267 comments

[ 2.9 ms ] story [ 265 ms ] thread
Good to know that the world and Hewlett Packard are just as disgusting as I assume they are. I get called cynical but it’s reality.
That's good for espionage and other activities. Even photo copies leave meta data somewhere; that's how one serial killer got caught, iirc.
No it’s fine, HP isn’t a company from Gina, nothing to see here
Some printers/photocopiers can be configured to erase their data.

For HIPAA reasons we have a Kyocera at work that does this. After each job the display shows "Erasing hard disk data" or something like that as it scrubs the buffer.

But how about a printer that just doesn’t have a hard disk? What is it used for anyway?
I wonder if, at this point, it isnt easier to write a service that floods all these companies with random made up telemetry. MS/HP/FAANG wants data? Lets bury them in it. We train some AI so it isn't obviously wrong. We start anti tracking lists like the spam blacklists. We se d GDPR requests to find out what sticks. With some luck, their firewalls block us and we're finally getting privacy.
That's been done already with ads: https://adnauseam.io/

I've heard that in practice it does get you on a blacklist and they'll start ignoring what you send, so perhaps it does have some effect.

Point of caution before using adnauseam: I installed and used it on 3 devices for about 6 months a few years ago. I have seen an increase of about 50 fold in the amount of targeted spam phone calls and physical mailers I receive since that time and they've only started to subside in the last year. I can't prove but highly suspect it's a result of my name getting added to a lot of lead DBs as an interested potential customer due to adnauseum ad clicks.
You took shots for the team. Keep up the good work!

Reading about the tool makes me kinda wanna install it ... that should mess up the targeting profile quite a bit for my ip.

The bloat in HP printer drivers has been well known for a long time, and I'm not surprised "telemetry" is now part of that. I stopped "upgrading" printers when they still used parallel ports and standard drivers the OS already had (no need to even touch the installation CD), so I don't know if the newer ones can also be used without installing the extra crap.

I imagine that a user’s data is exfiltrated back to HP by the printer itself, rather than any client-side software.

To me, that's a good reason (among others) to use a print server and plug the printer into it instead of a printer with its own networking; or if you must, keep it behind a firewall with no access to the Internet. Although I have no interest in owning one, I'd be curious to packet-sniff one of these.

To me, that's a good reason (among others) to use a print server and plug the printer into it instead of a printer with its own networking

That's an excellent idea. I wish I'd thought of it.

I have a couple of old Airport Expresses lying around with USB ports on them. I wonder if one of them could be pressed into service in this manner.

I did this, just needed to torrent and install an old version of 10.6 on a VM so I could configure the airport.

Raspberry pis also make decent print servers

Another option is to a) give your printer a static IP (or setup DHCP to assign it's MAC a consistent IP) and b) add a routing rule to not forward packets from that IP.

(However, a print server is strictly better if only because you just can't know what such a printer is going to do on your network!)

There was a time that I trusted HP and their products and would recommend their business line to friends and family. This has changed over the years.

Crummy software updates (had to install an old version of some Intel tool to get my laptop to sleep in Windows 10) and the crapware they still bundle with Windows has made me take a step back from that position.

With this move I'm done with HP. I would have accepted a simple and clear explanation and toggle to send the same information, but this is just too shitty.

If anyone from HP is reading this, tell your supervisor that you've just lost another guy-that-everyone-goes-to-for-pc-advice. I hope you're happy.

I gave up on them when the inkjet I had bought produced a small mountain of dried ink inside it with it's constant cleaning cycles. There was more money in that dried ink than I had paid for the printer.

This was very a different experience from the monochrome DeskJet 500 that was such a workhorse. And the 7470A plotter that dad used for over a decade.

If you don't need color, try a laser printer. Toner doesn't dry out; you only pay for what you actually print.
That's what I did. Got a Brother HL-5370DW and it's been excellent.
Second this- the really great thing about the brother lasers is awesome Linux driver support. The install process was simpler on Debian than even the windows setup, which is certainly not the case for HP gear (hplip, the less I think about it the happier I am).
This, and for most Brother printers there is a page counter bypass for toner carts.
HP has this as well for the printers I have.
What? I've never had any issues with my HP laser printer in Linux.

I can attest that in Windows 10 I always have to delete and re-add the network printer whenever I want to print something because apparently being offline even once is enough of an upset to send the Windows printing system into paroxysms of fear, where it will tremble mightily, unable to re-try in less than 20 minutes. Don't get me started on how it's impossible to share a cellular connection over Ethernet because plugging Ethernet in turns the cell connection off to "save power" either. That little turd of a feature cost me a couple hours last week.

Same here never had a problem with my HP laser printers on linux
I have the HL-L2360D and it's been great. I love the IPP Everywhere drivers and don't have to worry about anything in particular anymore.

After this I would only get a printer which has IPP Everywhere or at least is supported by foomatic-db. hplip can get lost.

I can also get non Brother branded cartridges as they don't make a habit out of selling the printer so cheap that they have to then rape you on the price of the cartridges when it's time to refill.

The non-Brother branded cartridges work just as well as the official ones and I can go into any major office chain and buy them off the shelf.

Get a laser printer EVEN if you need color.

Color laser printers are slow, but not expensive.

Toner doesn't dry out; you only pay for what you actually print.

Beware, however, that if you live in a very humid climate, toner will clump easily. I suspect this is why inkjets are very common in Southeast Asia, whereas lasers are not as popular there.

One needs to keep in mind that toner dust and ozone may pose a health risk when printers are used close to to where people live/work.

Many printer manufacturers nowadays sell inkjet printers with laser-printer like operating costs, where ink is dirt-cheap, but the printer is correspondingly more expensive. Google for Epson EcoTank or Brother Inkvestment.

Dust from toner clearly provokes cancer. You need to be careful for those who have a lot of printer work.
I have a color laser printer that's 4+ years old, was cheap, and still works great. Color laser is not expensive like it once was.
I once briefly owned an HP inkjet printer that I bought new for some ridiculously cheap price. When I found out what inkjet cartridges cost, I unplugged it, walked to that little room by the elevator in my high rise, and threw it down the dumpster chute.
Telemetry systems are out of control, and really exploded with the smartphone era. Personally, I run application level firewalls on all my devices i) to stop ads & ii) to stop telemetry. Unfortunately, it's too hard/too much trouble for the average user to maintain.

