Printers get smarter but less secure

If you've seen my column photo, you know I like the occasional spoon of sugar in my coffee. (OK, four spoons, so bite me.) Point is, since Brian Chee keeps me well stocked in Hawaiian Kona coffee, I make sure to keep a box of Domino instant-dissolve sugar in the kitchen. Tear off plastic, open little metal spout on side of box, pour sugar, reactivate synaptic functionality — simple. Then some product marketing management wizard apparently decided to fix it. Now the spout is cardboard, no longer firmly attached to the box, and inexplicably blocked by another slab of cardboard that serves no discernable purpose, yet must somehow be removed without dislodging the spout.

I look at IT infrastructure and sometimes have similar sentiments. Take printers, for example. It used to be you write your doc and hit Print, and those little dot-matrix pins would start whining away. Then came color, ink jets, thermals, and lasers. All that seemed like a natural and (mostly) intelligent progression.

But then came "network" printers. And while printing over a network is certainly a necessary evolutionary step in the history of mankind, the technologies that are being used to bring us this feature often aren't.

A typical multifunction networked printer today isn't just a printer with an Ethernet port. It's also a fax machine with a phone port — often still POTS, regardless of whether the rest of the office is on VoIP. It also has a full operating system with access controls (often open by default and containing open backdoors so that support people can do off-site maintenance); a Telnet server; an FTP server; a pretty big hard disk; and usually SNMP turned on by default, too. All those smarts enable some cool print features, especially along the lines of remote printing, but they also make your printer a serious security risk.

That can be a problem for harried IT guys running Vista in gen-pop and most likely for those who will run Server 2008. Not because the security mechanisms aren't there, but because those operating environments try to make printer connectivity so easy. Plug a couple of Vista laptops into my network and they'll find both the HP Color LaserJet 3800dn and the little downstairs Kyocera ink jet all by themselves. The Kyocera still requires me to manually install a driver, but three out of four Vista machines know how to find the HP's driver on their own and install on command. It's very similar to the MacBook Pro, which did the same thing.

It's great for IT staffers in one sense, since they don't need to do much to enable printing, provided the printer isn't made by some company in the hinterlands. But it's not so great for security, because it engenders a feeling of neglect toward the printers themselves. It was the same with wireless access points a while back. Just plug them in and fiddle until you got the green link light. Who wants to deal with advanced security protocols on both AP and client side when you can just be lazy and have your clients find them automatically? Vista is going to push the same kind of feeling with printers. Why deal with real security on your print side when it might mean you have to toddle over to the client side and do actual work?