Are Your Peripherals Monitoring You?

An anonymous reader writes " Engadget is reporting that 'Lexmark, makers of printers and scanners, has been caught monitoring users' printer, scanning, and ink cartridge usage.'" Newsgroup comp.periphs.printers readers noticed the software; the Engadget report says that "Lexmark say they're just tracking printer and cartridge usage, but the registration information and packets being sent say otherwise."

Not clear?

[BoldAC]

Not clear what they are monitoring?

What am I missing? Couldn't somebody just install the program and sniff the information out of the packets?

Gesh, this is slashdot...

Re:Not clear?

So when are some of our state attorney generals going to get off their butts, review their respective computer use laws, and apply the law against these felons?

In Nebraska, it is a class IV felony to use another party's computer resources without their consent. As Lexmark has continued to deny their software is conducting surveillance on its customers, it is pretty clear they've lost an argument that their customers gave them consent to spy on them. This is pretty evident unauthorized use, and needs a few AG's to get busy (please, none of this "overworked/underpaid" crap which I've heard AG offices use before. Everyone is overworked and underpaid. Get used to it or resign so we can find someone competent to work in your office using our money).

Slashdotters using these products should sent registered letters to their state AG office filing a complaint and requesting criminal investigation. Follow up in thirty days if no progress has been made and send letters to your governors office indicating the AG has not proceeded in a corporate criminal investigation. Contact your newspapers and let them know that the AG's office is permitting corporations to spy on state citizens without consequence. Spyware is becoming a significant fear for common people and AGs that ignore it will soon be returned to private practice.

The other thing that needs done is closing up the EULA loophole. Lexmark presumably did not try specifying its right to spy on customers in its EULA, but others do and given increasingly restrictive return policies on technology products by retailers like Best Buy (as reported on /.), burying spying consent in a EULA is unacceptable. Spyware must be opt-in and states need to establish a separate consent agreement that must be used independent of EULA, contract, service agreement, etc. Imagine a separate form that you must sign that states that you have been advised that your product being purchased has spyware and will monitor your activities, requiring your signature and reference to verification documents (e.g. drivers license) to authorize.

Absent this form, vendors using spyware should be *criminally* responsible. This is obviously a wish-list item, but would have an appropriate limitation on corporate spyware. Having AGs enforce existing laws, on the other hand, should be done immediately and informed Slashdotters can have an influence by submitting complaints and following up. As always, send those letters via certified/registered mail - it's the way to let the other party know you're putting them on notice.

Re:Not clear?

[budgenator]

It's stupid because they can't detect the image of a countefit currency, they can only detect a yellowish pattern of 5 circles printed on the currency. If I try to print anything with the pattern, the software fires up my webbrowser to a website that tells me about how counterfitting is wrong. Now If I am a clueless teenager, I see the site and think "OMG they know" and stop doing the stupid shit like scanning currency it's good. If I am somebody who is trying to print out someting completely legal, but happens to have that pattern I think "but this is not money, what are they talking about" and try again, sooner or later the Secret Service see my IP address a shitload of times and comes to call just to say HI, and to let me explain myself before a trip downtown to jail for a little chat.
Another possibility is some printers, if they get more than a certain number of images with the pattern lock-up, requiring an expensive service call from a factory rep, who's policy is when they see that error code, will report it to the Secret Service. Immagine what it could do the the Secret Service's ability to investigate real crimes if I posted some pictures of Sara Michelle Geller nude with the pattern on a P2P network.

Re:Not clear?

[LiquidCoooled]

The pattern placed onto banknotes is called the EURion constellation.

It is a pattern of 5 small circles that is like the Orion constellation.
It has apparantly been included on the back of the new $50 bill. (http://en.wikipedia.org/wiki/U.S._fifty_dollar_bi ll

I even found a program that supposedly adds the marks to your own dowuments, but you iwll have to look for yourself, because I can't view either postscript, or pdf.
link here: http://wildspark.com/eurionize/

Data stealing

[Realistic_Dragon]

Linux can do it just as well as Microsoft and Lexmark! Admittedly, you do have to install it yourself, but the feature is there and just as good as these so called professional vendors can offer!