We need to come up with a better way to (automatically) hobble this nonsense, probably at the os level.

I think we need laws.
I vote with my money. Laws are lazy, trivial to insert exploits into and stacked with unintended consequences. Eduication is much more effective.
Passing laws is pragmatic. Individual boycotts are idealistic, they go totally unnoticed and the status quo continues.
The "status quo" argument of apathy is self-fulfilling. There are few things that are more effective than market forces, hence the 24x7x365 war for your opinion.

Note how often people say "insert law here". Compare that with how many times they actually propose the text of a law. Our most effective laws are exceptionally simple and short. It's not accidental that "modern" laws are intractably complex.

How about try it? Propose the law.

Some people, dare I say most people, care more about results than dogmatic adherence to libertarian free market ideology. That is why effective regulation is everywhere you look. Regulation is popular and effective, regardless of how badly it offends your sensibilities.
Or? Is it in theory possible that your preception of reality is off?

Government regulation of the net (aka speech) is a non-starter, so the people who think "insert rule" fixes something are forced to rebrand it to "net betterness". More than half of the general public is wise to these techniques.

What "pragmatic" law do you have in mind?

Government regulation of businesses that happen to have websites (aka 'regulation of the net') is already reality. Pretty far from a "non-starter"
Surely you have atleast a sketch of the law in mind?
Hosts file blocklists work well for known domains. https://github.com/StevenBlack/hosts
Each application shipping with its own DoH resolver - spearheaded by browser vendors in the name of security - will put a lid on that.
They are rightly saying that DoH will secure requests from tampering --- but when it's the owner who's doing the tampering, it becomes yet another anti-user security feature.

Personally, I'm less concerned about privacy of DNS queries than the loss of control and need to have another centralised third-party in the process.

It was a bad security feature anyway, easy to bypass
On Firefox it is configurable or even disablable trivially. Much ado about nothing.
That doesn't mean the other apps which use DOH will also be trivially configurable to disable it.
I'm glad I'm not the only one concerned about this.

As far as I'm concerned, Google are only interested in DoH so far as prohibiting DNS level adblocking within their walled gardens.

Everyone thinks they're working toward tamper proof connections for the benefit of users, but it's really for the ad companies IMO.
And manufacturers. I tried to install system-wide cert on my Android to intercept and see exactly what system apps on my old Nokia phone were sending to Chinese servers but couldn't because Google thoughtfully "protects" its users. Tivoization at its worst.
jup, I am concerned as well.

cloudflare DOH fortunately uses it own domain for dns, so you can block it at firewall level.

Google could be evil and make resolver "google.com", so you would have to block whole google.

I was talking to a few people, of creating a list of all public doh servers, so we could all use it on our firewalls to block them.

That doesn't help if ad companies and other attackers set up their own DoH resolvers.
This is exactly correct. The purpose of DoH is two-fold; for Google, to allow themselves to be the endpoint DNS resolver so they can both bypass local ad blocking and collect statistical behavioral data (I am aware that their policy does not permit them to do this; it will certainly not be the first time Google violates their stated policies in the mission of serving advertisements), and for e.g. Cloudflare, to centralize and control additional pieces of previously-distributed Internet infrastructure (and thus permit centralized monitoring not if but when they are compelled or subverted by the intelligence community).

Mozilla I don't understand. The most likely explanation appears to be that they are still in a catch-up-to-Chrome mindset, which is a disservice to themselves and their community.

DNS queries should be encrypted. Centralization-by-default is not the answer and people should look more closely at the incentives in play by those pushing the DoH standard. I appreciate the efforts of e.g. OpenBSD to prevent this side-channel leakage of user data to private corporations: https://undeadly.org/cgi?action=article;sid=20190911113856

A good DoH feature is that it distrusts the local network's services in favor of ones on the local device. Especially with Comcast, Verizon and others doing bad stuff with traffic, not trusting the network providers looks like a good thing.

Ideally one could change to any range of DoH resolvers - right now there's 3 or so.

DoT and running your own recursive resolver is better still.
Or if you work at an ISP, set up an alternative DNS that users can opt out of, for blocking telemetry for everyone except those that really wants it. Invert the playfield so to speak.
That's why I've installed a MITM proxy for all HTTPS connections over my LAN.
Last time I put a large list of blocked domains in my /etc/hosts file, it was causing non-trivial amount of delay (hundreds of ms) to every dns lookup. I guess hosts file is not designed to be scalable. I ended up running a local dns server (which able to use those blocked domains list without noticeable performance hit). These day I just use pi-hole running on a spare raspberry pi.
I think GDPR helps in some cases, but I suspect as the laws are analyzed and tested in court, the old habits will come back.

All OS vendors benefit from this telemetry, so they all have it and support it. Microsoft collects lots of data, but don't be fooled, Apple also collects lots of telemetry.

I think what folks will start to realize is that RMS was right and only free software will be the only way to navigate this mess (since users are not denied access to the source code, which can be analyzed and the idiocy removed, like people do with ubuntu).

I'm reasonably sure this stuff doesn't fly in the EU anyway (hiding away information like this deep within some privacy document is not the clear consent the GDPR requires).

Tools are becoming available though. Projects like PiHole are making it easier to block many malicious trackers. There are even companies selling pre-built PiHole devices. Unless HP is hardcoding IP addresses, it's only a matter of adding the required domains to a tracker blocklist (if they're not already on there) and most of these problems go away nearly instantaneously.

I've noticed my PiHole helping a lot in regards to stuff like mobile apps (Google Analytics, Facebook Graph, etc.) and embedded devices like these are probably no exception.

I can tell you that my UK printer has the same shit!

I went through it with a magnifying glass to make sure it didn't select anything.

In addition, I set up the IP stuff manually on the printer to ensure there was no gateway... can't get out without a gateway.

