Did you see Fiorina’s behavior as a Republican presidential candidate in 2016? I lay some blame on the decline of HP on her just because she’s an awful person, not because she’s a woman, and their turn away from being an engineering-focused company accelerated during her time as CEO.
The evidence points to the decline starting well before her, as the article I posted noted. But people love their just-so narratives, I guess. And yes, she likely didn’t help, but she didn’t start it either. The entire economy was being reshaped by the whims of Silicon Valley neo-liberal tech-dude-broism before she got the job. This isn’t a defense of her, it’s a defense of facts.
And besides all that, often CEO level jobs will get dropped on diversity hires, precisely to discredit such hires. [ETA: meaning when companies start to have real issues, they get a diversity hire - checking a box and placing the blame all in one go]
I think this is a highly unlikely exploit. I also think the CEO’s statement is BS. When you find an exploit, you patch it. You don’t block 3rd party products.
That said, I have to disagree on this. It’s a nontrivial hack, and it’s not going to be exploited (if it’s exploited at all) by a script kiddie. It’s not “state actors” level difficult, though. A skilled individual hacker with some maker skills could definitely pull this off.
They’re afraid if their ink was cheap there would be people printing off pictures of human sacrifice, dogs and cats living together. Mass hysteria!
No idea what other people have planned, but my last laptop but one was an HP, and trash. I bought an HP printer and it was so comprehensively awful I actually returned it for a refund.
HP is a vulture capital firm masquerading as a tech company. They will never get another cent of my money. I am not likely alone in that.
Hail satan and all that!
I keep hailing Satan, and he still keeps driving past and leaving me at the curbside.
I consider the sheer cost of InkJet cartridges to be parasitic by their nature. The idea that refills could embed viruses on your home computer and network seems to be a design flaw in the way HP makes cartridges. The chip should only really communicate the potential ink levels and the “health” of the printhead. It shouldn’t enable a connected ink cartridge to execute code on the printer itself.
This should serve to compel the government to regulate the way printers work to limit ewaste.
That Satan… he can be a real jerk!
I’m warping space-time right now and I’m not even spinning.
The other day I watched something on Drachinifel’s YouTube channel about one of Drake’s more successful raids. According to him, adjusted not just for inflation but actual purchasing power, today’s equivalent would be about one year’s worth of crude oil production - “or the world’s largest oil tanker filled to about 2/3 capacity with printer ink”.
Edit: redundant word was redundant.
No, no - it will be your IoT toaster who’ll rat you out to the feds.
You have to use the app now.
That’s not necessarily a design flaw of the cartridge, over and above the design flaw itself that is the DRM anyway.
If the printer just accepts what the chip says without sanitizing it, then it’s a flaw in the printer, not the cartridge.
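The sanitization the comment above calls for, as an added example (not from the thread, and not any HP firmware): a strict parser for a hypothetical fixed-layout status record in which the chip reports nothing but an ink percentage and a printhead health code, and every byte outside the documented domain gets the cartridge rejected.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical cartridge status record, constructed for this example
 * (not a real HP format): [0] magic 0xC7, [1] ink percent, [2] printhead
 * health code, [3..5] reserved (must be zero), [6..7] big-endian checksum
 * equal to the sum of bytes 0..5. */
#define CART_RECORD_LEN 8u
#define CART_MAGIC      0xC7u
#define MAX_INK_PERCENT 100u
#define MAX_HEALTH_CODE 3u   /* 0 = ok ... 3 = replace printhead */

typedef struct {
    uint8_t ink_percent;
    uint8_t head_health;
} cart_status_t;

/* Accept the record only if every field is inside its documented domain.
 * Chip-supplied bytes are never used as a length, offset or address, so
 * the worst a hostile chip can achieve here is a "bad cartridge" status. */
bool parse_cart_status(const uint8_t *buf, size_t len, cart_status_t *out)
{
    if (buf == NULL || out == NULL || len != CART_RECORD_LEN) return false;
    if (buf[0] != CART_MAGIC) return false;
    if (buf[1] > MAX_INK_PERCENT || buf[2] > MAX_HEALTH_CODE) return false;
    if ((buf[3] | buf[4] | buf[5]) != 0) return false;   /* no hidden data */
    uint16_t sum = 0;
    for (size_t i = 0; i < 6; i++) sum += buf[i];
    uint16_t declared = (uint16_t)(((uint16_t)buf[6] << 8) | buf[7]);
    if (sum != declared) return false;
    out->ink_percent = buf[1];
    out->head_health = buf[2];
    return true;
}

int main(void)
{
    /* Constructed records: one well-formed, one claiming 200% ink. */
    const uint8_t good[] = {0xC7, 50, 1, 0, 0, 0, 0x00, 0xFA};
    const uint8_t bad[]  = {0xC7, 200, 0, 0, 0, 0, 0x01, 0x8F};
    cart_status_t st;
    printf("good: %s\n", parse_cart_status(good, sizeof good, &st) ? "ok" : "rejected");
    printf("bad:  %s\n", parse_cart_status(bad, sizeof bad, &st) ? "ok" : "rejected");
    return 0;
}
```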
At least they
- built stuff that worked and lasted
- funnelled a substantial part of their profits back into R&D
- valued their employees
back then.
I could live with that.
We can agree to disagree, then. For me a script kiddie level attack is something you can do with minimal effort, which is why most script kiddies do wide swath online attacks using premade recycled hacking tools, which usually come from exploits discovered by state sponsored actors.
I asked a friend of mine who is a computer forensics specialist (they call him to figure out what happened after a hacking attempt) and basically, we need to:
- Access to the printer platform SDK. Most of these printers use custom made processors. They usually are made from prefab pieces so the compiler may be available (i.e.: old ones used to incorporate 68k in an embedded form, most modern ones use ARM processors, I will bet that 10 years from now they will start using RISC-V), but you won’t have datasheets, nor a standard SDK.
- Once you identify the platform, decompile the ROM (Hydra may work well for this, but you probably will need to write a custom interpreter)
- Once you have the ROM decompiled, you need to find something exploitable. Usually the easier points of access are the public interfaces.
And usually you would stop there, as many companies won’t have paranoid sysadmins that routinely harden all interfaces, and monitor low level traffic for suspicious activity. So if you want to cast a wide net, you probably want to target that. Heck, if the vulnerability is accessible via Wi-Fi, you can probably hack the printer without accessing the building!
But this is not the case, this is a big company with military ties, so they will have Bastard Operators From Hell, and probably commission a quarterly pentest. That means anything that’s public is out.
- You find the serial exploit and, hoping HP doesn’t patch it before you finish the exploit, craft an interface that can be fitted inside a cartridge (not that difficult, lots of empty space in a cartridge). This interface will need to rewrite parts of the OS, which, as you don’t have an SDK, can be very easy (i.e.: they use a licensed RTOS you can buy separately), to moderate (everything is contained in a monolithic app) or very hard (they use an in-house RTOS so you have to map the system calls).
- Now you have to deliver it. That means the cartridge needs to pass at least a cursory visual inspection. No reworking visible from the outside, keeping the marks intact. Being able to print is optional. It may be even desirable to report immediately as non-working, so they put it in, apply the exploit, and swap it out (and probably throw it away). But to deliver the cartridge, you need collaboration, ideally not from the inside of the company (because, again, if you can bribe someone from inside, why bother at all?). So you target weaker links like, let’s say, a part time employee of the company that won the supplies contract for the printers. And wait.
When I say this is state-actor level, it’s not just the complexity, more like… who would need to go through all that effort!?
For a real example that happened to my friend, a state company (in Spain) was targeted by Chinese-backed hackers to get some confidential data. They sent the CEO a USB powered gadget aquarium; the payload relied on certain (now patched) vulnerabilities of the Windows HID driver, and executed automatically once it was plugged into the computer. The payload downloaded a trojan, sent passwords and tried to download data from the shared folders. The sysadmin noticed the spike in traffic and pulled the plug.
Windows machines are an easier target because the OS is well known, and SDKs readily available. So basically… why go through the effort described above unless you really are determined, and well funded?
That’s the point. You probably won’t disguise it as a third party cartridge… you will want to disguise it as the real thing.
And, moreover, if I wanted to hack a printer, with all that I said above… who better than HP that can provide datasheets, SDKs and all that I need to find the exploits?
Fiorina’s tenure is generally considered disastrous by both insiders and outsiders alike.
For insiders, she was very against all that “the old HP” went for, and she did not care much. She killed or sold many profitable divisions because they were not “aligned with HP vision” of making computers, servers and printers (surprise: turns out it never was). Losing what would become Agilent Technologies was a bleedout, as it was the source of most of HP’s innovation and talent. Merging with Compaq was terrible, and did not bring anything close to the cost it took back in revenue.
For outsiders (i.e.: the shareholders), she did not deliver at all - missing most economic objectives she promised would be achievable -, spent too much time doing publicity stunts and not enough time managing the company. I think it did not help that everyone’s eyes were on her… basically a bit like Musk some years ago. She was someone very keen on tooting her own horn; this is something that can be positive if you’re good… not that much if you’re not (again, we can see that with Musk).
In comparison, Platt’s tenure was not that terrible. He was not good with the shareholders, who thought he had too modest ambitions. Basically he wanted to keep maintaining the route of the original founders. Old guard engineers loved him (he was “one of them”), but growth was too slow and the board demanded a replacement.
I have to say though, most people don’t remember that while Fiorina was already interim CEO and advisor, it was ultimately Platt’s decision to split HP. So probably my old engineer friends from HP were wrong to accuse Fiorina of all evils… only the ones committed after she took the reins (like gutting R&D and merging with Compaq).
And entering speculative territory: Some say the split was to preserve “the HP way” as Agilent was much more like the old HP than HP ever was in the 00’s and 10’s.
ETA: I cannot speak about the CEO pre-Platt. HP Spain was opened in 1985 so whoever was before Platt was considered the “standard baseline”.
Yes, I’m aware…
ONCE AGAIN, my point isn’t that she was a “good” CEO… she objectively was not. My POINT is that she did not CAUSE the downfall of HP single-handedly.
I would really appreciate if you guys could read what I wrote and respond to that…
Well… They could do that.
But that does assume they have any real interest in securing their consumer/business grade shit.
The evidence tends to suggest that manufacturers just don’t give a shit about security other than as a way of justifying whatever enshittification they have dreamed up.
As here.
I always got the impression Fiorina was brought in precisely because she was going to deliver a set of aims the company had already set its eyes on. She certainly never came across as a person with the imagination and skill set needed to change the direction of a monolith like HP.