by canvascritic 401 days ago
SnipVex clipjacking wallets is almost beside the point, the real failure is a printer vendor treating software like a side gig. Printer and hardware companies get a pass on basic infosec hygiene that would be unacceptable for open source maintainers.

until that changes, airgap your weird hardware setups I guess

Also, this is a perfect storm for lateral movement. USB-borne worms still work frighteningly well in small biz environments, especially ones with no centralized IT and people plugging printers directly into Windows desktops with admin perms. Here SnipVex is just a cherry on top: a nice, opportunistic payload for the growing class of infostealers targeting crypto wallets.


> a printer vendor treating software like a side gig

This is a chronic problem with hardware vendors.

Source: Software developer for hardware companies, for over 30 years.

> basic infosec hygiene that would be unacceptable for open source maintainers

The open-source printer stack is a legacy mess. There is a critical vulnerability almost every year. There is not enough money or enough developers to fix that!

The printer stack as a whole is a legacy mess. I have an easier time getting a 3D printer to work than any inkjet machine.

Maybe I got lucky, but in 2017 I bought a Brother DCP-L2520DW laser printer. No matter what OS, computer or network I connect it to, it seems to just work for everyone involved, always, and I don't think I've had a single issue with it since I got it, nor did I do anything at all to set it up beyond installing CUPS on my desktop; for Windows/macOS it just works.

Not affiliated, just a happy user; at least some companies seem to be able to deal with it, regardless of whether it's open source (my stack) or not (my wife's Apple stack).

I bought almost the same model, but a few years later. I also enjoy how effortless connecting this printer to Linux is. I have to install the brlaser driver manually, though.

But I did some research before buying (including here on HN) and Brother printers were praised for being reliable and having no problems with Linux drivers.

There has been a strong push by OS makers to unify and simplify printer interfaces to the point that they should not require special drivers.

But this process is still ongoing and lazy hardware vendors will continue to be lazy in their switch, if they have the option.

What’s that “switch” you’re referring to?

IPP Everywhere, linked in the other comment, but there are also Mopria-certified printers (https://mopria.org/certified-products), which use WPP drivers on Windows.

Brother lasers are the cheat mode for cheap quality prints with no BS.

Luckily the old ones last forever, so it won't be a problem for another 20 years lol.
> The open-source printer stack is a legacy mess.

I don't necessarily disagree, but isn't this because of extremely bad firm/soft/hardware design by the printer companies that then have to be supported by the open source stack?

> The open-source printer stack is a legacy mess. There is a critical vulnerability almost every year. There is not enough money or enough developers to fix that!

Maybe true, but no live trojans either, so it's ahead of the game already as I see it.

What are we talking about here?

Unintentionally spreading malware is bad enough, but blindly dismissing reports as false positives is really bad. Verify first.

No, you do not understand Help Desk Level I Troubleshooting.

The steps are invariably:

- Turn it off then turn it back on again

- Force stop, clear your cache and cookies

- Disable AV and firewall then reinstall

If the user cannot be induced to follow this simple script, then we can never move past the most basic of troubleshooting sessions.

Because everyone knows that troubleshooting is about covering up the symptoms rather than diagnosing the root cause.

Have you worked at a Help Desk? It’s shocking how often those dumb questions reveal what’s really going on. Fake but realistic examples:

- Chrome doesn’t work! (It was actually Microsoft Word)

- my printer won’t print! (Out of paper)

- your program keeps crashing! (No, that’s the OS reminding you of a security update)

They do happen all the time, though. One piece of software I work on frequently fails in CI when a dependency updates, because it often triggers Defender's automated "new threat" detection system some days after it's released. After another week or so it's fine, but it's a pain in the neck.

Verify how?

Go look at the "build log" in your compromised Jenkins server and download the (already compromised) build artifact and make sure it matches the mega.co.nz file?

Do you expect the average software engineer to be able to look at a .exe, pull up a disassembler, and know that all the assembly maps back to the source code?

The person who originally reported it was not super technical, so if your software engineer can’t reproduce the customer's steps to see the same error, then you probably need better software engineers.

You say "Jenkins server" as if there's a CI setup involved.

I wouldn't be surprised if, in many cases, these companies just have whoever touched the code last run a build on their computer and ship that. (Which probably explains how some of the malware got there.)

It's not hard to replicate downloading a zip archive from the official location and to find someone knowledgeable to look at it if you aren't yourself. A non-software-engineer did just that.