From: Da Rock
To: freebsd-questions@freebsd.org
Date: Mon, 02 Apr 2012 20:14:49 +1000
Subject: Re: Printer recommendation please
Message-ID: <4F797C19.1080801@herveybayaustralia.com.au>
In-Reply-To: <4f79c113.4NFuCWPOnCnPln6u%perryh@pluto.rain.com>

On 04/03/12 01:09, perryh@pluto.rain.com wrote:
> Polytropon wrote:
>
>> On Sat, 31 Mar 2012 14:01:43 -0700, perryh@pluto.rain.com wrote:
>>> I personally don't trust wireless, because it's well nigh
>>> impossible to truly secure it.
>> In that case, one should also pay attention to secure the
>> printer. Wait - secure the printer? What am I talking about?
>>
>> Firmware attacks!
>>
>> Yes - malware has already reached printers ...
> All the more reason to avoid wireless. (I had been thinking more
> along the lines of someone intercepting sensitive print files, e.g.
> tax returns, as they were being sent to the printer.)
>
> A printer connected to a hard-wired network, behind a firewall with
> no tunnelling to it allowed, is not going to get anything sent to it
> from outside. Granted this does not protect against malware jobs
> sent from a local machine, but it at least avoids having malware
> sent wirelessly to the printer by someone parked out front, thus
> there's one less pathway needing to be secured.
>
> It may also be a reason to _avoid_ printers that accept PDF directly.
> Since PDFs are often downloaded and printed, an attacker could post
> a bogus firmware download under an innocent-sounding name like
> "manual.pdf" leading someone to do
>
>   $ fetch http://.../manual.pdf && lpr manual.pdf
>
> Oops.
>
> However if said PDF has to first be locally converted to PS (e.g.
> by xpdf) before being sent to the printer, an attacker would have
> to (somehow) formulate a PDF that would cause xpdf to emit a
> "PostScript" file that looked to the printer like a firmware
> download. I don't know enough about either PDF or xpdf to say
> whether that's possible, but I imagine it would at least be a
> whole lot more difficult than in the direct PDF case.

Sounds pretty good to me. I'd implement it.
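One way to implement the approach discussed in this thread, as an added example that is not code from any of the posters: a wrapper in front of lpr that classifies a job by its content rather than its file name, converts PDFs locally so the printer only receives PostScript generated on this machine, and refuses anything else. It assumes pdftops (shipped with xpdf) is installed; the function names and the PRINT_CMD and PDF2PS variables are hypothetical.

```shell
#!/bin/sh
# Added example: never hand a downloaded file straight to the printer.
# PRINT_CMD and PDF2PS are hypothetical knobs; defaults assume lpr and pdftops.
: "${PRINT_CMD:=lpr}"
: "${PDF2PS:=pdftops}"

# classify_job FILE -> prints pdf | postscript | unknown
# Looks at the bytes, not the name, so a non-PDF blob called manual.pdf
# is not treated as a PDF.
classify_job() {
    # Acrobat-style readers accept the %PDF- header anywhere in the first
    # 1024 bytes, so check that whole window, not only offset 0.
    if head -c 1024 "$1" | tr -d '\000' | LC_ALL=C grep -q '%PDF-'; then
        echo pdf
    elif [ "$(head -c 2 "$1" | tr -d '\000')" = '%!' ]; then
        echo postscript
    else
        echo unknown
    fi
}

# safe_print FILE -> 0 if a job was queued, 1 if it was refused
safe_print() {
    job=$1
    case "$(classify_job "$job")" in
        postscript)
            "$PRINT_CMD" "$job" ;;
        pdf)
            # Convert locally; the original PDF bytes never reach the printer.
            ps=$(mktemp) || return 1
            rc=1
            if "$PDF2PS" "$job" "$ps" && "$PRINT_CMD" "$ps"; then rc=0; fi
            rm -f "$ps"
            [ "$rc" -eq 0 ] || echo "refused: $job did not convert or print" >&2
            return "$rc" ;;
        *)
            echo "refused: $job is neither PDF nor PostScript" >&2
            return 1 ;;
    esac
}

# Usage: sh safe_print.sh manual.pdf
[ "$#" -eq 0 ] || safe_print "$1"
```

As the quoted post notes, this narrows the direct-PDF path only; a hostile PostScript job sent from a local machine still passes through.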