HP Shutting Down Default FTP, Telnet Access To Network Printers (pcworld.com)
Security experts consider the aging FTP and Telnet protocols unsafe, and HP has decided to clamp down on access to networked printers through the remote-access tools. From a report on PCWorld: Some of HP's new business printers will, by default, be closed to remote access via protocols like FTP and Telnet. However, customers can activate remote printing access through those protocols if needed. "HP has started the process of closing older, less-maintained interfaces including ports, protocols and cipher suites" identified by the U.S. National Institute of Standards and Technology as less than secure, the company said in a statement. In addition, HP also announced firmware updates to existing business printers with improved password and encryption settings, so hackers can't easily break into the devices.
SOP for a Company that Requires Registration (Score:2)
Fuck your liberty. We will track you!
Re: (Score:2)
No, no, courage is ripping out a feature that half your users use. Ripping out a feature that .0001% of your users use and is probably being actively exploited in the rare situations where it is used takes epic courage!
Firmware (Score:2, Informative)
Oh no HP, after you disabled my compatible cartridges, I am not getting your dirty firmware ever again in my printer.
Experts? (Score:3)
Re: (Score:3)
But it is a big company changing something that we took for granted in the 1990s. There has to be a motive behind it that is meant to screw with us.
Granted, I remember back in the good old days of the 1990s when printers were set up with a static outside address. And when there was that LPR buffer overflow hack there were hundreds of wasted pages from people trying to hack the printer in hope it was an old Unix server with the LPR flaw in it.
Re:Experts? (Score:5, Insightful)
There has to be a motive behind it that is meant to screw with us.
Not really. We started kicking printers off the network if they couldn't be secured. HP was the biggest offender by far.
If departments have to choose between having a dedicated "printer PC" vs having a decent network printer, they usually want the convenience of a network printer. And when HPs aren't eligible, HP loses sales.
A lot of businesses still don't care about security, but enterprise vendors are increasingly being pressured by those who do.
secured = can still print jobs to it and you can d (Score:2)
secured = can still print jobs to it, and you can do a lot of damage with just that. Even, say, "if you don't pay me $1000 I will send endless pages of pure black to this printer."
or this
https://hardware.slashdot.org/... [slashdot.org]
Re: (Score:2)
Printers have been a good harbinger of what is to come in the IoT world, especially ones made in the past decade. Basically they are vulnerable devices that will never see an update. I won't be surprised to see other planned obsolescence things like I encountered on one printer -- a sensor that watched a paper path gear, and when the gear wore out past a certain threshold, would stop the printer from printing completely, with the solution being to replace the entire printer. My fix was to 3D print anothe
Call me a cynic... (Score:2)
... but telnet and ftp are generic protocols with clients available on most systems. Where's the money in that? What's a company to do? Hey, how about rolling its own proprietary protocols to lock in users with client software that needs to be paid for? Ker-ching!
SSH (Score:2)
but telnet and ftp are generic protocols with clients available on most systems
As are SSH and SFTP.
Re: (Score:1)
By "most systems" you mean "Windows servers", right? SSH is available in any other system: not existing by default on Windows systems is M$'s fault...
Re: (Score:2)
There has to be a motive behind it that is meant to screw with us.
Shit security and the recent flood of botnets and DDoS attacks isn't enough reason?
Re: (Score:2)
The motive is that enterprise IT departments are choosing HP alternatives like Epson and Brother because of issues like this.
Re: (Score:2)
Authentication over Telnet or FTP sends a pre-shared key called a "password" over the wire in cleartext. This means of authentication is subject to a replay attack. SSH and SFTP lack this vulnerability, so long as the server can be identified out of band.
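What the cleartext exposure described in the comment above looks like to a passive network monitor, as an added example that is not part of the original thread. The segments, account name and password are constructed, and `find_cleartext_logins` is a hypothetical helper; the same login pattern is run over FTP and SSH payloads, and only the FTP control channel matches.

```python
import re

# Constructed client-to-server TCP payloads as (destination port, bytes).
# The account name, password and SSH bytes are made up for illustration.
SAMPLE_SEGMENTS = [
    (21, b"USER printadmin\r\n"),
    (21, b"PASS constructed-pw-123\r\n"),
    (21, b"STOR job.ps\r\n"),
    (22, b"SSH-2.0-OpenSSH_7.4\r\n"),               # version banner is plaintext
    (22, bytes.fromhex("8f3a1c77e05b92d4a6c8f1")),  # stand-in for encrypted packets
]

# FTP commands are case-insensitive; USER and PASS carry the credentials.
FTP_LOGIN = re.compile(rb"^(USER|PASS) (.+)$", re.IGNORECASE)


def find_cleartext_logins(segments):
    """Return (port, verb, shown_value) for each readable login command.

    The password is reported by length only, so the monitor's own log
    does not become another copy of the secret.
    """
    findings = []
    for dst_port, payload in segments:
        for line in payload.split(b"\r\n"):
            match = FTP_LOGIN.match(line)
            if not match:
                continue  # SSH banner and encrypted bytes end up here
            verb = match.group(1).upper().decode("ascii")
            value = match.group(2).decode("latin-1")
            if verb == "PASS":
                value = "<%d bytes readable on the wire>" % len(match.group(2))
            findings.append((dst_port, verb, value))
    return findings


if __name__ == "__main__":
    for port, verb, shown in find_cleartext_logins(SAMPLE_SEGMENTS):
        print(port, verb, shown)
```

Because the PASS line is the same bytes on every login, anything that records it once can present it again, which is the replay problem the comment names.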
Re: (Score:2)
I can't wait for all the "how do I update my authorized_hosts on my printer" posts on stack.
SSH is irrelevant in a lot of cases (Score:2)
Plenty of printers with telnet access didn't even ask for a password by default, they just dropped you straight into the printer's command shell as soon as you connected. Encrypting the network link won't make that sort of zero security any safer.
Re: (Score:2)
Also the built-in firewalling on them often only protects certain services, leaving, for example, SNMPv2 running, the initial negotiation packets of which, even if the password is set, can still be used as a force multiplier for DDoS. Or in some cases, actually putting rules in the firewalling slows things to a crawl. Or in other cases, there is no firewalling facility. And all this can vary among individual models from a single vendor.
Re: (Score:3)
You don't need to be an expert to know that FTP/TELNET is unsafe. So is SSH in some configurations.
Actually you do. Non-experts don't even know what FTP and telnet are in the vast majority of cases. Hell, your average person doesn't even know why a web address starts out with "http://" or "https://", especially since browsers have largely done away with the need to type that stuff. Hell, most users don't even know why there's a tertiary level domain or even that domains are hierarchical in the first place.
Don't confuse your professional or hobbyist knowledge with that which the average person would
what about not giving a printer a public IP (Score:2)
what about not giving a printer a public IP so that anyone can print to them.
Re: (Score:1)
That is my therapy, you insensitive clod!
Re: (Score:3)
worse than HTTP because the latter is a transport layer only. All auth is accomplished through HTTPS.
Strictly speaking, he did say HTTP, which without TLS isn't any better. Of course there's nothing suggesting that HTTP without TLS would be open so it's a bit of a weird leap to make.
I will say in practice HTTPS on embedded IT equipment is only a little useful in most cases, since they have unverified certificates to kick things off. There are rare areas that bother to do proper certificates and/or rare software that gives self signed certs the appropriate treatment, but overwhelmingly people click on htt
It's bitztream (Score:1)
..the autism-hating, custom EpiPen-hating, Musk-hating Slashdot troll!
Re: (Score:2)
Feed the printer from a print server and put the printer on its own VLAN.
Xerox MFPs never did this! (Score:1)
I worked for Xerox until a few months ago and they never allowed telnet or FTP access on MFPs that went out the door. The engineers there were smart enough to block that from day one. I'm amazed that HP had this kind of access available.
Telnet and FTP printing? (Score:3)
Re: (Score:2)
Like this?
https://www.youtube.com/watch?v=NPWi5yJK3zo
Wow, so soon? (Score:2)
Yeah, thanks HP....you're only about 20 years too late to the party.
What's HP's next innovative security move? Not passing SQL queries in the URL?
I guess Weev got their attention. (Score:1)
I guess sending swastikas to 29K open printers, many of them in university "safe spaces", got HP's attention.
https://storify.com/weev/a-sma... [storify.com]
https://www.washingtonpost.com... [washingtonpost.com]
Use case? (Score:2)
Fax (Score:2)
What is a legitimate use case where you want to print something out, but are nowhere near the printer to collect the output?
The same legitimate use cases as facsimile.
Re: (Score:2)
A possible use case would be an enterprise with a very specialized, expensive printer- like a super-high speed or large format printer- that's kept in a centralized location. Jobs would be submitted remotely and then the output would be shipped to the submitter. HP makes some very high-end printing products where that kind of workflow makes sense.
How about (Score:2)
How about fixing your website(s), which use FTP, and possibly Telnet, before focusing on your printers? There are an awful lot of people who would love to be able to replace broken parts without spending 3 days trying to guess the right part number, as well as some of us working on more interesting equipment (like the Alphas) who would just love it if you would fix some of those broken links to much needed firmware upgrades.
As for your printers, charge a lot for the printer, give it the ability to run some versio
Feed me a cat (Score:2)
Too bad... I remember using telnet to surreptitiously change the message displayed on the little LCD display on the office printer. "Error: out of white toner" "Insert coin to continue" "Help I'm stuck in a printer"... good times...
Re: (Score:2)
I remember this - I had a cron job running once every 5 minutes that would use curl to get the current weather report, parse that for the temperature and update the LCD on the printer. Good times indeed...
But... (Score:2)
Re: (Score:2)
Instead, try SSHing into the printer and typing directly into printer memory with copy con.
Source: How do i SSHot printing? [ubuntuforums.org]
I use it from time to time (Score:2)
I still use it from time to time, probably once a year. Sometimes, the cups server is down, or the default configuration of the printing server is messed up and I'm in a hurry, well, then I resort to using ftp to print documents (usually last minute exams). It's quite handy. When this happens I'm usually the only one in the lab able to print something...
LOL Now they know? (Score:1)
About time (Score:2)
I know a lot of people are thinking this is the first step to forcing people to pay HP by the page for their printers or something, but FTP and telnet have been on JetDirects forever, back when they were big chunky boxes you plugged into the parallel port of your LaserJet 4si. I doubt much of that JetDirect code has changed in decades, given what I see when I have to FTP to the odd printer to send it firmware or something.
I guarantee the main motivation is to make it so that HP doesn't have to keep patching
Next step: Premium Passwords (Score:2)
Big printers / copiers have HDDs with lots of da (Score:2)
Big printers / copiers have HDDs with lots of data on them and the places that resell them really don't wipe them.
Wat? (Score:2)
Who the hell is printing over telnet or ftp?
Re: (Score:1)
Telnet is the only way to print, from an IBM 3030.
Watch out for unwanted firmware changes (Score:2)