ZoneAlarm

[TVC15]

Interesting, I just installed ZoneAlarm on a PC last week and it gave me an alarm that some Lexmark process wanted to make a network connection. I havnt had a Lexmark connected to that thing in probably 3 years (and can find no obviously labled Lexmark files) but have been too lazy to reformat the drive. Perhaps it's time to break out the install CDs.

Re:ZoneAlarm

[Captain+Chad]

Would that have been the 'PDP RPC server' by any chance? I had the same issue with a Compaq-branded Lexmark printer. It took a bit of google searching just to find out it was from Lexmark and that 'PDP' stands for 'Print Driver Plus'.

Didn't the users agree to this monitoring?

[Secrity]

Somehow I don't believe that Lexmark would install this spyware without having the EULA cover it. This may be another example of people just hitting "AGREE" (effectively signing) without actually reading the EULA (a legally binding agrement). Stupid laws? Stupid people? Both? You decide.

Didn't TFA indicate that...

[gargonia]

... the information was being stored in a file? Perhaps someone who has access to a copy of the file can post it somewhere. I'm sure there isn't going to be high security on it, so perhaps someone can crack it open and we'll see what kind of information they're getting.

Xerox network lasers

[prestwich]

We caught a xerox network laser printer trying to send mail, by itself back to xerox; it tried three different outgoing smtp servers that fortunately our gateway blocked.

I don't know what was in those mails - but a google search revealed an article about a large data mining system based on Oracle; I think the main intent was to detect reasons for early failure - but who knows what happened to the data.

Re:Xerox network lasers

[CrystalFalcon]

Xerox printers can be configured to automatically order new supplies when the current ones run low. You're sure it was not something like this?

Also, they can be configured to send out e-mail to supply adminsitrators (in this case, picture Carol, the PHB's secretary in Dilbert) to ask for ordering new supplies with a handy web page served from the printer, if human intervention is desired. You're sure it was not something like this?

As every printer manufacturer...

[Z00L00K]

This is probably only the top of an iceberg. All printer manufacturers are trying by different means to keep up the incomes by secondary sales in some way. Some more intrusive than others.

Personally I dislike inkjet printers since they usually are causing a mess by spreading the ink everywhere, and the printouts are normally not water-resistant either! Another thing is that the ink cartridges tends to dry up and cause messy pritouts if any if you leave the printer unused for some months. Only way out is to buy a new cartridge.

Laser Printers are a little better, as long as you have a decent vacuum cleaner arond to catch any excess toner. At least they don't mind being offline for a year in decent conditions. (maybe you will have to shake down the toner in extreme cases)

In all, tracking printer use should only be acceptable if the user is notified beforehand, and that the data communicated is easy for anybody to check regarding it's content. The user must be able to disallow any usage tracking.

A legitime use of printer usage tracking that I see is actually to let the printer manufacturer find out the most common errors occured with a printer, and which colors that are most frequently used in order to optimize coming models on the market. But as noted beforehand, the user must have his/hers last say in this. Relate this to the error reporting that Microsoft offers for Windows XP. (Not that it actually catches ALL problems)

My 1/2 cent opinion...

Re:Another Posible Reason

[Anomalous+Coward]

More likely they would instruct the driver to go into "crap quality" mode. Then they could point to the lousy print you get with 3rd party ink and say "See! Those other ink cartriges aren't as good as ours! Look how much better the print is when you use genuine Lexmark brand ink cartriges!"

At least, that's what I would do if I was a sleazy, money-grubbing corporation....

broadband routers

[Vladimir]

my router logs all in/out connections and keeps bandwith utilization statistics. Last morning it informed me there is a new firmware update (so it called home). It is also capable to establish VPN tunnels via IPsec so it can send anything it likes without any possibility to examine content. Does it spy on me? Who knows..., but I started to think about installing a normal Linux box instead.

Are yet just, plain, mad?

[steve_l]

I dont understand lexmark. They crossed the boundaries of the sensible with the DMCA suit, now they are up with this spyware print driver thing.

Are they in league with the MPAA or something? Or do they just want to get extra money from users.

The fact is, refill cartridges perform a valuable role: they keep the retail cartridges within bounds. If it wasnt for the refill biz, the vendors would be tempted to charge even more.

As for the spyware stuff -if this is in UK print drivers (as the zdnet UK article implies), then it could be illegal under our data protection laws. It certainly ought to be banned. All spyware should be illegal.

