From: perryh@pluto.rain.com
To: freebsd@edvax.de
Cc: karel@lovetemple.net, freebsd-questions@freebsd.org
Date: Mon, 02 Apr 2012 08:09:07 -0700
Subject: Re: Printer recommendation please

Polytropon wrote:

> On Sat, 31 Mar 2012 14:01:43 -0700, perryh@pluto.rain.com wrote:
> > I personally don't trust wireless, because it's well nigh
> > impossible to truly secure it.
>
> In that case, one should also pay attention to secure the
> printer. Wait - secure the printer? What am I talking about?
>
> Firmware attacks!
>
> Yes - malware has already reached printers ...

All the more reason to avoid wireless.  (I had been thinking more
along the lines of someone intercepting sensitive print files, e.g.
tax returns, as they were being sent to the printer.)

A printer connected to a hard-wired network, behind a firewall with
no tunnelling to it allowed, is not going to get anything sent to it
from outside.  Granted this does not protect against malware jobs
sent from a local machine, but it at least avoids having malware
sent wirelessly to the printer by someone parked out front, thus
there's one less pathway needing to be secured.

It may also be a reason to _avoid_ printers that accept PDF directly.
Since PDFs are often downloaded and printed, an attacker could post
a bogus firmware download under an innocent-sounding name like
"manual.pdf" leading someone to do

  $ fetch http://.../manual.pdf && lpr manual.pdf

Oops.

However if said PDF has to first be locally converted to PS (e.g.
by xpdf) before being sent to the printer, an attacker would have
to (somehow) formulate a PDF that would cause xpdf to emit a
"PostScript" file that looked to the printer like a firmware
download.  I don't know enough about either PDF or xpdf to say
whether that's possible, but I imagine it would at least be a
whole lot more difficult than in the direct PDF case.
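
An added illustration of the "manual.pdf" scenario in the message above (not part of the original post): an sh wrapper that classifies a file by its leading bytes instead of its name and hands only real PDFs to lpr. The function names and the LPR override variable are hypothetical, and the PJL/UEL prefixes are generic printer job-language signatures assumed here; the message does not say what a firmware download looks like.

```shell
#!/bin/sh
# Added example: decide what a file really is from its leading bytes,
# not from its name, before it is handed to lpr.

# Print one of: pdf, postscript, pjl, unknown
classify_job() {
    # First 9 bytes as a lowercase hex string, e.g. "255044462d312e340a"
    hex=$(od -An -tx1 -N 9 "$1" | tr -d ' \n')
    case "$hex" in
        255044462d*)          echo pdf ;;         # "%PDF-"
        2521*)                echo postscript ;;  # "%!"
        1b252d313233343558*)  echo pjl ;;         # ESC%-12345X (UEL prefix)
        40504a4c*)            echo pjl ;;         # "@PJL"
        *)                    echo unknown ;;
    esac
}

# Hypothetical wrapper: send the file to the printer only if it is a PDF.
# LPR is an assumed override so the print command can be swapped out.
safe_lpr() {
    kind=$(classify_job "$1")
    if [ "$kind" != pdf ]; then
        echo "refusing to print $1: content looks like '$kind', not PDF" >&2
        return 1
    fi
    "${LPR:-lpr}" "$1"
}
```

This only catches a file whose name lies about its type; it says nothing about whether a genuine PDF is safe for the printer to interpret.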