I used to do the same exact thing.

At some point, though, I noticed that "something" [0] still managed to "get out".

After running some packet captures, it became clear what was going on. Although the device was using the network settings that I had manually configured, I had not specified a default gateway. The device decided it would use DHCP to discover the default gateway for the network and began automatically using it so it could get out to the Internet.

Since then, I've started specifying a default gateway for any devices that I don't want to get out. I give 'em an IP address that isn't in use on the network and, fortunately, I haven't ran into any other instances of crap like this happening.

[0]: I really wish I could remember what device this was but it's been a long time ago and I really have no idea, sorry.

These kinds of concerns are why I put all my "untrusted" devices on a separate VLANs, so I can reliably shut them out of the internet. Simple VLAN-enabled switches don't cost that much any more. Such a switch allows you to treat any port of the switch as a distinct network interface on your main router, where you can just disable forwarding for selected interfaces entirely. It also prevents your untrusted devices from seeing each other, i.e. your printer wont't be physically able to send ethernet frames to your VoIP phone, even if connected to the same switch. Here is some introduction to the concept:

http://corecom.com/external/livesecurity/vlans.htm

VLANs, huh? I'll have to Google that sometime. ;)
True, but assigning it a static IP and blocking egress traffic originating from it should accomplish the same thing.
I think static IPs and blocking egress traffic only keeps well-behaved devices from doing any harm.

It does not protect you from compromised, malicous (IoT) devices. Think about a network printer doing ARP spoofing and MiTM-attacking your VoIP phone or IP cam. E.g. googeling immediately turns up vulnerabilities like this [1] one. A properly configured VLAN setup can help to prevent or limit this threat.

[1] https://www.scmagazine.com/home/network-security/hp-officeje...

New printer next year: "Hmm, I can't contact my telemetry server with these internet settings… time to connect to any open Wi-Fi I can find nearby!"
Are you up for filing a GDPR complaint with the Data Protection Authority? :)
I’d like to see a big hardware company explaining its shareholders that they got a fine of 4% of the company’s worldwide revenue because they wanted data that was supposed to increase sales.
Hey I am interested in application level firewalls. Can you please share how you do this.
Telemetry is fine when it is included with enterprise software with licensing agreements handled by lawyers and corporate security. Telemetry is actually helpful and a good thing in that use case.

It is not in consumer products, period. Unless you are paying me for this information (in actual money, not discounts, not services) telemetry should be banned.

> ... with licensing agreements handled by lawyers and corporate security.

So it's helpful when it's someone else's problem?

It is helpful when the company doing the telemetry really values you as a customer and you have teams of people responsible for understanding and negotiating the details.

It is not helpful when the absence of competition forces you to accept one devil or another and little power (or time) to understand how your information is being gathered and used.

It's helpful when the iSeries calls IBM to get someone out for part replacement. Both parties know the whole deal since there is an actual contract with specifics. Consumers don't have 'contract support' unless they have cash.
> Consumers don't have 'contract support' unless they have cash.

So what do you propose then? Every website have a paywall and block poor people?

This isn't a website, it's a printer. We're already paying customers. If there was a paywall, we passed through it when we went to the store and dropped $100 on their product.

I suppose the big problem is that everyone gets into the data broker business when they get big enough these days. It fundamentally changes the expectations of your relationship with the company.

It's a lot like the Vizio/Samsung/etc Smart TV privacy fiasco. Back when you bought a $699 21" Zenith tube television, their business model was transparently "we make and sell televisions." The up-front cost was sufficient that they weren't too concerned with a trickle lifetime recurring revenue. There's no real place in that business model to focus on a data gathering side hustle, and you as a consumer had no reason to think they'd be interested that you kept the knob on UHF all night.

Similarly, if HP's business model is legitimately selling printers and printer accessories, there's very little information they need but are not getting from their existing "what retailers order for restock" and "direct sales and ink-as-a-service" channels. Even the obnoxious personalized 'you print lots of photos, buy our photo paper' ad doesn't require remote data submission; you could calculate it on the fly locally and pop up a banner, just like with 'you've printed 29 pages, time for a new cartridge!" I could see system and document info for crash log purposes, but even that's a one-time permission request you can make on demand.

I guess what's amazing is how much the tail has come to wag the dog-- they'd rather creep out people and run the risk people finding out losing the $100-plus-years-of-expensive-consumable sale in order to get that sweet sweet consumer-profile data worth a few dozen cents per-user in quantity.

Honestly, I want to replace my arthritic LaserJet 5 with something offering duplexing and more than four real-world pages per minute, but new printers seem to be doing everything they can to be a distasteful purchase instead of an exciting one.

Plenty of people are happy to share information on the Internet and even to pay small sums of money to do so.

If you aren't interested in sharing information without selling visitors data, your service isn't viable without charge, or nobody is willing to pay you, everybody is probably better off without what you're trying to offer.

Corporations with professional legal counsel have more power than individual consumers.
Only when fully disclosed and blockable.
Iftelemetry were so valuable (“data is the new oil”) the would/should pay us for it.

Like all those “We value your opinion” customer feedback surveys. Yeah, you value it at $0.

I absolutely disagree with these data collecting practices, but if your data is e.g. worth $5, that may have been already deducted in the printer's sale price.

If you have two feature-equal printers, but one doing data-collecting and $5 cheaper than the other, which one do you think will be sold out first?

I wish that manufacturers be forced to also show default/required data requirements on their products similar to how they already display minimum/recommended hardware requirements. This would at least increase consumer awareness of the issue, at best maybe abolish it entirely...

Printer hardware is usually sold at a loss or near a loss in order to focus profits on ink/toner sales. That's how you get the ridiculous DRM on ink.

Force manufacturers to allow third party ink and to disclose data collection and you get a much different, better for the consumer, printer market.

I don't want to be paid for it. I just want it to not happen.
Not running any of bad oems specific software and relying on in kernel drivers to talk to whole classes of Hardware seems to work.
Pi hole, and similar, and block all other DNS, would probably be a good start.