That is the nice thing about OSS -you can check the print drivers, and anyway, like linux.org or sf.net cares about your printing. Interestingly, spyware is very rare in the macos world too. There is something about windows that just encourages it. I think it is the fact that Ms effectively ship windows with spyware-to-MS preinstalled, then the home PC vendors join in, giving the green light to everyone else.

I despair.

Re:Are yet just, plain, mad?

[ScrewMaster]

Well, the business model that Lexmark (and HP, Canon, and the rest) follow is that of selling a cheap printer and expensive consumables, with the costly ink subsidizing the initial low price of the hardware. We can all agree on that much, I think. And, honestly, that approach did make a lot of sense when printer technology was improving by leaps and bounds and users were continually tempted to upgrade their equipment. But nowadays, inkjet technology is becoming fairly mature and you really don't see major improvements in price/performance anymore. That being the case, I'd rather pay a hundred bucks more for my printer, right up front, since I'll probably be keeping it for a while, and then pay a more competitive price for the cartridges.

Frankly, I think you may have it backward. Lexmark isn't the crack dealer: we are. They get the first hit (i.e., we give them fifty bucks for the printer) and then they keep getting periodic hits every time we run out of ink. The problem is, printer manufacturers have growned accustomed (nay, addicted) to this way of doing business: they like that unending revenue stream from little boxes filled with ink. It's the way of the modern world, i.e. don't just sell somebody something once, sell it to them over and over and over.

I'd like to know how many ink cartridges you have to buy before you've paid them back for the loss they took on the printer itself (assuming they take such a loss, China makes things pretty cheap nowadays) and when those sales start becoming pure gravy. Hell, if Lexmark wants to use those spyware drivers to help their customers they could do this: keep track of the number of times the cartridge has been replaced, and when the company has made back what it lost on the printer sale, send the user a discount card. The user could then take that card to any store that sells Lexmark cartridges and get some money off. Hell, if Lexmark wants to accumulate personal data in spyware fashion they should give something to their customers for the privilege, much like the major grocery store chains do.

Whatever, I really don't like Lexmark anyway and I'm proud to say I've never owned a Lexmark product. Talk about a company that is ethically challenged ... they wear their unlightened capitalism as a mark of honor. I hope they choke.

Re:Are yet just, plain, mad?

The worse part is that all the printer companies loose money on their printers. HP's got some new really stupid scheme in development that's going to make them loose almost $100 per printer in '06+ and they have to make it up on ink sales, just to break even. Cannon and Epson did it right with the snapper technology. But nooooo! HP's doing some insanely complicated pump delivery system that's going put them over a billion dollars is the hole on the hardware sales and they hope to make it up on ink sales. Can you belive it, a billion dollars in ink sales just to break even. Time to sell your stock. Seems like some pretty bad management to me. What were they thinking?!?!

Slashdot are evil port scanners

The IP 66.35.250.150 is the Slashdot website, type the ip into the browser for slashdot main page.

Here is my firewall log:

11/13/2004 23:14:31 Port Scan Minor Incoming TCP 66.35.250.150 05-00-20-00-05-00 * MY IP *
00-00-05-00-00-00 * My Name * BEAST3 Normal 1 11/13/2004 23:27:33 11/13/2004 23:27:33

Somebody is scanning your computer.
Your computer's TCP ports:
80, 1080, 3128, 8000 and 8080 have been scanned from 66.35.250.150.

2 Computers

[nurb432]

The safest thing to do is have 2 computers:

#1 - for internet useage only...
#2 - for everything else...

Re:2 Computers

[crash24601]

> The safest thing to do is have 2 computers:
>
>#1 - for internet useage only...
>#2 - for everything else...

I've actually recommend this to a couple people lately that had me build them second computers to do things like photo editing. One of them has followed my advice, the other told me it was great advice, then the next time I was at her house, she had plugged it into her cable connection with her other PC.

I run a second PC at home that is off the net, it can be a pain though. Software needs updates, some software makes it difficult to install and register without a connection. So many vendors now assume all pc's are net connected.

Re:Newer print drivers only?

