back to article Sysadmin finds insecure printer, remotely prints 'Fix Me!' notice

Well what do you know? The working week is all-but over, which means it is time to share a story from a reader's working life in our weekly On-Call column. This week, meet “Doug” a techie who tells us he has “a client in central Dublin and find myself in their offices every other week or so to deal with the usual stuff, new …

  1. Nick Ryan Silver badge

    A few years back, when the likes of BT were still foisting USB ADSL modems onto users and collectively sticking their fingers in their ears and chanting "lalalalalala, can't hear you", I demonstrated to a friend and his family that perhaps they should invest in a firewall. This was before Windows came with a firewall, therefore to deploy one a user had to actively go out of their way to install it.

    How did I demonstrate this? By grabbing their IP address from email headers, accessing their PC remotely, opening one of their personal files and printing it to their printer with a cover page telling them that I'd dunnit. :)

    1. ElReg!comments!Pierre
      Devil

      Noice, mate

      A few years ago went on a mostly unplanned roadtrip in an asian country which shall remain unnamed, although it IS very elongated and does sport some recent fortification line across the middle. Although technically on holidays I was keeping in touch with salary central every day, and I also used the web to book (and pay for) accomodation for the next night, meaning "sensitive" network communications pretty much every evening. One evening, I noticed that the wireless network for the boutique hotel I was staying in was open to the world, with the access points' admin credentials factory-set, and a wee bit of poking revealed that they were doing all the admin from a laptop connected to the same WiFi. I raised the concern with the staff who told me "no problem, very secure". Later that evening, while the handbrake was under the shower, I logged into all of the APs I could get from the room and set their WiFi passwords to "CHANGE_ADMIN_PASS". Half an hour later I heard some noise along the staircase. The next morning, I noticed that the admin credentials on the APs were no longer the factory-set ones. I got a few dark looks; I did leave a substantial tip, because I felt like a jackass, but their network is a bit more secure now. Not sure if angel or demon.

  2. Anonymous Coward
    Anonymous Coward

    'PUB'lic Printer

    Our local big-chain pub has their office printer connected to the pub's "The Cloud" public Wi-Fi, so when we get bored of paying extortionate prices for a pint, we 'AirPrint' dubious images and amusing messages from our phones, until the paper or ink runs out.

    Over a year later the printer is still on the public Wi-Fi accepting print requests, but we've never witnessed the fallout from our hi-jinks.

    Their Samsung TVs are all also controllable from an Android app, which makes for interesting responses to surreptitious channel changes just before a goal is scored!

    1. Anonymous Coward
      Anonymous Coward

      Re: 'PUB'lic Printer

      I stayed with friends a while ago who lived in a village in a house next door to a gastropub. Had a very nice lunch there, introduced to the landlord and the odd complimentary bottle of red made things even better. Later that afternoon Mrs X as I'll call her is having problems printing. She's sent the document several times but nothing is reaching the printer. It's a wireless one and I'm asked if I'll take a look because the laptop she's printing from is brand new and this is a first time print from it. She says her stuff isn't coming - out the printer just appears to be doing nothing no matter what she tries.

      After looking at her printer I can't initially spot the problem, it's connected to the wifi fine. Then I realised she's not sending things to her printer. The unsecured wifi that her laptop is connected to belongs to the gastropub. She's added that printer instead of her own and the pub must have the same model by the looks of it. A quick visit to the pub and they have two and a bit copies (paper ran out) of her 80 page thesis and they're mystified as to how she's been able to print on their machine. After pointing out that the wifi in the office is unsecured there's a very red face on the landlord. His security idea was 'interesting' in that he'd bought a wifi router just for the printer to connect to the ageing computer they used for just for printing the menu etc. After a few problems connecting to the router wirelessly he'd come up with a brilliant solution. He'd checked on his phone that the signal couldn't be picked up in the public areas of the pub through the thick stone walls & metal kitchen but not if it reached anywhere else. Happy with that he'd decided it was sufficient security and had disabled the wifi encryption to make things 'easier' and less likely not to connect. I suggested enabling the encryption and using an ethernet cable to connect to the router.

      1. Doctor Syntax Silver badge

        Re: 'PUB'lic Printer

        stayed with friends a while ago who lived in a village in a house next door to a gastropub etc

        Always a good idea to help out a gastropub landlord.

    2. joed

      Re: 'PUB'lic Printer

      Few years back I was looking up some firmware issue for an HP printer and sure enough, Google indexed web interface of some printer in Canadian provincial government. I surely printed out a note suggesting to have it fixed (if I recall the interface allowed to review at least titles of print jobs, possibly more). No idea why the printer was out on Internet.

  3. Lee D Silver badge

    "On one visit Doug couldn't help but notice a multifunction laser printer that had been hooked up to a neighbouring network, but left wide open to the world."

    "So one day Doug dug into the printer's web interface and figured out how enough about the network to which it was connected to learn the name of the company that owned it"

    "And because he knew enough about the company to also send a document to the printer by email..."

    Er... which is it? Is it open to the world, or did it have the print-by-email switched on? Was it open to the network and exposing the address book, or was the web interface open, or was it browseable?

    Because something doesn't add up here, as an anecdote.

    If the printer is insecure, and you SEE THE PRINTER, leave a Post-It on it.

    If the printer isn't visible but you found it on the network, just print to it.

    But, no, he went hunting on LinkedIn, then probed mail settings, and then the address book stuff? Address book from the printer? On an MFP it might contain certain people who've scanned, etc. but if the AD is open enough that you can just get a list of all users then that's a bigger problem than an open printer.

    My biggest question, really, though, is how you're able to access another company's network whatsoever. Even in a shared office. Because that's the REAL problem here. If one office can happily send broadcast to everyone, or probe IP addresses and web interface of any internal devices, that's a much serious problem - just think of WannaCry.

