In message <532f42aa.9000...@foobar.org>, Nick Hilliard writes:
> On 23/03/2014 18:39, Mark Andrews wrote:
> > As for printers directly reachable from anywhere, why not.
>
> because in practice it's an astonishingly stupid idea. Here's why:
>
> chargen / other small services
> ssh
> www
> buffer overflows
> open smtp relays
> weak, default or non existent passwords
> information leakage from non-protected services
>
> and so forth.
>
> Nothing wrong with global reachability, don't get me wrong - and if I
> thought for a pico-second that printers or any other connectible device
> took even the most basic steps at handling security fundamentals, I might
> even be ok about the idea.
>
> But they don't: printer drivers and interface firmware are written by
> people whose only ability is relaying eps and pcl files from one socket to
> another and pumping their code full of rage-inducing bloatware, the only
> purpose of which is to serve the blind whims of idiotic product managers
> who derive a sadistic satisfaction from ensuring that their products
> interfere as much as humanly possible with the process of committing ink
> and toner to paper. Security management doesn't even get a look in.
>
> 12 months after market debut, printer firmware updates cease forever for
> that particular model, and the inevitable result is a line-rate bot spewing
> obnoxious crap until the day that the device is thrown on to the scrap heap
> that it deserved when it was first unpacked.
>
> Exactly the same principle applies to pretty much any consumer device,
> although I admit that printers are worse offenders than most.
>
> We can all agree that what's needed here is full consumer choice and the
> ability to address things globally, should one desire to do so. In
> practice, default deny is a more sensible approach to handling the reality of
> connecting devices to a public network.
>
> Nick

Actually all you have stated is that printer vendors need to clean up
their act and not that one shouldn't expect to be able to expose a
printer to the world. It isn't hard to do this correctly. It also
does not cost much on a per device basis.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: ma...@isc.org