Tackling on edge firewall, looking what goes through, and blocking it there is second step (but since a lot of it is going to various cloud providers and cloud flare) this is often not an option

Automatic blocking doesn't work cos they are constantly coming up with new ways to bypass blocks.

Here's what I use. There's a free tool called Windows Ultimate Tweaker. It'll help with basic settings.

Next, Du Meter - shows network traffic right on taskbar. If I'm not actively using the internet and Du Meter shows 1MB/s, I get suspicious.

Finally BWMeter. I'll say it's little snitch for Windows. It'll alert you any time an application tries to access the internet. You can allow/forbid temporarily or permanently.

They are all light on resources. BWMeter's UI isn't great but it gets the job done.

Anyone know Mac equivalents?
iStat Menus will give you amazing insights on your system in the menu bar. It has a rich choice of views.

There's also Little Snitch for network monitoring.

For the rest, haven't researched much.

Realistically you want it at the router level. Force all traffic through a transparent proxy like mitmproxy with some custom code to strip out the sends you don't like. Stop all those IoT devices.

Its on my plate to make a go at it, with some inspiration from pihole. But really it'd be about enabling myself to use some of this great data without sharing it with a third party.

For example, I'd wear my fitbit if it wasn't reporting in to their servers. But if I force my phone through a VPN, which routes through my transparent proxy, I could feed fitbit junk data while scraping the pieces I want to my own system.

We need apps that take control of these devices and their telemetry away from the third parties.

Philosophically, I completely agree with you. The problem is that this isn't inherently possible because the whole thing could be E2E encrypted.

I know there is a Linux (python?) client that will sync (at least some models of fitbit) to their cloud service. But I've no idea if there is one that will dump the data locally. It's entirely possible that the cloud client is merely passing along an opaque blob.

Why not just block everything the printer sends? When does a printer actually need internet?
Yes, removing Internet access is always an option (although eventually we might have to physically disconnect wifi antennas or use a Faraday cage...).

I was responding to a comment that was talking about creating Free Software to communicate with the device, specifically the idea of proxying access to the corporate server and modifying the communication, rather than implementing the whole protocol from scratch.

I'd guess the Fitbit protocol is encrypted, from a desire to keep people from cheating their activity reports. If a company wants to spend the development time, there is basically nothing that can be done to prevent a device requiring Internet access on a dumb-pipe all-or-nothing basis.

Faraday cage for the win. My printer stays offline - period. If something needs printing, I have to sneakerware it. If I'm unable to do that, I rethink whether it really needs printing in the first place :D
Although this comment may seem a bit extreme: I looked at the rubbish that Fitbit installed on my laptop several years ago. I decided to throw my Fitbit out after scrubbing my hard drive of their software. So, although it's fair to assume their software's probably improved since then, I'm not buying.
That's exactly what I do on my Mikrotik router. I assign a static address to my printer and then disallow any outgoing internet traffic coming from its internal IP.
> Realistically you want it at the router level.

I do both.

I run a firewall on my phone mostly to prevent applications from communicating out without my express permission. I also don't turn on my phone's radios without connecting to a VPN that I run at home, so that all of my phone's traffic gets routed through the defenses I've set up for my home network.

On top of that, I avoid using the web on mobile devices to the greatest degree possible.

Router solutions tend to work only for static/controlled lans. Nearly 100% of my time connected to a network is not under my control (someone else's wifi or telco). Another problem with router and other solutions such as pi hole / hosts is that they apply rules in a generic manner without regard to context. eg. On my Mac I use Little Snitch to disallow any comms with apple, except when it's App Store. Appalled at the telemetry that vscode allows, I've gone back to sublime text 2.

On my Android, (sadly without root) I use NetGuard for similar purposes. I blanket disallow google for many apps. I allow carte blanch to my personal servers for apps that I use, but any telemetry of theirs is stonewalled.

In Firefox I use containers to separate FB/Twitter to their own hole, while I blacklist them in uMatrix for every other circumstance.

That said, things like doubleclick and crashlytics are fine to be black listed throughout a network.

My thoughts were more targeted toward a properly sandboxed os that gives users the chance to control on a port/ hostname level what is being connected to.

HP went down the shitter as far as I was concerned when “the HP way” went. This happened when they spun off Agilent which took it with them.

I have actually physically assaulted several HP products since then. Literally nothing but aggro.

All the agilent test equipment I've worked with is still solid AF. It's sad HP consumer stuff, particularly ink jet printers, is cheap junk. Enterprise stuff is fine though
Yeah same. I just bought a new display for my 20 year old 34401A! That’s service.

Enterprise. Not so good. Arguing with Broadcom NICs and blade chassis switch problems for a decade and a half makes me happy about AWS.

Exactly. And then that Republican philosophy major hag. And then the sex at work CEO.
Former HP employee here. HP made and still makes great hardware products. Ink is the cash-cow and this won't change in the near future. The thing I always hated though was the bloatware. I remember that everyone I was buying a HP laptop, I would back-up the drivers (.inf), then remove all the JUNK, and then reinstall all the drivers. JUST the drivers.

Fortunately for me I have the skills to do so. Unfortunately the majority of users have to suffer the bloatware and weep for the lost CPU and RAM that garbage wastes.

Nope, the hardware was great, back in the 80s,90s then once Compaq was swallows, HP lost their way. The only same answer has been to avoided their products since 2003.

Check our Samsung or Brother for printers that don't involve bullshit. Any Asus beats any HP laptop and HP "server" gear, jajaja

> Any Asus beats any HP laptop

The HP Spectre line runs Linux out of the box with full device support. Asus is hit or miss.

Otherwise, yes, you're absolutely correct.

Oh, yes, I fought for days with the trackpad on my Asus S410U. I forgot about that.
> The HP Spectre line runs Linux out of the box

And guess most of HP ProBook line. Asus sucks here, plus zero chances to get any support.

