Saturday, February 18, 2017

You don't need printer security

So there's this tweet:

What it's probably refering to is this:

This is an obviously bad idea.

Well, not so "obvious", so some people have ask me to clarify the situation. After all, without "security", couldn't a printer just be added to a botnet of IoT devices?

The answer is this:
Fixing insecurity is almost always better than adding a layer of security.
Adding security is notoriously problematic, for three reasons

  1. Hackers are active attackers. When presented with a barrier in front of an insecurity, they'll often find ways around that barrier. It's a common problem with "web application firewalls", for example.
  2. The security software itself can become a source of vulnerabilities hackers can attack, which has happened frequently in anti-virus and intrusion prevention systems.
  3. Security features are usually snake-oil, sounding great on paper, with with no details, and no independent evaluation, provided to the public.

It's the last one that's most important. HP markets features, but there's no guarantee they work. In particular, similar features in other products have proven not to work in the past.

HP describes its three special features in a brief whitepaper [*]. They aren't bad, but at the same time, they aren't particularly good. Windows already offers all these features. Indeed, as far as I know, they are just using Windows as their firmware operating system, and are just slapping an "HP" marketing name onto existing Windows functionality.

HP Sure Start: This refers to the standard feature in almost all devices these days of having a secure boot process. Windows supports this in UEFI boot. Apple's iPhones work this way, which is why the FBI needed Apple's help to break into a captured terrorist's phone. It's a feature built into most IoT hardware, though most don't enable it in software.

Whitelisting: Their description sounds like "signed firmware updates", but if that was they case, they'd call it that. Traditionally, "whitelisting" referred to a different feature, containing a list of hashes for programs that can run on the device. Either way, it's a pretty common functionality.

Run-time intrusion detection: They have numerous, conflicting descriptions on their website. It may mean scanning memory for signatures of known viruses. It may mean stack cookies. It may mean double-checking kernel modules. Windows does all these things, and it has a tiny benefit on stopping security threats.

As for traditional threats for attacks against printers, none of these really are important. What you need to secure a printer is the ability to disable services you aren't using (close ports), enable passwords and other access control, and delete files of old print jobs so hackers can't grab them from the printer. HP has features to address these security problems, but then, so do its competitors.

Lastly, printers should be behind firewalls, not only protected from the Internet, but also segmented from the corporate network, so that only those designed ports, or flows between the printer and print servers, are enabled.


The features HP describes are snake oil. If they worked well, they'd still only address a small part of the spectrum of attacks against printers. And, since there's no technical details or independent evaluation of the features, they are almost certainly lies.

If HP really cared about security, they'd make their software more secure. They use fuzzing tools like AFL to secure it. They'd enable ASLR and stack cookies. They'd compile C code with run-time buffer overflow checks. Thety'd have a bug bounty program. It's not something they can easily market, but at least it'd be real.

If you cared about printer security, then do the steps I outline above, especially firewalling printers from the traditional network. Seriously, putting $100 firewall between a VLAN for your printers and the rest of the network is cheap and easy way to do a vast amount of security. If you can't secure printers this way, buying snake oil features like HP describes won't help you.

Wednesday, February 01, 2017

1984 is the new Bible in the age of Trump

In the age of Trump, Orwell's book 1984 is becoming the new Bible: a religious text which few read, but which many claim supports their beliefs. A good demonstration is this CNN op-ed, in which the author describes Trump as being Orwellian, but mostly just because Trump is a Republican.

Monday, January 30, 2017

Uber was right to disable surge pricing at JFK

Yesterday, the NYC taxi union had a one-hour strike protesting Trump's "Muslim Ban", refusing to pick up passengers at the JFK airport. Uber responded by disabling surge pricing at the airport. This has widely been interpreted as a bad thing, so the hashtag "#DeleteUber" has been trending, encouraging people to delete their Uber accounts/app.

These people are wrong, obviously so.

Thursday, January 26, 2017

Is 'aqenbpuu' a bad password?

Press secretary Sean Spicer has twice tweeted a random string, leading people to suspect he's accidentally tweeted his Twitter password. One of these was 'aqenbpuu', which some have described as a "shitty password". Is is actually bad?

No. It's adequate. Not the best, perhaps, but not "shitty".

Friday, January 20, 2017

The command-line, for cybersec

On Twitter I made the mistake of asking people about command-line basics for cybersec professionals. A got a lot of useful responses, which I summarize in this long (5k words) post. It’s mostly driven by the tools I use, with a bit of input from the tweets I got in response to my query.

Friday, January 13, 2017

About that Giuliani website...

Rumors are that Trump is making Rudy Giuliani some sort of "cyberczar" in the new administration. Therefore, many in the cybersecurity scanned his website "" to see if it was actually secure from hackers. The results have been laughable, with out-of-date software, bad encryption, unnecessary services, and so on.

But here's the deal: it's not his website. He just contracted with some generic web designer to put up a simple page with just some basic content. It's there only because people expect if you have a business, you also have a website.

That website designer in turn contracted some basic VPS hosting service from Verio. It's a service Verio exited around March of 2016, judging by the archived page.

The Verio service promised "security-hardened server software" that they "continually update and patch". According to the security scans, this is a lie, as the software is all woefully out-of-date. According OS fingerprint, the FreeBSD image it uses is 10 years old. The security is exactly what you'd expect from a legacy hosting company that's shut down some old business.

You can probably break into Giuliani's server. I know this because other FreeBSD servers in the same data center have already been broken into, tagged by hackers, or are now serving viruses.

But that doesn't matter. There's nothing on Giuliani's server worth hacking. The drama over his security, while an amazing joke, is actually meaningless. All this tells us is that Verio/ is a crappy hosting provider, not that Giuliani has done anything wrong.

