Applying updates without user consent is the evil part.

The only problem is the closed source drivers that could use it at any time.

I doubt it would ever be prosecuted. It is important to remember that the law doesn’t mean what you think it means, it means what the average prosecutor and/or judge thinks it means. Those laws were invented for use against scary “hackers”, not printer manufacturers updating their own products

I wonder if this is a way to install custom firmware. Probably not. I would guess that the code that decodes the firmware from the print job probably passes it through the same signature check code as the regular firmware update process.

Still it's an interesting route for exploit exploration.

The complexity is really in constructing the replacement firmware to drive the hardware correctly; developing that is probably easier if you dismantle the printer and find debug leads on the motherboard. Getting the common chips like networking going sounds doable, but for the actual printing there's lots of trade secrets around driving the actual printing hardware.

A more likely route: a Chinese factory should be able to make a smallish batch of cheap monochrome laser printers with good-enough print quality, publish badly-written but usable specs for it, and make it easy to replace the firmware.

I don't know if I'd be surprised or not to find out that you actually can't print from ios. It seems crazy to me, especially considering ipads, but the entire Apple ecosystem seems crazy to me and yet it exists despite my incredulity.

I could even print from webos and palm but I guess that doesn't matter now. 50/50 toss up if the current webos on lg tvs still has any printer drivers. But if there was still any webos printer drivers, they will not be open source and so you can not trust them not to do unwanted things to your printer some day.

The printer doesn't care what physical connection or network protocol is used, including airprint, and in the case of ios, while you might be able to print some documents without using any software from HP, HP does still have a an "HP Smart" app (and probably others) for ios. Meaning that blocking the printer from the internet does not prevent the printer from receiving updates, and all of the closed-source platforms are the primary dangers as sources of update print jobs.

Technicall linux/bsd are not garanteed safe either. It's possible for a native linux app to send the same kind of update, but just far less likely without the users knowledge or intent.

You have to go pretty far out of your way to install non-repo software from a printer manufacturers web site, and actively grant it permission to install and activate services that run on their own... And even if you did that, if such software even existed that was not well-behaved, the first time it did that to a linux user that didn't expect it, we would all find out about it and every google search on the topic of linux drivers for that printer would warn about the bad software.

Or just no one would ever actually bother even looking to try to install it in the first place simply because the normal open source drivers and apps work well and the manufacturers software is a crazy mess.

I had a Samsung color laser printer that actually had linux software provided by Samsung that I actually installed just to check it out. HOLY SHITBALLS it was terrible both outwardly just using it as a user and behind the scenes how it was written. Just crazy utter garbage all around. That software, since it wasn't open source, might do anything on it's own just like a Windows driver, including sending a printer update, but it was such junk, and so not-needed, that no linux user ever installs it, so it does no harm even though it exists and could.

If the blob is delivered in a ps package over https, or bluetooth, or via lpr or jetdirect makes no difference.

The point is that software you don't control generated the data and delivered it to the printer.

The same danger on Windows doesn't come from Microsoft. You download and install software from HP and it does the deed.

You could in theory write an open source driver that runs on windows and is safe. There are also old closed source drivers which just happen to be well behaved. Which is why I said "drivers you aren't 100% sure about".

On Android, depending on the version and distribution, there have been both pre-installed and user-installable printer drivers from hp and samsung and everyone else, pretty much just like on Windows. Even the pre-installed whichbare "part of the os" are written by the manufacturer not Google or AOSP. And just like Windows it is technically possible to write an open source driver that you can safely use and trust. Which again is why I said "drivers you aren't 100% sure about"

I don't "fear" anything. It is simply a fact that printers have an update mechanism that doesn't require the printer to have access to the internet, which is merely a print job.

And so if one wants, as the gggp comment did, to ensure that ones printer cannot be updated without ones deliberate instigation, one must also be aware of all possible sources of print jobs.

I don't know why you seem to have a problem with this. What scenario do you fear? In what way does this knowledge hurt you?

An update print job is just a blob of data that anything can squirt at the printer. A person doesn't need to press "print" anywhere, or do anything at all, or even know that it happened.

Any driver or application software that was written by the same people as the printers own firmware can do it all by itself any time it wants, for the same reasons that the printers own firmware does in fact already do it all by itself any time it wants.

I don't know why you find this so unbelievable.

Two seconds on kagi yields http://h10032.www1.hp.com/ctg/Manual/c06530233.pdf

"HP printing devices have the ability to accept firmware upgrades, solutions software and custom color table “bundles sent as a print job. The “Allow firmware updates sent as print jobs (Port 9100)” setting controls the ability for the printing device to accept firmware over the standard printing port, and also applies to firmware sent over all print-path methods including FTP, LDP, IPP(s), EWS Print page or Copy command."

(meaning that although the label on the setting in this particular printer's ui mentions "port 9100", it's not actually limited to jetdirect, the special print job is recognized no matter what path or protocol it took to arrive at the printer)

I could never understand why my Windows Explorer (back in the ZoneAlarm days) were speaking to Microsoft when I was searching for my FileName.doc inside my C: Drive.

I could understand the Word or Excel accessing when I need "Help" (I assume online help file was more frequently updated).

No! Naughty developers and naughty businesses. My machines should leave my 127.0.01 when I want for MY uses and MY needs and MY convenience.

For vast majority of home users the only app that needs to 'get out' is their browser and their "windows udpate". Everything else is just tracking.

