Linked by Thom Holwerda on Sun 23rd Mar 2014 22:58 UTC
Linux

Some financial services companies are looking to migrate their ATM fleets from Windows to Linux in a bid to have better control over hardware and software upgrade cycles.

Pushing them in that direction apparently is Microsoft's decision to end support for Windows XP on April 8, said David Tente, executive director, USA, of the ATM Industry Association (ATMIA).

"There is some heartburn in the industry" over Microsoft's end-of-support decision, Tente said.

Say what you want about Microsoft, but when it comes to clear and well-communicated support cycles, they belong at the very top. This is the ATMIA's own fault for not properly getting ready for the future even though XP's EOL has been known years and years in advance, and has even been extended a few times.

Comment by shmerl
by shmerl on Sun 23rd Mar 2014 23:24 UTC
shmerl
Member since:
2010-06-08

Even though it's "their own fault", in the end they came to the right conclusion - Microsoft is not needed for making operating systems for ATMs.

Edited 2014-03-23 23:25 UTC

Reply Score: 2

It basically comes down to two things
by someone on Sun 23rd Mar 2014 23:29 UTC
someone
Member since:
2006-01-12

1. If it ain't broke, don't fix it
2. MS doesn't have any current offerings that fit the ATM market

Edited 2014-03-23 23:30 UTC

Reply Score: 1

bhtooefr Member since:
2009-02-19

Actually, Microsoft DOES have an answer for ATM operators that need to stay on XP, even - Windows Embedded POSReady 2009.

And it's supported for several more years, it hits end of support 2019-04-09.

(Not that clinging to XP like your life depends on it is a healthy behavior, but if a bank is in panic mode and can't migrate to Linux yet, they'll get a few more years with that...)

Reply Score: 7

RobG Member since:
2012-10-17

I have to wonder which idiot thought it would be a good idea to put a desktop O/S in an ATM, which is such an obvious candidate for the category "embedded".

Reply Score: 3

tingo Member since:
2007-10-13

Probably an application developer. Why do you ask?

Reply Score: 1

1c3d0g Member since:
2005-07-06

Why the f*ck would you need an "app" on a bloody ATM?!? That's what the numerous embedded O.S.'s are for!

I agree with RobG, whoever thought this was a good idea is a f*cking idiot and has no business designing/developing software for ATM's. >:(

Reply Score: 2

zima Member since:
2005-07-06

Or... they saw numerous possible usages for apps on ATM-like devices that we have today - like what pica linked to nearby: http://www.osnews.com/permalink?585160
(and remember, this started already with OS/2 ...plenty of time has passed, plenty rewrites)

Reply Score: 2

orsg Member since:
2011-02-09

One cannot expect to keep sitting on one version of a software indefinitely, especially if you are security sensitive. Fixing known vulnerabilities is one thing, incorporating modern techniques to mitigate certain kinds of problems or making it hard for an attacker to actually exploit a problem is another. In the case of XP, the whole security concept is just not up for 2014 and the future.

Reply Score: 4

Comment by moltonel
by moltonel on Sun 23rd Mar 2014 23:56 UTC
moltonel
Member since:
2006-02-24

It's hard to rejoice about a company that was happy running user-facing financial services on a decade-old desktop OS. It's the right decision for the wrong reason. They may not get an explicit EOL call from their Linux vendor after 10 years, but that doesn't mean they don't have to keep up with the release train.

If they chose Linux because they want better control, like writing their own device drivers, or maintaining their own very-long-term-support distro, then brilliant. But if they want an OS that'll never need an update, they'll only find disappointment.

Reply Score: 14

Say what you want...
by vtpoet on Mon 24th Mar 2014 00:02 UTC
vtpoet
Member since:
2013-12-31

//but when it comes to clear and well-communicated support cycles, they belong at the very top.//

LOL!!!

Don't know what fantasy land you're living in...

XP support was originally going to end long before now. They extended it. And now this:

"Microsoft today announced it will continue to provide updates to its security products (antimalware engine and signatures) for Windows XP users through July 14, 2015. Previously, the company said it would halt all updates on the same day as the end of support date for Windows XP: April 8, 2014."

Yeah... really clear and well-communicated... cause ya' never know if they'll change their mind...

...again.

Reply Score: 2

RE: Say what you want...
by judgen on Mon 24th Mar 2014 04:15 UTC in reply to "Say what you want..."
judgen Member since:
2006-07-12

The 2015 date is because they still had to support Server 2003 until that date anyways, which is essentially XP with some services added to it.

Reply Score: 3

RE: Say what you want...
by Phloptical on Mon 24th Mar 2014 22:58 UTC in reply to "Say what you want..."
Phloptical Member since:
2006-10-10

//but when it comes to clear and well-communicated support cycles, they belong at the very top.//

LOL!!!

