Printer recommendation please

Tue Apr 3 13:41:20 UTC 2012

On Tue, 03 Apr 2012 11:22:24 -0700, perryh at pluto.rain.com wrote:
> Jerry <jerry at seibercom.net> wrote:
> 
> > Obviously you are not aware of the latest trend towards the
> > movement to standardize PDF as the standard print format. I would
> > recommend you start by reading the documentation located at:
> > <http://www.linuxfoundation.org/collaborate/workgroups/openprinting>
> > and continue on from there.
> 
> That page seems to be concerned with using PDF, rather than PS, as
> a common intermediate print language in CUPS.  I see nothing there
> relevant to sending PDF directly to a printer.

See this page:

http://www.linuxfoundation.org/collaborate/workgroups/openprinting/pdfasstandardprintjobformat

It discusses (quite short, I admit) programs outputting PDF
instead of PS when generating printing data. Handing that
data over to the printer does not involve any conversion
or intermediate formats anymore.

The functionality of CUPS would then be "reduced" to what
the system's default printer spooler does (and did since
the 1970's): Read data from a program and send it to the
printer. Only the format of data has changed: pure text,
text with control characters, PS, PCL, PDF. It starts at
the "application front".

> > While there might be some rational for your security concerns on
> > a business network in regards to wireless networks, they are not
> > really relevant on a home networks. The simple ease of use that a
> > wireless network gives a user on a home network far outweigh any
> > pseudo claims of espionage.
> 
> Following that line of reasoning to its logical conclusion would
> lead one to believe that home networks have no need of any malware
> protection, e.g. anti-virus.  Any ISP which has had to deal with
> incidents precipitated by customers' infected machines -- including
> but likely not limited to DDoS and spambots -- would likely disagree.

Home networks and carelessly treated corporate networks
make the majority of what causes trouble on the Internet.
Don't notice == doesn't exist. :-)

> I maintain that an attacker can more easily trick a less-than-
> paranoid user into sending a malware "print file" to a PDF-accepting
> printer than to a non-PDF-accepting printer, simply because PDF
> is such a commonly used distribution format. 

In regards of the web being a main source of attacks, few
lines of Javascript would allow to automatically access the
printer and send it some PDF data, "drive-by attacks" made
simple.

> If someone prints a
> malware "PDF" file that they have downloaded, and the process of
> printing it does not require that it be transformed in any way (such
> as conversion to PS) before being sent to the printer, their only
> protection from disaster is whatever validation may be built into
> the printer itself.  (Keep in mind that what started the malware
> discussion was Poly's link to a report stating that some printers
> do not sufficiently validate an "update firmware" job.)

That's why I _hope_ printer manufacturers will take care
about that topic. As far as it's _possible_ to validate
PDF data that _might_ be a threat, it should be done, and
in worst case, "malicious portions" of the data should be
ignored.

> Granted the identical exposure exists for a PS printer if the
> downloaded malware file is identified as a PS file, however the
> risk is much less in practice because distribution of PS files
> is sufficiently uncommon that most unsophisticated users would
> have no idea what to do with one if they were to come across it.

Furthermore, PS files would - on most cases - undergo another
conversion, for example to PCL. A PS interpreter would have to
be exploited to "carry" malicious code from PS to PCL (if the
PCL language allows the same kind of hostile manipulation as
the PS language would). In this case, FOSS is a good shield.
Code that gets many reviews by the _public_ is less prone to
contain "backdoors" (phrase incorrectly used) that would allow
such "mis"-interpretation.

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...