She followed me in the rented cargo van till I left the New Jersey Turnpike. I had business on Long Island, and my wife was headed to Boston to move the eldest out of his dorm room for the summer break. A day later, meeting over, I headed for our planned rendezvous in Rhode Island.
But I needed cash so dashed into a Wal-Mart and swiped the card through an ATM. The machine accepted my electronic request for $300 and then suddenly returned to its initial welcome screen.
“Puzzling,” I thought, but assumed the small unit couldn't dispense that much money in a single transaction. “Pretty lame UI if that's the problem.” I tried again, now requesting $200. That frustrating “please wait” message that infests all of our equipment appeared.
Nothing happened. A minute went by. Then another. Trying to give up I hit the “cancel” button. More nothing happened. I tried again and again. Pretty soon the machine beeped when any key was hit. That sounded a lot like a full keyboard buffer ping generated by Windows 3.1 when it hung or got busy.
But by this point I was getting panicky. Over four minutes had passed. Do I just leave? What if the ATM finally came alive and spit a wad of cash onto the floor? Do I contact a manager? At Wal-Mart? The odds of finding anyone knowledgeable enough to help seemed remote so I stayed and stewed. Finally the machine did something. It didn't squirt greenbacks. Nor did it apologize for a problem with my account or with the unit itself. Instead it again returned to the welcome screen.
I called the bank and changed the PIN code just in case the machine was a front for some phishing operation. But it's unlikely that a unit positioned so prominently in a huge retailer had been compromised. I assume the software crashed. Perhaps it was the OS.
The machine sported a Diebold label, a pretty clear indication the unit uses some version of Windows. We do know that at least some of their electronic voting machines boot CE. A few days later a look at their web site confirmed that the ATMs use Pentium 4s with 20 Gb of hard disk and 256 Mb of RAM, which sure sounds Windows-ish to me.
Unlike most techies I really like Windows. My machines run XP, which has been highly reliable, intuitive and offers a wealth of functionality. But these are desktop computers. The occasional crash is simply not a problem. Extensive backup strategies insulate me against OS problems, as well as those from fire, floods and pestilence. Weekly prophylactic reboots keep the systems stable, and consume essentially zero time and energy. Now expending infinite energy dealing with teenagers I just can't get worked up about tiny annoyances.
Embedded flavors of Windows, too, are entirely appropriate for a wide class of systems. Agilent's Infinium oscilloscopes rely on the OS. An occasional crash is barely a nuisance. A CE-based cell phone with 99.9% uptime is good enough.
But some apps require much more reliability. That ATM crash in fact didn't cause any problems; the bank confirms the withdrawals never happened. But I'm left with my faith in the reliability of electronic banking shaken. Next time I see the Diebold label I'll probably look for a different machine. Not only must any bit of technology that manages money be reliable, it must appear to be reliable. The entire banking industry indeed, even the concept of paper money is based on trust. Without a perception of ATM integrity people will avoid electronic transactions.
Diebold's AccuVote-TSx was decertified in parts of California this week. (Here's Diebold's side of the story.) The State now requires much more extensive proof of correctness for all electronic voting machines. I applaud the new, tighter regulations, but worry that the requirements might still be too loose.
California's Secretary of State may demand access to any voting machine's source code if, in the case of COTS code, it's available and discloseable by the vendor. Since the Diebold units (and presumably those from other vendors) use Windows, the biggest component, the largest number of lines of code, are inherently proprietary and closed. Despite my liking for Windows, it's huge, it's secret, and it has never been certified to any safety-critical standard. If it were perfect, if it never crashed or behaved oddly, the OS is still a gigantic unknown lurking in the system.
Critical avionics applications would never run a massive chunk of unproven code. A failure causes deaths, injuries and lawsuits. A flaky ATM or voting machine won't hurt (physically, at least) or kill anyone. Lawsuits? Well, the Supreme Court mediated alleged election irregularities in 2000. I'd hate to see the same this year, especially if due to software bugs, real or alleged.
When consumers don't trust ATMs, they'll use direct deposit and face-to-face banking. If the electorate doesn't trust voting machines, few options exist. They'll simply stop showing up at the polls. And that's a Bad Thing for our republic.
