[170037] in North American Network Operators' Group


Re: misunderstanding scale (was: Ipv4 end, its fake.)

daemon@ATHENA.MIT.EDU (Mark Andrews)
Sun Mar 23 17:02:53 2014

To: Nick Hilliard <nick@foobar.org>
From: Mark Andrews <marka@isc.org>
In-reply-to: Your message of "Sun, 23 Mar 2014 20:23:06 -0000."
 <532F42AA.9000604@foobar.org>
Date: Mon, 24 Mar 2014 08:02:13 +1100
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


In message <532F42AA.9000604@foobar.org>, Nick Hilliard writes:
> On 23/03/2014 18:39, Mark Andrews wrote:
> > As for printers directly reachable from anywhere, why not.
> 
> because in practice it's an astonishingly stupid idea.  Here's why:
> 
> chargen / other small services
> ssh
> www
> buffer overflows
> open smtp relays
> weak, default or non existent passwords
> information leakage from non-protected services
> 
> and so forth.
>
> Nothing wrong with global reachability, don't get me wrong - and if I
> thought for a pico-second that printers or any other connectible device
> took even the most basic steps at handling security fundamentals, I might
> even be ok about the idea.
> 
> But they don't: printer drivers and interface firmware are written by
> people whose only ability is relaying eps and pcl files from one socket to
> another and pumping their code full of rage-inducing bloatware, the only
> purpose of which is to serve the blind whims of idiotic product managers
> who derive a sadistic satisfaction from ensuring that their products
> interfere as much as humanly possible with the process of committing ink
> and toner to paper.  Security management doesn't even get a look in.
> 
> 12 months after market debut, printer firmware updates cease forever for
> that particular model, and the inevitable result is a line-rate bot spewing
> obnoxious crap until the day that the device is thrown on to the scrap heap
> that it deserved when it was first unpacked.
> 
> Exactly the same principle applies to pretty much any consumer device,
> although I admit that printers are worse offenders than most.
> 
> We can all agree that what's needed here is full consumer choice and the
> ability to address things globally, should one desire to do so.  In
> practice, default deny is a more sensible approach to handling the reality of
> connecting devices to a public network.
> 
> Nick

Actually all you have stated is that printer vendors need to clean
up their act and not that one shouldn't expect to be able to expose
a printer to the world.  It isn't hard to do this correctly.  It
also does not cost much on a per device basis.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
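The "default deny" that Nick argues for, written out as an added example that is not part of either message: an nftables ruleset for a printer (or the router port directly in front of it) that has a globally routable address but accepts print and management traffic only from where it is expected. The site prefix and management host are RFC 3849 documentation addresses standing in for real ones, and the port list is an assumption about which print services the device actually offers; the point is that every service Nick lists (chargen, ssh, www, smtp, and whatever else the firmware ships with) falls through to the drop policy unless it is explicitly allowed.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread. Default-deny host/edge firewall for a
# globally reachable printer. Prefixes below are RFC 3849 documentation
# addresses used as placeholders (assumption), not a real site.
flush ruleset

define site_prefix = 2001:db8:1::/48      # assumption: the site's own IPv6 allocation
define mgmt_host   = 2001:db8:1:ff::10    # assumption: the admin workstation
define print_ports = { 515, 631, 9100 }   # LPD, IPP, raw/JetDirect (assumed service set)

table inet printer_fw {
    chain input {
        # policy drop is the default-deny part: anything not matched below is dropped
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 is not optional on IPv6: neighbour discovery, RAs and PMTUD
        # stop working if it is blocked. Keep ping so the device stays debuggable.
        meta l4proto ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big,
            time-exceeded, parameter-problem, echo-request, nd-router-advert,
            nd-neighbor-solicit, nd-neighbor-advert } accept
        meta l4proto icmp accept

        # Printing itself: only from the site's own prefix, never from the open Internet.
        ip6 saddr $site_prefix tcp dport $print_ports accept

        # Management plane (web UI, SNMP): only from the admin host.
        ip6 saddr $mgmt_host tcp dport { 80, 443 } accept
        ip6 saddr $mgmt_host udp dport 161 accept

        # Everything else the firmware listens on (chargen, ssh, smtp, ...) is
        # never reachable from outside. Log a sample of the attempts so the
        # exposure is visible rather than silent, then fall through to drop.
        limit rate 5/minute log prefix "printer-fw drop: "
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`. If the device's firewall cannot be configured, the same ruleset belongs on the upstream router or switch ACL; the printer keeps its global address and stays reachable from the places it should be, which is Mark's point, without the rest of the world ever talking to its chargen port, which is Nick's.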