Don't know what fantasy land you're living in...

XP support was originally going to end long before now. They extended it. And now this:

"Microsoft today announced it will continue to provide updates to its security products (antimalware engine and signatures) for Windows XP users through July 14, 2015. Previously, the company said it would halt all updates on the same day as the end of support date for Windows XP: April 8, 2014."

Yeah... really clear and well-communicated... cause ya' never know if they'll change their mind...

...again.


"updates to its security products (antimalware engine and signatures) for Windows XP users through July 14, 2015"

Yeah....gotta love that reading comprehension.

Reply Score: 2

RE: Say what you want...
by BlueofRainbow on Fri 28th Mar 2014 01:34 UTC in reply to "Say what you want..."
BlueofRainbow Member since:
2009-01-06

This is adding a bit more than one (1) year of the most critical update - antimalware engine.

This should be just about long enough for the ATM to convert/port to another OS.

Hum - what should it be?

Return to OS/2 via eComStation?

Go with QNX and enable BlackBerry devices to become mobile eATM machines of BitCoins?

Go with an embedded version of Windows?

Reply Score: 2

Using Linux to make support cheaper
by delta0.delta0 on Mon 24th Mar 2014 01:16 UTC
delta0.delta0
Member since:
2010-06-01

Easiest way to get Microsoft to lower price or extend support - Mention migration to Linux...

Edited 2014-03-24 01:16 UTC

Reply Score: 7

Fault?
by Soulbender on Mon 24th Mar 2014 03:23 UTC
Soulbender
Member since:
2005-08-18

"It's their own fault".
Exactly what is the "fault" here? It's not like ATM's have stopped working or anyone lost a lot of money because of this.
They couldn't get MS to extend XP support so they're looking at a different platform that would give them more control.
Seems like a sensible thing to do for an application that even XP is overkill for.

Reply Score: 2

RE: Fault?
by WereCatf on Mon 24th Mar 2014 07:47 UTC in reply to "Fault?"
WereCatf Member since:
2006-02-15

It's not like ATM's have stopped working or anyone lost a lot of money because of this.


Are you sure? I seem to recall there having been some sort of news about people and banks losing money exactly because someone got in the banks' systems via one of these ATM's last year.

Reply Score: 3

RE[2]: Fault?
by saso on Mon 24th Mar 2014 08:48 UTC in reply to "RE: Fault?"
saso Member since:
2007-04-18

That's because the US hasn't yet decided to move out of the stone age and switch to two-factor (chip&pin) authentication on all money transactions. This kind of attack would have been mostly impossible anywhere else in the world, as the secret key used to sign transactions never ever leaves the smartcard.

Reply Score: 6

RE[3]: Fault?
by r00kie on Mon 24th Mar 2014 13:56 UTC in reply to "RE[2]: Fault?"
r00kie Member since:
2009-12-10

Yeah sure, because chip and pin has never been proved insecure.

You probably want to follow CCC a bit closer if you care about chip and pin security.

Reply Score: 1

RE[4]: Fault?
by saso on Mon 24th Mar 2014 23:49 UTC in reply to "RE[3]: Fault?"
saso Member since:
2007-04-18

Yeah sure, because chip and pin has never been proved insecure.

Read what I wrote again. Then respond to that. I did not claim chip & pin is impervious to all attacks.

Edited 2014-03-24 23:49 UTC

Reply Score: 2

RE[2]: Fault?
by Soulbender on Mon 24th Mar 2014 12:01 UTC in reply to "RE: Fault?"
Soulbender Member since:
2005-08-18

I dunno but even so XP was still supported at that time so it was obviously not because XP was EOL'd.

Reply Score: 3

Are we talking about the right XP?
by bubba_sparxxx on Mon 24th Mar 2014 03:33 UTC
bubba_sparxxx
Member since:
2014-03-24

Don't these ATMs run Windows XP Embedded? It seems much more appropriate than the plain 'ol XP the article talks about, and its end of support isn't until January 12, 2016.

Edited 2014-03-24 03:34 UTC

Reply Score: 3

ATM support still available
by Bobthearch on Mon 24th Mar 2014 03:48 UTC
Bobthearch
Member since:
2006-01-27

Bank ATMs use Windows XP Embedded, which is supported until 2016.

Banks will also continue to use Windows XP for other functions. The only difference, they'll have to pay extra for support contracts.

Apparently some banks need three more years to finish the migration to Windows 7:

http://www.theinquirer.net/inquirer/news/2334577/banks-negotiate-ex...

Reply Score: 5

RE: ATM support still available
by tingo on Mon 24th Mar 2014 14:34 UTC in reply to "ATM support still available"
tingo Member since:
2007-10-13

XP Embedded isn't used everywhere. Many ATM's in Norway use "normal" XP, not XP Embedded.