    Techy detail please, when he says he could "see" this printer, and the configuration of that network that allows him to see that that DOESN'T come down to "Holy cow the whole site is insecure, but hey, let's play games with a printer".

    1. Anonymous Coward
      Anonymous Coward

      I agreed, if it was indeed a neighboring network, i.e. in the next office, why didn't he simply knock on the door, instead of doing this over the top, convoluted means of letting them know.

      1. Anonymous Coward
        Anonymous Coward

        "why didn't he simply knock on the door"

        Because that wasn't any fun?

      2. Anonymous Coward
        Anonymous Coward

        Let me answer that

        Because narcissists like to show off.

        1. Anonymous Coward
          Anonymous Coward

          Re: Because narcissists like to show off.

          I particularly like the way this narcissist showed off by anonymously (and remotely) printing a message some time later; then even later still, getting the story printed in a light-hearted Friday column of a not-especially-famous IT website, under the pseudonym "Doug".

          1. Hollerithevo

            Re: Because narcissists like to show off.

            All the people on ON CALL are given pseudonyms by El Reg.

            1. e^iπ+1=0

              Re: Because narcissists like to show off.

              "given pseudonyms by El Reg"

              I'm pretty sure that at least some of the pseudonyms are provided by the "on call" story submitter - here's looking at you Teresa May(be).

          2. Yet Another Anonymous coward Silver badge

            Re: Because narcissists like to show off.

            Hence the famous dyslexic advice to "beware of the doug"

      3. Tikimon
        Thumb Up

        Why not knock?

        "...why didn't he simply knock on the door, instead of doing this over the top, convoluted means of letting them know."

        Perhaps because you say these kind of things to people and they are ignored. Maybe their eyes glaze over. Maybe they've stopped paying attention to security warnings. Maybe they thank you, say they'll address it later and their regular day pushes it into Indefinite Limbo. It's just words, and those carry little meaning with civilians. How well do they respond to your other warnings? Poorly, of course.

        Demonstrate that someone can invade the network and print anything they like and you'll get their attention QUICK.

        1. e^iπ+1=0

          Re: Why not knock?

          "Demonstrate that someone can invade the network"

          Yeah, and just to show 'em, that particular "someone" encrypted all their files and asked for a ransom - makes me wannacry.

    2. Anonymous Coward
      Anonymous Coward

      Well maybe the printer was hooked up to a neighbouring network but had also left that handy little WiFi direct printing function turned on. Therefore when 'Doug' fired up his WiFi finder he saw the printer which could be somewhere in the same business park, for instance.

      Perhaps he then spend a few hours finding out a bit about the company as he was waiting for some windows updates to install and wanted to find out if they were a company that might be in a position to pay him for his services.

      However, it creates a bit more of an impact to print out that their printer/network is insecure that it does to knock on the door and try to explain it all. The company address book could just be stored on it as it was used for incoming faxes, or scan to e-mail or mailbox.

      But I'm not 'Doug' so I don't know.

      1. Lee D Silver badge

        Then why print-by-email?

        1. Anonymous Coward
          Anonymous Coward

          Perhaps so he didn't have to download and install the printer drivers, or he didn't have the relevant print service plugin on his mobile phone, or to prove that you could print to it from anywhere in the world.

    3. This post has been deleted by its author

  4. Anonymous Coward
    Anonymous Coward

    "the printer was no longer visible"

    They moved it to another closed room, so the prankster couldn't see it, and connected it to the same network...

    You also get Google & others trying to convince you that printing sending your documents to their server first, which in turn route them to your printer, is a clever idea....

    1. Lee D Silver badge

      Re: "the printer was no longer visible"

      Google Cloud Print?

      Go ask your local school.

      Because it means that the kids are authenticated via their Google accounts (can be done without any AD integration by google-sync tools), they can print from their Google Classroom, Google Docs, Google Mail, etc. accounts (all free and unlimited storage for schools, by the way), no matter what device they print from (web, home PC, Chromebook, Android, iPad app, etc.) and it comes into the network as a Google Cloud Print account that you can plug direct into, say, PaperCut (so you are authenticated again, departmentalised, held-for-teacher-authorisation and billed accordingly before a printer is ever involved). Whether they are in the next room or the next continent (e.g. on holiday doing their homework, printing it to their teacher's printer to get it in on time, etc.)

      Some things have uses. Even if they have the word Cloud in them.

      And what horrendous, disgusting, terrible abuses of privacy are possible? The kids scribbles might be briefly visible to a bored tech at Google. Except they are one of the few companies (*cough* f*** you Apple) that provides EU data protection guarantees that state that your Google Education account data for ALL users will never leave the UK.

      1. Anonymous Coward
        Anonymous Coward

        Re: "the printer was no longer visible"

        Believe me, everything that pass through Google is carefully processed and any useful (for Google) information extracted - in UK, if needed to comply somehow with the law - and not by "bored techs".

        And I'm glad my local school is not a Google school. I would have something to say if it forced my children to have an account for a commercial entity well known for its privacy invasions to study. But luckily here privacy laws are much stronger.

        1. Anonymous Coward
          Anonymous Coward

          Re: "the printer was no longer visible"

          Privacy of a school assignment? That's a game changer. Burn them!

        2. ridley

          Re: "the printer was no longer visible"

          Google have stated that they do no slurping of GSuite Accounts and I find it hard not to believe them. If they do they are REALLY stupid and I think many things about Google but thinking them stupid isnt one.

          The moment they were found to be slurping kids accounts etc then schools would drop them in droves.

          Google want to do a Bank job on the kids, get them used to it at a young age and like most people and bank accounts they will never leave (even after they do start slurping)

          1. Doctor Syntax Silver badge

            Re: "the printer was no longer visible"

            "I think many things about Google but thinking them stupid isnt one."

