
UK Teen Hacked 150,000 Printers - Osiris30
https://motherboard.vice.com/en_us/article/this-teen-hacked-150000-printers-to-show-how-the-internet-of-things-is-shit?utm_source=mbnl
======
OJFord
This deserves a better, less clickbaity (which I think has the opposite to
intended affect with this audience) title.

Particularly towards the end, s/he comes across extremely self-aware, and
makes some salient points around the state of school CS education in the UK.
It certainly resonated with my experience.

~~~
ihatestylometry
He's way too young for this attitude. I've hacked things in my teenage years
too and was obsessed with hacking for many years before I started to do
freelance work \- the feeling of being superior is a common problem for all
types of skills if you're young, no matter what, so he definitely shares
wisdom with his last paragraphs.

But I don't think the problem is not that society has problems finding
interesting challenges for highly skilled young people like him. It's
unfortunate his school doesn't have hackathons and other activities, but he's
not dependent on such circumstances. I think his problem is that he doesn't
recognize that he's in full control of his life.

I've talked with several security researchers who hack IoT gadgets and other
things for a living - they write their own ROP chains, hack web applications
and test software for airlines with very high security standards \- and they
told me that they take every talent they can get. They're getting 4 to 5-digit
daily rates for penetration test gigs and are well-respected. So there's
demand and there are great people who want to share their knowledge.

So my question: Instead of hacking printers, why not talk to companies who are
searching for his talent?

I'm not defending the current state of CS education, it's really bad and
decoupled from reality, but it's no excuse for gifted people to give up and
justify blackhat hacking - which is just another word for being criminal.

Edit: Absolutely agree on the click-baity title!

~~~
cblock811
> He's way too young for this attitude

I've always found these kind of comments unusual. How old is old enough? For
me this usually came off as arrogant.

> the feeling of being superior is a common problem for all types of skills if
> you're young

I know plenty of people who still have that exhibit that sort of behavior in
pretty much every age bracket. Arrogance doesn't correlate to age. It's kind
of arrogant to say "You cant think that way, you're too young" too.

~~~
ihatestylometry
It's just sad to see that he's already so negative about his options. My
comment wasn't about how old one has to be to justify his negativism, I'm
sorry if it came across as such. I can relate to his feelings and it makes me
sad, this is all I meant with this sentence.

~~~
throwaway35012
When I was his age and doing similar things I felt the same way. I didn't
understand how the university entrance game worked until it was too late
because I was a poor first gen immigrant with no guidance or support. I
thought I was going to be stuck washing dishes in the back of restaurants
forever. Thankfully I finally got out of all that because I found people that
actually valued my skills and would pay to take a chance on me, even though on
paper I was probably not very attractive.

------
kieranmjones
Reading the article I found myself dwelling on the quote,

"People need to take their printer out of the public internet unless it's
needed..."

I'm trying to think of a single reason that a printer would need to be exposed
to the public internet in any way at all. Even a corporation sharing printers
between offices surely would rely on inter-site VPNs rather than just opening
ports and exposing the printer to the world?

If anyone can think of a good reason to put a printer on the internet I'm all
ears because I'm struggling to think of a good reason.

Credit to the teenager for not doing something malicious and in fact just
being a little playful with it and educating the owners with a cheeky print
out. Good work, I hope he can do well going forward and get a career from his
skills despite his worries about grades etc.

~~~
foodstances
Google's Cloud Print service (used on Chromebooks at least) has to constantly
keep your printer in communication with the internet. To print to a printer on
your LAN from a Chromebook, it goes out through the internet to Google's
servers then back down to the printer. (And often times it stops working, so
you can't even print to the thing 2 feet away).

~~~
Retric
That does not require an open port on the printer connecting to the public
internet.
[https://support.google.com/a/answer/3179170?hl=en](https://support.google.com/a/answer/3179170?hl=en)

 _Is Port 5222 required inbound for the print server? No, only 5222 outbound
is required.

