In message <532F42AA.9000604@foobar.org>, Nick Hilliard writes:
On 23/03/2014 18:39, Mark Andrews wrote:
As for printers directly reachable from anywhere, why not.
because in practice it's an astonishingly stupid idea. Here's why:
- chargen / other small services
- ssh
- www
- buffer overflows
- open smtp relays
- weak, default or non-existent passwords
- information leakage from non-protected services
and so forth.
Nothing wrong with global reachability, don't get me wrong - and if I thought for a pico-second that printers or any other connectible device took even the most basic steps at handling security fundamentals, I might even be ok about the idea.
But they don't: printer drivers and interface firmware are written by people whose only ability is relaying eps and pcl files from one socket to another and pumping their code full of rage-inducing bloatware, the only purpose of which is to serve the blind whims of idiotic product managers who derive a sadistic satisfaction from ensuring that their products interfere as much as humanly possible with the process of committing ink and toner to paper. Security management doesn't even get a look in.
12 months after market debut, printer firmware updates cease forever for that particular model, and the inevitable result is a line-rate bot spewing obnoxious crap until the day that the device is thrown on to the scrap heap that it deserved when it was first unpacked.
Exactly the same principle applies to pretty much any consumer device, although I admit that printers are worse offenders than most.
We can all agree that what's needed here is full consumer choice and the ability to address things globally, should one desire to do so. In practice, default deny is a more sensible approach to handling the reality of connecting devices to a public network.
Nick
Actually all you have stated is that printer vendors need to clean up their act and not that one shouldn't expect to be able to expose a printer to the world. It isn't hard to do this correctly. It also does not cost much on a per device basis.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org