Jack G. Ganssle is a lecturer and consultant on embedded development issues. He conducts seminars on embedded systems and helps companies with their embedded challenges. He founded two companies specializing in embedded systems. Contact him at . His website is .
Microsoft just does not stand by their stuff the way they should. I rememberback in an old job, I inherited a Flight Line Channel Memory Loader Application that usedMS Visual C++ 1.52c under DOS. It did not fly, but I did coverage testing, and leaktesting on it anyway with Boundschecker from NuMega. I found dynamic memory leaks in 2library functions from MS, and when I reported the bugs, the response was “How do youguys always find these things?” They did not have a clue about doing dynamic memory leaktesting, or code coverage testing in some cases. They did not fix the bugs, and so wehad to put a notice in the users guide that the PC should be re-started after eachsession as a precaution.
– Bill Murray
I just read your article about ATMs. I have no direct commentson the technical aspects of your article (other than to violentlyagree), but I thought you might be interested in a link regardingthe social aspects of what you wrote:
I have not personally tried to validate this article but othersI trust have and claim it is not a hoax. When you look at the pictures, it is plain to see that it COULD be done even if thisweb page turns out to be a hoax. In general, ATMs are not to betrusted 100% for a lot of different reasons.
– Dan Miner
You LIKE windows?? In an embedded world, how can you LIKE windows. You shouldn't have to reboot in any embedded item. My wife has a cell phone (Nokia) that seems to lose track of the time often. I call AT&T (the provider's current name) and they give me all sorts of grief and say “power off then on” (human terms) reboot for us techies. Why should we even have to do this? It is silly to the extreme. I tell the phone to display the time, and also sync to the signal received, it SHOULD DO IT. If it detects an error, it should find a way to correct the problem. My wife shouldn't have to hand the phone to me and say “why doesn't this #$%^^&*$@ thing keep time”. If pacemakers were built like this (I've worked on them as well) nobody would EVER want one. It seems that nobody wants to test, just ship. It is a very bad sign!!
– Tom Watson
Windows contains millions of lines of code that can perform no usefulfunction, in an embedded system. Non-useful code serves only to degrade systemperformance and add bugs.
I would like to see anybody who advocates the use of Windows in an embedded system spenda year in a space capsule, with a Windows system (any version they choose) controllingthe life support.
– Ken Hoppe
Very good article. I think people went off a tangent about Windows being a”likeable” system. I think Windows is perfect for non-critical, non-embeddedapplications. When it comes to products where safety, reliability, security is involved,private and proprietary software is not a good idea.What if the voting systems were based off linux ? Since the code is widely open, bugsand fixes would be available immediately.As for voting machines, I think it's a BAD idea to go for anything electronic. If Idon't trust this ATM, I'll go to the clerk and get my cash. If I don't trust my votingmachine, I'd rather use plain paper-in-envelope-in-box voting system.Going to all-electronic is not the solution to everything.BTW, I own a Nokia and never had to reboot 🙂
– Stephane Provost
I've had to take my Nokia back for a software upgrade to fix a powering downproblem. This concerns me as a Nokia shareholder. As a design engineer there can be anumber of reasons for Tom's Wife's Phone not keeping time. I've seen chrystals thatwere cracked in shipping, that were not caught in manufacturing test. (Takes an X-ray,or long term test, both expensive so you don't get the phone for $19.95 — Not an issuefor a $25,000 pacemaker you can xray, and long term test for that kind of money — it'scovered in the price. Also pacemaker's usually don't get dropped on concrete which ishard on the chrystal as well. Do the same to a $1500 rolex and you've got a big repairbill. The software is different, It is amortized over millions of units and should bewell tested, well inspected, and generally bullet proof. There are even criminalpenalties for certain types of software defects in cell phones, so this is potentiallyserious.
– Bill Murray
Diebold's older ATM's did not use Windows, but had a number of boards with 8051-class controllers (slow 8-bitters) linked by RS-485. When they added more bells and whistles, they added a Pentium motherboard. In the version I worked on, this used IBM's OS2, which is probably more stable than Windows but maybe not stable enough. However, their Accuvote line and their newest series of ATM's use embedded Windows of some sort.
– Mark Moss