443 TCP (HTTPS), with connections to:
[https://www.googleapis.com/*](https://www.googleapis.com/*)
[https://accounts.google.com/*](https://accounts.google.com/*)
[https://www.google.com/cloudprint/*](https://www.google.com/cloudprint/*)

5222 TCP (XMPP, using STARTTLS), with a persistent connection to:
talk.google.com_

------
milesf
The "S" in IoT stands for security :)

~~~
MorePowerToYou
Another fun one: I Don't IOT

------
ryanmarsh
I love how this guy thinks he has no future because he makes bad grades. LOL.
So many great programmers I know were flunkies because they only cared about
doing _different_ hard things. Myself included.

~~~
__m
I don't know man, hiring a teen with questionable ethics to take care of
security seems like a bad idea.

~~~
collinstevens
"teen" "ethics" I'm sure he will be able to become more professional when
entering the work place. He's not Mr. Robot.

------
bdukic
>One problem I have is that I'm not noticed at all for my skills. Everyone I
know who is this age and has the skillset I have are either blackhat or legit
depressed. There's nothing for us at this age.

Anyone else found this part a little bit sad and somewhat disturbing?

~~~
kieranmjones
It is sad for sure, he is clearly very skilled but because it doesn't fit into
the framework of the national curriculum for computer science or IT he is
getting bad grades. It just goes to show that grades aren't everything, I just
hope he can apply those skills and make it in the industry doing legitimate
work not malicious work. Some employers are quite good at seeing past grades
so fingers crossed for him!

------
atesti
How is this possible? If random restaurants are able to assign a public IPV4
address to every POS printer they have, do they all have their own /24 net?
Why wouldn't they all use NAT?

~~~
semi-extrinsic
FWIW, my old 20k-student university (a few years back) had tons of printers
sitting wide open on IPv4. The university had a full /16 that was used a lot
for misc. computers and other equipment (no firewalls).

Used to be very convenient that I could send off a few documents to print
before I left home at morning, and have them waiting at the printer when I
arrived at campus.

Even after they added "swipe your card to print" to reduce waste, using plain
old lpr to the printer IP still worked (it even cut in front of the queue, to
much grumbling from the chemistry students we shared computer labs with).

------
RIMR
This is insanely easy to do.

I know exactly what he did, and the only reason I didn't do it myself was
because I didn't want the inevitable legal problems.

Best of luck to this kid, because as smart as he is, and as destructive as
this isn't, the law takes a very dim view of taking over other's equipment,
even if it's wide-open.

------
umberway
The principle battle with printers as I see it is getting them to accept a
third party print cartridge.

------
hathawsh
There's a great business opportunity hidden here. This kid (or anyone else)
could set up a web site where people go to scan their own network for IoT
vulnerabilities. Make it like the Qualys SSL testing service: let people test
for free without installing anything, but charge for additional services like
repairs, enterprise service, deeper inspection, etc. If there really are so
many IoT vulnerabilities out there, this should be a slam-dunk business.

~~~
olleromam91
Would this become a search engine for malicious people to find vulnerabilites
on other networks then? Sounds risky.

~~~
sasas
It already exists - [https://shodan.io](https://shodan.io)

------
kevinwang
Sad to hear that they feel gloomy about their future. Very knowledgeable for
high schooler.

------
CM30
He isn't kidding about the state of computer 'science' in the UK being
atrocious.

Up until sixth form college, it's pretty much 'how to use Microsoft Office the
class', with programming being mostly non existent and even coding in HTML
being rare in a lot of cases. So anyone who doesn't study IT past the age of
16 or have an interest in computers outside of school is likely going to be
absolutely clueless in regards to how to use a computer.

Once you're in sixth form college, it's then hardly any better, with the worst
ones literally being 'how to use Microsoft Office, Access and Front Page
edition'. So you could theoretically get away with not writing a single line
of code until university, despite doing 'IT' as much as humanly possible.

Add the lack of extra activities, and well... anyone who's done programming at
all may as well skip GCSE and A level IT altogether, since it's got absolutely
nothing of value to someone with even the simplest computer skills.

Thank god you don't need a degree to get work as a developer in this country.
Otherwise we'd have barely anyone interested in programming at all.

He's also right about the internet of things being a security disaster... but
hey, absolutely everyone with experience in this stuff knew that already.

That said, he should probably get out of this blackhat stuff now rather than
later, since it's very likely he'll be caught and end up facing a pretty long
prison sentence at some point in time if he doesn't. Especially when you
realise most people will see what he's doing here and think it's somehow as
serious as breaking national security.

------
onmobiletemp
I go to a good college in california. Im currently in the dining hall and the
peraon across the table from me was using his laptop. He just walked away,
presumably to get more food, leaving his open and unlocked laptop completely
unattended. This is why there are still printers connected to the internet and
why it wont change for a long time.