[mistered]

It's because the inkjet and laser groups behave very differently. From linuxprinting.org:

Lexmark produces two lines of printer: the Optras and the Color Jetprinters. The Optras are business-focused printers with the unique characteristic that every Optra supports Postscript and PCL; no other vendor has such uniform support for standardized printing languages. As a result of this, every Optra is 100% supported by free software. The Color Jetprinters are consumer-focused printers with the exact opposite characteristics: not a one of them supports any standard printing language, and not a one of them is 100% supported by free software.

The two groups in the company are very much separate, although the occasional Optra product is produced by taking a reasonable Color Jetprinter and nailing an Optra-style mainboard onto the back; this produces a Postscript/PCL networkable inkjet (like the Optra 40, for example). Efforts to obtain programming information for the Color Jetprinter protocols have been unsuccessful and will probably remain that way; Lexmark apparently feels that the details of the protocol reveal some of the engineering techniques they use to make the Color Jetprinters so competitively inexpensive.

Re:printing ripoff

[xornor]

I have an HP Laserjet 4MP I think I got in 1995 for close to $1300. I'm on my second toner and it has yet to have any problems printing anything... You get what you pay for I guess.

LaserJet 4 Plus is hard to beat.

[Nick+Driver]

Excellent, sturdy-built printer. Probably one of the best medium-size laser printers that HP ever built. I have one that I found outside sitting next to a garbage dumpster full of old 486 and 1st generation pentium pc's. That's right, I got it for free. Took it home and found all the rubber rollers were nasty and the unit was filled with paper dust and assorted debris. It had never been maintained or serviced since new. I disassembled the unit, vacuumed out all the dust and crap, and carefully cleaned every moving part with isopropyl alcohol, bought a refurbished toner cartridge from OfficeMax for $50 and have had about four years of trouble-free printing at a total investment of some labor and less than the cost of two average inkjet cartridges.

Re:really!

[Barryke]

10 sell printer
20 sell inkcartage
30 disable inkcartage via internet
40 goto 20

Re:printing ripoff

This is probably the best advice if you're only printing B&W. I SOMETIMES wish I had color, but I so rarely need it that I could care less. I used to own an old color inkjet, but when it broke down, I was lucky enough to get a used LaserJet. I got it with 80% toner left in the cartridge, and 35,000 pages printed. So far I have added another 2,000 pages to that, but the cartridge is still cool. I also have a spare cartridge ready, but it may never see action. The printer "just works", exactly the way I want it to, with my PC (Win2K) and Mac (OS X 10.3). Not only is the quality nice, but it's FAST. If I'm just printing a single page, I'd hit "print", and by the time I walk over to the printer in the other room, it's done. It works on a LAN, and really, things couldn't be much better. If you find one like it around, I'd actually pay as much as $400 for one, it really is worth that much, used, if you need to print a lot.

Re:printing ripoff

[Todesmetall]

Maybe then a laser printer instead of one of these crappy inkjet printers is an option for you?

I have bought a Lexmark printer that supports Postscript and I have been very happy with it since it works very well with a relatively simple setup on the Linux side - thanks to the ps support.

However, after these stupid stunts from Lexmark I probably wouldn't buy from them again.

Re:printing ripoff

[Dance_Dance_Karnov]

I have a hp laserjet 4L that had been in my friend's closet underneath 3 feet of stuff, took it out, pluged it in, it worked like a charm, been using it for about 8 months and still haven't had to replace the tonner cartridge that was in it when i debo'd it.

Net Assumption

[nurb432]

When i run into those issues, i call them and they either get me another way to do it, or "i will return the product due to its being unuseable"..

Normally they get me what i need, and I dont have to threaten them with a law suit....

Re:What about Macintosh Drivers

[drinkypoo]

Ha ha ha, you bought a multifunction device and now you're bitching about the driver? You're a fool to even buy one of those pieces of crap. You can get an inkjet printer for $40, a 1200 dpi flatbed scanner for $40 (That's what I paid for the Canon lide scanner I have here) and a modem for about ten bucks. If one of them fails, you only have to replace that device. If the scanner on your printer fails, you're left with a big ugly scanner/faxmodem. Everyone knows those things suck and AFAIK they are all PPA devices, meaning the host generates a bitmap and sends it to the printer. I don't want any printer that doesn't speak PCL and/or PostScript. Both of our printers now are PPA (well, one is, that's what HP calls it - I dunno what to call the dell printer) and they suck, but they were both free.