Reply Score: 2

Bobthearch Member since:
2006-01-27

Most of the recent 'news' articles don't specify, so I wonder what % of cash registers and ATMs are on Embedded XP, and what % are running standard XP?

This article for example from Australia:

http://www.smh.com.au/it-pro/business-it/doomsday-approaches-for-wi...

With less than 20 days to go before Microsoft ends support for the 13-year-old platform on April 8, millions of machines including 95 per cent of the world's ATMs are still running on it.

About 30 per cent of Australian computers still run on XP

Reply Score: 3

RE[3]: ATM support still available
by tingo on Mon 24th Mar 2014 19:06 UTC in reply to "RE[2]: ATM support still available"
tingo Member since:
2007-10-13

Good Alternatives
by Indian-Art on Mon 24th Mar 2014 04:39 UTC

I was involved in such a decision
by pica on Mon 24th Mar 2014 07:49 UTC
pica
Member since:
2005-07-10

despite the fact the complete server infrastructure is Linux based, we decided to go for Microsoft Windows Embedded 8.x and .Net 4.5.x.

Why?

These boxes are no standard ATMs. Well, ATM functionality is provided. But that is only a small part of the functionality. As a consequence the software was quite complex. The System was coded in C# .NET 2.0. Consequently porting would have resulted in major porting efforts = major costs.

Beside a card reader, a touchscreen and a keyboard these boxes used much more devices. Some devices have been custom developed. Drivers exist for Microsoft Windows, but not for Linux based OSes. Another big cost factor.

Greetings,
pica

Reply Score: 3

etrek Member since:
2006-03-29

Sounds like an interesting project to play around with.. too bad you couldn't explore it further using technologies like mono (C#), NDISWrapper (Win Drivers) and Wine (API/LIB compatibility).

Sadly ReactOS isn't further along - that system seems perfect for this kind of thing.

Reply Score: 2

pica Member since:
2005-07-10

another detail:
Device drivers are implemented as Windows system services (http://support.microsoft.com/kb/101501/en-us). Driver and business logic communicate with SOAP over HTTP based web services. First time I saw such a solution :-)

pica

Edited 2014-03-24 11:53 UTC

Reply Score: 2

Soulbender Member since:
2005-08-18

Beside a card reader, a touchscreen and a keyboard these boxes used much more devices.


Interesting. What other devices does an ATM use? Inquiring minds want to know.

Reply Score: 2

pica Member since:
2005-07-10

http://www.dhl.de/en/paket/pakete-empfangen/packstation.html

These boxes are
* ATM
* parcel service
* DHL web shop front end

Greetings,
pica

Reply Score: 2

Bobthearch Member since:
2006-01-27

Just guessing, but they have integrated cameras to record each transaction, plus I imagine specialized and probably custom communication modems. Security stuff, like alarms and automatic locks and shut-down protection devices. Currency readers and check scanners. Receipt printers.

Reply Score: 4

General House Clean
by REM2000 on Mon 24th Mar 2014 08:45 UTC
REM2000
Member since:
2006-07-25

Here in the UK RBS especially but others such as Lloyds have been hit pretty badly with computer related issues.

http://en.wikipedia.org/wiki/2012_RBS_Group_computer_system_problem... (article from 2012 but they had another failure in Dec 2013).

It seems a general shake up is needed for the whole infrastructure, a lot of modernization.

I completely understand that financial services are heavily regulated with various compliances (PCIDSS) but surely someone high up in banking management must have been looking at all those legacy ATM's with XP, Legacy UNIX servers from the 80's and thinking we really need to do something about it.

Personally I'm still amazed that something like Windows XP is the OS of choice for an ATM, it seems so primitive when compared to the industrial stuff like QNX and Solaris. I understand why Train stations might use them for billboards but in a customer interactive environment dealing with something people are very serious about (i.e. money) to me it always seemed wrong to use such an unstable OS (I have seen plenty of ATM's crashed out on the modern UI but hardly any during the OS/2 days).

They simply need to invest heavily into the environment, see that the money spent now will save them in the future, something like QNX or Linux would provide them with something solid for years to come, both at the ATM level and at the organisation level/back office.

Reply Score: 1

RE: General House Clean
by MOS6510 on Mon 24th Mar 2014 09:33 UTC in reply to "General House Clean"
MOS6510 Member since:
2011-05-12

I don't think "primitive" is an issue. An ATM doesn't have to do much, it just has to do it secure and well. Despite XP being "primitive" I think it's overkill for an ATM and it provides a lot of attack vectors.

Linux would make much more sense. You can strip off everything that's not needed leaving just the code you actually need and nothing else that can be exploited.

My guess is XP was chosen because it was easy to develop applications for it.

