Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
HP Network Networking Printer

HP Shutting Down Default FTP, Telnet Access To Network Printers (pcworld.com) 83

Security experts consider the aging FTP and Telnet protocols unsafe, and HP has decided to clamp down on access to networked printers through the remote-access tools. From a report on PCWorld: Some of HP's new business printers will, by default, be closed to remote access via protocols like FTP and Telnet. However, customers can activate remote printing access through those protocols if needed. "HP has started the process of closing older, less-maintained interfaces including ports, protocols and cipher suites" identified by the U.S. National Institute of Standards and Technology as less than secure, the company said in a statement. In addition, HP also announced firmware updates to existing business printers with improved password and encryption settings, so hackers can't easily break into the devices.
This discussion has been archived. No new comments can be posted.

HP Shutting Down Default FTP, Telnet Access To Network Printers

Comments Filter:
  • Fuck your liberty. We will track you!

  • Firmware (Score:2, Informative)

    by Anonymous Coward

    Oh no HP, after you disabled my compatible cartridges, I am not getting your dirty firmware ever again in my printer.

  • by 110010001000 ( 697113 ) on Tuesday December 06, 2016 @11:09AM (#53433061) Homepage Journal
    You don't need to be an expert to know that FTP/TELNET is unsafe. So is SSH in some configurations.
    • But it is a big company changing something that we took for granted in the 1990's. There has to be a motive behind it that is meant to screw with us.

      Granted I remember back in the good old days of the 1990's where printers were setup with a static outside address. And when there was that LPR buffer overflow hack there were hundreds of wasted pages from people trying to hack the printer in hope it was an old unix server with the LPR flaw in it.

      • Re:Experts? (Score:5, Insightful)

        by EndlessNameless ( 673105 ) on Tuesday December 06, 2016 @11:38AM (#53433315)

        There has to be a motive behind it that is meant to screw with us.

        Not really. We started kicking printers off the network if they couldn't be secured. HP was the biggest offender by far.

        If departments have to choose between having a dedicated "printer PC" vs having a decent network printer, they usually want the convenience of a network printer. And when HPs aren't eligible, HP loses sales.

        A lot of businesses still don't care about security, but enterprise vendors are increasingly being pressured by those who do.

        • secured = can still print jobs to it and you can do a lot of damage with just that. Even say if you don't pay me $1000 I will send endless pages of pure black to this printer.

          or this

          https://hardware.slashdot.org/... [slashdot.org]

      • ... but telnet and ftp are generic protocols with clients available on most systems. Wheres the many in that? Whats a company to do? Hey, how about rolling its own proprietary protocols to lock-in users with client software that need to be paid for? Ker-ching!

        • by tepples ( 727027 )

          but telnet and ftp are generic protocols with clients available on most systems

          As are SSH and SFTP.

        • telnet and ftp are generic protocols with clients available on most systems

          by "most systems" you mean "windows servers", right? SSH is available in any other system: not existing by default on Windows systems is M$ fault...

      • There has to be a motive behind it that is meant to screw with us.

        Shit security and the recent flood of botnets and DDoS attacks isn't enough reason?

      • The motive is that enterprise IT departments are choosing HP alternatives like Epson and Brother because of issues like this.

    • Plenty of printers with telnet access didn't even ask for a password by default, they just dropped you straight into the printers command shell as soon as you connected. Encrypting the network link won't make that sort of zero security any safer.

      • by skids ( 119237 )

        Also the built-in firewalling on them often only protects certain services, leaving, for example, SNMPv2 running, the initial negotiation packets of which, even if the password is set, can still be used as a force multiplier for DDoS. Or in some cases, actually putting rules in the firewalling slows things to a crawl. Or in other cases, there is no firewalling facility. And all this can vary among individual models from a single vendor.

    • by TWX ( 665546 )

      You don't need to be an expert to know that FTP/TELNET is unsafe. So is SSH in some configurations.

      Actually you do. Non-experts don't even know what FTP and telnet are in the vast majority of cases. Hell, your average person doesn't even know why a web address starts out with "http://" or "https://", especially since browsers have largely done away with the need to type that stuff. Hell, most users don't even know why there's a tertiary level domain or even that domains are heirarchical in the first place.

      Don't confuse your professional or hobbyist knowledge with that which the average person would

  • what about not giving a printer an public IP so that any one can print to them.

