Slashdot Mirror
Are Your Peripherals Monitoring You?
An anonymous reader writes " Engadget is reporting that
'Lexmark, makers of printers and scanners, has been caught monitoring users' printer, scanning, and ink cartridge usage.'" Newsgroup comp.periphs.printers readers noticed the software; the Engadget report says that "Lexmark say they're just tracking printer and cartridge usage, but the registration information and packets being sent say otherwise."
Not clear what they are monitoring?
What am I missing? Couldn't somebody just install the program and sniff the information out of the packets?
Gesh, this is slashdot...
I don't think anyone or anything could stand the sight of me before clothes or caffeine.
Mix the failings of Usenet with the shortcomings of the World Wide Web and the result is slashdot.
First you tell us this:
Lexmark, makers of printers and scanners, has been caught monitoring users' printer, scanning, and ink cartridge usage."
Then you try to tell us this:
"Lexmark say they're just tracking printer and cartridge usage, but the registration information and packets being sent say otherwise."
So the evil Lexmark tells you that they are tracking printer and cartridge usage, which is what you tell us is what you found. Then you claim that the packets being sent tell you something different. Well, spill it! What did you find that Lexmark didn't say they are tracking? It seems that they told you what you'd expect to find if you monitored their packets.
I don't like the idea that some company is building drivers that call home. But it's not because I think my privacy is somehow invaded. I just don't like someone using up my bandwidth without my knowledge.
If I was really concerned with privacy, I doubt I'd be using a computer, much less connecting it to the Internet.
Linux can do it just as well as Microsoft and Lexmark! Admittedly, you do have to install it yourself, but the feature is there and just as good as these so called professional vendors can offer!
Beep beep.
Interesting, I just installed ZoneAlarm on a PC last week and it gave me an alarm that some Lexmark process wanted to make a network connection. I havnt had a Lexmark connected to that thing in probably 3 years (and can find no obviously labled Lexmark files) but have been too lazy to reformat the drive. Perhaps it's time to break out the install CDs.
However, this does not justify them sending the data without your knowing/asking. If they wanted to keep a flag in the printer and when you return the printer for a repair under warranty, they cold check for this flag and refuse to honor the warranty.
And, why would they want to hide their intent and send the data to a wierd sounding URL (lkcc1.com)? I would have first suspected some other scumware trying to phone home, never suspecting lexmark. Well, guess you cannot trust any compan to have honor ro ethics these days.
I have a Lexmark Optra E+ laser printer. It's several years old. I'm very happy with it as a printer.
I don't see any c:\program_files\lexmark500 directory even though I have the print driver, downloaded from lexmark.com, installed.
I've added the following to my hosts file just in case.
0.0.0.0 www.lxkcc1.com
okay, enough of these printing scumbags. printers are getting worse, print quality is crap, ink cartridge prices are obscene while lasting for shorter durations (my gf's printer will not print in black when the color cartridge is empty), DMCA restrictions on refilling ink, spying on users...
bullshit. i will never buy one of these printers again (this means you lexmark, canon, hp, and your friends). when will a manufacturer stand up and sell good quality printers, refillable by the user using just an ink bottle? there is a market of people who are willing not to buy the cheapest piece of shit printer because they know how that turns out. who will fill it?
Original usenet post from comp.periphs.printers on Google Groups here, or here for a news: link.
Just as long as my Dvd burner isn't monitoring what I am burning...
Somehow I don't believe that Lexmark would install this spyware without having the EULA cover it. This may be another example of people just hitting "AGREE" (effectively signing) without actually reading the EULA (a legally binding agrement). Stupid laws? Stupid people? Both? You decide.
The trouble began when I had to buy new cartridges, I bought 3 in a row, and they were all empty, what the hell is up with that.
You are an engineer for [evil printer company] and are told to increase profits 50%. So you increase i=20 in the cartrige purge program.
Lexmark could also very well instruct the device driver to STOP WORKING if it detects a third party ink cartridge...
