American Samizdat

Friday, December 12, 2003.
So much for Diebold's claims that its e-vote machines are secure. It seems that not even their widely-implemented ATMs can withstand the onslaught of dedicated hackers.

OK, the Diebold ATM people are not the Diebold people who make their e-vote machines -- they're in totally different divisions of Diebold. But here's why it still matters.

Diebold ATMs used to use IBM's OS/2 operating system, but changed over to Microsoft Windows at the urging of their banking customers (for reasons discussed in this article). Diebold Election Systems has always used the Windows operating system (CE) for its e-vote machines.

In vulnerability terms, there is probably nothing inherently wrong with the Windows operating system that is not probably (in some fashion, at least) also wrong in other operating systems. Windows vulnerabilities instead are a function of its own great success; if you are going to spend time hacking, chances are that you are going to try hacking where it will have the greatest effect; i.e., Windows, a victim of its own success. Security experts agree. Diebold's move to Windows for their ATMs was an "horrendous security mistake", literally an invitation to hackers.


Allow me to get technical. The only thing an operating system offers any computer is an ability to multi-task (run multiple programs simultaneously). Single-use computers (ATMs, e-vote machines, etc.) simply do not require operating systems. The only reason they are used on single-use machines is for cost considerations.

In addition to providing a multi-tasking environment, today's operating systems also come bundled with useful subroutines (in Windows, ".dll" file extensions, a.k.a. application extensions). Subroutines do lots of great things. They refresh your monitor's display, accept keyboard input, manage communications over a modem, and a great deal more. But they can be implemented regardless of the existence of an operating system, and indeed, we did so in the early days of computers. So the manufacturers of single-use computers use operating systems merely for the convenience of the subroutines they provide.

The bottom line is that single-use computers have no need for an operating system. Every functionality demanded of them can be provided without one. While an operating system can also provide communications interfaces (subroutines) at a low cost, the very vulnerabilities offered by operating systems should preclude absolutely their use in single-use secure applications.

And I used to bill $500/day for this. Go figure.

posted by Mischa Peyton at 1:57 PM