            So they'd never do anything stupid like have their streetview cars slurp any wifi access points they passed.

          2. Kiwi

            Re: "the printer was no longer visible"

            The moment they were found to be slurping kids accounts etc then schools would drop them in droves.

            The problem is, all this stuff they provide is convenient, and people like that. And people seldom really give a stuff about "it's only my school work, nothing really important" and so on. And people are creatures of habit. Look at how many people do stupid stuff they know is bad for them yet become "stuck in a rut" and continue even when they hate it (how many smokers get stuck in a "I wish I could stop but I can't" habit (no not addiction, I was stuck for a long time on that myself).

            As Dr Syntax mentions, Google did stupid. Most people did "meh" in response, at least among the relatively few who even heard about it.

      2. Doctor_Wibble
        Paris Hilton

        Re: "the printer was no longer visible"

        I'm assuming I missed the 'cynicism alert' icon or maybe some sort of irony whooshed over my head with a loud clang, otherwise that reads like a lot of scary google-fanboi fantasy.

        .

        There is no such thing as free. By the usual definition, this means the schoolkids are the product and this should make us all feel very uneasy indeed.

        1. Aladdin Sane

          Re: "the printer was no longer visible"

          Not quite.

          The incentive for Google is to hook them into their ecosystem early and then keep them as long term customers, same way that banks fall over themselves to give students bank accounts.

          1. Ken Hagan Gold badge

            Re: "the printer was no longer visible"

            @Aladdin: Er, so you've explained how the school-children aren't the product, they're merely being groomed to become the product later. Mmm... I feel much more comfortable with the arrangement now.

      3. Anonymous Coward
        Anonymous Coward

        Re: "the printer was no longer visible"

        "And what horrendous, disgusting, terrible abuses of privacy are possible?"

        Child's name, school, devices used, subjects taken, grades, likes / dislikes, friends, skills competencies, happiness levels, favourite music / films / tv shows....

        Shall I go on?

        1. Ken Hagan Gold badge

          Re: "the printer was no longer visible"

          Please do go on.

          Although you've hinted at it, the same information may also be available in respect of the friends and relatives of the child and since these are electronic documents you can add pictures (or possibly even sound or video) or links to social media to the list of source data.

        2. Roland6 Silver badge
          Pint

          Re: "the printer was no longer visible"

          @Lost all faith... Shall I go on?

          Read: "How Facebook's tentacles reach further than you think"

          http://www.bbc.co.uk/news/business-39947942

          I'm a little surprised it hasn't received the attention of El Reg yet...

      4. gnasher729 Silver badge

        Re: "the printer was no longer visible"

        "Except they are one of the few companies (*cough* f*** you Apple) that provides EU data protection guarantees that state that your Google Education account data for ALL users will never leave the UK."

        Well, the "f*** you Apple" company stores your iCloud data so that nobody can read it, including Apple itself, so (a) it doesn't matter where it is stored, and (b) it is safe from Theresa May and GCHQ.

        1. Kirk Northrop

          Re: "the printer was no longer visible"

          Actually, Apple very much can and will decrypt iCloud data including device backups - it's data on the devices they can't do.

  5. David Roberts

    See the printer?

    So presumably visible (look it up) over WiFi.

    I am assuming that the printer had the web interface enabled over WiFi and that there was no password set for WiFi access to the printer.

    Guessing further (yes, wild speculation) there was another connection to the printer by Ethernet or USB which opened up the internal LAN to the printer and it was browsable from the printer web page. Or there were at least two WiFi networks one secured and the other hosted by the printer.

    Otherwise it was just wide open WiFi and the printer was irrelevant.

    1. chivo243 Silver badge
      Holmes

      Re: See the printer?

      I'm guessing here, but he physically saw it, remembered make and model, and also saw it on one of his devices as discoverable and put 2 and 2 together... The rest of the shenanigans seem a bit fluffy, linkedin, address book etc.

      1. Stoneshop

        Re: See the printer?

        I'm guessing here, but he physically saw it, remembered make and model

        Not necessarily. If you can access the web interface, you're usually presented with this info, and much more such as page count and ink/toner levels, in one of the maintenance pages.

  6. GrumpenKraut
    Devil

    Biggest surprise to me...

    ... a printer that actually worked, REALLY? Printers ----->

    1. I ain't Spartacus Gold badge

      Re: Biggest surprise to me...

      We got a new printer yesterday. Small office, small network. So last thing I set it up and it worked. Then I went home for some well-earned dinner.

      This morning, it didn't work. But weirdly, though my PC couldn't see it, it could see my PC and so I could scan direct to my pooter.

      So I then fixed it, and got the printer working again. Now I can print to it, but it can't see my PC to scan to it. I guess this is like the uncertainty principle. My PC can either know where the printer is, or the printer my PC, but not both - or the universe explodes...

      1. Mark 85

        Re: Biggest surprise to me...

        Possibly a Windows update borked that. I'm seeing weird things with our Win 7 machines after every update. Suddenly "features" stop working or printer weirdness as you describe. Linux is getting closer to landing in my house.... just one more piece needs to work.

    2. Haku

      Re: Biggest surprise to me...

      I like how there's an link at the bottom of the page where you can buy a printed out copy of the cartoon...

  7. Anonymous Coward
    Anonymous Coward

    The long arm of the Law

    might be coming for you Doug. Like it or not, you commited a crime by accessing their printer. The wide open barn door won't fly as your defence. Look at all those poor sods who got into the NSA and other TLA's networks through open doors who have or are spending time behind bars!

    Knocking on their physical door when you noticed the open network should have been as far as you went. Getting into the printer was as I understand it, unauthorised access under the terms of the Computer Misuse Act.