Monday, January 09, 2017

NAT is a firewall

NAT is a firewall. It's the most common firewall. It's the best firewall.

I thought I'd point this out because most security experts might disagree, pointing to some "textbook definition". This is wrong.

No, Yahoo! isn't changing its name

Trending on social media is how Yahoo is changing it's name to "Altaba" and CEO Marissa Mayer is stepping down. This is false.

What is happening instead is that everything we know of as "Yahoo" (including the brand name) is being sold to Verizon. The bits that are left are a skeleton company that holds stock in Alibaba and a few other companies. Since the brand was sold to Verizon, that investment company could no longer use it, so chose "Altaba". Since 83% of its investment is in Alibabi, "Altaba" makes sense. It's not like this new brand name means anything -- the skeleton investment company will be wound down in the next year, either as a special dividend to investors, sold off to Alibaba, or both.

Marissa Mayer is an operations CEO. Verizon didn't want her to run their newly acquired operations, since the entire point of buying them was to take the web operations in a new direction (though apparently she'll still work a bit with them through the transition). And of course she's not an appropriate CEO for an investment company. So she had no job left -- she made her own job disappear.

What happened today is an obvious consequence of Alibaba going IPO in September 2014. It meant that Yahoo's stake of 16% in Alibaba was now liquid. All told, the investment arm of Yahoo was worth $36-billion while the web operations (Mail, Fantasy, Tumblr, etc.) was worth only $5-billion.

In other words, Yahoo became a Wall Street mutual fund who inexplicably also offered web mail and cat videos.

Such a thing cannot exist. If Yahoo didn't act, shareholders would start suing the company to get their money back.That $36-billion in investments doesn't belong to Yahoo, it belongs to its shareholders. Thus, the moment the Alibaba IPO closed, Yahoo started planning on how to separate the investment arm from the web operations.

Yahoo had basically three choices.
  • The first choice is simply give the Alibaba (and other investment) shares as a one time dividend to Yahoo shareholders. 
  • A second choice is simply split the company in two, one of which has the investments, and the other the web operations. 
  • The third choice is to sell off the web operations to some chump like Verizon.

Obviously, Marissa Mayer took the third choice. Without a slushfund (the investment arm) to keep it solvent, Yahoo didn't feel it could run its operations profitably without integration with some other company. That meant it either had to buy a large company to integrate with Yahoo, or sell the Yahoo portion to some other large company.

Every company, especially Internet ones, have a legacy value. It's the amount of money you'll get from firing everyone, stop investing in the future, and just raking in year after year a stream of declining revenue. It's the fate of early Internet companies like Earthlink and Slashdot. It's like how I documented with Earthlink [*], which continues to offer email to subscribers, but spends only enough to keep the lights on, not even upgrading to the simplest of things like SSL.

Presumably, Verizon will try to make something of a few of the properties. Apparently, Yahoo's Fantasy sports stuff is popular, and will probably be rebranded as some new Verizon thing. Tumblr is already it's own brand name, independent of Yahoo, and thus will probably continue to exist as its own business unit.

One of the weird things is Yahoo Mail. It permanently bound to the "" domain, so you can't do much with the "Yahoo" brand without bringing Mail along with it. Though at this point, the "Yahoo" brand is pretty tarnished. There's not much new you can put under that brand anyway. I can't see how Verizon would want to invest in that brand at all -- just milk it for what it can over the coming years.

The investment company cannot long exist on its own. Investors want their money back, so they can make future investment decisions on their own. They don't want the company to make investment choices for them.

Think about when Yahoo made its initial $1-billion investment for 40% of Alibaba in 2005, it did not do so because it was a good "investment opportunity", but because Yahoo believed it was good strategic investment, such as providing an entry in the Chinese market, or providing an e-commerce arm to compete against eBay and Amazon. In other words, Yahoo didn't consider as a good way of investing its money, but a good way to create a strategic partnership -- one that just never materialized. From that point of view, the Alibaba investment was a failure.

In 2012, Marissa Mayer sold off 25% of Alibaba, netting $4-billion after taxes. She then lost all $4-billion on the web operations. That stake would be worth over $50-billion today. You can see the problem: companies with large slush funds just fritter them away keeping operations going. Marissa Mayer abused her position of trust, playing with money that belong to shareholders.

Thus, Altbaba isn't going to play with shareholder's money. It's a skeleton company, so there's no strategic value to investments. They can make no better investment choices than its shareholders can with their own money. Thus, the only purpose of the skeleton investment company is to return the money back to the shareholders. I suspect it'll choose the most tax efficient way of doing this, like selling the whole thing to Alibaba, which just exchanges the Altaba shares for Alibaba shares, with a 15% bonus representing the value of the other Altaba investments. Either way, if Altaba is still around a year from now, it's because it's board is skimming money that doesn't belong to them.

Key points:

  • Altaba is the name of the remaining skeleton investment company, the "Yahoo" brand was sold with the web operations to Verizon.
  • The name Altaba sucks because it's not a brand name that will stick around for a while -- the skeleton company is going to return all its money to its investors.
  • Yahoo had to spin off its investments -- there's no excuse for 90% of its market value to be investments and 10% in its web operations.
  • In particular, the money belongs to Yahoo's investors, not Yahoo the company. It's not some sort of slush fund Yahoo's executives could use. Yahoo couldn't use that money to keep its flailing web operations going, as Marissa Mayer was attempting to do.
  • Most of Yahoo's web operations will go the way of Earthlink and Slashdot, as Verizon milks the slowly declining revenue while making no new investments in it.