Students do it, your co-workers do it. What? Printing, of course. Even with the paperless society we live in, the need for printing documents has not really decreased. Rather – for myself – it has increased. The reason is that the various corporations I’ve been employed at have been tech savvy – the customers not so. So to accommodate this, the corporations had to set up their printers with keycard access, and each employee got a fixed amount of paper to spend. Well – it isn’t exactly true that only the corporations did this. At college we had a similar setup – but the students had to pay a fee twice a year for access. Many institutions do this since they have to pay copyright fees based on the amount of paper printed.

One day, after I inherited a position administering these systems, I found something interesting. On a routine checkup of one of the printers I found something odd – the control panel wasn’t pin code locked. So I tapped my way through the control panel of the machine and printed out the configuration page. For those who have never encountered such a page, it is basically just a paper page showing the health of the printer along with various statistics – and the IP address. The IP address was a major clue here. I went to my laptop and added this printer using its IP address and BAM! I could print without touching my paper balance. I brought this issue forward to the chief administrator – and the response? This issue never got resolved. I suppose the admin had a secret agenda. Along with the rumored download server tucked away somewhere under a desk …

Now, several years later, at various corporations the issue is still the same. The IT policy states that you must access the printers with your key card to get the physical printout. Or? Actually no. Some guy figured out that the printers showed up when scanning for them in Windows. Instead of using the dedicated driver software he used the built-in Windows driver and BAM! Instant access.

But – anyway. Doing exploits like this will backfire on you sooner or later. There are internal logs, not as easily accessible, that record where the printing jobs originate. In my server setup I know exactly which machine got the IP lease. Yes – even for DHCP. I won’t hesitate to confront you with evidence. With that said – for future aspiring administrators, and old timers: we all make mistakes now and then. Be sure to cover the basics – put that pin code lock on your printers and make sure that you cannot circumvent access to them using either the stock or the dedicated driver. Uhm – and I haven’t even mentioned the built-in web server many printers have. Yet.
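
The log correlation described above, as an added example (not the author's own tooling): it flags jobs that reached a printer from anything other than the print server and maps each source IP to the machine that held that DHCP lease at the time of the job. The log formats, addresses and host names are constructed assumptions.

```python
from datetime import datetime

# Constructed sample data in assumed formats (not from a real printer or DHCP server).
PRINT_SERVER_IPS = {"10.0.5.10"}  # hypothetical: the only host allowed to submit jobs

PRINTER_JOB_LOG = """\
2024-03-04T09:12:31 job=1841 src=10.0.5.10 pages=3
2024-03-04T09:40:02 job=1842 src=10.0.20.57 pages=48
2024-03-04T13:05:44 job=1843 src=10.0.20.57 pages=12
2024-03-05T08:01:10 job=1844 src=10.0.20.99 pages=5
"""

# Columns: lease start, lease end, ip, mac, hostname.
# The same IP is leased to two different machines over the day.
DHCP_LEASES = """\
2024-03-04T08:00:00 2024-03-04T12:00:00 10.0.20.57 aa:bb:cc:00:00:01 LAPTOP-ALICE
2024-03-04T12:30:00 2024-03-04T18:00:00 10.0.20.57 aa:bb:cc:00:00:02 LAPTOP-BOB
"""

def parse_leases(text):
    leases = []
    for line in text.splitlines():
        start, end, ip, mac, host = line.split()
        leases.append((datetime.fromisoformat(start), datetime.fromisoformat(end), ip, mac, host))
    return leases

def lease_holder(leases, ip, when):
    """Return (mac, hostname) of the lease covering `ip` at time `when`, else None."""
    for start, end, lease_ip, mac, host in leases:
        if lease_ip == ip and start <= when <= end:
            return mac, host
    return None

def find_direct_jobs(job_log, leases, allowed=PRINT_SERVER_IPS):
    """Flag jobs that reached the printer from anything but the print server."""
    findings = []
    for line in job_log.splitlines():
        stamp, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        if kv["src"] in allowed:
            continue  # job went through the accounted, keycard-released path
        holder = lease_holder(leases, kv["src"], datetime.fromisoformat(stamp))
        mac, host = holder if holder else ("unknown", "no lease (static or spoofed?)")
        findings.append({"job": int(kv["job"]), "src": kv["src"],
                         "pages": int(kv["pages"]), "mac": mac, "host": host})
    return findings

if __name__ == "__main__":
    for finding in find_direct_jobs(PRINTER_JOB_LOG, parse_leases(DHCP_LEASES)):
        print(finding)
```

Matching on the lease window rather than the IP alone matters here: the two direct jobs from 10.0.20.57 belong to different machines.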
