Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!uunet!mcsun!hp4nl!fwi.uva.nl!betty!casper From: casper@fwi.uva.nl (Casper H.S. Dik) Newsgroups: comp.sys.mac.misc Subject: Re: LaserWriter Password Message-ID: <1151@carol.fwi.uva.nl> Date: 21 Jul 90 20:28:56 GMT References: <1216@surf.sics.bu.oz> <10557@batcomputer.tn.cornell.edu> Sender: news@fwi.uva.nl Reply-To: casper@fwi.uva.nl (Casper H.S. Dik) Organization: Faculteit Wiskunde & Informatica, Universiteit van Amsterdam Lines: 71 In article <10557@batcomputer.tn.cornell.edu> mha@tcgould.tn.cornell.edu (Mark H. Anbinder) writes: } }I believe in order to use a LaserWriter that has had its password changed }from 0 to something else, you have to patch your Laser Prep file to tell }it to send the new password. I don't know how to do this... I don't }think it's a feature of the PostScript controller that Apple intended }for people to use, so it is not well documented. I have the same info }you do about setting the password through pure PostScript, but don't know }how the drivers on the Mac end handle it. The feature is well documented by Adobe. Apple is to blame for the not working of the LaserPrep when the password is not 0. They should have done something like: statusdict begin 0 checkpassword %now decide to download LaserPrep permanently %or not We use lwsrv from CAP which never causes the LaserPrep to be downloaded permanently. It also allows the use of several different LaserPrep versions at the same time. }Using the password you set it to, you should be able to get access to the }controller and change the password back to 0 (I strongly recommend this!). }You'll then be able to print without modifying your Laser Prep and those }of all the other users on your network. (Visualize for a moment the chaos }that would ensue next time you upgrade to a new version of the LaserWriter }driver and don't remember the password to patch the new driver files....) We don't have that problem, because we don't have to patch anything. But CAP isn't really an option if you don't have a UN*X box. I have given our laserprinter a password and a different AppleTalk type. Now there's no way a user can print directly to the printer, download fonts permanently or do irreversible damage. (Because Apple LaserPrep assumes a 0 password, downloading requires the password and with the password you can wipe the printer's disk or worse) }That trojan horse you mention is particularly insidious. There is NO way }to return the printer to its default password without replacing the entire }controller board unless you know the password. If a program has set the }password without you knowing it, you're screwed. There are only 65536 }possible passwords, so in theory you could write a program to try them all, }but to prevent unauthorized people from doing just that, the PostScript }controller waits eleven seconds (or was it minutes?) after an unsuccessful }password attempt before letting you try again. Our printer (Apple's printers too, I think) allow 2^32 different passwords. They all wait one second (after a checkpassword). It will take a cracker 136 years to check all passwords. }If that trojan spreads, it will be interesting to see whether Apple will }let people affected by it replace the controller board in their printers }under warranty or AppleCare, or whether they'll say such damage is not }covered... It's just an eeprom that needs to be replaced. So if you have access to an eeprom copier and an identical printer you can replace it. But it might be soldered to the controller board. If this trojan gets around, Apple should: a) tell people to set a password on their LaserWriters b) provide a utility to do so. c) provide a utility to download laserprep with a password. or c2) modify laserprep to enable people to print without the password. -- Casper H.S. Dik VCP/HIP: +31205922022 University of Amsterdam | casper@fwi.uva.nl The Netherlands | casper%fwi.uva.nl@hp4nl.nluug.nl