Date: Mon, 02 Apr 2012 20:14:49 +1000 From: Da Rock <freebsd-questions@herveybayaustralia.com.au> To: freebsd-questions@freebsd.org Subject: Re: Printer recommendation please Message-ID: <4F797C19.1080801@herveybayaustralia.com.au> In-Reply-To: <4f79c113.4NFuCWPOnCnPln6u%perryh@pluto.rain.com> References: <4F75D37C.2020203@lovetemple.net> <20120330232307.41e420b1.freebsd@edvax.de> <4f7770b7.BkVKquuSmumStBb/%perryh@pluto.rain.com> <20120401112923.47e6c8a7.freebsd@edvax.de> <4f79c113.4NFuCWPOnCnPln6u%perryh@pluto.rain.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 04/03/12 01:09, perryh@pluto.rain.com wrote: > Polytropon<freebsd@edvax.de> wrote: > >> On Sat, 31 Mar 2012 14:01:43 -0700, perryh@pluto.rain.com wrote: >>> I personally don't trust wireless, because it's well nigh >>> impossible to truly secure it. >> In that case, one should also pay attention to secure the >> printer. Wait - secure the printer? What am I talking about? >> >> Firmware attacks! >> >> Yes - malware has already reached printers ... > All the more reason to avoid wireless. (I had been thinking more > along the lines of someone intercepting sensitive print files, e.g. > tax returns, as they were being sent to the printer.) > > A printer connected to a hard-wired network, behind a firewall with > no tunnelling to it allowed, is not going to get anything sent to it > from outside. Granted this does not protect against malware jobs > sent from a local machine, but it at least avoids having malware > sent wirelessly to the printer by someone parked out front, thus > there's one less pathway needing to be secured. > > It may also be a reason to _avoid_ printers that accept PDF directly. > Since PDFs are often downloaded and printed, an attacker could post > a bogus firmware download under an innocent-sounding name like > "manual.pdf" leading someone to do > > $ fetch http://.../manual.pdf&& lpr manual.pdf > > Oops. > > However if said PDF has to first be locally converted to PS (e.g. > by xpdf) before being sent to the printer, an attacker would have > to (somehow) formulate a PDF that would cause xpdf to emit a > "PostScript" file that looked to the printer like a firmware > download. I don't know enough about either PDF or xpdf to say > whether that's possible, but I imagine it would at least be a > whole lot more difficult than in the direct PDF case. Sounds pretty good to me. I'd implement it.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4F797C19.1080801>