~~~
x1798DE
This is really not the same problem. For the most part, the people who are
going to fuck with your shit are pretty rare, so the chances that one of them
will happen to be around and ready to pounce in a dining hall in a good
college (and that no one else around will notice) are reasonably low.

Compare that with the internet where everyone is just as far away as anyone
else, you can automate the malicious actions, and attribution is a pain.

~~~
onmobiletemp
They are the same though because most people have no idea there is even a
difference. They are titally unaware. Would you or anyone else who knows
anything honestly leave your laptop open and unattended?

------
fny
Is it safe for this kid to have a "public" presence about these wonderful
shenanigans? I feel like he's bound to have the feds knocking on his door
pretty soon despite how harmless this is...

A classmate got hosed for doing something very similar years ago.

~~~
nicky0
It's probably not a good idea. Children don't tend to have the best judgement.

------
pavel_lishin
> _I don 't know enough people. I don't talk about any of this stuff with my
> friends. Nobody is interested in it. I've had my fair deal of shit from
> teachers when it comes to computing, too._

What a bummer. When I was a kid, I was nowhere as skilled as this guy, but I
was online a lot and talked to a fair amount of people whom I would consider
friends.

It seems that today, it should be even easier to reach out and connect to
people with your shared interests, especially when those shared interests are
effectively marketable skills and ought to translate into job offers out of
high school.

------
h4nkoslo
Weev's use of every IP-connected printer in the US to publish antisemitic
"samizdat" significantly predates this. There's no real exploit in most cases,
just things connected to the internet doing what they're told.

[https://storify.com/weev/a-small-experiment-
in](https://storify.com/weev/a-small-experiment-in)

[https://storify.com/weev/why-i-am-getting-a-
bowlcut](https://storify.com/weev/why-i-am-getting-a-bowlcut)

------
rhaps0dy
So is this the same as

[https://arstechnica.com/security/2014/02/dear-asus-router-
us...](https://arstechnica.com/security/2014/02/dear-asus-router-user-youve-
been-pwned-thanks-to-easily-exploited-flaw/)

but with printers?

------
mentos
Could anyone see the FTC creating some sort of unit test that crawls IP
addresses in the US and tries to find vulnerabilities like this. Maybe
printing out a message for the owner to contact some authority on the
'Internet of Things' ?

------
mordechai9000
Back in the 90s, the Internet was full of Windows machines with open file and
printer shares. How far we've come...

------
tlow
"Smart" (and in this case home) tech which is basically a form of IoT should
really be a pejorative.

------
jwilk
Get we get "?utm_source=..." removed from the URL?

~~~
OJFord
I wonder if there's a FF add-on that can strip query parameters by default on
a cross-domain request?

~~~
jessaustin
I edited the bookmarklet:

    
    
      javascript:window.location="http://news.ycombinator.com/submitlink?u="+encodeURIComponent((document.location+'').replace(/.utm_.*$/,''))+"&t="+encodeURIComponent(document.title)

~~~
jwilk
Shouldn't you replace before URL-encoding?

~~~
jessaustin
It doesn't seem to matter. It's not as if "utm_" encodes to anything other
than "utm_".

~~~
jwilk
But encoded "?" is "%3F".