Samsung printers are owned by HP now. Expect the same within some time.
Using the manufacturer-provided drivers will usually result in junk as well. It is always best to know your hardware and try to find the drivers from each hardware vendor, or sometimes Windows 10 drivers work well too. You can usually get this info from the device hardware vendor ID and product ID if you're using Windows. With Linux, pretty much everything is automatically packaged with the kernel.
This. I simply don't trust manufacturer-provided drivers.
(comment deleted)
In college I worked at the computer support desk for students. Certain models of HP laptops were notorious for the wifi module failing, conveniently just outside of the warranty period. I would never trust HP hardware.
Even if you take trust out of the picture, this sort of nonsense leads to a crummy user experience.

The customer needs to download and run an installer, accept a license agreement and configure a bunch of options that have nothing to do with the primary function of the hardware, then they can configure the actual hardware. In the end the user will usually end up interacting with vendor specific (or even model specific) software to manage the printer or configure print jobs.

None of that is truly necessary. Microsoft can detect hardware and provide plenty of drivers under their operating system. The typical desktop Linux distribution can do the same. In both cases, the key are licensing agreements that allow for it. Those licensing agreements are much more flexible if the software isn't collecting analytics (either for telemetry or marketing).

My epson printer specifically says this when you install the driver. At least they're being upfront.

I don't like it but I don't know how to disable it and don't have the time to look into it.

Arguably much worse than all this is the yellow dots tracking on some colour printers https://www.eff.org/deeplinks/2008/10/effs-yellow-dots-myste...

> I don't like it but I don't know how to disable it and don't have the time to look into it.

They know that almost nobody does, so they bank on it... it needs to be regulated.

It's good that I never trust printers to print my master passwords and just write them by hand. At least my pencil does not send anything yet...
HP pencils record arm movement and the eraser has a wireless transmittor.
Sounds like we need the Raspberry Pi of printers.
I was just thinking more like using a raspberry pi for a home print server.

1. Load up the Pi with Cups, which has a web interface, and all the optional drivers and fonts it needs.

2. make sure ip_forward is off

3. set all your printers to use your Pi as their default network gateway

4. profit?

I do this but, I've missed step 4. There is a little more to the cups config but it "just works" (if you know cups well)
Are HP doing this in GDPR-covered territory?

Possibly the requirement to download stuff is so they can geo-target?

When I got a modern LaserJet at home (my LJ5 lasted forever), I intentionally got one with Ethernet, and without WiFi.

But all the cloud-y firmware features of the new LaserJet looked so sketchy, I decided not to connect the printer's Ethernet to my LAN.

Instead, I set up a separate little print server, which connects to the printer's USB.

Of course there are still vulnerabilities, but at least now it's not as overtly sketchy.

Couldn't you just drop Internet-bound packets in your router?

But yeah, USB is good enough for printers.

Yes, and I could additionally filter the permitted traffic to/from the expected TCP port(s) and directions for each. But my current home routers are OpenWrt, tend to get reflashed, occasionally lose their configs various ways, and aren't documented as well as one would like, so I try not to add much complexity there. A little print server either works, or it fails conspicuously (unlike rules on my plastic router, which are most likely to fail silently). If I ever get time to build a bit different router (e.g., pfSense or atop a normal Linux distro), I'll revisit that.
I found pfSense far easier to setup than OpenWrt. I've been running it on an Atom desktop for about seven years. I've updated more or less annually, and have only needed to tweak the configuration when I've moved.
Good to hear that's worked well. Looks like there's now some Atoms with AES-NI, for future pfSense support.
I did splurge on an Intel server NIC card. Which is why I went with a desktop. And I don't run any VPNs on it.
What I do with untrusted wifi devices like my AV receiver and girlfriend's printer is put them on a separate network that has all Internet access disabled by default.

So if I lose my configs, these devices will simply stop working. There is no way for them to accidentally connect to my real network (since they've never known the passphrase to those).

Wifi is actually kind of better than Ethernet for this use case, since even if you set up certain switch ports to be part of a different virtual interface, if you reset to the default config they'll have full Internet access again.

I like the idea of partitioning by networks, as well as a safe failure mode.

BTW, reportedly, there's already at least one brand-name TV in the wild that will automatically connect to any open WiFi it can find, for the purpose of phoning home. When I upgrade to 4K, I might have to get a commercial monitor instead, or do some Dremeling.

> even if you set up certain switch ports to be part of a different virtual interface, if you reset to the default config they'll have full Internet access again

This is why you usually just blackhole the default VLAN 1, and configure all your trusted devices to be on an non-default VLAN. Then if your switch loses it's config, it defaults to nothing working rather than a free-for-all.

That still doesn't protect you from malicious drivers and bloatware installed on your workstation though.
The relatively svelte "MakeModel HP LaserJet Series PCL 6 CUPS" driver works for my (newer) model, and is faster and much less nonsense than the hplip driver.
Well, it's been several years since I used a printer.

But if I did, I'd use an open-source driver in Linux.

What is a good low-end laser printer or multi-function device to recommend to non-technical friends that "just works" ? I don't like HP for the reasons mentioned in the article and other reasons (blaring WIFI-DIRECT interference from their printers in houses all around me)

We bought a Brother a few years ago, because it supported Google Cloud Print. The idea was that my son, who used a Chromebook, would be able to easily print. The problem came when the GCP worked only for a limited time, and then stopped working a few weeks after we got the printer. I was able to set it up to work via a Linux machine and the "cloudprint" daemon, but this was supposed to be _EASY_ and it wasn't.

Assuming this was just a problem with GCP, I recommended a Brother to an Apple-using friend who was trying to decide between an HP and a Brother. She uses airprint (I'm not a Mac/iPhone person, so I never tried it). And she has the same problems with the printer just not being found as an airprint device.

I personally use Canon Pixma series printers. They work really well with AirPrint and are not super expensive.
I’ve been using a Fuji / Xerox Docuprint M225 for a 5 or so years now. Replacement toner was dirt cheap, and I expect to continue using this printer for another 5 or so years. Works with AirPrint and Google Cloud Print. WiFi can be finicky at times but nothing a restart doesn’t fix.
I've had a Samsung ML1665 for about a decade. I've needed one new toner refill in that period and I've not had any issues dusting it off every few months when I need to print a boarding pass or form. Oem refills are about £20.