Reply Score: 3

RE[2]: General House Clean
by tingo on Mon 24th Mar 2014 14:39 UTC in reply to "RE: General House Clean"
tingo Member since:
2007-10-13

FWIW, the "application framework" for applications running on ATM's in Norway (well, most of them) is Java. Yes, a JRE. So the operating system could (in theory) be anything, as long as it has drivers for all the devices in use. I don't know why XP (and not XP embedded) was chosen.

Reply Score: 2

Coin counting machines run XP too...
by rklrkl on Mon 24th Mar 2014 10:16 UTC
rklrkl
Member since:
2005-07-06

My local HSBC bank branch has an ancient coin paying-in machine (very handy when you want to cash in bowls or jars of coins because there's no commission and it goes into your bank account the same day). Bizarrely, it's so old, it didn't have a debit card reader, so you had to type your bank account number and sorting code into it (stars replacing the numbers, so you could be paying it into someone else's account if you made a typo!).

It crashed on me almost like it had a virus - screen had red vertical stripes on it and eventually became unreadable. When the bank rebooted it for me, it came up the Windows XP boot screen, which actually shocked me! So paying in machines run XP as well as ATMs...

Reply Score: 5

Comment by seanc7
by seanc7 on Mon 24th Mar 2014 16:34 UTC
seanc7
Member since:
2012-03-26

I never understood why NCR and Diebold didn't go to Linux from OS/2. It may require them to rewrite their device drivers and interface software, but it would make the machines easier to use. Generally, NCR and Diebold onsite technicians are more technical than an average person so they wouldn't have issues using a Linux-based system. Especially if they install a version of X and port their GUI tools to it.

Reply Score: 1

RE: Comment by seanc7
by pica on Mon 24th Mar 2014 19:20 UTC in reply to "Comment by seanc7"
pica Member since:
2005-07-10

There are several reasons these companies migrated from IBM/Microsoft OS/2 to Microsoft Windows:

1. same Microsoft tool chain
2. same thread semantics
3. long term product road maps

just to name the most obvious three reasons.

Greetings,
pica

Reply Score: 3

Do we really want them running Linux?
by zima on Mon 24th Mar 2014 21:05 UTC
zima
Member since:
2005-07-06

Remember: when the machines rise against us, ATMs will lead the charge. ;)

Reply Score: 3

Ignoring EOL
by deathshadow on Tue 25th Mar 2014 06:54 UTC
deathshadow
Member since:
2005-07-12

Is endemic industry-wide. In many ways I think people are STILL, even after thirty years of it, failing to grasp the notion that 3 years is obsolete, 5 years is the scrap heap.

XP hitting end of life and people NOT being ready for it despite being told time and time and time and time and time again it's coming is just another stunning example of this laissez-faire attitude and complete lack of forward planning.

You're going to see something similar in web development quite soon when PHP 6 comes along, and the "insecure by design" mysql_ functions go the way of the dodo in favor of mysqli and PDO. We've been told for EIGHT YEARS to STOP using mysql_ functions, which of course is why 90%+ of books released THIS YEAR, 99% of tutorials online, and the vast majority of systems written with PHP still use them; with no plans even on the table for the migration. It's quite literally going to take saying "Your program no longer works, PERIOD" to get people to update past 5.3; hell some people won't even update to 5.4 because their crappy outdated code hemorrhages errors like crazy on things we've been told for at least a DECADE to stop doing.

Then of course everyone wonders why there are security holes in things big enough to sail the USS IOWA through.

Reply Score: 2

RE: Ignoring EOL
by Soulbender on Tue 25th Mar 2014 10:40 UTC in reply to "Ignoring EOL"
Soulbender Member since:
2005-08-18

Well, that's because PHP is an inconsistent mismatch of C library wrappers put together in a haphazard manner by people who don't know what they're doing.
Most programming languages aren't quite as awful.

Reply Score: 2

RE[2]: Ignoring EOL
by pica on Tue 25th Mar 2014 15:40 UTC in reply to "RE: Ignoring EOL"
pica Member since:
2005-07-10

A PHP lover as myself. Nice to read I am not alone.

pica

Reply Score: 1

Windows will lose the embedded market...
by benali72 on Tue 25th Mar 2014 18:32 UTC
benali72
Member since:
2008-05-03

With free linuxes and BSDs around, I doubt we'll see critical infrastructure -- ATMs, navy ships, utilities control, nuclear panels -- using Windows in the future.

This should be the wake-up call the hold-outs needed.

Reply Score: 2

Comment by snorkel2
by snorkel2 on Tue 25th Mar 2014 20:46 UTC
snorkel2
Member since:
2007-03-06

Lazarus and Free Pascal would be perfect for ATMs.
They could run ubuntu with KDE and write the UI with
Lazarus. No need for visual studio or .net.

Reply Score: 1