
In it for the money

June 23, 2009

“There’s nothing that will change someone’s moral outlook quicker than cash in large sums.”
- Larry Flynt

(Bear with me a moment; this post isn’t really about software.)
A few months ago I was in Wal-Mart and noticed one of the cash registers was sporting a Windows error dialog box.  I don’t remember what the specific error was, but I remember thinking, “Using Windows to run a transaction system is a pretty big error in itself.”

Seriously.  There are others who could explain it better than I can, but Windows is a stitched-together Rube Goldberg machine that tries to be all things to all people.  Which it does very well – it runs on nearly everything and it runs nearly everything.  It can be made secure, but it sure doesn’t start out that way by any stretch. 

I’ve had people tell me that Linux can be hacked too, but the thing about a transaction system is that it doesn’t have nearly as many functions as a desktop computer.  Linux geeks tell me that you can actually open up the kernel, remove functions that aren’t necessary to, say, a transaction system, and recompile the now stripped-down kernel.  External functions can be removed too until you have your own version of Linux that really keeps its eyes on the road, so to speak.  No side trips!

Today we learned from the Consumerist that ATM machines in Europe have been hacked in outrageous ways.  The bad guys actually used the ATM’s own card-swipe machine as an interface device to install their own version of lsass.exe, a Windows utility, on the system.  The phony lsass keeps a record of everyone’s cards and PIN numbers and obligingly prints them out at the end of the day using the built-in receipt printer.  Crooks have been successfully using the hack to clone large numbers of cards and rip off a lot of money.  (Consumerist: Meet the virtual ATM skimmers.)

So why am I ticked off? The article said that lsass.exe doesn’t even play a role in the operation of the ATM machine!  Apparently nobody even tried to strip down the operating system to remove nonessential functions.  If that is even possible with Windows.

Companies keep telling us that they really care about our data security.  Then laptops get stolen with whole databases in them, but the company offers to pay for regular credit checks as if that makes it all better.  Systems get hacked, but they say “We are improving our security procedures” (closing the barn door, most of the way, after the horse has left).  Someone walks into a branch and gets terminal access for four hours because they claim to be from the head office, and the company says, “The incident has certainly caused concern but customers need not worry.”

Last week someone with a compromised laptop asked me, “Why do hackers write viruses?  Can’t they make any better use of their talent?”  I have gotten that question literally about every two weeks for the last 14 years. My stock answer, at least currently, is that the hackers do it for money.  For example, selling Conficker access for other malware is very profitable.  For some reason this answer never satisfies the person asking the question.

But it should.  When plastics companies found out that the plasticizer BPA is an endocrine disruptor that hurts developing babies, did they stop using it in food packaging?  Nope, they put their heads together to try to dream up a better public relations campaign.  Health insurance companies are, as I write, trying to keep millions of Americans uninsured, because it’s better for their bottom lines.  It’s standard procedure for industry generally: when they are found to be harming the public good, they don’t shape up, they lawyer up and start massive public relations campaigns to muddy the issue.

So why does it surprise anyone that hackers are in it for the money?  And how, exactly, is it less moral than putting poison in food packaging and trying to call it “consumer choice”?

  1. gruntled atheist
    June 24, 2009 at 10:00 | #1

    I like this type of article.  I have long suspected that the sellers of antivirus software have a room in the basement where they manufacture and distribute viruses.  Follow the money, always.

  2. June 28, 2009 at 21:38 | #2

    I particularly loved the connection between hackers and Corps. It’s pretty much true. Profit is a good motivator and a good reason to hide what can damage those profits.

    Ever since I started working on the Walk-up Internet Kiosk at the COB I figured, “Wow this is so easy and secure I bet more and more folks will be using this in similar setups.” Sadly they haven’t. And to make matters worse many people don’t see the problem in using Windows on machines like Checkout Stations and ATMs. Then a hacker comes along and breaks it and people get pissed. Yes in a perfect world there would be no hackers. Shut up with that argument and instead listen to the security experts.
