> My Brother printer is not allowed to talk to the internet. Here's hoping a Windows machine on my network doesn't accidentally update it.
Same here.
I keep my HP LaserJet isolated from the Internet (both directions), as well as from LAN devices that haven't been allowlisted for it. Only devices that are limited to generic open source drivers can print to it, since you can't trust the battleship-sized HP "driver" packages not to update firmware.
My Brother color laser printer, I don't use very often, so I just carry the Debian laptop over to it, and plug in the USB cable, as needed.
This isn't perfect, and I can still think of sneaky ways to update the firmware of the small fraction of the installed bases that do isolation like this.
But it's the best reasonable compromise I can find right now, without spending hundreds of hours on what I suspect is the next step of protection. (Which would be "data diode"-like filtering that's aware of application layer protocols and file formats, and only passes validated-safe bytes to the printer. I suspect that an even harder approach would be trustworthy open source replacement printer firmware, unless someone finds and pursues a GPL legal attack, like the situation that birthed the wonderful OpenWrt.)
AFAIK, Brother seemed to have pretty universal word-of-mouth goodwill among techies until the last maybe couple years. But even if that goodwill had significant effect on the balance sheet (relative to the primary marketing methods), my layperson impression is that it'd be a rare CEO who didn't cash in goodwill (especially goodwill built up by a predecessor). And with US government being sabotaged right now, maybe regulators like the FTC will also not be barriers to brands doing whatever a CEO wants, even more than in recent decades.
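One narrow piece of the "data diode"-like filtering idea from the comment above, as an added example (not the commenter's code): a default-deny check of a print job's PJL wrapper that a filtering proxy could run before forwarding bytes to the printer. The allowlists are assumed policy, the sample jobs are constructed, and the page-description body itself is not inspected.

```python
import re

UEL = b"\x1b%-12345X"  # PJL Universal Exit Language marker
# Assumed policy: trim these to what your generic driver actually emits.
# Anything not listed (for example DEFAULT) is rejected.
ALLOWED_COMMANDS = {b"COMMENT", b"JOB", b"EOJ", b"SET", b"ENTER"}
ALLOWED_LANGUAGES = {b"PCL", b"PCLXL", b"POSTSCRIPT"}
ENTER_RE = re.compile(rb"^ENTER\s+LANGUAGE\s*=\s*(\w+)$", re.I)


def check_job(job: bytes) -> tuple[bool, str]:
    """Default-deny check of a job's PJL wrapper. Returns (allowed, reason)."""
    if not job.startswith(UEL):
        return False, "job does not start with UEL"
    pos = len(UEL)
    while pos < len(job):
        if job.startswith(UEL, pos):  # UEL separating sections of the job
            pos += len(UEL)
            continue
        eol = job.find(b"\n", pos)
        end = len(job) if eol == -1 else eol
        line = job[pos:end].strip()
        pos = end + 1
        if line[:4].upper() != b"@PJL":
            return False, "data outside an allowlisted language section"
        fields = line[4:].strip()
        command = fields.split(None, 1)[0].upper() if fields else b""
        if command and command not in ALLOWED_COMMANDS:
            return False, "PJL command not allowlisted: " + command.decode("ascii", "replace")
        if command == b"ENTER":
            m = ENTER_RE.match(fields)
            if not m or m.group(1).upper() not in ALLOWED_LANGUAGES:
                return False, "ENTER LANGUAGE target not allowlisted"
            nxt = job.find(UEL, pos)
            if nxt == -1:
                return False, "language section not terminated by UEL"
            pos = nxt  # skip the page-description body; not inspected here
    return True, "ok"


# Constructed sample jobs (not captured from any real driver or printer).
GOOD_JOB = (UEL + b'@PJL JOB NAME="demo"\r\n@PJL SET COPIES=1\r\n'
            b"@PJL ENTER LANGUAGE=PCL\r\n" + b"\x1bEpage data\x1bE"
            + UEL + b"@PJL EOJ\r\n" + UEL)
BAD_COMMAND_JOB = UEL + b"@PJL COMMENT sample\r\n@PJL DEFAULT COPIES=2\r\n" + UEL
BAD_LANGUAGE_JOB = UEL + b"@PJL ENTER LANGUAGE=EXAMPLELANG\r\n\x00\x01" + UEL

if __name__ == "__main__":
    for name in ("GOOD_JOB", "BAD_COMMAND_JOB", "BAD_LANGUAGE_JOB"):
        print(name, check_job(globals()[name]))
```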