Works fine with everything I've connected to it. Very basic, black and white, but it's fast and I see no reason to get a new printer any time soon. Occasionally I wish it had a scanner, but I can get away with photos. Never felt the urge to get a colour printer which pushes the price up significantly.

It doesn't do airprint directly, but most of these things will plug into a router with a USB port for network printing.

Note that Samsung sold their printer business to HP, unfortunately, so they are no longer an option.
There were brilliant until they were sold to HP. Great Linux/MacOS support. I bought one recently not knowing this, and though it works okay, there is no support, no driver updates etc.
I bought a cheapish Samsung laser printer.

I literally print about two pages per month, and it stopped being able to suck the paper up within the first three months. It can still print pages individually if you push the paper into it manually by sticking your hands into it.

It managed to print probably six pages before it stopped working properly.

Fail.

There's a lot of variety within brands. An organisation I work at has a small Canon laser printer (generally no problem with Canon) - we travel around a lot and often don't have internet connectivity. That thing is useless. It doesn't work with generic drivers and the CD is out of date. Every time we want to use a new machine we have to remember to download the drivers in advance.
If you don’t like HP because of the article, why do you like Google Cloud Print? Do you really believe Google is collecting less information about your printing?
I've used brother laser printers, which seem to work without downloading an app or something.

We used the current model with USB, but it has ethernet and wifi and I have not analyzed what it tries to do with an active network connection. If I hook that up, I would give it an internal ip with no outside connectivity and see what happens.

I’ve also used a Brother laser for several years now and am happy with it. It doesn’t appear to try to phone home, but it’s on a VLAN with no internet access and limited connectivity to anything local. Even if devices like this are not phoning home, it’s still sensible to put them on their own isolated network (or network segment if you have an L3 capable switch) because the chances are their firmware doesn’t get frequent security patches so they could make a nice ‘beachhead’ within your network.
I have only good things to say about Brother printers. My old laser printer (actually a bigger printer/scanner/copier all-in-one with the option to autonomously scan to email) died just last year after 18? years of service. If I were to buy a printer today, I'd choose Brother again, but I just don't do much printing these days, and it's just a 2 min walk to Staples from my place where they do all kinds of printing, scanning, and photo services.
Brother makes printers here with giant refillable ink tanks, instead of cartridges. Still on the ink that came with the printer when I bought it almost two years ago. On HP I would've had to replace the cartridge every few months for the same usage.
Except HP also offers printers with giant refillable ink tanks instead of cartridges.
Mine stopped working just after a year and a half. And replacing the printing head costs more than the printer.
We had a HP with replaceable ink tanks before. You still had to replace not just the ink tanks, but the whole printing head assembly because it would still clog up every half year anyway.
> I just don't do much printing these days, and it's just a 2 min walk to Staples from my place where they do all kinds of printing, scanning, and photo services

This is what I've ended up doing. We print maybe... 3-4 times a year? So I just walk down to a convenience store where they have a big multi copier/scanner/printer you can use for 10-20 cents a page. It also does photo printing so I don't have to choose between buying a laser or ink printer.

The only worry is you know the internal harddrives in those things are holding a copy of every thing that's gone through them, and god knows how they're going to be decommissioned...

Many people swear by HPs older large-volume printers, such as the Laserjet 4200 or 4000 series. A toner cartridge lasts 10000 pages, and you can repair the things if the need arises.
I have a HP 4050N that I picked up at an 2008 financial crisis bank bankruptcy auction for 5 Euros.

I've printed thousands of pages and am on the same cartridge that came with the printer.

Amazing printer the way most HP devices were.

There is no USB, just LPT but there are USB->LPT adaptors

I've been using a Brother HL-L2350DW on Wirecutter's recommendation for the last year, and it was just fine.

I don't know if it spied on me, though.

Wouldn’t wire tapping laws apply?
Maybe not once you "accept" the EULA that you never saw or read.
Are there any open-source telemetry detection tools out there to easily identify this sort of thing?
You can probably log traffic in your router.
What is the best "serious" office printer that doesn't have this kind of malware installed? Ideally that has a bay for multi-page document scanning and can print 100 double sided pages without skipping a beat? Bonus points for reasonably priced ink!
We've been using HP's Instant Ink subscription service for about two years now. Basically, you pay $3 a month and can print up to 50 pages. HP remotely monitors your ink levels and sends you replacement cartridges automatically when the cartridges need to be replaced. We tend to print close to 50 pages a month but have never gone over, so it's not a terrible deal.

Obviously, I would prefer to go with lower-cost third-party ink cartridges. But the printer companies tend to be doing more and more to make that a pain. With my last printer, you could use a third-party cartridge, but only after you dissected the original, peeled off its chip, and glued the chip to the new cartridge. And even then, you'd deal with the perpetual warnings about low ink even though you know the new cartridge has plenty of ink.

So Instant Ink is something we've done begrudgingly, sort of like buying overpriced movie popcorn. And in order to work correctly, it needs to be able to track how many pages you've printed, and we get occasional alerts when it gets knocked off wifi and can't communicate with home base.

Please stop supporting that. That business model really needs to die.
> Basically, you pay $3 a month and can print up to 50 pages. HP remotely monitors your ink levels and sends you replacement cartridges automatically when the cartridges need to be replaced.

Ugh dollar shave club for printers or something?

I refuse to engage in thing-as-a-service. The only reason companies do this is because they know if they bleed a little bit out of you each month you're more likely to say "it's only a couple of dollars". It all adds up costing huge amounts in your monthly expenses.

They then also know there's a huge portion of customers paying for this who aren't using their '50 sheets', so wow, they've just built a model where customers pay for a thing they don't use and they don't have to provision for.

> Please stop supporting that. That business model really needs to die.

I would up vote you more than once if I could.