ELOI, ELOI, LAMA SABACHTHANI!?
lxkcc1.lexmark.comw w.lxkcc2.com
www.lxkcc1.com
lxkcc1.com
w
lxkcc2.com
ips
192.146.101.0 - 192.146.101.255
... the information was being stored in a file? Perhaps someone who has access to a copy of the file can post it somewhere. I'm sure there isn't going to be high security on it, so perhaps someone can crack it open and we'll see what kind of information they're getting.
-- Gargonia
Never play leapfrog with a unicorn.
Sadly, the joke, in this case, would be:
In Soviet Russia, you monitor your peripherals!
Lexmark obviously wants to track ink jet cartridge usage because that is where they get their most profit. They probably want to know when consumers start switching to a more viable printing technology so they can jump on the bandwagon.
Powered by caffeine and sugar; BSD
google groups link
I don't find this at all shocking. Lexmark makes those lovely OEM Dell printers that you sometimes can get free with a PC. Not only is the software a commercial to buy ink from Dell but the cartages are keyed so you have to mail order the ink. Now Lexmark can track you by serial number and possibly detect if you've been a naughty user and used 3rd party cartages or refilled you cartages. Can anyone say warranty void? Even better still, they can collect enough information on your printing habits and offer you bigger and better printers.
There are good reasons to object to this. What we need are some solid facts as to what exactly is reported to Lexmark, and how to prevent this. Would adding "www.lxkcc1.com 127.0.0.1" to the hosts file be effective?
There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.
...your monitor monitors you!
"Ask not what your country can do for you." --John F. Kennedy
A quick search on google groups reveals that this has been going on since as far back as 2001 (google groups). Why am I seeing an article so late?
....buried 500 paragraphs into a EULA that the user "consented" to be monitored?
We caught a xerox network laser printer trying to send mail, by itself back to xerox; it tried three different outgoing smtp servers that fortunately our gateway blocked.
I don't know what was in those mails - but a google search revealed an article about a large data mining system based on Oracle; I think the main intent was to detect reasons for early failure - but who knows what happened to the data.
Personally I dislike inkjet printers since they usually are causing a mess by spreading the ink everywhere, and the printouts are normally not water-resistant either! Another thing is that the ink cartridges tends to dry up and cause messy pritouts if any if you leave the printer unused for some months. Only way out is to buy a new cartridge.
Laser Printers are a little better, as long as you have a decent vacuum cleaner arond to catch any excess toner. At least they don't mind being offline for a year in decent conditions. (maybe you will have to shake down the toner in extreme cases)
In all, tracking printer use should only be acceptable if the user is notified beforehand, and that the data communicated is easy for anybody to check regarding it's content. The user must be able to disallow any usage tracking.
A legitime use of printer usage tracking that I see is actually to let the printer manufacturer find out the most common errors occured with a printer, and which colors that are most frequently used in order to optimize coming models on the market. But as noted beforehand, the user must have his/hers last say in this. Relate this to the error reporting that Microsoft offers for Windows XP. (Not that it actually catches ALL problems)
My 1/2 cent opinion...
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Duly firewalled.
Can they track why their craptastic printers keep breaking all the time? Never buying one of them again.
my router logs all in/out connections and keeps bandwith utilization statistics. Last morning it informed me there is a new firmware update (so it called home). It is also capable to establish VPN tunnels via IPsec so it can send anything it likes without any possibility to examine content. Does it spy on me? Who knows..., but I started to think about installing a normal Linux box instead.
...but the toaster has been laughing at me from time to time.
I dont understand lexmark. They crossed the boundaries of the sensible with the DMCA suit, now they are up with this spyware print driver thing.
Are they in league with the MPAA or something? Or do they just want to get extra money from users.
The fact is, refill cartridges perform a valuable role: they keep the retail cartridges within bounds. If it wasnt for the refill biz, the vendors would be tempted to charge even more.
As for the spyware stuff -if this is in UK print drivers (as the zdnet UK article implies), then it could be illegal under our data protection laws. It certainly ought to be banned. All spyware should be illegal.
That is the nice thing about OSS -you can check the print drivers, and anyway, like linux.org or sf.net cares about your printing. Interestingly, spyware is very rare in the macos world too. There is something about windows that just encourages it. I think it is the fact that Ms effectively ship windows with spyware-to-MS preinstalled, then the home PC vendors join in, giving the green light to everyone else.
I despair.
