Slashdot Mirror


HP Shutting Down Default FTP, Telnet Access To Network Printers (pcworld.com)

Security experts consider the aging FTP and Telnet protocols unsafe, and HP has decided to clamp down on access to networked printers through the remote-access tools. From a report on PCWorld: Some of HP's new business printers will, by default, be closed to remote access via protocols like FTP and Telnet. However, customers can activate remote printing access through those protocols if needed. "HP has started the process of closing older, less-maintained interfaces including ports, protocols and cipher suites" identified by the U.S. National Institute of Standards and Technology as less than secure, the company said in a statement. In addition, HP also announced firmware updates to existing business printers with improved password and encryption settings, so hackers can't easily break into the devices.

9 of 83 comments

  1. Firmware by Anonymous Coward · · Score: 2, Informative

    Oh no HP, after you disabled my compatible cartridges, I am not getting your dirty firmware ever again in my printer.

  2. Experts? by 110010001000 · · Score: 2

    You don't need to be an expert to know that FTP/TELNET is unsafe. So is SSH in some configurations.

    1. Re:Experts? by jellomizer · · Score: 2

      But it is a big company changing something that we took for granted in the 1990's. There has to be a motive behind it that is meant to screw with us.

      Granted I remember back in the good old days of the 1990's where printers were set up with a static outside address. And when there was that LPR buffer overflow hack there were hundreds of wasted pages from people trying to hack the printer in hope it was an old unix server with the LPR flaw in it.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:Experts? by EndlessNameless · · Score: 4, Insightful

      > There has to be a motive behind it that is meant to screw with us.

      Not really. We started kicking printers off the network if they couldn't be secured. HP was the biggest offender by far.

      If departments have to choose between having a dedicated "printer PC" vs having a decent network printer, they usually want the convenience of a network printer. And when HPs aren't eligible, HP loses sales.

      A lot of businesses still don't care about security, but enterprise vendors are increasingly being pressured by those who do.

      --
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    3. Re: Experts? by Zero__Kelvin · · Score: 2

      That is a ridiculous stance to take. Closing a vulnerability is exactly that ... You do it regardless of the fact that there are sure to be others in the system. If you don't start somewhere, how can you ever finish?

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    4. Re:Experts? by TWX · · Score: 2

      > You don't need to be an expert to know that FTP/TELNET is unsafe. So is SSH in some configurations.

      Actually you do. Non-experts don't even know what FTP and telnet are in the vast majority of cases. Hell, your average person doesn't even know why a web address starts out with "http://" or "https://", especially since browsers have largely done away with the need to type that stuff. Hell, most users don't even know why there's a tertiary level domain or even that domains are hierarchical in the first place.

      Don't confuse your professional or hobbyist knowledge with that which the average person would have. After all, if they had this knowledge they wouldn't need to pay you to take care of their computers for them.

      --
      Do not look into laser with remaining eye.
  3. Telnet and FTP printing? by aglider · · Score: 2

    Interesting! Modders, please mod up HP for a very interesting application!

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
  4. Re: what about not giving a printer an public IP by Junta · · Score: 2

    > worse than HTTP because the latter is a transport layer only. All auth is accomplished through HTTPS.

    Strictly speaking, he did say HTTP, which without TLS isn't any better. Of course there's nothing suggesting that HTTP without TLS would be open so it's a bit of a weird leap to make.

    I will say in practice HTTPS on embedded IT equipment is only a little useful in most cases, since they have unverified certificates to kick things off. There are rare areas that bother to do proper certificates and/or rare software that gives self-signed certs the appropriate treatment, but overwhelmingly people click on https and click through the warning, which reduces https to http level security (anyone who can sniff is almost always in a position to inject themselves).

    --
    XML is like violence. If it doesn't solve the problem, use more.
  5. Re:Use case? by rgmoore · · Score: 2

    A possible use case would be an enterprise with a very specialized, expensive printer- like a super-high speed or large format printer- that's kept in a centralized location. Jobs would be submitted remotely and then the output would be shipped to the submitter. HP makes some very high-end printing products where that kind of workflow makes sense.

    --
    There's no point in questioning authority if you aren't going to listen to the answers.