Slashdot Mirror


Thousands of Publicly Accessible Printers Searchable On Google

Jeremiah Cornelius writes "Blogger Adam Howard at Port3000 has a post about Google's exposure of thousands of publicly accessible printers. 'A quick, well crafted Google search returns "About 86,800 results" for publicly accessible HP printers.' He continues, 'There's something interesting about being able to print to a random location around the world, with no idea of the consequence.' He also warns about these printers as a possible beachhead for deeper network intrusion and exploitation. With many of the HP printers in question containing a web listener and a highly vulnerable and unpatched JVM, I agree that this is not an exotic idea. In the meanwhile? I have an important memo for all Starbucks employees."

9 of 192 comments

  1. Re:Imagine... by t3hfr3ak · · Score: 3, Informative

    Well, some states persecute for sharing offensive material over the internet. I'm sure the courts will say this falls into the category.

  2. Re:First rule of embedded web servers by SJHillman · · Score: 5, Informative

    But at least it keeps the major search engines from indexing your web-accessible device, which is where script kiddies and the malevolently ignorant will go to find strange machines to play with.

  3. Re:This will stop quickly by hduff · · Score: 3, Informative

    .....or 4chan.

    I'm waiting for the LULZ.

    --
    "I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
  4. Not thousands, more like 73 by Mr. McGibby · · Score: 3, Informative

    Just because google says *about* 86,500 results, doesn't mean that it's going to *actually* have that. You'd think someone who can search google that well would know this. If you go to the end of the search query, it's 73 results.

    --
    Mad Software: Rantings on Developing So
    1. Re:Not thousands, more like 73 by Anonymous Coward · · Score: 4, Informative

      Just because google says *about* 86,500 results, doesn't mean that it's going to *actually* have that. You'd think someone who can search google that well would know this. If you go to the end of the search query, it's 73 results.

      Actually it is about 86,500 - the 73 results are considered unique, but when you "repeat the search with the omitted results included" at the end, it includes many, many more nodes.

  5. I work in the photocopy industry... by Anonymous Coward · · Score: 2, Informative

    And I use these open web interfaces all the time to help guide dumb ass engineers how to fix things over the phone.

    The first time I spotted an MFP on the internet I did send a print job letting them know that they should probably fix it (I did check the machine was in an English-speaking country first!) But I no longer bother any more.

  6. HP Printers don't run Oracle's (Sun) JVM by MythicalMan · · Score: 4, Informative

    The article leads the reader to believe that the VM running on HP LaserJet printers is an old version of Sun's -- now Oracle -- JVM. That's not true. HP Printers run ChaiVM, a clean-room implementation written based on the published specification. Moreover HP has historically recommended their customers to NOT expose printers to the public Internet. The embedded web server is an administration tool, not a fully-fledged HTTP server, and was not designed to be used that way.

    Disclaimer: Even though I work for HP and had access to the LJ firmware internals in the recent past, I'm NOT speaking on behalf of HP.

    --
    --- Signature? You must be kidding!
  7. Re:First rule of embedded web servers by Jeremiah Cornelius · · Score: 3, Informative

    There is a way to upload new printer firmware - usually protected with default administrator credentials. First, set the printer's TCP settings to point to YOUR own DNS host.... :-)

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  8. Re:Imagine... by BitZtream · · Score: 3, Informative

    Yes, unauthorized access of pretty much anything is illegal, WTF makes you think it wouldn't be anyway?

    However, specifically, unauthorized access of a computer or telecommunications equipment is most certainly covered under several federal laws.

    Unauthorized access means 'doing anything they didn't want you to do, specifically stated in advance or otherwise.', so pretty much anytime you touch any computer without permission in any way, it's covered.

    That doesn't consider any pornography or offensive content standards and a crapton of other laws.

    I'm just curious as to why you wouldn't instinctively know this is covered in about a billion different ways. Are you 12? Do you still think some silly little 'well they didn't say THAT' kind of thing is a legal loophole?

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager