SINFO 23 – Thomas Watson (opbeat)

thank you I know it’s really cold and I know you guys probably want to get some beer soon and I like that you’re sitting over there by the by the air-conditioned that’s it’s a nice move maybe instead of beers we should get like hot tea or something so anyway my name is Thomas Watson um I’m Eric just Watson on github and I’m wa7 s 0 n on twitter which is beat for Watson as well so I work for this company called upbeat um and what up it does is it gives you like a nice overview of what’s going on in your i’ll try to see if I can talk louder here with all this noise it gives you a nice overview of what’s going on in your production systems on your server so when you have a web server you can see like the performance and if there’s any errors and nice stuff like that um and i work with javascript every day I work with no chairs in particular and I’m responsible for making sure that if you have an OTS happen production at up feel then you can money to a bunch of that so I’m writing the note case agent that you that you run on your server if you do that anyways when i’m not at the office encoding i’m coding somewhere else I travel a lot I these are some of the places I’ve been in last five years living or traveling and working as a digital nomad and if you notice portugal is actually on the map um it’s because I lived in Portugal last year for about five months so I was really excited to be invited here back to Lisbon um this video isn’t thank you but when I’m not or while I’m traveling I always keep in touch with all my nice cool friends and get up because github is awesome and I do a lot of open source and github a publish shitload of stuff most of it is probably not that useful most of it is in the mad science category I try to try to choose to stuff with reared protocols and stuff that stuff that you probably would take for granted and I try to build it from from just from scratch just because I can and just because why not and so that’s what I’m going to talk about today and I’m going to talk about how you can build your own printer in JavaScript with no hardware and you’re probably thinking why would you want to do that um because printers are awful like paper jam like that like it’s by the way a little secret what’s going on actually is this is what’s going on and you get like weird error messages if you have no idea what what does that even mean right so I decided to to dig into that and before tell you the details about that I want to tell you how I got to that the gut to that idea how I came to that idea in the first place and it all started with a couple years ago I was trying to figure out a way for me to do a play in JavaScript so airplay is basically all your Apple products are they have something called airplay and you can you can have your phone stream a YouTube video to your TV or you can you can play music from Spotify on yours on your system on your loudspeakers at home if you have an airport express and that’s all airplay that’s powering that it makes it really easy to just like open your phone and select TV or select your speakers and say play music or playing this video and it just works you there’s no configuration so while I was trying to do that JavaScript i feel i realized that it’s using this puncture protocol that you guys may be no i believe actually that’s just apples branding of the standard called silicon and silicon is actually just a kind of like a fancy layer on top of multicast minutes so i was like digging through the whole stack getting down to the old

school stuff and reading a lot of parties and i was implementing this and part of the standard is called dns service discovery or dns st for sure and that basically allows you to have a have a service on your network you just plug in a printer in for example like this one or any like your Apple TV and it just your Apple to be just appears on your phone and it just works in you haven’t believed configure anything you haven’t given it an IP address so you haven’t really Willie’s said anything about it it just appears automatically so I was looking in the in the list of all these different services you can advertise in a network and this one in particular drew my drew my attention is like IPP internet printing protocol and that was hmm normally like printers in my head is something that’s really like horrible and you need to install drivers and I knew that when I was on my mag if you just say install the printer and it usually just worked but I wasn’t really sure why I thought maybe Apple just bundled a lot of drivers with it was 10 or something and maybe that was wide work but then I was like internet printing protocol that sounds interesting let me dig into that and I realized it’s basically just a standard that uses HTTP to send to for your clients for example the operating system to communicate with your printer and as you can see it’s just setting the content type of the heroes here in the head of setting it to app education IPP and that’s that’s basically all that is to it and then down below you will have the body of whatever is being printed but not like a regular HTML value of course this is like binary format so I looked into the binary format and realize that it’s actually just have a list of operations that it can send to the printer so you have stuff like get the list of jobs that’s on the printer or cancel that job or hold the job or restart the job and stuff like that and the way it works is that IPP will always use the HTTP POST method and then it will just post to to the printer every printer have a path on the network but to tell the printer what you want it to do you you specify this operation ID in the third and fourth bite of the body so just to quickly show you what what that looks like yeah we can actually see the top where that’s good so the top there that’s just like saying okay we’re talking IPP version 1.1 so the printer and the client knows that they’re talking the same version of the protocol and here’s the operation I think this is operation at the 11 which was get printer attributes then you have a request idea the quest I to use just basically because HTTP runs on top of TCP of course so it is the client just opens a TCP connection to the to the printer and it can send like a lot of requests and to know it might not get the request back in the right order that is the same order that i sent them so to know what the printer is responding to you you have to just echo back that request ID and then you have a list of of headers these are not HTTP headers these are head as inside the body they’re called attribute groups and attribute groups is a way for the client to tell the printer what I want to know or extra metadata about the print job and you can have multiple of those and it basically just a fancy key value system you guys have good tent builders here I hope anyways so you have a name and a value so all the headers are like that and you can have different types here’s the boolean and at some point you end you get the the end of attributes tag two or three and then after that you get the actual document if you’re printing a document because if you saw as you stole from before a lot of the stuff had not any had hadn’t anything to do with with printing at all it was just getting jobs or getting like how much toner is left on the printer and stuff like that so I implemented a very very low level implementation of because that other stuff is really annoying and hard to read so I don’t want to read that so I’m moving the distance step which is called IVP encoder which is basically just this is JavaScript um and this is actually node so there is other big they require or you can’t even see that so I’m above this I’m requiring the IPP encoder module and I’m just decoding the buffer i get from to the let’s pretend we are server now we are at or a server

a que aprender so let’s pretend be a printer so i get some data in a buffer and I decide to decode it and I get the decoded object which is the nicer way to interact with all these attributes we solve it all I handle the request in some way and then I sent back response to the client and the response is very similar to the requests it also have a it has a status code and you echo back the request ID and then they have the same headers or attribute groups and you can set different stuff like the default charset or you can even have strings in different languages so the printer so sorry so the client can show error messages and Status Messages to the to the user depending on the language of its operating system and then when you’re done with that you just encode it and you get a binary blob bag that we just go back so I thought it would be fun to actually make a printer and I found out that the required the minimum set of stuff you need to do to be like a proper printer if you just need to implement the ability to print a job of course because otherwise not very funny you need to be able to validate the job get the printer attributes so that’s like how much toner do you have left or is is it like what kind of paper is in the lot of bottom tray and all that stuff get the list of jobs that’s currently on the print notes cancel the job or get job attribute to get job attributes could be like the name of the print job or who sent the print job or how many pages are there in the print job stuff like that and I released that on github it’s called IPP printer and I want to show it to you so I couldn’t even spell it was so cold when i was typing this so i couldn’t spell cell phone so so let’s so basically it’s real simple we give em payments call so NP empleos those who don’t know I’m gonna sit down here oops those who don’t know mpm is the node package manager it’s basically just a fancy way to get software onto your computer so I install the IPP predict can you guys see this by the way this is it’s a size whoa yeah hey I guess you can see that let’s clear this so it’s actually a bit of symbol we just make a file and we require the printer it’s always fun when you do live demos like this because you know how the demo guards they tend to not work the way you do so let’s give it a name and this this this time I’m actually trying to spell sinful correctly and it’s what’s called an event diminish so we can just listen for a job on the printer so every time there is a job on the printers every so basically every time somebody sends sense something to be printed we want to do something with it and we could go for example say new print job print that out and it have a name so you can print that and that’s actually let’s in this case let’s write it to the file system spell require and there’s a handy module for that a node called FS so and let’s give it a proper file name so let’s say print job job ID let’s expect that it’s in the PS format the ps4 matt is is postscript so and let’s make a file and like this how many of you guys have a program then no Jess before Oh quite a few nice so and let’s just pipe the job the job is extreme so we can just type the job you spell pipe into the file and let’s when the job ends so babe ends means basically that we had we done printing ah let’s just ride um written file name like this okay so that’s a printer this is 13 lines of code hidden behind a shitload of modules that I wrote and now we run it nothing happened find out of course because we haven’t

said anything to the printer we haven’t even installed it so if I go in so there’s my mouse if I go into printers and scanners and I click the little plus icon lo and behold I have a central printer this is interesting let’s print to that let me say add like yeah boom done perfect let’s find something to print let’s print this I can’t even can’t see the top of this mean here this is gonna be interesting there we go this is ready so let’s let’s print this and it selected it here and let’s click print let’s go back and see what happens here why does printing so another operating system is trying to print and boom there we have a print job and you can see even got the name of the page I was browsing or I was printing actually so let’s try to look at this look what this print job one boom there we have a PDF it’s so it’s actually a PS but is but it it whoops I don’t know what I’d selected there but it convert it converted it to a PDF for me for me anyways it works don’t say no quit delete copy whatever yes thank you okay so as it’s not my talk no there’s more so what can you do with this you could for example make your own printer that every time you print something you could print it to your kindle if you own a kindle so it just appears as a book or document on your kindle or you could like print stuff to your accountants so you can like do your taxes for you like every time you have a receipt you buy something else out amazon it is printed and Boop’s goes to print the receipt and it goes to your accountant but you’re like you could print something and it will like make it into a photo and attach it to a tweet and tweet it automatically every time you print something or you can make it you can make something called ncf acp which is a fancy acronym for NSA CIA FBI also centering printer complete to basically before to print something out he just blocks my hand em stuff because you can also actually print stuff out you don’t need to like save it to disk or email later do so you could just like get like a proxy between the actual printer and the client who is trying to print it which opens up the idea version really fancy stuff anyways um I put this online as well so you guys know HTML pin and stuff like that I made something called print bin which is this it’s basically like a public printer is on the internet and everybody can print to it you guys can print to it as well you can actually do it right now and just follow these the guy here so let’s just think maybe I already installed this so let’s just just write print been and what it’s doing is its advertising the print print server on the network but instead of pointing to a local printer it pointed to an internet IP that’s actually on here oh koo sow your operating system just things oh it’s a local printer but in reality it’s a printer that’s hosted an hero so I’m going to add the print print printer and you only need to do this once once you’ve added it it works you don’t need to run this but this is just an easy way to add it basically and so let’s let’s try to print this pace this is really matter let’s select the print printer turnouts printing and it’s it’s sending the same thing the print you up to Hiroko and he Roku is doing stuff with it and it’s putting on s3 and if you reload the page hopefully while I was talking it that is i’m gonna click it and we see so we have to be luckily nobody have printed like nasty stuff to

it but you never know and it is everybody can see every print job that everybody prints just saying ok but that’s all fun and games what about security you ask thank you for asking that question so while i was doing all this this is like this is something i do for fun because i like reading RFC’s and it’s really weird i have a problem with my brain maybe i don’t know so while are we reading all this stuff I couldn’t help thinking like I was reading through the RFC’s and I realized the way the way this works or the way the way that your Apple TV works and the way that the printer works that you just plug in and it just works is that it’s normally when you have a DNS system you have somebody asking for a query saying you’re asking asking making a query asking for something so it will say what is the IP address of sinful org and some dns server will respond back saying oh this is IP address of sin fedora ok cool but in multicast in is instead of just talking directly to the dns server and the dns server just responding back everybody on the local network can see the communication so you just broadcast her but because there is no dns server the whole point is that it you don’t need any configuration so you just broadcast what is the IP address of San forg and then there might be a DNS server somewhere that says oh I know that and it responds back this is IP address and it responds not only to that person but to everybody else so everybody on the network now know what the IP addresses for Stanford or org so there’s actually nothing that inhibits you to be able to just say let’s pretend somebody asked me what the IP address first info dog is let me just like broadcast it out to everybody even though nobody asked me and then now everybody knows the IP address first info or even though nobody asked and then that is how you Apple TV work when you plug it in it boots up and nobody is asking is there an apple TV but the apple TV just says let’s pretend somebody asked and this says hey I’m unable to be and and I’m running this version of the software and you can talk to me and I have these features you can do like screen mirroring and you can like whatever play music on me stuff like that and then the cool thing is that if you have a printer and it boots up and the printer says oh I’m a printer and you install it then if the printer shuts down and you you take the power out and powered up again later it might get a new IP address but you don’t want all your users on your network like having to i reinstall the printer just because you got a new IP address’ because it has the same name so what you want to do instead you want to have all the client just use the name as the key and if they do see another printer or somebody else with a different IP address having the same name they just assume it’s the same printer and this is this is some this this can be a problem i found because oh yeah one one thing one last thing so what happens if two printers on the network are called the same if the name is the key to the 22 connected to it what if two printers are called the same so there’s a rule too so they made that they thought about that when they mate Darcy and there’s a rule that says if you are printer and you have the name sin fo and somebody else on the network say hey I have the name simple you have to change your name so now the original printer that was called sinful is called something else so yeah so the attack vector I’m gonna explain is using your comp and the way it works is that us an attacker you send a malicious emptiness packet on announcement on the network saying help I’m a Colts info I’m a printer and I have this IP and I have this port and then the the actual printer is forced to change the name and then at the same time all the clients on the network just CEO now’s now sinful the central printer I have a new name oh sorry sorry have the same name have a new a IP and port um and if you’re really clever as an attacker what you do is you just now you get all the print jobs but you don’t want everybody to know that so you just forward them to

the actual printer and so nobody knows that you’re actually intercepting all their print jobs this is basically a man-in-the-middle attack and this was all theory and I was like I was reading the rfcs and I was thinking had this should be possible unless what wonder if it is so I try to do it at work and suddenly I can read everything that peel were printing and I thought why not publish this to everybody else can do the same thing and it’s it’s on github is called PCC for blind carbon copy and this is going to be interesting now see if the demo garter with me here because I’m going to try to hijack this printer here I which we tried to set it up before and it was really messy and I’m running it off my mobile phone as the essen as a network so I need to just join my phone here on my computer so now that’s done and then I need to see if i can find the printer to know that is dubs don’t do that I was messing about with this before why can’t well me not hard let this which I just tried this once before and let’s see let’s see if it works this time last time I didn’t have to download anything let’s try to do din at it let’s try to what did i do lifetime going to do like this no airprint that’s better pick us crossed okay good it’s not we have a printer and just to show that this works let’s um let’s print this page here and hopefully hopefully this this will starts to spit out stuff soon so what is some you can’t hear that but it’s pretty nice okay so it works good boom so you can still see this good so i made this tool and you install it MPM install bcc and then you run it and it looks on your network to find all the printers on a network and it gives you the possibility to select one of them in this case there’s only one I’ll select that and now it’s just waiting it’s already taking over the printer and my computer here just thought oh a new IP address for the printer cool i’ll use that instead so so when we print something you can see now it’s it’s getting requests it’s intercepting requests the number is now 3 you see it’s printing a job documents printed one the latest one here and is saving it on disk but the clever thing is there’s actually printing still so I don’t know I have no clue that I just intercepted these calls here and now i have a 8 job something something something that bin which is the actual print job that was just printed on the printer so so so so what happened now so what happened was that it forced this printer to change the name and then it took the same name that has one sad side effect if you if you check now the printer before it was called to hear but it changed his name to three because it was like all I can’t be called the same so just like incrementing the number so if I if I take it over now do the same thing again just cancel and try again is you know it’s called for and so so every time you do this the printer is like what the why is somebody always taking my name and just keeps incrementing this number so if you suddenly see that that your print that you have like printers on

your network with like a number after them then you know I’ve been at your network sorry so do you guys have any questions there’s one there you’re gonna get a mic so everybody can hear it so have you actually use this in your office yes any special things you want to tell us about it any special what story the things that you seen or something yeah well I I I don’t want to get fired okay uh-huh so I did it while nobody was at work and just see I just wanted to see if it would work and tested it with one of my colleagues he knew what was going on I know that’s a really really boring answer to that so that’s Christian but I then I went in and I and i renamed the printer afterwards to to the original name server because otherwise he when I’m when I’m shutting down this this man in the middle program now everybody can’t friend anymore because they still their configuration is still trying to use the old name but the printer now changed his name no actually I can I can’t just unplug the printer and turn on again because this is action this is true this is in the RFC standard you it says specifically that whenever you change your name because of this this naming collision you are forced if you want to follow the standard to keep the new name even after reboot so any other questions while we were adding the new printer first it was appearing by akan option that was downloading drivers yeah and then he selected the other option when it appeared why um does does it always work or you have the pre interest we have it like in a special way that allows for your tool to work um so so what was going on there was that for some reason I don’t know if it was to set up with my phone as something that it’ll probably related to some packet loss so my computer couldn’t figure out that the printer was capable of of I PPG or something like that so yeah I think yeah so so so it is that okay this this printer the dust does not talk IDP so I need to download some printer it some drivers to make it work then when I tried again it figured out out its support IPP so it would do it okay so it just works with any IP printer yeah it works with with any any IPP printer that uses puncture or steer conf to advertise myself on the network and my experience is that that most printers today who have like either Wi-Fi or network most printers today support that standard because it’s like every every time you just you you add an office or at the school and and click add a printer and it just appears is usually because it’s using bonjour do to make it appear okay thank you so any other questions um I have some stickers and I have a t-shirt that does anybody here won a t-shirt whoa already have one t-shirt I’m gonna give it to you because you asked a good question there you go and if you guys like coffee I have some awesome coffee stickers oh did you come up and get afterwards any other questions see oh oh yeah you can’t get another one too caustic yo dije already got one t-shirt that’s okay I also wanted to ask like what was the feedback you got online when you publish this tool like is this actually used in a nanotech or I don’t know if anybody used it i published it because this is technically not a security for this is not a flaw in the standard it’s that’s an important point so normally when you discover it security vulnerability what

you’re obliged to do is you have to contact the people who can fix fix it before you disclose it but this is not this is not a security vulnerability well it is technically one ability but it’s not a bug it’s not like it somebody wrote some bats software made a buffer overflow or something it’s just like that’s how the standard works to be able to have this easy configuration we have these drawbacks so the way to fix it would be to use something like DNS SEC as Paul was talking about earlier if you were the first talk today so that’s why that’s why I published it and I don’t know if to get back to your question if anybody used it it has like forty three stars and github so somebody like it but I don’t know I haven’t heard anything yeah all right any other questions okay hi what was what is the most challenging thing in your work in my what in what you do what is in your well what my question is what is the most challenging thing that’s your face when you are working oh good question most challenging thing a I face wit when I’m working arm so it is like yeah dealing with undefined stuff no it’s so at my job at I show my tail job when I’m not doing this crazy stuff it’s working at upbeat and i’m writing this node agent this piece of code that runs at all our juices and all our customers infrastructure sits on their server on their production servers it’s running their websites and everything and it sits there and it monitors what’s going on and if i write something that’s like broken i can take down their service um and if it’s slow their service are low so and it’s easy to if you owned all the hardware or if you do if its own website is easy to handle because hey you control entire environment but if your code is going to run at the same in the same way no matter if people are running this version of node or they have this load balancer in front or they are like running on this weird architecture and then you get like a bug report saying it doesn’t work or it’s saying weird things you like what the it’s that that is that is that is really challenging it’s really challenging that to write software that runs on somebody else’s computer and if you can debug easily I don’t know if that’s a good answer but when I do open source software like that’s not for the company in the in the beginning the challenging thing was to just be able to publish it and say okay hey I made this software like do you guys want to use it and then I got like zero stars and github it’s like what the nobody like my stuff or I was so maybe I was afraid that that the people were going to read my source code and figure out that I don’t know how to program or something say hey you’re using this thing wrong or um but that’s totally wrong because first of all nobody ever beats your source code anyway so and and and people are I usually know my source community extremely good at at giving positive feedback Pablo no one so i mean i would encourage everybody to just like get involved in open source i know that there’s nothing to do with your question but this doesn’t make sense all right any more questions so like how I’m just like pluck open source software that yeah I just so let’s give a big round of applause to Thomas oh and remember stickers thank you if you want to take ur stay up here so everybody I don’t know if anyone’s signed for the workshop tonight just to give you a heads up it’s going to be like in those rooms I think probably most of you already know yeah the cake you live cake

okay who wants cake okay okay so thank you everyone this was the great addition of sinful so hope you like it