    But at least what you did got results. Sadly we don't have a statute of limitations in this country so beware Doug (if that is your real name), the Plod could come knocking on your door any time before you pop your clogs.

    But hey look on the bright side, that one way to get 3 meals a day on the state in your dotage isn't it!

    1. Doctor Syntax Silver badge

      Re: The long arm of the Law

      "Computer Misuse Act."

      UK legislation. RTFA - location of printer: Dublin. Location of Dublin: not in UK.

      1. Adam 52 Silver badge

        Re: The long arm of the Law

        Still a crime in Ireland though:

        http://www.irishstatutebook.ie/eli/2001/act/50/section/9/enacted/en/html#sec9

        1. James O'Shea

          Re: The long arm of the Law

          they're bloody _Irish_ cops! the next time I see an Irish cop who had clue one about anything more technical than how to drink a few pints without spilling any, why, that will be the _first_ time.

          To be sure, I haven't been near Ireland since 1977 so they could have improved. I doubt it.

          1. Dodgy Geezer Silver badge

            Re: The long arm of the Law

            ...To be sure, I haven't been near Ireland since 1977...

            Surely, that should read "...To be sure, to be sure, I haven't been near Ireland since 1977, to be sure..."

  8. Sebastian P.

    Never do this

    Seriously, don't. I work in IT Security and I can tell you: if you don't have a clear mandate (written request) from the system's owner, don't touch that system.

    It doesn't matter if you had the best of intentions. You still broke the law. All it takes is one determined prosecutor. You don't want to roll that dice.

    You want to be a hero? Fine. There are plenty of authorized bug bounty programs where you actually get paid if you find security holes.

    And if you do happen to notice by accident a (potentially) vulnerable system that's not part of your scope of work, just contact directly the respective company and let them know what you observed. But don't dig into the matter any further without written permission.

    To give you an analogy: if you notice someone's bag is open with a visible wallet inside, it's OK to tell them that they left the bag open and that you advise them to close it. But it's not OK to take the wallet yourself just to prove the point.

    1. Martin Summers Silver badge

      Re: Never do this

      "To give you an analogy: if you notice someone's bag is open with a visible wallet inside, it's OK to tell them that they left the bag open and that you advise them to close it. But it's not OK to take the wallet yourself just to prove the point."

      Ooh that explains what I've been doing wrong...

      1. Loyal Commenter Silver badge

        Re: Never do this

        "To give you an analogy: if you notice someone's bag is open with a visible wallet inside, it's OK to tell them that they left the bag open and that you advise them to close it. But it's not OK to take the wallet yourself just to prove the point."

        That's a bad analogy. A better analogy would be to slip a piece of paper into said wallet pointing out that they have left it on view and someone could have nicked it. Would that be a crime? I don't think it would, which illustrates a flaw in the Computer Misuse Act (and analogues in other countries, such as Eire in this case).

        1. Sebastian P.

          Re: Never do this

          The analogy is that you pick up (take control) of the wallet, even if just for a while. You still took it without permission, even if you return it.

          And even if you just slip the paper in without taking the wallet, it's still someone else's wallet. You don't have permission neither to take anything from it, nor to put something in it.

          It's not your wallet.

          1. Jason Bloomberg Silver badge

            Re: Never do this

            The analogy is that you pick up (take control) of the wallet, even if just for a while. You still took it without permission, even if you return it.

            Except theft requires the intent to permanently deprive the owner and there's the little matter of mens rea, having criminal intent.

            I am sure there might be some officious-a-hole who may try to sling the book at someone who pulled a wallet from someone's bag and tapped them on the shoulder to say "look what I got!", but I very much doubt it would stand up as a criminal offence in court.

            Some would probably argue that tapping them on the shoulder would also be assault.

            1. Dodgy Geezer Silver badge

              Re: Never do this

              ...Some would probably argue that tapping them on the shoulder would also be assault....

              ...it would actually be Battery....

        2. Cris E

          Re: Never do this

          But if someone steals that guy's credit card info there's no way to prove you were just "slipping in a piece of paper" and not "copying down all the CC info", is there?

    2. 404

      Take it further and don't say shit - ever.

      I ran into this a few years ago with an open AP in a neighboring doctor's office and walked over to advise them about it.

      They went off... accused me of being a hacker and literally called DHS on me. It took three weeks to get the Feds off my ass. I didn't appreciate it.

      1. Sebastian P.

        Re: Take it further and don't say shit - ever.

        Indeed. Good intentions and good advice can get you in trouble just as quickly (and sometimes quicker) than bad ones.

        Like on The Register: post a comment with good advice, and there will be someone to criticize you (duck!) ;)

        But seriously: "good" and "bad" are really a matter of perspective, and in situations like this, the perspective that matters is the system owner's one.

      2. sabroni Silver badge
        Happy

        Re: It took three weeks to get the Feds off my ass.

        Dope story blood!

      3. Lilolefrostback

        Re: Take it further and don't say shit - ever.

        Sadly, I have to agree. There are far too many bat-crap crazy people out there who will make you out to be the bad guy. Unless you have a direct interest being threatened, just move along quietly.

        1. DropBear

          Re: Take it further and don't say shit - ever.

          Never underestimate the propensity of stupid people to retaliate furiously for making them lose face, even in private - ie. by killing the messenger, in this case. As sad as the "not my problem" stance is, it's still the healthiest unless you have grounds to make additional assumptions about them welcoming assistance.

    3. Mark 85
      Devil

      Re: Never do this

      Maybe the appropriate way then is to post the IP of the printer to 4Chan? I'm sure the company will notice pretty quick. Best done on someone else's computer or phone though.

  9. Rusty 1
    Go

    Start in a subtle way

    ^[%-12345X@PJL RDYMSG DISPLAY="More cheese please"

    1. Kane

      Re: Start in a subtle way

      ++?????++ Out of Cheese Error. Redo From Start.

