Comment by moyix
9 years ago
It seems like it would be strange to give a printer a DNS name if you didn't intend to talk to it over the internet. If you're directly connected it doesn't need an IP at all.
I think the sniffing threat mentioned is overblown. As one of the commenters mentions, ISPs don't generally allow adjacent IPs to sniff traffic.
A bigger threat is that a vulnerability in the printer may have been exploited. E.g., for a long time most HP printers could have their firmware upgraded by sending them a print job. And so far the cursory look I've taken at various printer firmware has been really alarming – think thousands of calls to strcpy/memcpy and other unsafe friends.
Edit: Here's a reference for firmware upgrade via print job: http://www.internetsociety.org/sites/default/files/03_4_0.pd...
Edit2: Also, when I say "firmware upgrade" I mean arbitrary code – it wasn't verifying a digital signature or anything.
Printer firmware and drivers are the worst. I've integrated with a software package that supplies its own printer drivers because the manufacturers can't make a driver that will actually work well.
They constantly screw up the most basic of things. A good test of a network printer is to set it offline, send 20 print jobs to it (a test page is fine), then set it back online. Way too many printers will not print out all 20 print jobs, despite reporting success for all of them (this is true even of $30k printers).
I think you've misread my point. I understand this indicates an intention to talk to the printer over the internet; I don't understand why this would indicate that the emails, specifically, were printed in that manner rather than directly through a local connection. Perhaps the printer was used for printing emails locally but also was made web-accessible as a (misguided) convenience feature for printing other content.
It was on a cable internet connection. Typically that means that everything is broadcast to every customer on the same node (because cable networks are inherently broadcast-only) and the only privacy protection is a crappy 56-bit DES encryption that can be broken with a couple of dollars of compute time.