    • by Anonymous Coward
      Nobody does that. The problem is that you cannot consider your internal corporate network secure. Anyone still doing that is in for a rude awakening. Devices on the corporate network need to run host firewalls and generally protect themselves just like they were on the internet.
      • EVERYBODY should do that! Unless you want all your paper and ink/toner used up by random people printing penises on your printer, for God's sake, DON'T let the internet have access to it!
    • by wkk2 ( 808881 )

      Feed the printer from a print server and put the printer on its own VLAN.

    • I tried this once using cups-pdf. After about 8 months I shut it off, I didn't get any print jobs submitted to it. Very disappointing, I was really interested in what sort of things I might get. I guess no one is scanning the Internet for printers to print to them anymore.
  • by Anonymous Coward

    I used for Xerox until a few months ago and they never allowed telnet or FTP access on MFPs that went out the door. The engineers there were smart enough to block that from day one. I'm amazed that HP had this kind of access available.

  • by aglider ( 2435074 ) on Tuesday December 06, 2016 @11:24AM (#53433205) Homepage
    Interesting! Modders, please mod up HP for a very interesting application!
  • Yeah, thanks HP....you're only about 20 years too late to the party.

    What's HP's next innovative security move? Not passing SQL queries in the URL?

  • Comment removed based on user account deletion
  • by Anonymous Coward

    I guess sending swastika's to 29K open printers many of them in university "safe spaces" got HP's attention.

    https://storify.com/weev/a-sma... [storify.com]

    https://www.washingtonpost.com... [washingtonpost.com]

  • What is a legitimate use case where you want to print something out, but are nowhere near the printer to collect the output?
    • by tepples ( 727027 )

      What is a legitimate use case where you want to print something out, but are nowhere near the printer to collect the output?

      The same legitimate use cases as facsimile.

    • by rgmoore ( 133276 )

      A possible use case would be an enterprise with a very specialized, expensive printer- like a super-high speed or large format printer- that's kept in a centralized location. Jobs would be submitted remotely and then the output would be shipped to the submitter. HP makes some very high-end printing products where that kind of workflow makes sense.

  • How about fixing your website(s), which use FTP, and possibly Telnet, before focusing on your printers? There are an awful lot of people who would love to be able to replace broken parts without spending 3 days trying to guess the right part number, as well as some of us working on more interesting equipment (like the Alphas) who just love it if you would fix some of those broken links to much needed firmware upgrades.

    As for your printers, charge a lot for the printer, give it the ability to run some versio

  • Too bad... I remember using telnet to surreptitiously change the message displayed on the little LCD display on the office printer. "Error: out of white toner" "Insert coin to continue" "Help I'm stuck in a printer"... good times...

    • I remember this - I had a cron job running once every 5 minutes that would use curl to get the current weather report, parse that for the temperature and update the LCD on the printer. Good times indeed...

  • I create my documents by telnetting into the printer and typing directly into printer memory with copy con. Whatever will I do now?
  • I still use it from time to time, probably once a year. Sometimes, the cups server is down, or the default configuration of the printing server is messed up and I'm in a hurry, well, then I resort to using ftp to print documents (usually last minute exams). It's quite handy. When this happens I'm usually the only one in the lab able to print something...

  • The Telnet protocol was obsolete and insecure as of 20 years ago... They only now realize it? No wonder the company has beeing going in the wrong direction that investors want.
  • I know a lot of people are thinking this is the first step to forcing people to pay HP by the page for their printers or something, but FTP and telnet have been on JetDirects forever, back when they were big chunky boxes you plugged into the parallel port of your LaserJet 4si. I doubt much of that JetDirect code has changed in decades, given what I see when I have to FTP to the odd printer to send it firmware or something.

    I guarantee the main motivation is to make it so that HP doesn't have to keep patching

  • For our security, one can go buy passwords from HP for 40$ each. They'll be encased in boxes about 6" x 6" x 10", and printed on plastic cards in case you ever need to log into your printer during a downpour. You'll be able to obtain HP-Certified passwords, produced using premium random string generation systems to be able to access your printers. They last six months, then they expire and you need to buy another in order to get your printer working again.
  • Big printers / copiers have HDD's with lot's of data on them and the places that resell them really don't wipe them.

  • Who the hell is printing over telnet or ftp?

    • by Anonymous Coward

      Telnet is the only way to print, from an IBM 3030.

  • With HP adding 'regional protections' to new printers, effectively locking out after market consumables, you should investigate any security firmware upgrades carefully, they may come with unwanted 'features'.

Where there's a will, there's an Inheritance Tax.

Working...