(comment deleted)
My friends love dollar shave club, and I'm like "buy a safety razor for $20-30 bucks and a bulk pack of razor blades and you will set FOR YEARS.
My grandfather would sharpen his razor blades on his jeans, one would only need one razor blade if maintenance included sharpening the razor.
I use straight razors. With the right care they will indeed last a lifetime but I’d caution that it’s more than ‘sharpen it on your jeans’. For a start most are made of mild steel rather than stainless so you need to store them completely dry otherwise they’ll rust (so keeping them in the bathroom is hard given it tends to be a moist environment).
Nitpick: mild steel is awful for blades as is it is too soft and cannot be hardened. Most likely they are some sort of high-carbon steel.
Sorry, yes you’re right! Carbon steel. I should add that you can buy stainless steel straight razors but they’re much harder to sharpen properly so I think not very popular.
Or buy an electric shaver. Mine probably cost about AU$80, and has lasted at least 6 years. No sign of it going wrong, and I've never needed to replace/sharpen the blades, though apparently replacement blades are a thing.
Depending on how heavy your beard is, an electric shaver does not come close to the cleanliness a "wet" razor will get you. Maybe your mileage/needs vary.
> an electric shaver does not come close to the cleanliness a "wet" razor will get you

As someone who used to use an electric shaver since his teenage years I wholeheartedly agree. I do not grow a beard, hate them in fact and am always clean shaven.

I never ever once got a shave anywhere near as close as I did with a razor. After a while you can do it in the shower blind without a mirror just from feel.

On the other hand you never cut yourself with an electric razor. I used a wet razor for years but recently switched to electric because of this.
Depends on the model. My first electric razor lasted somewhere around 10-12 years with no issues, before it broke and I needed a replacement. The replacement was a newer version of the same model, and caused bleeding around my adam's apple every day guaranteed; I downgraded and haven't had any issues since.
> The replacement was a newer version of the same model, and caused bleeding around my adam's apple every day guaranteed

Those rotary ones are notoriously bad, they will cause pulling. I found the foil based ones like the braun series 3 to be a lot better in that regard, closer shave too, still nothing like a razor though.

It wasn't a rotary one though. The one that caused bleeding was a Braun Series 1-195s, while the good one is a Braun Series 1-190s.

The blades on the 195s are parallel with the foil though, while the 190s are perpendicular, so I'm sure it's the same problem.

Interesting. Mine is an old Philips Philishave, which use the rotary blades.

Pulling isn't really an issue unless my facial hair is extremely overdue for a shave. eg 4-5 days worth of hair.

When that happens, I just use my trimmer to take it back to near stubble, then use the above Philishave to finish things off.

(comment deleted)
> On the other hand you never cut yourself with an electric razor. I used a wet razor for years but recently switched to electric because of this.

I only cut myself very early on when I was new to it. That was about 5 years ago. I have now been using a razor exclusively for years now and cannot remember when I last cut myself.

I also use it for trimming other places too, haven't cut there either.

You definitely should replace the blades at least every couple of years. --The difference after doing so is noticeable.
> My friends love dollar shave club, and I'm like "buy a safety razor for $20-30 bucks and a bulk pack of razor blades and you will set FOR YEARS.

I got given one of these https://getrockwell.com/products/rockwell-6s-gift-set after I mentioned I wanted a stainless steel one and it was given to me as a gift.

Apparently it started from a kickstarter a few years ago https://www.kickstarter.com/projects/rockwellrazors/rockwell...

The person who gave it to me knew I am environmentally conscious. I remember reading that those cartridge razors are really bad for the environment as they are a mix of steel and plastic.

Now I can just use regular razor blades https://www.amazon.com/Feather-Razor-Blades-Hi-stainless-Dou... $22 for 100.

Feels good to not be locked into some proprietary mounting too, kind of the same feeling as using free software. hah.

I prefer it to my old Gillete one. More blades is not better, that is all marketing, and they just get clogged, ugh.

I don't see how being in a "club" that I have to pay any kind of "annual" fees would help me.

The idea is I have reduced my costs significantly and have everything I would want. Occasionally I buy a new tub of shaving cream when I run out. I am adult enough to go "that looks like a nice scent I will try that", and then decide if I want to buy more next time or buy something else.

I absolutely detest "monthly" or "weekly" payments of anything. The only exception I make is for utilities, or service contracts. If it's neither of those things why should I pay more than once? or pay for someone to trickle samples out in the post to me?

Buy a cut-throat and be set for life.

Seriously though, I have a safety razor, but I can't get a satisfactory shave out of something where the head doesn't pivot, so I use the local coops budget razors. They are pretty much the same as dollar shave clubs, but I don't have it here, and I rather not buy shit on subscription.

There are two things in the home that can be reused when I am dead: my model M and the safety razor.

>I refuse to engage in thing-as-a-service.

As a side note, whether one uses it or not, it should be called what it is: thing-as-a-monthly-subscrition (often automatically renewing itself).

Maybe it is just me, but to me something "as a service" is still something I pay "per use" and not something I pay a monthly or yearly fee in exchange for a given limited amount of something that I may or may not use.

There are legitimate advantages to this business model, and even though I'm not a fan of it myself I can appreciate the value proposition. One way to look at it is a form of insurance - it distributes an irregular large payment into a regular smaller monthly payment that makes it easier for budgeting. That can provide significant benefit in some contexts.
I mean - I can see why you would say that but Instant Ink has a free tier, and I actually am OK with selling my infrequent printing data for 15 pages a month + free ink so that I have a home printer for the few occasion when I need it.

There is no minimum usage level, and the fact they might know that some airlines require I print a boarding pass every few months, or some government for needs to be printed, filled out and posted - that's really not so bad for free (+ data).

I'm OK with them receiving that data.

>print up to 50 pages

Is this some economy ultra light printer or something? I get several hundreds of pages from each syringe refill.

What does the syringe refill cost? I also have the instant ink service and I want out
Ink seems to be virtually free at Monoprice. Like, "It costs more to ship this than the ink, so I guess I'll just buy 10 of each color, but now I have a drawer full of ink cartridges and need to find more things to print."
I refill it from the bottle. The bottle costed me under a fiver some years ago.
It’s 50 pages per month. The cartridges they get are probably the 150 or 200 per page ones. In other word they’re paying a monthly fee to get a max of 3 or 4 cartridges a year. Probably less.

