Some backstory that isn't in this article: Barnaby Jack (who goes all the way back to the original eEye research team in the late '90s/early '00s) did this ATM research while working as a researcher for Juniper Networks. I believe the original vendor he targeted was Tranax; they make the crappy free-standing ATMs you see in bodegas†.
Jack notified the vendor and (obviously) got his talk accepted and announced at Black Hat. The vendor complained to Juniper, and Juniper had the talk pulled††. Jack left Juniper for IOActive and gave the talk the following year. Last time I checked, I believe he was at McAfee.
† Funny thing about Tranax: they managed to let Google crawl their maintenance manual a couple years ago, and the manual had their default maintenance code in it; a huge number of ATMs were found to be running with that default password, which allowed people to re-denominate the bills in the machine.
†† This was probably a reasonable call, because Juniper has billions of dollars to lose to a negligence suit brought by an ATM company.
It's not very nice that the author turns a 'security researcher' (his words) who is effectively helping (if not actually doing) the author's job for him into a pantomime villain.
[edit: I do get that they became 'friends', which gives some levity to these descriptions, but it still strikes me as casting aspersions not just on the individual but more generally on the way he and others like him choose to work]
If you read it all the way down, the author reveals that he befriended the hacker and was very grateful for helping and co-operating with the fix. The villain part in the beginning was just joking, although I did not particularly enjoy that style of writing either.
Considering the thick layer of sarcasm above, it's pretty clear the booing was a joke as well. Same thing for sitting with crossed arms in the front row while everyone else cheered at the jackpot demonstration.
I thought it was part of who the author is. He doesn't strike me as a particularly serious person, so booing the security researcher who has become a "star" of Black Hat in the eyes of the rest of the applauding audience sounds like a funny and friendly thing to do to me.
The story could've been good, but the style of writing is neither witty nor clever, and when I arrived at 'reserved seats in the front row at Black Hat' I closed the tab with a quick sigh of relief afterwards. Horrible.
I liked it a lot too, and, obviously, I'm on Barnaby Jack's side of the vulnerability research fence, not the ATM vendor's. I even thought the style was amusing.
Agreed. I came here wanting to say I thoroughly enjoyed the writing style. Technical details coupled with great entertaining writing? Count me in. I already read enough dry technical tumblrvomit as it is.
Some geeks seem to have the misconception that you can't be entertained and educated at the same time. I suspect this is the same group who hates analogies.
Typically the vendor side of a publicized security exploit never releases details to this extent, ESPECIALLY in the financial sector. It's a very interesting perspective to get to read in detail.
Obviously my statement was purely subjective (style of writing).
That said: What details did you take away from the article? I'm serious. I just went back and skimmed the rest. It seems this is really a long version of 'someone found an exploit, we fixed it, he presented it in public and we handled the aftermath'. No details at all. The most technical bit was the 'Now we're so much more secure by requiring signed code', and that was it?
Agreed, and I found it quite opposed to the stiff, boring technical read it could have been. Which I believe was the exact point the author was trying to make at the end of his story.
Just wanted to chip in that I thought the article was a great read, informative, and the author's self-deprecating sarcasm was very refreshing. Much preferred to extremely dry and technical stuff.
> [My company's ATM] was just the most conveniently available to purchase on the web and be delivered to his home. Note to our salespeople: for security purposes, please make it more difficult to purchase our product.
In this sentence, the author mistakes obscurity for security.
I beg your pardon. It seemed to me like the author dropped the sarcasm near the beginning of the write up and he actually thought denying individuals access to the equipment would make it more secure.
Really? For more context here is the entire paragraph:
"Barnaby chose my company's ATM arbitrarily, it was just the most conveniently available to purchase on the web and be delivered to his home. Note to our salespeople: for security purposes, please make it more difficult to purchase our product."
The whole article is thick with sarcasm? The only other bit of sarcasm/joke in the last nine paragraphs is that the author booed/jeered Barnaby when he came to the stage. If "the whole article is thick" with sarcasm, why is the last 37% so straightforward and not funny?
It comes directly after the line 'Barnaby is from New Zealand and I'm from Australia, and trans-Tasman friendships are regarded as treasonous', which FYI is also a joke.