      1. collinsl Bronze badge

        Re: Start in a subtle way

        +++ Error at address: 14, Treacle Mine Road, Ankh Morpork +++

        +++ MELON MELON MELON +++

        +++ Divide by cucumber error. Please reinstall universe and reboot +++

        1. Myvekk

          Re: Start in a subtle way

          "DRIED FROG PILLS!!!"

  10. Anonymous Coward
    Anonymous Coward

    B&B when contracting

    Often get told "You can use the WiFi - there's no password", only to find a load of similarly unsecured networks, all with default SSIDs, so no easy way to find which is the right one.

    Sometimes the connection shows up a printer, in which case you can helpfully print a page stating "Do you know your wireless network isn't secured and anyone can look in?"

    1. gnasher729 Silver badge

      Re: B&B when contracting

      Happened to me, except they said "Use just any WiFi, nobody cares" :-).

      Where I'm right now my Mac sees about 25 WiFi networks, using channels all over the place, and if they agreed to use one or two with a decent router it would probably be cheaper and work better. (I assume that a good router would handle 50 people trying to connect better than 3 people trying to connect to one cheap router, and 47 trying to connect to random other routers in the neighbourhood).

    2. Doctor Syntax Silver badge

      Re: B&B when contracting

      A few years ago I used to see two or three unsecured access points from home. Occasionally I'd wonder why network performance seemed to have gone down & then discovered the laptop had latched onto one of them. Nowadays they're all secure but mostly showing the default SSID. I'm still wondering about the brief appearance a few months ago of an SSID that seemed to belong to a farm a good mile away across the valley.

  11. Outer mongolian custard monster from outer space (honest)

    I was brought in by a company to firefight issues when their sysadmin left/was fired under bad circumstances and deleted all the docs and reset all the passwords on his way out. There wasn't even network diagrams and they had 3 branch offices in the UK alone that I knew about.

    So I started to map out the network with nmap and friends and take some dumps of traffic just to get a idea of things and it was in pretty bad shape, no firewalls and routed to the internet with all sorts of out of place packets wandering round. Then I noticed a vnc server on our internal ip range. A quick probe and it hadn't even got a password securing it, so vncclient was fired up, and someone's xp desktop appeared. I tried to identify with some others round the office where this machine was, and nobody had a clue. So I opened notepad and started typing, and for some reason I just remembered the original amiga SCA virus and I had a bit of a mischevous streak back then, "Your computer is alive" then it went dark suddenly.

    The guy I answered to called me into the office later that day, and gave me a telling off with a smirk on his face (fair cop, it wasn't the most responsible thing to type, I was quite young back then and hadn't taken the full corporate faceless emotionless persona mandatory training course) and asked me to refrain from doing it again.

    Apparently it had been identified as a machine belonging to the middle aged secretary that ran the scottish branch. And we knew this for sure because it had come down that she had been sat at the computer wondering why the mouse kept going funny while fighting for control of the cursor, then when the window opened and declared the computer was alive, fearing RoTM, she yanked the power cord and keyboard out and pushed it off her desk screaming in terror.

    Not as irresponsible as printer bod, but we've all been tempted. I don't think I would have hooked their address book out and printed to prove a point though, not even way back in the days this story was from.

    1. GingerOne
      Pint

      A story worthy of the main article itself!

      Have one on me >>>

    2. rh587

      On the upside, you identified where the machine was!

      1. tfewster
        Angel

        Ah, the scream-tracing method. Power an unknown server off and see who screams.

        1. 404

          I LOVE Scream Tracing! Amuses the hell out of network owners too.

          -Upvoted!

        2. Stoneshop

          Scream-tracing

          A little over a decade ago I was contracting with a large software supplier/bodyshop[0] that was closing down one of their branch offices. Which involved moving most of the systems in that office (let's call it 'E') to the one where I was orking (let's call it 'N'). After some culling and rearranging about 53 racks had to be moved from E to N, but initially N had only space for 18. So we had a look around to see what could be culled from N. This promised to be quite worthwhile, because the floor was littered with gear for customer projects that had long been delivered, patched, upgraded, patched some more and declared finished. With the project teams long disbanded, reassigned to other projects, split off into separate ventures and members having left the company or even this earthly plane. Documentation was either stored in a filing cabinet in a disused lavatory, or buried in soft peat for three months and recycled as firelighters. So I called a meeting of all department heads that might have some equipment in use on the floor in N, handed them a document template and a pile of stick-on envelopes[1], and the notice that any system not labeled two weeks from that date would be subject to gravitationally motivated impact tests in the car park.

          Of course we did not do so right away after those two weeks, instead simply unplugging any network cabling[2] from those systems. And one sub-department came and wailed bitterly that they could not access their test rig, explaining that their lack of labeling was because of the department they were part of not passing on the meeting request. We then reconnected their gear, and there was much rejoicing.

          (this action netted twelve racks of orphan systems that nevertheless had been running, consuming power and cooling, for several years)

          [0] they clearly had insufficient bodies available with the skills required for their own operations.

          [1] none of this faffing about with a shared database, which would have taken weeks to set up, deploy, get everyone to add their data (for which they probably would have needed to visit the computer room floor), after which we would have needed to match that data with the systems ourselves anyway.

          [2] deemed safer than powering off; quite a few systems were expected to suffer Spontaneous Loss of Magic Smoke in case they needed to be powered back on.

        3. Mr Temporary Handle

          I got severely told off for doing something similar.

          Someone at one of the branch offices had been making repeated attempts to access our department's shared directory.

          Phoning them was a waste of time, nobody knew anything about it of course. Sending a follow up memo likewise. By this time it was pretty obvious that it wasn't accidental.

