[rescue] Printing to the 'net

David Cantrell rescue at sunhelp.org
Thu Aug 9 04:55:54 CDT 2001


s at avoidant.org wrote:

> Yes, my printer has a public IP address. What's the worst that could
> happen? Some goober empties the paper tray printing porn? So what? I've
> secured the admin interface, and the thing's under warranty. Is a
> printer smart enough to be used for a DDOS attack or some such?

Assuming it does Postscript, then yes.  You can deny service by running
out of paper, by making it run out of toner, by tying up all the printer's
CPU resource (Mandelbrot in Postscript, anyone?), you might be able to
break font resources in the printer even without access to the admin
interface.

Then there are extensions to Postscript to make it possible to use the
network interface from Postscript.

At $previous_ork, a lazy admin used this for updating fonts in all the
company printers.  He effectively embedded a virus in a Postscript font
and uploaded it to a single printer.  When someone used that font, it
spread itself to other printers in the company and so on, so it should be
possible to make a printer part of a DDOS attack.  Of course, the risk
is minimal - it's a lot of work for not much gain as it's so much easier
to target Wintoys - but it's definitely there.

> I guess my question is; what's to defend against besides paper waste?

What about the possibility of getting sued by $insecure_employee if (s)he
walks in and finds hard-core porn sitting on top of the printer.  I'm sure
there are some people stupid enough to claim that's harassment, and I
*know* that there are jurisdictions idiotic enough for that to succeed.

-- 
David Cantrell | david at cantrell.org.uk | http://www.cantrell.org.uk/david

Do not be afraid of cooking, as your ingredients will know and misbehave
   -- Fergus Henderson
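
Added example, not part of the original message or any code from the thread: one way a print server could screen PostScript jobs before forwarding them, following the point above that a job can alter printer state without the admin interface. The operator list (standard PostScript Level 2 names), the function name and the sample job are assumptions made for illustration.

```python
# Added example (not from the post): screen PostScript jobs at the spooler.
# The operator list is an assumption drawn from standard PostScript Level 2.
RISKY = {
    "exitserver", "startjob",           # leave job encapsulation; changes persist
    "setsystemparams", "setdevparams",  # alter persistent printer settings
    "deletefile", "renamefile",         # touch the printer's file system
}
WHITESPACE = b"\x00\t\n\x0c\r "
DELIMS = b"()<>[]{}/%"

def scan_postscript(data: bytes) -> list[str]:
    """Return risky operator names used outside comments and strings."""
    found, i, n = set(), 0, len(data)
    while i < n:
        c = data[i:i + 1]
        if c == b"%":                         # comment: skip to end of line
            while i < n and data[i:i + 1] not in b"\r\n":
                i += 1
        elif c == b"(":                       # string: nested parens, \ escapes
            depth, i = 1, i + 1
            while i < n and depth:
                ch = data[i:i + 1]
                if ch == b"\\":
                    i += 1
                elif ch == b"(":
                    depth += 1
                elif ch == b")":
                    depth -= 1
                i += 1
        elif data[i:i + 2] == b"<<":          # dictionary open, not a string
            i += 2
        elif c == b"<":                       # hex <..> or ASCII85 <~..~> string
            term = b"~>" if data[i + 1:i + 2] == b"~" else b">"
            end = data.find(term, i + 1)
            i = n if end < 0 else end + len(term)
        elif c in WHITESPACE or c in DELIMS:
            i += 1
        else:                                 # name or number token
            j = i
            while j < n and data[j:j + 1] not in WHITESPACE + DELIMS:
                j += 1
            if data[i:j].decode("latin-1") in RISKY:
                found.add(data[i:j].decode("latin-1"))
            i = j
    return sorted(found)

# Constructed sample job, not taken from the thread.
SAMPLE_JOB = (b"%!PS-Adobe-3.0\n% exitserver in a comment is ignored\n"
              b"(startjob in a string is ignored) show\nserverdict begin 0 exitserver\n"
              b"<< /Password 0 >> setsystemparams\nshowpage\n")
```

This is a static heuristic: it does not decode binary or encrypted sections of a job, and it cannot spot jobs that merely burn CPU, paper or toner, so it complements rather than replaces keeping the printer off a public address.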


