From: Polytropon <freebsd@edvax.de>
To: freebsd-questions@freebsd.org
Date: Tue, 3 Apr 2012 15:30:39 +0200
Subject: Re: Printer recommendation please
Message-Id: <20120403153039.55a7f5d5.freebsd@edvax.de>
In-Reply-To: <20120403084005.576af98e@scorpio>

On Tue, 3 Apr 2012 08:40:05 -0400, Jerry wrote:
> On a serious note, I have spent the last 12 hours, more or less,
> checking with my friends and business associates. Not a single one has
> ever had or knows of a single incident of anyone actually ever being
> infected or having suffered any negative reaction to having printed a
> PDF file. Most, but not all of these friends / associates are Microsoft
> users; however, that should not invalidate the statistics.

That might be a problem: Malicious acts take place in the background.
The times when a virus would pop a "funny message" on the screen are
long over.

In "Windows" land, there are limited resources for means of diagnostics
and troubleshooting. Many people believe (and please take that word
seriously) that they "have no virus", and if you bring a laptop with a
traffic scanner (e. g. Wireshark, ex Ethereal), you can see scary things
happen on their network. In the worst case, the police rushes in, takes
all the PCs, and the sloppy explanation they give is: "We're
investigating a case of copyright infringement, we suspect your PCs of
being an active sharepoint of copyrighted material."

While "Windows" and its programs present lots of bells & whistles to
the user, there's no real chance to find out what's _really_ happening
behind that curtain. There are _tons_ of programs out there that can be
considered "snake oil" in regard to security. "Windows" users know 'em,
many of them use 'em.

I can imagine if PDF printers spread more and more, they become more
interesting to attackers, and malware like "Professional Printer
Anti-Malware Check XXL Super High Security Programs" will spread,
waiting for the poor-minded victims to run them, and BANG! printer
pwn'd. This is the _first_ step into turning a corporate network into a
botnet. If the attacker is able to "hide inside" a printer, it's much
easier for him to do "sniper attacks" with precision as he is in control
of a full-featured networking device that nobody recognizes... or
verifies.

Running virus scans, malware scans and so on on "Windows" PCs has become
standard for the majority of its users. Printers are not concerned here,
and maybe there are no proper tools available to do the pending tests.
Applying that consideration to PDF files, virus scanners would have to
check them before they are sent to the printer.

> In fact, the FOSS society claims MS is more vulnerable to
> infections/hijacking than they are.

This is due to its usage share. I believe if Linux (for example) ran on
90% of home PCs, attackers would concentrate their activities on that
platform. Given the statement that the platform is more secure in a
technical way (by design and implementation), attackers would
potentially try to access the weakest part: the user. This kind of
attack is different from those that work in a technical way (e. g.
overwriting a printer's firmware silently and secretly), because it does
not depend on technical vulnerabilities in the first place.

FOSS or not, people have to understand that security is not a static
thing, it's a process that involves _them_ to act. A Linux server with
telnet enabled and an empty root password is as dangerous as a "Windows"
PC in a corporate network.

Now there's something interesting "hidden": Let's say a malicious file
is sent to the printer to compromise it. It's sent from a Linux
workstation. Will Linux (to keep this example) have to contain a kind
of "PDF virus scanner" by default? Take into mind what I said about
"behind the curtain". When a printer is compromised, and it acts
maliciously within a Linux environment that is poorly secured, I agree
with your statement that using a FOSS system does not imply security
per se.

> The original PDF code was written years ago. Since about 2006 hackers
> have started finding vulnerabilities in it.

That's a well-known fact in IT security. As I said, it's up to the
manufacturers to properly deal with the security issues as well as
possible. If they _can_ remove certain attack vectors, for example by
ignoring specific sections of PDF data, it would be a benefit for
security without actually reducing functionality. It starts getting
complicated if there is a feature that is needed which can be used
_against_ the system. Maybe data validation can help here...

> There was one that attacked scanned documents in MS Office. That
> problem was fixed over two years ago. Virtually all PDF attacks now
> target Web Browsers. A case can be made that viewing PDF files in a
> Web Browser is far more likely to infect a machine than printing such
> document ever could.

Yes, that approach is welcome to attackers as it allows them to take
over a full-featured "Windows" PC within seconds - the user just has to
visit a certain web page. By "auto-open magic" of certain MUAs it's
even easier to accomplish.

Attacking a printer, however, is much more silent. Why? Because nobody
CARES. Printers are not in the scope of security. Does anyone imagine
running a virus check on a printer? Does the firmware have the latest
manufacturer patches? Is there a password on the administration
interface? What traffic is running across the printer? While many
sysadmins (even in MICROS~1 environments) are aware of checking and
cleaning (and reinstalling) the "Windows" PCs frequently, the things
"hidden" in the printer are often left out. So right after cleaning the
PCs, the network could be "re-initialized" by an attacker who "lives
inside" the printer.

After all, I think social engineering based attacks will become much
more popular than addressing printers. I do _not_ say to keep ignorant
and carry on, but there are higher threats than the PDF-capable laser
printer in room 101. :-)

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
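Added example (not part of the mailing-list message above, nor any FreeBSD or vendor code) for the "what traffic is running across the printer?" check: it treats printers as devices that should almost never open connections on their own and flags every flow a printer initiates outside a short allow-list, so a device that has been "re-initializing" the network after a cleanup shows up in the flow log. The printer inventory, the allow-list, the flow-log format and all addresses are constructed assumptions.

```python
# Added example: flag flows *initiated by* printers that fall outside the few
# connections a printer legitimately needs. Everything below is constructed.
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

# Constructed inventory of printers and the peers they are expected to reach.
PRINTERS = {"10.0.5.20", "10.0.5.21"}
SITE_DNS_NTP = {"10.0.1.2"}            # assumed site resolver / time source
VENDOR_UPDATE = {"203.0.113.50"}       # placeholder firmware-update host

# (destination set, port, protocol) a printer may open on its own initiative.
# Print jobs arrive server -> printer (e.g. 9100/tcp) and are inbound, so they
# never appear here: the direction worth watching is the printer reaching out.
PRINTER_EGRESS_ALLOW = {
    (frozenset(SITE_DNS_NTP), 53, "udp"),
    (frozenset(SITE_DNS_NTP), 123, "udp"),
    (frozenset(VENDOR_UPDATE), 443, "tcp"),
}

def parse_flow(line):
    """Parse one 'src dst dport proto' log line; None for malformed input."""
    parts = line.split()
    if len(parts) != 4 or not parts[2].isdigit():
        return None
    return Flow(parts[0], parts[1], int(parts[2]), parts[3].lower())

def printer_initiated_outliers(lines):
    """Return flows whose source is a printer and whose (dst, port, proto)
    is not on the allow-list; non-printer sources and bad lines are skipped."""
    outliers = []
    for line in lines:
        f = parse_flow(line)
        if f is None or f.src not in PRINTERS:
            continue
        if any(f.dst in dsts and f.dport == port and f.proto == proto
               for dsts, port, proto in PRINTER_EGRESS_ALLOW):
            continue
        outliers.append(f)
    return outliers

# Constructed flow log: one print job, two expected lookups, two outliers.
SAMPLE_LOG = """\
10.0.1.10 10.0.5.20 9100 tcp
10.0.5.20 10.0.1.2 53 udp
10.0.5.20 203.0.113.50 443 tcp
10.0.5.21 10.0.7.33 445 tcp
10.0.5.20 198.51.100.9 6667 tcp
garbage line
""".splitlines()

if __name__ == "__main__":
    for f in printer_initiated_outliers(SAMPLE_LOG):
        print(f"printer {f.src} -> {f.dst}:{f.dport}/{f.proto} not on allow-list")
```

Feed it the real inventory and a flow export from the printer VLAN's gateway; any hit is a device to pull off the network and examine rather than something to add to the allow-list.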