On 23/03/2014 18:39, Mark Andrews wrote:
As for printers directly reachable from anywhere, why not.
because in practice it's an astonishingly stupid idea. Here's why:

- chargen / other small services
- ssh
- www buffer overflows
- open smtp relays
- weak, default or non-existent passwords
- information leakage from non-protected services

and so forth.

Nothing wrong with global reachability, don't get me wrong - and if I thought for a pico-second that printers or any other connectible device took even the most basic steps at handling security fundamentals, I might even be ok about the idea. But they don't: printer drivers and interface firmware are written by people whose only ability is relaying eps and pcl files from one socket to another and pumping their code full of rage-inducing bloatware, the only purpose of which is to serve the blind whims of idiotic product managers who derive a sadistic satisfaction from ensuring that their products interfere as much as humanly possible with the process of committing ink and toner to paper. Security management doesn't even get a look in. 12 months after market debut, printer firmware updates cease forever for that particular model, and the inevitable result is a line-rate bot spewing obnoxious crap until the day that the device is thrown on to the scrap heap that it deserved when it was first unpacked.

Exactly the same principle applies to pretty much any consumer device, although I admit that printers are worse offenders than most.

We can all agree that what's needed here is full consumer choice and the ability to address things globally, should one desire to do so. In practice, default deny is a more sensible approach to handling the reality of connecting devices to a public network.

Nick
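The "default deny" position at the end of the post, as an added example that is not part of the original thread: a small policy evaluator in which only the print protocols the office needs are allowed, and only from the office network, so chargen, ssh, smtp and every other service the printer happens to expose are dropped by the final rule. The addresses, ports and sample packets are constructed for illustration and are not taken from the post.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing (assumption, not from the post): printers sit in
# 192.0.2.0/24 and trusted office clients in 198.51.100.0/24; 203.0.113.0/24
# plays the role of "the rest of the Internet".
PRINTER_NET = ipaddress.ip_network("192.0.2.0/24")
OFFICE_NET = ipaddress.ip_network("198.51.100.0/24")

# Explicit allow list: (source network, destination network, protocol, port).
# Nothing else is listed, so chargen/19, ssh/22, smtp/25, http/80, snmp/161
# and whatever else the firmware ships with fall through to the default deny.
ALLOW_RULES = [
    (OFFICE_NET, PRINTER_NET, "tcp", 631),   # IPP
    (OFFICE_NET, PRINTER_NET, "tcp", 9100),  # raw / JetDirect
    (OFFICE_NET, PRINTER_NET, "tcp", 515),   # LPD
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def decide(pkt: Packet) -> str:
    """Return 'allow' if an explicit rule matches, otherwise 'deny'."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    for src_net, dst_net, proto, dport in ALLOW_RULES:
        if (src in src_net and dst in dst_net
                and pkt.proto == proto and pkt.dport == dport):
            return "allow"
    return "deny"  # default deny: unlisted traffic never reaches the printer


def evaluate(packets):
    """Apply the policy to a batch of packets; returns (packet, verdict) pairs."""
    return [(p, decide(p)) for p in packets]


# Constructed sample traffic against a printer at 192.0.2.10.
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "192.0.2.10", "tcp", 631),   # office -> IPP: allow
    Packet("203.0.113.5", "192.0.2.10", "tcp", 631),    # Internet -> IPP: deny
    Packet("198.51.100.7", "192.0.2.10", "tcp", 19),    # office -> chargen: deny
    Packet("203.0.113.5", "192.0.2.10", "tcp", 25),     # Internet -> smtp: deny
    Packet("203.0.113.5", "192.0.2.10", "tcp", 22),     # Internet -> ssh: deny
    Packet("198.51.100.7", "192.0.2.10", "udp", 631),   # wrong protocol: deny
]

if __name__ == "__main__":
    for pkt, verdict in evaluate(SAMPLE_PACKETS):
        print(f"{pkt.src:>15} -> {pkt.dst}:{pkt.dport}/{pkt.proto}  {verdict}")
```

The point of the shape is that the rule set only ever grows by adding a line for a protocol someone actually needs; a service the vendor left listening, or a new firmware bug in one, changes nothing because it was never reachable in the first place.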