60 Comments
- mithrasinvictus, on 06/30/2009, -1/+47
i bet it's diebold

- ausfahrt, on 06/30/2009, -1/+39
Come on baby come on baby .... easy money
http://farm1.static.flickr.com/170/475472885_5f1b1 ...

- jobeus, on 06/30/2009, -1/+27
Hopefully he just posts it online instead... Please? ;)

- GreenNoise, on 06/30/2009, -1/+24
"Diebold ATMs, one of the most popular brands, runs on a Windows operating system, as do some other brands of ATMs."
Why am I not surprised...

- vulcanius, on 06/30/2009, -3/+18
I'd be curious to know the interaction that Juniper/Jack had with this vendor before they scheduled the talk. Did they bother to disclose the vulnerability to the vendor or were they just planning on being cowboys about it? The latter is obviously unethical and in my opinion negligent.

- tunafizzle, on 06/30/2009, -0/+14
Barnaby Jack
Somewhat badass of a name.

- kenlaw, on 06/30/2009, -1/+15
Taken from Wikipedia:
Jeff Dean, Senior Vice-President and Senior Programmer at Global Election Systems (GES), the company purchased by Diebold in 2002 which became Diebold Election Systems, was convicted of 23 counts of felony theft for planting back doors in software he created for ATMs using, according to court documents, a "high degree of sophistication" to evade detection over a period of two years[4]. In addition to Dean, GES employed a number of other convicted felons in senior positions, including a fraudulent securities trader and a drug trafficker[5].
In December 2005, Diebold's CEO Wally O'Dell left the company following reports that the company was facing securities fraud litigation surrounding charges of insider trading[6].

- kenlaw, on 06/30/2009, -1/+11
Take a look at the Diebold management. Many are CONVICTED felons.

- magic6435, on 06/30/2009, -0/+10
yes they would.

- johnwes16, on 06/30/2009, -4/+14
If he offered to help the company fix the problem first, but was ignored, then he has every right to go public with the information.
But if he didn't even give them a chance, then I would agree he has no right to release a guide or even an outline on how one would do this. I mean, I honestly don't know the answer to this question, but would someone be allowed to hold seminars on how to rob a bank?

- kingmanic, on 06/30/2009, -4/+13
Security through obscurity is very poor security. At this point we don't know if the ATM producer is actively trying to patch that hole or even knows of it. It is pretty serious and if the info got out too far before they could patch it they might lose some money BUT the public knowing about the problem would prompt them to fix it fast.

- kevincw01, on 07/01/2009, -0/+8
All the BofA ATMs are the new Diebold Windows OS ATMs. Some of the alert tones are actually re-used Windows wav files stored in the Windows system directory. I wouldn't use that OS for secure applications because you cannot control all aspects of the operating system -- you have to rely on Microsoft. This is why there are embedded OSs out there that are traditionally used. You could even use Linux because you're able to modify/tailor any of its functions.

- haikuFU, on 06/30/2009, -0/+8
ATM machines are crap. I used to work with them and found numerous flaws, which were all verified by a Diebold engineer that I knew. As far as I know, none were ever addressed. But this was back when Diebold ran OS/2 on their ATMs, not Windows. And the attacks were not directly against the OS, but rather on the communication channel.

- PsychoBrat, on 07/01/2009, -1/+8
But people *should* be able to say to other people "oh, hey, {manufacturer of your locks} is putting out a broken product, so don't buy it -- here's my proof".
If nobody goes public on these things, the vendors drag their heels.

- wmorrow, on 07/01/2009, -1/+8
Maybe because IBM finally killed OS/2 Warp and almost forced them to go with Windows?

- inactive, on 06/30/2009, -0/+7
Maybe if they hired a team of programmers (and/or hardware engineers) instead of lawyers, they'd be able to fix the ATMs.
Better yet, if they had hired the right software and/or hardware people at the start, they wouldn't have this problem. Considering the ATM fees they charge, they should be able to afford the best employees available.

- bluenile, on 06/30/2009, -1/+8
Jackpot - I could do with some.

- SpudDuffer, on 07/01/2009, -0/+6
Perhaps the ATM vendor feels that by not discussing the problem, it will go away. If the helpful hacker were to disclose the vulnerability, then the problem would have to be addressed immediately, thereby securing the cash from exploit. Rest assured, the ATM vendors have our best interests at heart, not their own?

- caramba421, on 06/30/2009, -8/+14
Good. Maybe then I can get back some of my tax money from the multi-billion dollar money orgy they are having at our expense.

- anonymousmedic, on 06/30/2009, -4/+10
Knowing that this is the Black Hat conference, it was probably withheld until he announced it as the topic.
Basically, he utterly trolled Diebold.

- SpudDuffer, on 07/01/2009, -0/+6
A fine example of "Backwards Thinking", if there ever was one. I hope you are never in charge of MY security!

