nanog mailing list archives

Re: misunderstanding scale (was: Ipv4 end, its fake.)


From: Mark Andrews <marka () isc org>
Date: Mon, 24 Mar 2014 08:02:13 +1100


In message <532F42AA.9000604 () foobar org>, Nick Hilliard writes:
On 23/03/2014 18:39, Mark Andrews wrote:
As for printers directly reachable from anywhere, why not.

because in practice it's an astonishingly stupid idea.  Here's why:

chargen / other small services
ssh
www
buffer overflows
open smtp relays
weak, default or non-existent passwords
information leakage from non-protected services

and so forth.

Nothing wrong with global reachability, don't get me wrong - and if I
thought for a pico-second that printers or any other connectible device
took even the most basic steps at handling security fundamentals, I might
even be ok about the idea.

But they don't: printer drivers and interface firmware are written by
people whose only ability is relaying eps and pcl files from one socket to
another and pumping their code full of rage-inducing bloatware, the only
purpose of which is to serve the blind whims of idiotic product managers
who derive a sadistic satisfaction from ensuring that their products
interfere as much as humanly possible with the process of committing ink
and toner to paper.  Security management doesn't even get a look in.

12 months after market debut, printer firmware updates cease forever for
that particular model, and the inevitable result is a line-rate bot spewing
obnoxious crap until the day that the device is thrown on to the scrap heap
that it deserved when it was first unpacked.

Exactly the same principle applies to pretty much any consumer device,
although I admit that printers are worse offenders than most.

We can all agree that what's needed here is full consumer choice and the
ability to address things globally, should one desire to do so.  In
practice, default deny is a more sensible approach to handling the reality of
connecting devices to a public network.

Nick

Actually all you have stated is that printer vendors need to clean
up their act and not that one shouldn't expect to be able to expose
a printer to the world.  It isn't hard to do this correctly.  It
also does not cost much on a per device basis.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org