          So I disabled the terminal being used by the culprit and waited for the 'my screen's not working' phone call.

          Things went downhill rather rapidly from there...

  12. Anonymous Coward
    Anonymous Coward

    I recall the old days at uni when documents would be sent to a print server - a desktop next to the printer which you would log into and release the print job, with the appropriate payment docked from your account.

    The technically-minded spotted that the printers weren't actually USB printers connected to the Print Release Stations. They were very basic network printers open to everybody! The machines were simply configured to send print jobs to the room's release station rather than the printer. The release station then forwarded them on.

    With that discovery it was trivial to print a diagnostic page from the front panel giving you the IP, then you'd "Print to File", open the printer's spooler in Explorer and throw that file across the network direct into the printer's queue.

    This discovery was fortuitously timed ahead of some rather hefty submission deadlines!

    Just before I left the spoilsports replaced them all with fancy MFPs with an integral print release interface, so not so easy to bypass the print release and send jobs direct to the print queue (given the state of printer firmware, there was probably a way of hacking around it, but I never took the time to try as I was on my way out).

    1. Martin Summers Silver badge

      Ah yes this was quickly discovered by individuals in my Computer Science group back in the early 00's. To be honest what were they expecting, computer geeks and poor students equals 'work arounds'.

    2. Anonymous Coward
      Anonymous Coward

      Just because the printer was never properly configured and locked down. Most network printer accept jobs from any IP by default, so you may avoid to set up a print server, often done in small environments. Most printers have every protocol active in their default configuration.

      Usually, as soon as you installed and configured the printer (which also implies disabling everything not needed, and setting passwords), you locked down the panel, and make the printer accept jobs only by its print servers.

      If you can access the IP directly you can configure it as a network printer easily.

      1. 2Nick3

        At my daughter's dorm this past year just about every room at a WiFi printer in it, including hers via her roommate, which they were sharing.

        The first issue was that, between all of devices attached to the network the IP table for the building was consumed. That sorted out when all of the extra devices (family cell phones, etc.) left after move-in was complete. Then there was the fact that most everyone had the same model printer (it was on sale at the nearest office supply store), so identifying which one was which on the network was near impossible, unless you changed the printer name (and were willing to go through pages of names to find yours - always start with 'AAAA' to be at the top of the list!). And IP addresses changed frequently, so permissions had to be updated frequently, for those that had even bothered.

        My solution was a USB cable off the back of the printer - worked every time my daughter plugged it into her laptop. Her roommate fought the WiFi until they were both sick of the printer firing up at 03:00 and printing a random job from someone else in the building.

        Simple is so often better.

    3. Doctor Syntax Silver badge

      "I recall the old days at uni when documents would be sent to a print server - a desktop next to the printer which you would log into and release the print job, with the appropriate payment docked from your account."

      Those weren't old days. Old days were when your print came out on 14" sprocket-feed paper and placed in a pigeon hole along with the cards you submitted the job on.

      1. Mr Temporary Handle

        Cards?

        One of my first jobs we still had a paper tape reader.

        Ok, so it wasn't *actually* connected to anything, just sort of shoved in a corner out of the way to make room for the card reader, but we still had it :)

        1. Doctor Syntax Silver badge

          "One of my first jobs we still had a paper tape reader."

          The teletypes had PTRs on them. We also had a typewriter (possibly a Friden Flexowriter) that had paper tape. It had the oddity that normal was upper case, lower case was shift.

        2. JohnG

          "Cards?"

          Hollerith cards.

          One card per line of code.

          The program to be compiled, the data and job control all had to be on cards with different colours and submitted in the correct sequence.

          You would submit your job and come back the next day to find that there was an error in a JCL card and the program was never compiled or run.

          Paper tape was only the teleprinters and where I was, this was only for BASIC. Compiling and running Fortran was only by submitting batch jobs on the aforementioned cards.

          1. Doctor Syntax Silver badge

            "Paper tape was only the teleprinters and where I was, this was only for BASIC. Compiling and running Fortran was only by submitting batch jobs on the aforementioned cards."

            QUB had a home-grown system* which allowed FORTRAN to be compiled and then run from teletypes. I managed to crash the whole mainframe from a teletype.

            *Including their main OS which turned out to have been somewhat larger than George when they finally adopted that.

            1. DropBear

              I think these days you could just stuff a WiFi chip into a tape puncher, set it to listen to a twitter account then legitimately pass it off as an "art statement"...

          2. kwhitefoot

            That's why I switched to Basic from Fortran at Exeter Uni in 1974. Shortened the length of the debug cycle by nearly 24 hours.

  13. Anonymous Coward
    Anonymous Coward

    Some LaserJet MFP's have a built in WiFi connection which if not locked down allows one to peruse the config pages including the address book, details of the wired network to which the printer is connected, HP e-print config and a whole lot more besides. It's on by default. You wouldn't have to physically see the printer at all.

  14. Tom Wood

    University printers

    In our Computer Science department at uni (2003-2007) they had some network printers which were connected such that every page printed cost a few pence in credit. Students were allocated a couple of quid of free credit each term and if you used that up you had to buy additional credit using a coin box.

    They also had stuck fixings to the printer trays with epoxy and used a padlock and chain to stop people fiddling with the internals, or taking paper from the paper trays.

    Some bright spark figured out that you could walk up to the printer and print a diagnostics page from the menu, and it showed the printer's IP address. The printer had a FTP interface enabled and any postscript file transferred to it would be printed instantly. Of course this was all anonymous and bypassed the print credit charging system.

    After that I don't think anyone seemed to run out of printer credits. One guy even took to printing a blank postscript file whenever he wanted a blank piece of paper.