Re:Not clear? - profit of course !

[Alain+Williams]

All that we know is that it is making a connection, so how about something like this:

1. Read serial number from ink jet cartridge
2. Send serial number back home
3. Check with home 'has the cartridge been used before ?'
4. If it has been used before then it has probably been refilled, so degrade print quality and squirt ink all over the place.
5. User sees: poor quality and blots on the page
6. User never buys refilled cartridges again
7. Profit for Lexmark!

What? No one remembers the Printer sourced...

[digital+photo]

What? No one remembers the printer embedded logic bomb which kept taking out the computer system of a certain power facility some decades ago when a disgruntled employee knew he was being fired/laid off and write a program into the memory of the printer unit which could initiate a communication to the main computer and wipe it out?

By sending packets out like this, Lexmark is opening up a can of worms.

All this means to me is:

• Continue to use Gimp-Print+CUPSd to handle my printing needs.
• Avoid Lexmark products just like I avoid Belkin products.
• If I NEED a windows based print server, put them on restricted segments of the network.

A driver that goes out to a website to upload data could just as well go out to a website and download code. Someone who can hijack that domain will probably find a way to screw with the system.

Economics of Printer Cartridges

[hross]

We know that the printers are sold at a loss and the consumables are more expensive than Dom Perignon. But the reasons for this are not only due to the choices of the manufacturer.

Printer consumables (e.g. ink & paper) generate a lot of revenue for the retail outlets as well as the manufacturer. Companies that sell cheaper ink and more expensive printers will have difficulty placing their printers in retail outlets. The cost per page of large photocopiers is very low, but you don't see them sold at big-box stores.

While retails outlets were the primary source of printers this was a stable situation. What has changed recently is that companies like Dell have enetered the direct sales market and so cut out the retail vendor. Retail can still make some money on consumables since there is some compatibility (e.g. Dell OEMs Lexmark).

But manufacturer's have no forced commitment to retail stores and if the Internet allows them to bypass the middleman and do direct sales, they will attempt to do so. In fact they must in order to compete with companies like Dell. At the same time Dell can't completely undercut the existing price regime because Lexmark still needs to see positive economics for their own printers even though they also build printers for Dell. Cut price ink would cannibalize their own sales more than the benefit of the increased hardware sales.

In order to make up for the loss of retail sales - and the loss of retails sales information - both Dell and Lexmark have created software that tracks usage and directs the user to the manufacturer's website *before* they run out. Otherwise, people will tend to impulse buy from retail rather than wait a week for delivery.

So the manufacturer's want the information, they need it in advance of ink exhaustion to bypass retail, and they can collect all sorts of information that they probably don't need but might find useful.

It's the 'might find useful' category that causes the greatest privacy concerns, and are probably not necessary for the immediate purposes, but it's easy to collect and few people complain. So far.

Fight back

[AmiMoJo]

If I had a Lexmark printer, I'd fight back. Write a program to send bogus packets with false data to screw up their data. Distribute it to other pissed-off Lexmark owners. Release another program to disable Lexmark's spyware.

It's nasty and somewhat immoral, but sadly it seems like the only way companies will learn.

Lexmark P2P???

[DogsBollocks]

Try opening LEXPPS.EXE in Resource Hacker.

The information is as follows for those who are fortunate enough not to have any Lexmark products.

VALUE "Comments", "MarkVision for Windows '95 New P2P Server (32-bit)"

VALUE "CompanyName", "Lexmark International, Inc."

very very scary!!!

Easy 1-2-3 solution...

[crazyphilman]

Use Linux (or a *BSD) and CUPS to run your printers. Since you don't have to run any printer-company applications (because Linux has its own drivers for everything, all thoroughly vetted by the open source community), it is impossible for manufacturers to spy on you.

I'd include OS/X in that, but unfortunately, I'm using a Hewlett-Packard print manager on my iBook, which could possibly be spying on me right now. It's a bummer, but I paid 1800 bucks for this thing (the iBook, not the printer), and I don't want to quit using it until it dies of old age. Sigh...

In the meantime, I have a couple of old mil-spec laptops running Slackware that can take over when the iBook dies, so I guess that's pretty cool.