Re: Xerox DocuTech problems

[Ken Weaverling <weave () hopi dtcc edu>]

What a interesting coincidence. My joint just got two of these puppies
about two months ago.  My own experiences and comments follow...

On Fri, 17 May 2002 kikaiju () kikaiju com wrote:

> The Scan workstation does not need to have totally open shares.  Done 
> correctly, all it needs to share is the printer driver and even that can be 
> moved to another NT server if needed.

Well, there's always C$ and with the default password, anyone can poke 
into it that can get to it, packet wise.

OK, here's *my* beef.  It's a corporate-sized copier. They were
replacements for our other big giant copiers. So, no one told me this
thing was being purchased. I heard about it a week before it was to be
delivered when I was told "We're getting a new copier, and it requires two
network lines." No one thought to pass it by me before it was purchased
because "it's just a copier."

Of course, alarms immediately go off. 

Now, how many of these things get installed out there without any idea of 
what kind of security risk it might be to an organization?  After all, 
it's "just a copier." 

If I left it as it was installed, then the old days of students having to
break into the copyroom at night to get a copy of the final exam would no
longer be necessary. Now all they'd need to do is easily grab the saved
scan of the exam from the copy machine's server.

> It is not meant to be a totally secure machine.  A hardware firewall
> should be employed between the printer and public internet or even the
> rest of the lan for that matter.

So, it's wide open. There's a doc for locking it down -- somewhat. It 
should be behind a firewall.  Was any of this told to us when it was 
installed?  No, nothing, not a thing. No warning about the risk it might 
provide.  This machine costs several hundred thousand dollars yet they 
can't provide some simple firewall appliance to throw between the 
components and the network drop.

> > ...states that the
> > ultimate responsibility for security lies with the customer.

Wonderful. Don't touch it, but if it gets hacked, it's ultimately your
fault.

> > Kudos to Xerox for setting a new standard of incompetence.

I can imagine a lot of sensitive stuff gets run through a corporate copy
room. Even if it's installed inside a company that isn't on a public net,
it's still a big risk from the inside employees.

Well, our units are currently not connected to our network. I'm still 
trying to figure out what to do with them. So far, nothing. All of my 
staff are tied up on other projects until at least August. I guess we'll 
have to throw up a firewall at each location between these things and the 
rest of our network. :(

Disclaimer: Speaking for myself, not my employer, of course. For god's
sake it's Saturday night and I'm home and not at work -- and should be at
Star Wars but Fandango wasn't working tonight (server too busy, so much
for scalibility planning) and when I got to the theater, damn shows were
all sold out...