Remember, if you run Windows and everything goes south, nobody will yell at you, because itâs Windows. Surely job security is more important than⊠security.
I suppose that was technically a violation of the DMCA.
If you left a stack of bricks of $20 bills on the counter with a napkin on top, with â010110â written on the napkin, and somebody stole them, would that also constitute a violation of the DMCA?
âOnce youâve plugged in the USB to deliver the exploit, you could have just as easily written malware to the safe to perform remote transactions at a later point in time,â Petro explained.
So unrestricted local (physical) access to system + root exploit to boot into and possibly even installing your own mouse/keyboard, Linux wouldnât have fared better.
What does the exploit have to do with Windows at all?
Come on, even Microsoft had to admit Windows XP is not a recommended choice for security-minded applications after they ended support for it (no new security patches) last year. The cluelessness shown by this âCompuSafeâ should be self-evidently funny.
Microsoft attempted to retire it, but there remain new security patches being paid for by many corporations and governments.
If you have any understanding of security, Windows XP is not so much the issue versus local access to the device with all ports enabled. Any OS will find its protections sidestepped via these attack vectors.
It doesnât have much to do with Windows - they say right in the (short) article that Windows 10 wouldnât have fared any better.
Yes, there was unrestricted physical access - to the outside of the safe, not to any sort of service panel on the inside. They didnât have access to the motherboard, the RAM, the flash drive with the OS on it, anything like that. Thatâs exactly the sort of scenario that safes are designed to withstand, except this one didnât.
Rule 1 of hacking, If you can physically access it, you can own it. Who the heck thought a public facing USB port was a good idea?
Doesnât match the article, which goes over the attack vector I mentioned-
One of the main vulnerabilities we are focusing on comes by way of a USB port that is on the exterior of the safe," Salazar told eWEEK. "We have created a little tool that we can just plug into the safe, wait 60 seconds for the tool to do its work, and then the safe doors will open and you can take all the cash out.
I get you, there seems to be a perfect storm of âcomputer securityâ expertise fail.
But you might agree that the âWinXP being a virus and exploit magnetâ clichĂ©, right or wrong, will be familiar to anyone whoâs had to fix the damn thing for a relative. Even if they wouldnât know an attack vector from a Vector W8.
My point is that the windows angle makes for a catchier story lead than a dry âsupposedly safe thing actually unsafe for a number of reasonsâ if your intended public is not security experts.
I mean, I agree that the lede is âcatchyâ, just not factual.
How does my description not match what you quoted?
They had access to the outside of the safe, and only to the outside. There was a USB port on the outside of the safe, yes - so they had access to the USB port. On the outside of the safe.
So⊠lock security is typically rated for how long the device will slow an intruder- really good padlocks are worth like 10 minutes (tops!). Safes are the same. The very best are able to take 60 minutes of abuse (and ho-boy the list of abuse in the rating is epic! hint: nitroglycerin!).
This safe is clearly not one of the best.
The USB port is a direct connection to the innards of the device, so full local access to exploit.
are you saying that the headlines here are, on occasion, imprecise to hyperbolic?
I can argue with an element of the story without getting âthe vaporsâ, insulting the editors, or being âdisappointed in BoingBoingâ 
I suppose itâs just a distracting element. An old-ass build of Windows Embedded could probably be secure in any ATM, seeing as theyâre still releasing security updates for legacy builds.
It really isnât though.
Itâs fairly typical to consider âability to plug in a keyboard, type on it, and view the screenâ on a separate level from âfull unrestricted physical accessâ - where the latter includes the ability to induce reboots, replace the boot media, pull internal storage out and connect it to an external reader, connect a signal analyzer to the RAM bus, etc.
Itâs a safe. Safes are rated assuming the attacker has full access to all exterior surfaces of the safe - but not to the inside of the case, where things like a combination reset lever might be present.
This topic was automatically closed after 5 days. New replies are no longer allowed.
