Rob Chartier ~ Contemplation...

.NET, C#, Work, etc.


Windows ATMs raise security concerns...

Interesting read on XP being deployed to ATM machines...

Two things:

“sneaker net”. I haven't heard that term since my days pulling cable around my old College. Fun.

and...

I agree with the fact that every box is only as secure as the admin makes it. The OS is not the problem, it's the person attempting to secure it.

Comments

Dave said:

No, the OS _is_ the problem.

Consider the amount of salesmanship going on.... vendors, banks, everyone. Selling this 'ease of use' bit. Do you really think the 'person attempting to secure it' has any power to really explain to those bottom-line people or those who suck up this marketing just how much is involved with truly securing it?

All that end user thinks about when he/she approaches an ATM is the same thing. They'll buy into an XP-driven ATM without a single concern over ATM security. Their biggest security concerns are much more likely leaning towards how well-lit and private their transactions are.... you know, location. They'll blindly trust the vendors and banks on the implied fact that the machine itself is secure.

Sorry Rob, this is one time you simply have to put some responsibility for security - no, make that A LOT of it - on the people who write the OS.
# December 4, 2003 7:34 AM

Rob Chartier said:

"...has any power to really explain to those bottom-line people or those who suck up this marketing just how much is involved with truly securing it?"

Isn't this part of their job? They have to curb the expectations of their managers, and more importantly provide accurate estimations for work such as this.

Every machine which is going to be exposed publicly should always go through a very rigorous setup procedure. Hell, once a single ATM is locked down, the rest should be a simple matter of following a "XX Step document".

MS and friends can do their best and attempt to stay on top of issues where they are responsible, but we can never rely on them 100% for anything in securing our networks. That is not their job, nor the intention of the OS.

Just pure speculation, but wouldn't a simple hardware port blocker device and a VPN suffice for 99% of the issues that would arise? Including the W32/Nachi worm? It would seem that these ATMs don't need any incoming connections at all, and the single connection out. To me, that seems to be damn simple to secure, then again I don't know all of the details.


# December 4, 2003 1:36 PM