Comment: A little bit of FUD and misinformation (Score 1) 192

by penguin359 (#42756911) Attached to: Thousands of Publicly Accessible Printers Searchable On Google

This article seems to focus on spreading FUD about HP printers. The truth is that most network-enabled printers have similar web interfaces and system administrators need to be diligent about securing them if they are going to attach them to a network. This is nothing new and it's not specific to HP in any way. Most any printer with a web interface, including many (all?) of the ones showing up in that Google search, offer mechanisms to require a password to access them. They also usually offer SSL to protect the passwords from packet sniffing, but a good systems administrator should not even allow their printers to be visible beyond their firewall. If they merely spent the time to set a password on the web interface, then Google would not index them.

The link to the web listener is merely the documentation on configuring the network settings for an HP JetDirect printer. You'll find something similar for Brother, Canon, Epson, Ricoh, etc. The last link about an unpatched JVM is complete misinformation. The link points to an article about Java's latest vulnerability being patched, but I've searched online and can find no evidence that any HP printers actually run Java. The best I can determine is that they are referring to the HP LaserJet Toolbox which is an embedded Java Applet on some web interfaces for LaserJets. There is no need to update the firmware on your HP printer for this. The security vulnerability there would be in a JVM running on the computer that you are using, not the printer, and that JVM is fully upgrade-able and can even be removed if you're concerned about Java.

The only real news here is just how many system administrators have left their printers exposed to the Internet without a firewall, and, on top of that, have not bothered with even basic security on their devices like setting a password on the web interface and mandating HTTPS to secure their printers.

Comment: Re:But is there any working software? (Score 2, Insightful) 58

by penguin359 (#32673032) Attached to: Dot-Org TLD Signed For DNSSEC
It might be nice to know whether the Bank you're using is using a signed zone, for example. If they don't, you're prone to receiving DNS data that points to a cracker's IP address. SSL does not protect against this attack if SSL is not used. Most people don't realize when SSL is in use or not and will gladly log into a site without SSL. SSL can only protect once the end user gets the right IP address of the SSLized Web Server they need to log into for their Bank.

Comment: Re:But is there any working software? (Score 1) 58

by penguin359 (#32673000) Attached to: Dot-Org TLD Signed For DNSSEC
Your Windows computer still relies on an outside computer for doing the DNS lookup. This recursive DNS server can also validate all DNS data and drop data that fails validation protecting your client Windows computers. Comcast is currently in DNSSEC trials, but Comcast end-users can switch their DNS servers to the test servers and get all their DNS data validated automatically. Once this goes live, all Comcast end-users will get benefits of DNSSEC. Also, anyone can run their own recursive validating DNS servers internally and not rely on their ISP's DNS servers.

Comment: Re:As an end-user, is there some way to tell? (Score 1) 58

by penguin359 (#32672986) Attached to: Dot-Org TLD Signed For DNSSEC
It is possible to run a validating resolver on your own laptop which validates DNS data regardless of where you are connected to the Internet. You can be using any free Wi-Fi hotspot of your choosing and still be assured that the secured DNS data is accurate. Granted, this is only for zones to which you have valid trust. An unsigned zone, as most are currently, can still be spoofed.

Comment: Re:As an end-user, is there some way to tell? (Score 2, Informative) 58

by penguin359 (#32672966) Attached to: Dot-Org TLD Signed For DNSSEC
To help with this situation, there are a number of Trust Anchor Repositories (TAR) that do a certain amount of testing on the trust anchors to verify they are correct. I use ISC's DLV repository on my home servers, but there is also SecSpider that has a large database of keys as well. They run multiple resolvers around the planet that regularly pull for DNS keys and verify that they are consistent across all servers. It's less secure than trust provided by the parent, but still extremely difficult for crackers and in the absence of a signed parent, a decent alternative, IMHO.

Comment: Re:As an end-user, is there some way to tell? (Score 2, Informative) 58

by penguin359 (#32672944) Attached to: Dot-Org TLD Signed For DNSSEC
Actually, any validating resolver should drop DNS data that failed to validate. Most DNS data is currently unsigned which means that it can't be validated. That does not mean it failed to validate, just that the data is not secure. A stub resolver can notify its calling process whether the data is secure or not, but data that should be secure and failed to validate will never be passed to the process.

Comment: Re:There will be a lot more TCP (and IPv6) queries (Score 2, Interesting) 58

by penguin359 (#32672912) Attached to: Dot-Org TLD Signed For DNSSEC
The DNS extension called EDNS0 allows larger UDP DNS queries so that TCP can be avoided. The size for UDP queries is now at 4096 bytes from the 512 byte limit without EDNS0. A lot of the preparation going into DNSSEC has been testing for resolvers with broken EDNS0 support. I find that the vast majority of my DNS queries with DNSSEC enabled are still successfully sent as UDP with EDNS0 currently.
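An added example, not from any of the comments above, showing what the EDNS0 mechanics in this post and the "is the data secure" signal from the earlier stub-resolver reply look like on the wire: it builds a query whose OPT pseudo-RR advertises a 4096-byte UDP payload and sets the DO bit, and parses the AD header flag and the OPT record back out of any DNS message. The query name and the response constructed for checking are assumptions.

```python
import struct

DO_BIT = 0x8000_0000  # DNSSEC OK flag, top bit of the OPT RR's TTL field (RFC 6891)
AD_FLAG = 0x0020      # Authenticated Data bit in the DNS header flags (RFC 4035)


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int, udp_size: int = 4096) -> bytes:
    """DNS query with RD set, one question, and an EDNS0 OPT pseudo-RR in the
    additional section advertising udp_size bytes and requesting DNSSEC records."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, CLASS carries the UDP payload size,
    # TTL carries ext-rcode/version/flags (DO bit), empty RDATA
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, DO_BIT, 0)
    return header + question + opt


def skip_name(msg: bytes, off: int) -> int:
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer occupies two bytes
            return off + 2
        off += 1 + ln


def inspect(msg: bytes) -> dict:
    """Return the header's AD bit and the EDNS0 size/DO bit (None if no OPT RR)."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    edns = None
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:
            edns = {"udp_size": rclass, "do": bool(ttl & DO_BIT)}
        off += 10 + rdlen
    return {"ad": bool(flags & AD_FLAG), "edns": edns}
```

A message with no OPT record is limited to the classic 512-byte UDP reply; a validating recursive resolver only sets AD when the answer chained to a trust anchor, so a stub can distinguish "validated" from merely "unsigned".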

Comment: Re:.org first over .com ?? (Score 3, Informative) 58

by penguin359 (#32672874) Attached to: Dot-Org TLD Signed For DNSSEC
Size does play some part in it. There are a number of smaller two-letter country code TLDs that were signed before .ORG as well as the fact that .GOV also beat .ORG to being signed with .GOV being signed in March of '09 and .ORG being signed since June of '09. I think the big news is that .ORG is now allowing regular domain owners to submit their keys into the .ORG database. VeriSign who runs both .COM and .NET plans to first sign the smaller .NET which is still larger than .ORG before finally tackling .COM.

Comment: Re:Excel doesn't even do CSV correctly... (Score 1) 467

by penguin359 (#30601532) Attached to: Is OpenOffice.org a Threat? Microsoft Thinks So
I believe proper quoting will fix that problem. All CSV files I've seen exported from OOo seem to quote automatically, but not sure about Excel. Try:
"Smith","Joe","E","121 Mockingbird Lane","Metropolis","BS","(330)555-1212","0023456789"

Normal numbers naturally don't need quoting. You can even embed quotes in fields by doubling them up:
0123,"5'2""","Height"
Which is the number 123, followed by 5'2" as in 5 feet 2 inches, and Height.

Yes, the quotes are correct.
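An added example, not part of the comment above, that walks the quoting rules it describes: a small RFC 4180 style field splitter (commas split fields only outside quotes, a doubled quote inside a quoted field is one literal quote), a matching writer, and a cross-check against Python's csv module using the two lines from the post as constructed sample input.

```python
import csv
import io

# Sample input constructed from the two CSV lines in the comment above.
SAMPLE = (
    '"Smith","Joe","E","121 Mockingbird Lane","Metropolis","BS","(330)555-1212","0023456789"\n'
    '0123,"5\'2""","Height"\n'
)


def parse_csv_line(line: str) -> list[str]:
    """Split one CSV record: commas separate fields unless inside quotes,
    and '""' inside a quoted field stands for a single literal quote."""
    fields, buf, in_quotes, i = [], [], False, 0
    while i < len(line):
        ch = line[i]
        if in_quotes:
            if ch == '"':
                if i + 1 < len(line) and line[i + 1] == '"':
                    buf.append('"')      # doubled quote -> literal quote
                    i += 1
                else:
                    in_quotes = False    # closing quote
            else:
                buf.append(ch)
        elif ch == '"':
            in_quotes = True             # opening quote
        elif ch == ',':
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if in_quotes:
        raise ValueError("unterminated quoted field")
    fields.append("".join(buf))
    return fields


def quote_field(value: str) -> str:
    """Quote a field that contains a comma, quote or newline, doubling embedded quotes."""
    if any(c in value for c in ',"\n'):
        return '"' + value.replace('"', '""') + '"'
    return value


def parse_sample() -> list[list[str]]:
    return [parse_csv_line(line) for line in SAMPLE.splitlines()]


def matches_stdlib() -> bool:
    """True when the hand-written splitter agrees with csv.reader on the sample."""
    return parse_sample() == list(csv.reader(io.StringIO(SAMPLE)))
```

Note that the parser returns strings, so the quoted "0023456789" keeps its leading zeros; whether the unquoted 0123 becomes the number 123 is up to the consuming application.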