- Choobie, on 07/01/2009, -0/+6
If you actually read the article, it explains that the vendor already knows about the vulnerability (presumably from Juniper/Jack) and had already patched it on most of the ATMs that they provided. The ATM vendor just wanted a little bit more time to finish the patching before the talk is given.

- xenuxenuts, on 07/01/2009, -0/+6
I'm not sure who dugg you down. IBM killed OS/2 and most if not all ATMs used it.

- palmer, on 07/01/2009, -0/+6
And what did he use? Yep, an Atari Portfolio.
http://oldcomputers.net/portfolio.html

- haikuFU, on 06/30/2009, -0/+6
They sometimes can tell who was overpaid and they will take the money back out of your bank account. They loaded a machine with $100s in Vegas at a place I was working, and it was programmed to think it had $20s in it. People withdrew thousands of dollars each, but it all came back out of their bank accounts, and the ones that didn't have the money were sued.

- mantis108, on 07/01/2009, -0/+5
I think you're thinking of election-fixing machines. That exploit was unchecked in the wild from circa 2000-2004.

- kinerry, on 06/30/2009, -2/+6
Sweet, keep blinded. I'll get rich that way.

- hawkspur, on 06/30/2009, -2/+6
Law of unintended consequences.

- PsychoBrat, on 07/01/2009, -0/+4
Unfortunately a lot of vendors will drag their heels unless there's a threat of public shaming such as this.

- lepetitmousse, on 06/30/2009, -0/+4
This one time, I tried to get 40 dollars from an ATM and it gave me 120. I didn't return it. :(

- jjesusfreak01, on 06/30/2009, -1/+5
Now why would you say that?

- palmer, on 07/01/2009, -0/+4
Diebold also spent a lot of time touting their "triple-DES" encryption between the keyboard and the processor. Even years ago the natural reaction to that was, "So what?" The obvious maneuver was to put a fake front on the machine and physically intercept the transaction. And of course that's exactly what people did.

- dolemite01, on 06/30/2009, -0/+4
A few years ago this happened with a guy revealing Cisco vulnerabilities. The irony of the situation:
"At the end of his talk, Lynn asked the audience if anyone wanted to give him a job. Juniper Networks, the company now responsible for pulling the Barnaby Jack talk, hired Lynn shortly thereafter."

- ausfahrt, on 07/01/2009, -0/+3
That 128 kB mem card is hot.

- aychseven, on 07/01/2009, -1/+4
"a crackers conference?" Um, sorry, but Defcon is a little further up the road, buddy.

- theaceoffire, on 07/01/2009, -0/+3
Well for one thing, he hasn't leaked it online.
If he was trying to be a douche, he could have put it on LiveLeak and it would be un-undoable.

- palmer, on 07/01/2009, -2/+5
if it WERE broken

- anonymousmedic, on 06/30/2009, -4/+6
I'm not arguing for security through obscurity. I'm arguing he had an obligation ethically and morally to report the flaw to the ATM company before going public with it at a crackers conference.

- orangefly, on 06/30/2009, -1/+3
Automated Teller Machineyolatrolamatons aren't secure....???....

- Chaotyk, on 07/18/2009, -0/+2
You are confusing "hated" with "thrives on."

- JohnnySoftware, on 07/09/2009, -0/+2
I don't think a keyboard logger and/or keystroke spoofer would care. It would just end-run around the code that did the encrypt/decrypt. Most of the time, the processor is what is doing the encryption/decryption.
I have lost track of the number of kiosk systems running on MS Windows I have seen crashed. A couple of months ago the ones at the gas pumps had crashed.
I would say that an OS used in myriad DDoS attacks like the one going on this week is not safe. Putting banking software on it does not seem like it would make it safer.
If the technology existed to make certain operating system(s) secure then it would have been done a decade ago and this would have been quiet since 1999.
Yeah, the malware targeting Diebold is already out there and it even harnesses the ATM's resources to divulge the information, according to this article in The Register:
http://www.theregister.co.uk/2009/03/17/trojan_tar ...

- senae, on 06/30/2009, -5/+6
Because it's the most widely used OS?

- afx1, on 06/30/2009, -0/+1
excellent

- hadak, on 06/30/2009, -0/+1
It must have been the multiples of 3 day!

- lepetitmousse, on 07/03/2009, -0/+1
I checked my balance, it never withdrew the 100.

- Gr1nch, on 06/30/2009, -0/+1
1. Insert ATM card
2. Hit Withdraw 40
3. ????
4. PROFIT!
....
5. Check balance, make sure it didn't overdraft.
optional: 6. If 5.=true then 1.

- 4rp4n3t, on 07/07/2009, -0/+1
How do you know he didn't report the flaw to the manufacturer?

- JohnnySoftware, on 07/09/2009, -0/+1
I thought big business hated lawsuits?

- 0firefly0, on 07/15/2009, -0/+1
Wait, wait.. you read the article too!?
We should hang out.