
> the stakes are low that not much thought is put into security.

What I don't get is that NO thought was put into security. Sure, the card reader and the payment processing, I'm honestly sure that someone did a reasonable job at that part, because that comes as part of the payment terminal.

From a management perspective I can't see why you didn't think about the security for just a few minutes extra and come up with a much better product in general. There's certainly a point to being overly focused on security and never shipping, but it's also the case that thinking about security and misuse will help you to build better, more stable products.

These devices fail, and they fail constantly. I was at a Burger King two weeks ago, and again at the same restaurant two days ago. Two out of three kiosks were broken when I arrived two days ago, and all three were broken after I ordered two weeks ago. At the local McDonald's it's often that three or four out of ten kiosks are broken. They aren't broken as in physically damaged, it's the software that's not working or stuck somehow.

As the article points out, they break so frequently that they are left unlocked, which in turn violates the idea that they are physically secured.

Three things I'd change are:

* Don't run as administrator, because hey, it's a quick thing to fix, so might as well.

* Read-only filesystems.

* PXE boot those things, so that they'll get fresh OS + application install on each boot.

If you ever see staff try to fix a kiosk, then you'll notice that they just open them and reboot the device. From what I've seen that frequently fails to fix the device, meaning that the system is in a broken state. Having the whole thing boot a known good image could help.

When the normal recovery plan for thousands of these kiosks is: "Reboot and hope it works. If not, wait for a technician to re-image, or reboot again." then you didn't spend enough time on systems design.