    Worse still, at least at that time universities had huge IPv4 address blocks meaning every PC - and yes, the printers - in the department had real-world public IP addresses. Not sure if anyone tried but I reckon you could have logged in to that printer from anywhere in the world, without any authentication, and printed stuff off.

    1. Ken Hagan Gold badge

      Re: University printers

      "every PC - and yes, the printers - in the department had real-world public IP addresses"

      Just because the address is routable doesn't mean it is routed. I imagine that anyone outside that university's network would have some difficulty in sending so much as a ping packet to a host inside it.

  15. bexley

    these are all a bit weak

    SO far all of these anecdotes have been a bit weak. I suspect that most of us cannot actually reveal the biggest fuck ups that we have seen due to maintaining a thin veneer of professional courtesy.

    I have been witness to some mind melting levels of incompetence over the past few years that have resulting in a rather large and previously successful business going out of business, it would make a good story but i doubt that anyone would believe it.

    Instead we are just dredging up questionable stories from 15 years ago or telling fibs.

    1. Blotto Silver badge
      Pint

      Re: these are all a bit weak

      @bexley

      do you work for IBM?

      there's certainly some mind melting levels of incompetence going on there over the last few years.

  16. FuzzyWuzzys

    Don't want to be a kill joy, I know he was being public spirited and doing the right thing but I think if I found someone I employed was messing about with kit they weren't employed to touch, I'd be a bit miffed as my company be in trouble for the actions of one of their employees. It wasn't his kit to play with and he should just have left a simple message on top of it or better still advised someone formally about what he thought the risk was. Playing silly games with kit he wasn't supposed to touch doesn't seem like a very good career move.

  17. Anonymous Coward
    Anonymous Coward

    Its a fun pastime

    I often break out an IP scanner when I connect to a new public WiFi.

    The amount of times that there is an "Establishment-Public" and an "Establishment-Private" SSID, yet it's blatantly obvious that there is no SSID isolation.

    I have a picture of Ainsley Harriott and a network printing app for my android phone for just these occasions.

    The best one I cam across was the wedding venue that had *everything* connected to the same LAN as the public WiFi. PoS printers, tills, HVAC controllers, back office PCs, you name it, it was on there.

    Back in the day though I did send several thousand pages of pi to someones printer who was trolling an IRC channel I used to frequent, that was back before the personal firewall days, just connect direct to someones IP and *BAM*. There was another troll who I went and edited a file I found on his computer called "dissertation", I still wonder if they ever caught the fact I searched and replaced the word "and" with a much ruder word.

    /AC because reasons.

    1. allthecoolshortnamesweretaken

      Re: Its a fun pastime

      "I have a picture of Ainsley Harriott and a network printing app for my android phone for just these occasions."

      Obligatory: Can't Smeg, Won't Smeg.*

      Have a nice weekend, everybody!

      * Fast-forward to 3:50 to avoid the trailer show.

    2. Doctor Syntax Silver badge

      Re: Its a fun pastime

      "The best one I cam across was the wedding venue that had *everything* connected to the same LAN as the public WiFi. PoS printers, tills, HVAC controllers, back office PCs, you name it, it was on there."

      I wouldn't have liked to pay by card there.

  18. adam payne

    While I was doing some troubleshooting on a Phaser 3610, I found a a couple of those printers in Google search results. I was able to get to the web interface and all the menus. Had I been mean I could have changed settings as the admin password was the default.

  19. Stevie

    Bah!

    Although I take most of these "I spotted such-and-such vulnerability and exploited it in this what-I-judge-to-be-humourous-fashion to alert the system owner" stories with a big pinch of salt, the commentor who pointed out the risk to those who are feeling clever is spot on.

    Why this business seems to produce clever people with such poor impulse control beats me. I get the need to be seen to be as clever as they think they are, just not the lack of risk assessment skills.

    FWIW these sorts of exploits go back into the greenscreen/mainframe days. I once discussed a simple and annoying hack possible with the old Sperry Univac editor messaging service with a colleague. Next day, yep, I was a victim. Entirely predictable, but the bright young man should have had the common sense to know that if I was telling him about this, I had a way out. Once out I (of course) turned the very same hack in such a way he sued for peace.

    But in this case we were both drinking buddies and doing nothing to intrude where we didn't belong. Had we done the same to someone in the systems department to "illustrate the danger" we'd both have been fired and we knew it.

    1. John Brown (no body) Silver badge

      Re: Bah!

      "Why this business seems to produce clever people with such poor impulse control beats me."

      There does seem to be an abnormal number of hackers who are a little further along either or both of the autism or asbergers spectrums than average. Maybe it applies to IT in general.

  20. Anonymous Coward
    Anonymous Coward

    Suns on Janet

    At Salford tech in the early 90s we had a network of Solaris Sun workstations hooked up to Janet. Very quickly it transpired so did a lot of other universities. Just as quickly we realised that every machine had a unique IP address. Even more quickly we realised that you could remotely run the screenlock command without admin privs. (you could also take a copy of the password file for a dictionary attack, but that's another story)

    Oh the fun we had! We were able to do this for well over 2 years, talk about slow to fix. The only real solution to a screen lock was to reboot the machine, losing whatever was running on it. Many of the colleges also had several terminal machines hooking off the back of one Sun. Rebooting that resulted in the terminals booting too. Eventually after a couple of years I think Sun had started locking down the open-by-default access. The were also able to remotely kill the session without rebooting the machine.

  21. Luiz Abdala

    What really bugs me...

    ... my freaking EPSON printer took a while to setup, dinky drivers, etc...

    My Playstation 3 (PLAYSTATION!!!) found it on the wi-fi and plugged itself in, ready to go, and print pictures, model name and everything. No setup whatsoever.

    1. gnasher729 Silver badge

      Re: What really bugs me...