I’ve grown to hate the modern ink jet printers with a passion. I moved on to the consumer laser printers. I’m sure I’ll hate them too soon enough.

In my family we use Instant Ink and actually love it. We're on the largest plan (300 pages/mo). We spend less on ink now than we used to, and it is a huge relief to not have to make a late-night run to the big box store because the school project is due the next day and the stupid magenta has run out. The ink is always there, waiting to be swapped out, then you recycle the used cartridges when they're done. It's incredibly convenient for us, is a cost-savings, and I am reasonably okay with the fact that they know how many pages I print and the types of documents.

HOWEVER, I was recently looking at the bandwidth stats from my network switch, and was pretty shocked to see the printer has sent out several hundred megabytes of data back to HP over the past month. I knew it had to communicate with the mothership so they could charge me for my usage, but that should be a packet that says something like "User XYZ just printed 7 pages," which would reasonably be 5kb per job. I have no idea why hundreds of megs of data need to go out, and so I'm planning of on doing some DPI investigation the to set what on the world it feels like it needs to be sending.

3 cent per page is surprisingly competitive, especially for an inkjet. I'm using a Color Laserjet 3600, a toner cartridge for which is about 40 dollars on Ebay. A colour cartridge lasts ~ 4000 pages, black ~ 6000 pages, that's 4 cents per page. Even though that is with second-hand supplies off Ebay it's still more than the official automatic ink in the mail.
>"User XYZ just printed 7 pages," which would reasonably be 5kb per job

Actually (of course IMHO) that should reasonably be (including the percentage of ink covered/black and a validation hash) below 150 bytes.

Sure, but let's face it, I don't think HP's top priority here is actually trying hard to make it small... :|
Yep, I surely agree :), the point is only on the use of reasonably , by allowing everyone to "grow" data (both when actually needed and when it is not) shifting everytime the range of "reasonable" we have today's monsters (web sites, OS's, you name it).

And surely I am (more than a bit) old-fashioned, but when you can use the Doom as a unit of measure, JFYI:

https://news.ycombinator.com/item?id=13211120

then it isn't reasonable anymore.

Thats $360 over 10 years. Spend that right now to get an excellent color laser printer that will last that long. Whereas your inkjet is very likely to fail sometime in the next two years (4~5 year typical lifespan). And with the amount of printing you're doing you probably won't even run out the toner that comes included with the printer.
$3 (I'm assuming USD) will buy you more than 100mL of black ink:

http://www.3000rpm.com/acatalog/Epson-Continuous-Ink-System-...

I have a CIS printer and dilute even further, usually a 5:1 ratio (it becomes slightly bluish beyond that point), but even as-is 100mL will print far more than 50 pages -- probably closer to 5000 if not more. At that point the cost of paper becomes more significant.

Edit: it looks like the other colours are the same price (when I last bought ink, which was a long time ago, CMY was slightly more expensive):

http://www.3000rpm.com/acatalog/Epson-HP-Canon-Brother-Conti...

> But the printer companies tend to be doing more and more to make that a pain

It's actually the opposite, recently all the brands have been introducing "ink tank" style printers (e.g. Epson EcoTank, Canon MegaTank) where you just squirt ink into the printer from a bottle, no DRM involved.

I bought my printer for immigration purpose, I would be way over on some months.
I don't print much. I bought an HP printer with Instant Ink strictly for the free tier (10 free pages p/m). This privacy issues concern me.

That aside, I've been thinking about what is the minimum amount data needed to identify what's being printed. For example, if you knew tbe lenght of the first X words, how many words would be necessary to identify a source? If you added the awareness of periods, how many words?

Long to short, it seems to me, simple and basic meta data used wisely could be used as a fingerprint (or sorts) to identify what's being printed without actually needing to capture the actual content.

As an aside, I found the opening paragraph amusing and painful in equal measure, given how I've often been treated by relatives because I, "work with computers."
Give me an old HP 32S calculator or LaserJet III. Not this post Fiorina crap.
Guess I might as well keep running my old HP printer which uses a parallel interface.
For anyone else looking to quickly block internet access from their printers (note this is IPv4 only):

  iptables -t filter -I FORWARD -m mac --mac-source "${macaddr}" \! -d "192.168.0.0/16" -j REJECT
Replace 192.168.0.0/16 with your subnet. You may also want to manipulate chains besides FORWARD as necessary.
neighbor bought a wifi hp aio printer; 30eur, ink included. They must make money somewhere.. of course.
This:

I don’t think that “is it OK if we have your printer collect metadata about your devices and what you print, and then use it online advertising?” is a question that HP should even be asking. They already know the answer, and all they’re really doing is giving people who have already paid them several hundred dollars for a cheap but functional printer the opportunity to make a mistake.

...is so true, and HP are far from the only culprits here.

It needs to be a lot easier to detect this is happening and stop it from happening, in the router.

I almost never visit my router's web interface, and when I do it's either to reboot it because it's acting funky, or check if it needs a firmware update. There's just nothing useful there. It's absolutely packed full of totally useless information.

And yet such a golden opportunity to provide actually helpful management functionality of all the devices on the network.

I'm not saying there aren't good products out there that do this, just sort of lamenting that routers differentiate on the colorful plastic molding instead of actually helping to manage, monitor, speed up, secure, and protect my devices, and when needed, protect me from my devices.

Last small office system I ended up using Draytek Vigor ADSL as it had a sensible max device limit, the ISP one would crap out at around 30 MAC addresses. The device management was pretty good and I wish I had the same kit at home (currently using an ISP provider router).

https://www.draytek.co.uk/products/business/vigor-2862#scree...

It's so sad that every company seems to be willing to do shady stuff like this just to grab a couple of extra cents from selling their users out.

Technology companies should be leading the way for privacy.

You'd think it'd be very bad for business for a company like HP to demonstrate that they don't care about their user's privacy.

But they all seem to do dodgy stuff like this, selling people's privacy for cents.

The only HP device I own is an oscilloscope from 1994, thankfully.