The safest thing to do is have 2 computers:
#1 - for internet useage only...
#2 - for everything else...
---- Booth was a patriot ----
Imagine a perl script to generate spoof statistics. Imagine a million ./ readers running the script as a cron job.
They'd soon stop trying to spy on the users, if the data was all that everyone keep on printing the same url all the time, something with "goat" in the URL...
It's just another example of how much control software companies have over you when you use their closed-source software (and drivers): You have no idea what the software really does!
It would be very interesting and fairly easy to find out what the software is doing while it's "phoning home". Won't someone that has a Lexmark printer (Canon myself) please install Ethereal (or whatever floats your boat) and just try to capture whatever the software is sending?
While we may not find out what all of the data is, at least it should be fairly easy to establish whether they are collecting your name, or your username, or your IP. If this is installed quietly, it seems unlikely that they would bother with encryption. They don't seem too interested in privacy in the first place.
As an aside, I can see how real usage information from the field could be extremely valuable to a printer company, but it should say in big red letters "this product phones home". If the consumers are acting as their research lab, they better be volunteers...
No
Nov/13/2004 09:48:08 Drop TCP Packet From LAN 192.168.0.2:1654 192.146.101.142:80 Rule: Lexmark Block
Nov/13/2004 09:48:00 Drop TCP Packet From LAN 192.168.0.2:1654 192.146.101.142:80 Rule: Lexmark Block
Nov/13/2004 09:47:56 Drop TCP Packet From LAN 192.168.0.2:1654 192.146.101.142:80 Rule: Lexmark Block
Nov/13/2004 09:47:41 Drop TCP Packet From LAN 192.168.0.2:1502 192.146.101.142:80 Rule: Lexmark Block
Nov/13/2004 09:47:34 Drop TCP Packet From LAN 192.168.0.2:1502 192.146.101.142:80 Rule: Lexmark Block
Nov/13/2004 09:47:30 Drop TCP Packet From LAN 192.168.0.2:1502 192.146.101.142:80 Rule: Lexmark Block
and I wonder just how often its trying to phone home.
And can I claim violation of my right to privacy under a civil rights act?
Any lawyers out there? Ralph Nader? Public Citizen?
When considering the purchase of new hardware, I start by picking something with support already built into my OS. With Linux, this often means the difference between it working or not. With Windows, this means the difference between having to run a dozen tiny third party apps that appear to do nothing at all (beyond take up memory, disk space, and as per this topic, spy on my activities).
It really amazes me when I go to help someone with their PC, and I see a list of startups dozens of entries long. When I see a system tray that stretches halfway across the screen. When their process list requires scrolling down for three pages to see them all.
For a good default policy, when you buy new hardware, throw away any software it came with. You don't need it.
Printers? They all speak PCL or PS (unless you very unwisely bought one that does not, which goes back to "check for driver support first"). End of story.
Scanners? Okay, once upon a time, these could take some work to get up and running. But anything less than five years old (and if older, you can get a better quality replacement literally for around $20)? Free hint - Plug it in, open MS Paint, and check out the "from scanner or camera" menu. Simply amazing, eh? Everything you need to scan, already built in.
Cameras? I had two of my users actually install the software for new cameras we got just this past week. Do you have any idea what a pain it took to remove that software, when they discovered that not only did they not need it, but they couldn't use it due to some vague, irregularly-reproduceable conflict with other software they actually do require? Anyway, point of story - After removing every last trace of Kodak's crappy software (including a very large application, a boot-time driver, and a service! Ack!), I demonstrated to my users that they just need to connect the USB cable and turn the camera on. Poof, all their pictures appear under "My Computer" as a removeable drive named similarly to their camera's model.
How about video cards? Okay, no argument that you would do well to run the newest actual video driver from the manufacturer, but do you have any idea how many people I've see that also have 3Dfx's task manager, NVcpl and Nwiz, or ATi's set of up to half a dozen useless crapware blobs, all loading at startup (I won't even go into startups such as MS Messenger, Office startup, Quicktime, and all the rest that suck memory at the whopping "savings" of 5 seconds the first time you run the relevant program)? Sad. Truly sad, that people let such software steal their memory and CPU cycles.