      Well, my £100 Brother Laserprinter needed very little setup, but I had to give it access to my home network, and it only accepts commands from that home network. Obviously everyone on the same network can use it. I don't have a Playstation, but if it was set up to connect to that network, then I'd expect it to work.

      Obviously important: My network is reasonably secure (I think), and you need to be on the network to use the printer.

  22. Anonymous Coward
    Anonymous Coward

    Newcastle Hotel fun (no not that kind.)

    I was staying in a Newcastle hotel a couple of years ago, ironically for an info sec based course and took to poking around their wifi, which was entirely open. I decided to give it a quick scan from my trusty Nexus 7.

    I was a bit surprised to find switches using default password, pay terminals with the same, printers open to anyone to abuse.

    So I put together details of all of this and printed off 200 copies on every printer on the network, every day until I left.

    I've still no idea if they've fixed it but I hope they've at least replaced the old WEP access point in the bar.

  23. Dave the Cat
    Trollface

    Up until about a year or so ago I had a client who was on the more challenging end of the scale to deal with. One of the dangerous types who has a tiny amount of IT knowledge, you know the type... he installed iTunes all by himself so that made him a master of everything involving 1s and 0s, well in his mind at least.

    He ran a small office of solicitors and decided to upgrade his printer to one of the new swanky HP all in one laser jobs with the HP ePrint service. Despite my suggestions to turn the feature off, he insisted he KNEW it was safe and secure, I mean what would I know?

    I suggested he perhaps use the feature to limit it to known email addresses etc. but no, there it sits open to the world for all to abuse. I warned him this was a bad idea but after a particularly depressing discussion with him, about how he was the master of all technology I decided I no longer wished to take his money and we parted ways.

    A close friend still works at that office and apparently he's completely baffled as to why his printer randomly spits out full pages of black and cyan, magenta and yellow, ten pages at a time.... I know why....

  24. bombastic bob Silver badge
    Devil

    back in the 'code red' infection days

    back in the 'code red' infection days, I was rather sick of the constant hits scanning for devices to infect. So I *allegedly* did something about it: I figured out how the 'code red' back door workd (basically an exposure of CMD to the world), and then *allegedly* wrote a script that would do the following:

    a) write a note and place it on the desktop of the 'administrator' user, something like "idiot.txt" that contained information on how to patch, avoid, etc. the problem

    b) pop up a window saying "YOU ARE INFECTED with CODE RED" (I think that was the 'net message' command if I remember right).

    c) disable the web server (and thus stop the infection and its spread)

    Code RED left open access to 'CMD' over the internet with 'administrator' context as I recall. It was a serious problem. I *allegedly* did notice LESS activity over time. So it was *allegedly* working.

    1. Cpt Blue Bear

      Re: back in the 'code red' infection days

      Ah those were the days!

      It was either Code Red or Nimda or somesuch that had me driving from site to site as Site Service Minion for a managed services company. Park car, sign in, remove worm, patch, sign out, drive away - rinse and repeat for the working day. I billed 15 hours in one working day. A colleague managed 25 billable hours but worked a 13 hour day and drive 400km to do it.

  25. Herby

    Hacking for fun and profit...

    My escapade was with WiFi routers. Many moons ago, while I was visiting my mother-in-law, I noticed that there was an open router nearby. With much glee, I connected to it, and the joys of the internet were mine. The problem I faced was that I really wanted to continue to have access the next time I stopped by.

    So, I looked at my routing and discovered the IP address of the router (in un-routable space), and connected to it. Then I found it needed a password. Not wanting to be locked out, I looked up the default password for this brand of router, and lo and behold, it worked nicely. With this wonderful knowledge I set about to password protect the nice access port and left the other things alone. This worked nicely for a few trips, but I later discovered that the access point had vanished from the list.

    Oh, well, it was nice while it lasted. I didn't interfere with the normal intended access, and thought I was helping out by not allowing someone with malicious intent to do something nasty. Oh, yes, the statue of limitations has expired on this one too.

    As for printers, a friend got a printer (dumpster diving as I recall) and set it up after polishing it up a bit. It was connected to an email account, and he got mystery printouts at times. I'm always amazed at the lack of security on such things. Don't they give classes on this stuff?

    1. John Brown (no body) Silver badge

      Re: Hacking for fun and profit...

      "Don't they give classes on this stuff?"

      No. no one is teaching that stuff.

      Some of my work takes me into schools. We are at the stage where many of the teachers grew up using computers at school and are now using them to teach the next generation. And most of them don't have a fucking clue about computer security. The security that is there, they complain about because it's "inconvenient". They don't have the excuse that it's "new fangled and complicated".

      The only security stuff kids get taught, and it seems to be box ticking in many cases, is the on-line version of stranger danger.

      1. Doctor Syntax Silver badge

        Re: Hacking for fun and profit...

        The security that is there, they complain about because it's "inconvenient".

        It seems that the only way things will improve is by the sort of tactics in TFA bringing it homw to people that security isn't just something that's inconvenient.

      2. Ken Hagan Gold badge

        Re: Hacking for fun and profit...

        " The security that is there, they complain about because it's "inconvenient". "

        That's the problem. We've produced a generation who think that "it just works" is the highest praise that can be bestowed on software and they've never considered the downside. Downside number one is that when it stops working, there are no knobs to tweak or user-serviceable parts inside, you just have to buy a new one. (Because if *that* doesn't work, you can take it back to the shop!) Downside number two are the security issues described here.

        Perhaps we need some more sound-bites:

        "If it just works, then one day it just won't."

        "If you didn't have to unlock it, no-one else has to either.".

        These could be siblings for "If you didn't pay, you are the product, not the customer.".

  26. Anonymous Coward
    Anonymous Coward

    Curiosity killed the cat5 network.

    I once accidentally deleted the login exe files on a college network, without needing admin rights....

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like