Printer security? I remember when you just plugged them in to LPT1:
"A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
– John F. Kennedy, February 26, 1962.
Once, while visiting a customer to help work through a malware infection, I saw the Xerox guy walk past the office and into the printer/supply room. He began systematically dismantling the printer/copier/beverage-cup-stand/diaper-changer.
I asked the customer, "How often does that guy come here?"
"Every 90 days," she responded.
"Hm," I mulled, "you know, every 90 days you and I are on the phone working through some kind of malware problem. What a coincidence!"
Later that evening, a thought occurred to me. I emailed the customer and asked her to grab some logs off the servers that were infected. "Have you checked the source IP addresses of those suspicious connections?"
The next day we reviewed the logs. Sure enough, the attacks were coming from that blasted printer! The sucker ran a copy of Windows XP Embedded. Now unlike with ordinary Windows, owners of devices containing embedded Windows don't own the license for that software, and usually can't perform any kind of maintenance. The particular version of XP on that printer was the original released product, with nary an update or service pack.
Each time the repair dude visited, he attached his laptop to the printer for who-knows-what. Turns out, that guy's laptop was a veritable ocean of malware, some of which would jump to the printer's hard drive at the moment the two were connected. My customer quickly changed their maintenance company, and replaced that printer not too long after that.
---
Earlier I wrote about the mostly security theater nature of PC-based outbound firewalls, and mentioned that administratively controlling outbound connections has its places. Well, this is one such place. There's absolutely no reason for any software on a device like a printer to make uninitiated outbound connections. Customers ought to have control over stuff like that. A pox on all vendors who refuse to acknowledge this.
A) Not involved with a copy of XP on a copier, printer, but the high school whereat I taught got an early one and it was regularly having problems. It was one of the things with the bed that literally moved back and forth on top of the machine. One day it had gone south, the secretary had taken the back off and yet again, the cable (rather like a picture hanger twisted wire) was frayed and broken. I leaned over and looked at it and noticed a "burr" on one of the guide wheels and asked if the cable was normally very tight. She said it was. I indicated that I thought this was a purposeful situation wherein they knew about the burr and we were paying a deductible maintenance fee on it. Maybe they should change companies.
They did!
B) The college does not allow students to get onto the "networked" printers at the college for this precise reason. The student printers are in two situations: a) the kiosk printers cannot get onto the intranet but can get on the internet and have printers that are physically wired to the computer. b) the "computer lab" computers and computer "classroom" computers are in hardwired separated "subnets" that only have external access through the teacher's workstation. The college has a variety of "online information" such as online encyclopedias, paid journals such as "Science" magazine, or a "psychology" magazine. In other words, when they have an "exercise" where they have to do "research" they have the free run of those online resources but are not connected to the "internet". The printers for these rooms cannot be accessed from other subnets. The teachers and staff have password access to all of the terminals that are in a teacher desk, laboratory, etc. and they have full access to multicolor, black and white, and "photocopier" printers. However, each teacher has to log into the desired printer and can only have access to one printer at a time. We can even print to another campus, but the whole system is separate from the kiosks and computer class intranets.
And the precise reason is that stated in the article that the printer really is a server.
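The log review described in the quoted article (checking which source addresses opened the suspicious connections) can be scripted. The following is an added example, not part of the original post or the article; the log layout, the printer inventory, the allow-list and all addresses are constructed assumptions.

```python
import ipaddress

# Assumed inventory and allow-list (constructed values, not from the post).
PRINTERS = {ipaddress.ip_address("10.0.5.20")}
# (destination, port) pairs a printer may open on its own, e.g. scan-to-mail.
ALLOWED = {(ipaddress.ip_address("10.0.1.25"), 25)}

# Constructed sample in an assumed "time src dst dport state" layout.
# NEW marks the first packet of a connection, so src is the initiator.
SAMPLE_LOG = """\
2024-03-01T09:00:01 10.0.2.14 10.0.5.20 9100 NEW
2024-03-01T09:00:02 10.0.5.20 10.0.2.14 49812 ESTABLISHED
2024-03-01T09:05:10 10.0.5.20 10.0.1.25 25 NEW
2024-03-01T09:07:33 10.0.5.20 10.0.1.10 445 NEW
2024-03-01T09:07:34 10.0.5.20 10.0.1.11 445 NEW
truncated line
2024-03-01T09:09:00 10.0.5.20 203.0.113.7 443 NEW
"""


def printer_initiated(log_text, printers=PRINTERS, allowed=ALLOWED):
    """Return (time, src, dst, port) for connections a printer started
    to a destination that is not on the allow-list."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed or truncated records
        ts, src, dst, dport, state = fields
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue  # unparsable address or port
        if state != "NEW" or src_ip not in printers:
            continue  # replies and non-printer initiators are expected
        if (dst_ip, port) not in allowed:
            findings.append((ts, src, dst, port))
    return findings


if __name__ == "__main__":
    for ts, src, dst, port in printer_initiated(SAMPLE_LOG):
        print(f"{ts} printer {src} opened a connection to {dst}:{port}")
```

Print jobs sent to the printer and its reply traffic are ignored; only connections the printer itself opens to destinations off the allow-list are reported.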