Okay, I'll grant that more exotic hardware may well require third party support. But that quite simply does not apply to 99% of machines out there.
So I suppose the moral of all this, to stay on-topic... Why do people install Lexmark's own drivers in the first place? Don't ! Use the built-in drivers, and you can get all the same functionality without the spyware or the bloatware.
Not to imply that Microsoft doesn't pull similar crap as Lexmark (time.windows.com, anyone? Which if you run your own NTP server, you will notice does not speak plain ol' NTP). But just because one company likes riding us bareback doesn't mean we need to spread for the rest.
Excellent, sturdy-built printer. Probably one of the best medium-size laser printers that HP ever built. I have one that I found outside sitting next to a garbage dumpster full of old 486 and 1st generation pentium pc's. That's right, I got it for free. Took it home and found all the rubber rollers were nasty and the unit was filled with paper dust and assorted debris. It had never been maintained or serviced since new. I disassembled the unit, vacuumed out all the dust and crap, and carefully cleaned every moving part with isopropyl alcohol, bought a refurbished toner cartridge from OfficeMax for $50 and have had about four years of trouble-free printing at a total investment of some labor and less than the cost of two average inkjet cartridges.
10 sell printer
20 sell inkcartage
30 disable inkcartage via internet
40 goto 20
Hivemind harvest in progress..
did you know that printer ink is one of the most expensive liquids that common consumers buy in the world?
i looked at work a while ago for the cheapest non-generic printer cartridge with the most ink for your buck. if you were to fill you car with printer ink from this cheapest of ink cartridges, it would be about $3,059 dollars a gallon. (how much is my tuition again?).
lexmark needs to stop being so greedy. they already make money hand over fist. the common printer company tactic of making cheap cheap printers that eat cartridges like candy that cost $35 a piece (mind you, printers have a color and a black ink cartridge) should be enough for those guys. shoot, i already feel dirty enough shelling out that money, but having my computer sniffed is going too far.
--no sig.
Please allow me to hate the creator of the 120-character limit: *HATES*. Thank you.
Hey, I am sure they are doing it in the name of national security!
Their plan to catch Osama was to flood Afghanistan with cheap Lexmark printers and hope that he or one of his buddies buys one. Then wait until Osama or one of his followers prints his digital camera pics on one of those printers. [Assume anyone in Afghanistan who can afford such a printer has Internet access as well] It should not be that hard to match and existing [reference]photo of Osama's face (embedded in that DLL file) with one in a solo or group photo.
It's not that hard to track someone down once you have their IP address.
Don't forget about the $20million reward!
The right way to do this would be to trigger data upload only if match was found, otherwise sit quiet.
OK, that was movie-of-the-week fantasy, but what they could have really done is monitor anyone scaning or printing $20 or $100 dollar bills.
Doesn't Photoshop alert you if you are trying to scan US currency? (or is that another urban legend?)
I'm concerned with privacy, so I use free software. Sure, my ISP can log my web habits but I don't have to worry about them selling information about what I do inside my own network to spammers. Nor do I have to worry about being compromised by some kind of email worm or malicious web site, which are just as large a threat to privacy.
You might be a little more concerned if you think about how any business can function without internet connected computers and what information your company might want to protect. All of that gets thrown out the window with M$ junk.
Friends don't help friends install M$ junk.
When i run into those issues, i call them and they either get me another way to do it, or "i will return the product due to its being unuseable"..
Normally they get me what i need, and I dont have to threaten them with a law suit....
---- Booth was a patriot ----
Ha ha ha, you bought a multifunction device and now you're bitching about the driver? You're a fool to even buy one of those pieces of crap. You can get an inkjet printer for $40, a 1200 dpi flatbed scanner for $40 (That's what I paid for the Canon lide scanner I have here) and a modem for about ten bucks. If one of them fails, you only have to replace that device. If the scanner on your printer fails, you're left with a big ugly scanner/faxmodem. Everyone knows those things suck and AFAIK they are all PPA devices, meaning the host generates a bitmap and sends it to the printer. I don't want any printer that doesn't speak PCL and/or PostScript. Both of our printers now are PPA (well, one is, that's what HP calls it - I dunno what to call the dell printer) and they suck, but they were both free.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Any moderately current HP printer or multifunction device has the same kind of monitoring software. There was a number of executables and services that would install right after the printer finished Plug-n-Playing, one of which is called HPScout, or something like that. That application monitors ink useage and printer stats just like the Lexmark app. I can't tell you what information was sent: I wasn't privy to that. I can, however, tell you that I had to disable that app along with a few others that get installed automatically to keep the amount of system resources that the printer was using down to a reasonable level. Also, I worked for the Windows side of support, so I can't tell you what it looks like on the Mac side.