Yes.

But every now and then consumers get a tempting offer and trade a bit of their freedom for lower price, more comfort, more prestige, or something else. I.e. in practice buyers don’t mind that much and likely also don’t understand the difference and the consequences that well.

this could be a very good argument to explain why so many have become skeptical of companies.

we have example after example where companies take advantage of people.

hearing my grandfathers generation go on about “the days when you could trust a company to be fair” i used to think they were seeing with rose-tinted glasses, but more and more im convinced we’re dealing something much more nefarious than that generation.

Those days never really existed. It was simply that their misbehavior affected groups of people who didnt have access to the media and power structures. For the US, e.g.: central Americans (banana company inspired coups), native tribes (water pollution, deforestation), poor whites (coal ash pollution), etc.

I can see that companies treated their employees better, but that might also be correlated with strong unions, less regulatory capture, more competition, or some other factor, rather than intrinsic goodness.

Behaviour has improved for various reasons.

All we’re seeing now is that people’s technological surface area is expanding from zero to infinity so there are lots of new little cracks and edge cases society still has to sort out.

this is part of the trend lately that has money flowing upwards and not back down again. if the end-user/customer is at the bottom, wages they're paid are what go into the economy and do the work that money does all the way up the chain of commerce until it reaches some rich guy shaped like a sphere who smokes cigars and laughs maniacally all the time. but because he's been tightening budgets on all the companies he's on the boards of, the employees of those companies get less money every year to spend on things. so more of the money stays in his hands. so customers have necessarily less choice on things they can buy and choices they can make in the marketplace.

eventually people get laid off or fired and now they have no money to do anything with and in the end take any job they can, if they aren't found by some employer before then. so they have less and less agency while the people selling things have more and more and more.

the end result of this is that we will become pets of the bourgeois which is exactly what they want. they not only have a need to win (which is fine by itself) but a need for all others to lose (which is not ok in any way) and they can never ever be happy with what they have.

I truly wish I had not had children. Life is going to be hard for them.

People want security issues patched, preferrably without them having to do any work or even know about it (because they won't do the work and get annoyed at popups they don't feel like they need). People want bugs fixed (and crash reports do actually help with that, despite what some say). People want companies to prioritize the features that they're using and fix places where users get "stuck", and that's much easier with telemetry. People will almost always choose free shit over products they have to pay for, and for many products, free only works if you know what ads the user should see.

most apps fall into the latter, into the network blackhole they go. You give them an inch, they take everything.

You cant even get away from this by paying (and i'm willing to to so!) because people who actually are willing to pay are the most valuable ones to advertisers - so the incentives are there to extract even more value in such case.

In case of products from outside of software domain there's this consumer assumption that product does the thing and just the thing - food doesn't try to poison you, toys are just toys and so on.

they are aware of tradeoffs - something's cheaper, it might be less safe, less featured or maybe made a bit worse.

99% of modern software is user hostile first - data extraction and maximizing value for adverts and then it might do a bad job of actually fulfilling its purpose, with updates usually making it worse over time, or jacking up prices in form of monthly subscription instead of license sale.

The only way it could have security issues is if it's connected directly to the internet (not behind NAT) or a device on my LAN is actively attacking it. The former case is difficult to accomplish without enough expertise to know better; the latter is plausible, but mitigated by a printer too simple to easily harbor a persistent threat.

And the vast majority of people hate ads like me.

I don't mind respectful¹ ads, and refrain from using sponsorblock & similar. What I object to, and actively block, is the stalking that is endemic in the ad industry and is in no way respectful.

----

[1] i.e. not the pop-ups/-unders of yore, not those that autoplay video or, worse, audio, not those that otherwise interfere with the normal use of the page I'm trying to look at, stalking etc.

When I ask around me people don't really have a very nuanced view either, though they're not as hostile as me, most of them just believe it is unavoidable. They don't have the skills I have in ad avoidance. But they don't have any kind of ethical concerns.

I can't remember the last time I was exposed to respectful ads. My home PiHole deny-lists keep growing in size and this will continue unless the internet at large changes. Which I don't believe it will, barring any civilization-wide disaster.

There are still some out there, or at least some that aren't actively disrespectful. At least sponsor spots in podcasts don't stalk me online, etc, at least when they are honest about what is happening¹. They are very much in the minority though.

----

[1] The 3D printing “community” on youtube is rife with “personal” recommendations that are obviously paid for but try to look more organic. “Today I'll test if you _really_ need to dry your PLA filament rolls, in a video sponsored by the company that makes one of the dryers I'll be testing…”

> don't include any independent rogue networking capability

Everybody and their broligarch mom wants to make these two qualities incompatible.

- Tech Enthusiasts: Everything in my house is wired to the Internet of Things! I control it all from my smartphone! My smart-house is bluetooth enabled and I can give it voice commands via Alexa! I love the future!

- Programmers / Engineers: The most recent piece of technology I own is a printer from 2004 and I keep a loaded gun ready to shoot it if it ever makes an unexpected noise.

P.S. More seriously I agree, we witnessed multiple times over the enshitification that inevitably follows.

Could some rogue javascript establish a connection from your browser to your printer?

I'm actually worried that some newer smart devices might be set up to use well known public wifi services that are available from consumer routers.

Just sitting here I have public "EE Wifi X" and "BT Internet" which it could connect to if configured at the factory to do that.

Then I am boned.

If it can, it's a vulnerability that has to be fixed.