~~~
jessaustin
Hmmm, I have seen an extra '%3' occasionally... it never hurt anything so I
didn't bother fixing it. Thanks dude now I'm going to be totally tormented
until I fix my bookmarklet.

[EDIT:] ok moving that parenthesis and avoiding the update of
document.location didn't take me _too_ long...

------
234dd57d2c8dba
I hope this guy realizes that school was designed to churn out factory workers
in 1900s Prussia. The education system is so broken because of this, and it
will never change. There's way too many people's job-security and momentum
riding on this system.

He's not broken, the school system is.

------
pen2l
I apologize in advance for making a meta-comment.

I hate news organizations using curse words. Don't get me wrong, using curse
words is completely fucking fine, but it's weird in the worst way seeing
_news_ organizations using these words, they're supposed to carry a voice of
impartiality. It's extremely unprofessional, and it seems overly emotional and
petulant to use curse words. The Vice is absolutely one of the worse offenders
of this.

~~~
cr1895
This criticism seems a bit misplaced levied against Vice. Their whole deal is
edginess, defying the norms you think they should embody. Ignore them if you
like, but it seems weird to say they should be fundamnentally something else.

[https://en.wikipedia.org/wiki/Vice_(magazine)#History](https://en.wikipedia.org/wiki/Vice_\(magazine\)#History)

------
cominous
Something that really presses my buttons is this mentality of lots of people
to just jump on the complain-train and blame the world that certain
technologies for beeing not "as good" as others. And even worse are the people
using that to create cheap articles to generate clicks.

"Javasript is sooo broken.. the world is unfair", "Iot is sooo shit...",
"Language X is soo bad.. thanks Obama", "Framework Y is soo 2016...".

Thousand people are trying to make a difference in the world and the ones just
writing articles about "XY is shit" do mostly nothing. News about bad, bad
"IoT", are so low hanging fruits to click-bait. There is almost never a
constructive appraoch. Just complain and generate clicks.

Where are the leading ideas to make "IoT" better? Where is the
differentiation, that open printers installed by stupid users are not a prove
how "shit" IoT is?

You might also say the "internet is shit" because there is major dataleak
happens every week.

... just my 2 cents...

~~~
gens
Thing is that.. JS _is_ usually broken, the world _is_ usually unfair, IoT has
proven itself to be usually shit and most frameworks _are_ bad.

Xerox is not a small startup that just wants to make printing easier. Even if
it was, at least _some_ basic security practices _should_ be considered.

I mean i'm here writing a dinky little website using SQL and golang (i am a
newbie at bout) and _I_ am sterilizing inputs to make sure that SQL injection
can't happen. Meanwhile the _United Nations_ (!!) website has been exploited
by same. There's even a defcon(?) talk about how a firm was hired to asses the
security of that UN website and when the guy sent them an email saying that it
is vulnerable to SQL injection, they responded by threatening him to never do
that (year later it wasn't fixed). Wish i could find that talk.. it was great.
Then there is the Technicolor router (big company) that my cousin has, that i
just googled to find it vulnerable to all kinds of things and just horrid in
general. Then there is ...

------
patcheudor
Hacking, IMHO is finding something cool about a thing & then taking that
something and mixing it up. Make the thing do something never intended. In
this particular case a kid found that he could print to printers which were
connected to the Internet and then decided to start printing to printers using
what amounts to a script. This isn't hacking. It's not novel. People connect
printers to the Internet and he abused those connections. This is therefore a
prank, not a hack.

~~~
Dayshine
Hacking is gaining unauthorized access to a system or computer...

~~~
pavelmelnichuk
Your ellipsis suggests to are disagreeing with the original comment, else what
you wrote is just a truism. The point of the original comment was that it was
authorized by default as intended by design, and thus not a "hack."

~~~
patcheudor
Yup. Sending a print-job to an open printing port isn't special and IMHO
doesn't rise to be anything remotely close to "Hacking" or "Hacked".
Everything is essentially working as designed, but just poorly implemented.
It's similar to how DDoS isn't "Hacking".