"Sometimes you have fun, and sometimes the fun has you"
Not clear what they are monitoring?
What's confusing is that the original post: Wrong: the Engadget report doesn't say that the packets being sent say otherwise -- there's no reference to packet sniffing: As you suggest, packet sniffing is the next thing to do.What am I missing? Couldn't somebody just install the program and sniff the information out of the packets?
-kgj
-kgj
I worked at hewlett-packard's All in One division and we wrote software that did the same exact thing and sent the data back to HP over http.
This software would be installed within the gigantic 120MB setup file. Somewhere deep in the EULA is a sentence about HP being able to process user activity data.
If you think
What? No one remembers the printer embedded logic bomb which kept taking out the computer system of a certain power facility some decades ago when a disgruntled employee knew he was being fired/laid off and write a program into the memory of the printer unit which could initiate a communication to the main computer and wipe it out?
By sending packets out like this, Lexmark is opening up a can of worms.
All this means to me is:
A driver that goes out to a website to upload data could just as well go out to a website and download code. Someone who can hijack that domain will probably find a way to screw with the system.
Winged Power Photography
Printer consumables (e.g. ink & paper) generate a lot of revenue for the retail outlets as well as the manufacturer. Companies that sell cheaper ink and more expensive printers will have difficulty placing their printers in retail outlets. The cost per page of large photocopiers is very low, but you don't see them sold at big-box stores.
While retails outlets were the primary source of printers this was a stable situation. What has changed recently is that companies like Dell have enetered the direct sales market and so cut out the retail vendor. Retail can still make some money on consumables since there is some compatibility (e.g. Dell OEMs Lexmark).
But manufacturer's have no forced commitment to retail stores and if the Internet allows them to bypass the middleman and do direct sales, they will attempt to do so. In fact they must in order to compete with companies like Dell. At the same time Dell can't completely undercut the existing price regime because Lexmark still needs to see positive economics for their own printers even though they also build printers for Dell. Cut price ink would cannibalize their own sales more than the benefit of the increased hardware sales.
In order to make up for the loss of retail sales - and the loss of retails sales information - both Dell and Lexmark have created software that tracks usage and directs the user to the manufacturer's website *before* they run out. Otherwise, people will tend to impulse buy from retail rather than wait a week for delivery.
So the manufacturer's want the information, they need it in advance of ink exhaustion to bypass retail, and they can collect all sorts of information that they probably don't need but might find useful.
It's the 'might find useful' category that causes the greatest privacy concerns, and are probably not necessary for the immediate purposes, but it's easy to collect and few people complain. So far.
If I had a Lexmark printer, I'd fight back. Write a program to send bogus packets with false data to screw up their data. Distribute it to other pissed-off Lexmark owners. Release another program to disable Lexmark's spyware.
It's nasty and somewhat immoral, but sadly it seems like the only way companies will learn.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Sorry, but I really don't think that's a very constructive attitude.
There is simply too much small print in an average person's life for them to read and absorb all of it. That would probably still be true even it it were written in plain $LANGUAGE, and not deliberately obfuscated by lawyers. Hence it is unrealistic to expect anyone to understand and, if necessary, challenge everything that they might not agree with if asked in isolation.
To protect society from the unscrupulous behaviour of those who would capitalise on this systematic weakness, we have a legal system. We elect people to form a government that can spend its full time in administration on our behalf, so we don't have to. Their remit is to look after our interests for us in cases like this.
The problem with a lot of technology is that it takes a fairly long time for the elected government's knowledge and views catch up with informed professionals (who, of course, can dedicate their whole working life to the technology industry, an advantage the lawmakers don't have). Consequently there is a fairly large window of opportunity for profitable spamming, spyware, adware, etc. that aren't really in the general public's interests before it becomes illegal.
