Newsgroups: comp.risks
X-issue: 10.35
Date: Mon, 10 Sep 90 13:46:22 EDT
From: henry@zoo.toronto.edu
Subject: Re: New Rogue Imperils Printers

>... PostScript, that "surreptitiously reprograms a chip inside the
>printers, changing a seldom-used  password stored there. When the
>password is altered, ...  the printer no longer functions properly."

It's not entirely clear what is going on here -- whether the code is
simply doing a password change by virtue of knowing the old password
or whether it's doing it by some sneak path -- but it raises an
interesting risk either way.

The password on a PostScript printer (well, in the usual implementation)
is a number.  It protects certain parameters of the printer that user
code really shouldn't change, like communications parameters and idle
timeouts.  There is considerable potential for malice in knowing the
password, up to and including causing hardware damage of a minor sort
(the EEPROM used to store printer parameters can be rewritten only a
limited number of times due to wear-out processes in the chip).

The default password as shipped is 0.  Very few printer owners bother
to change this.  The problem is that there is significant incentive
*not* to change it... because the PostScript code from a good many
badly-written but legitimate applications tries password 0 and will fail
if it has been changed!  Typically, all the application uses it for is
to set some parameters back to reasonable defaults -- whether the printer
owner wants it that way or not -- but the code makes no attempt to cope
with the possibility of a non-standard password forbidding such changes.

Believe it or not, there are people who will defend the idea that you should
leave your printer's password unchanged so that programs can mess with its
parameters however they please.

                              Henry Spencer at U of Toronto Zoology utzoo!henry