the drivers possibly needing a rewrite.
Re: Price? (Score:4, Insightful)
no one bothers hacking 1000 machines
They do if /dev/cash
# eject
spits out ten $20 bills at a time.
Re:Let me laugh even harder... (Score:2, Insightful)
They booted those systems off USB in order to rob them.
If you give somebody physical access to hardware that will boot off arbitrary media, it doesn't really matter what the underlying OS is. It's not because they were running XP, it's because they had USB.
Re:Price? (Score:5, Insightful)
Stop and think what using Linux would mean for them for a moment. They would have to pay hardware manufacturers to provide Linux drivers, or write their own. Those ATM NICs are proprietary and use certified encryption, so it's not even just a case of hacking some code together, it needs expensive certification as well.
They would also have to employ some experts to do OS level support for them. They are not paying Microsoft for security patches, this is an embedded system. They are paying for technical support when they have issues. That cost would probably be close to what they would have to pay some Linux experts, and they wouldn't have any other company to blame when things went wrong.
I'm not saying Windows is definitely a better solution, but Linux isn't as wonderful as you think either. No matter which one they picked they would have issues, but it an ancient Linux kernel that needs support or an ancient Windows kernel that needs support.