The only realistic solution to this problem is to educate the lawmakers and draw their attention to new problems faster so they can act against them. Expecting to educate everyone in society about every potential threat to their finances, privacy, security, work-life balance, etc. just isn't a realistic possibility, which is why comments like the parent post aren't very helpful.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
The thing about those things is that they really do have three drivers, but typically only one driver installer. If you're particularly unlucky the drivers only ever unpack themselves to ao temp directory, and you have to use that winhandle program to even figure out where it is half the time.
People buy a multifunction device for the same reason they use to buy macs - and I'm talking about when there was only one reason here, and that was because anything else confused them. The thing about that is that multifunction devices are more complicated, not less. They're harder to support (if something goes wrong you will have more trouble) and if your network should ever grow, well, you can't hook them up to a print server and still use their scanning and modem functions. And believe me, even people with no computer knowledge and/or experience end up asking people who do to set up stuff like print servers for them in their house so they can have two computers print to the same printer without having to make sure one is on :P
Multifunction devices are not cheaper, they're not easier, so what's left? The belief that they take up less space? Multifunction printer/scanners are almost all huge, because they have a flatbed built into them and a large printer mechanism underneath so there's an excuse for the ridiculous physical size. We have a 720dpi inkjet that's about one third the size of the average scanner/printer/fax. It and my scanner together, maybe one-half. My scanner is USB-powered, about 1.5" thick, and provides a pretty good 1200dpi scan, although not very rapidly. Won't be any worse than a combo box, though. It came with a cute plastic stand that will keep it upright on a desktop, but I usually put it on a shelf or something. When I'm not using it I unplug it from the front panel USB connector, but it's got a USB B jack on it, so you can just leave the cable connected all the time.
Postscript isn't about cool, and it doesn't have to be postscript, it can be PCL. The important part is to minimize the amount of data you send to the printer, which improves your print speed. Fast printing is convenient, much as fast CD burning is.
Being able to upgrade the individual components that are provided in one of those units is worth buying them separately all by itself. Being able to decide that the inkjet isn't working for you and move up to a laser without having to get a new scanner is the way things should be to say the least. We aren't getting modular devices where you could just replace the printer part of the combo unit, so it only makes sense to just buy the separate devices.
There is just one reason I can see to buy one of those things: If you wanted an inexpensive copier/fax machine. I wouldn't even want to hook it up to a PC, although I would consider hooking it up to one that did nothing but act as a print server.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I remember an old Gomer Pyle show... (OK - I know - all Gomer Pyle episodes are old...)
Anyway, there was an episode where he would use a particuliar jeep. Everytime he had the jeep, his buddies would keep filling it with gas for fun, and not tell him. He thought that he was getting like 100 miles per gallon. When the sargent had the jeep, they'd siphon off the gas...
You could really screw with their numbers. Your Lexmark printer could report 200 reams per ink cartridge. Depending on the detail of their reporting back, you could make it look like you printed 1000 sheets all red, then all blue. You could mess with their metrics. Worse yet, if you falsify your registration number, you could fill their databases with fake data and even collide with other numbers already registered. How do they interpret data when the same printer is being reported numerous times with different behaviors. They shouldn've used strong crypto to ensure data integrity...
They probably should have had a click-to-authorize this activity as on option with their driver, with some benefit attached. Most would click it anyway, or not read the advisory...
http://www.iamsam.com
Use Linux (or a *BSD) and CUPS to run your printers. Since you don't have to run any printer-company applications (because Linux has its own drivers for everything, all thoroughly vetted by the open source community), it is impossible for manufacturers to spy on you.
I'd include OS/X in that, but unfortunately, I'm using a Hewlett-Packard print manager on my iBook, which could possibly be spying on me right now. It's a bummer, but I paid 1800 bucks for this thing (the iBook, not the printer), and I don't want to quit using it until it dies of old age. Sigh...
In the meantime, I have a couple of old mil-spec laptops running Slackware that can take over when the iBook dies, so I guess that's pretty cool.
Farewell! It's been a fine buncha years!