Are Your Peripherals Monitoring You?

An anonymous reader writes " Engadget is reporting that 'Lexmark, makers of printers and scanners, has been caught monitoring users' printer, scanning, and ink cartridge usage.'" Newsgroup comp.periphs.printers readers noticed the software; the Engadget report says that "Lexmark say they're just tracking printer and cartridge usage, but the registration information and packets being sent say otherwise."

Please clarify

First you tell us this:

Lexmark, makers of printers and scanners, has been caught monitoring users' printer, scanning, and ink cartridge usage."

Then you try to tell us this:

"Lexmark say they're just tracking printer and cartridge usage, but the registration information and packets being sent say otherwise."

So the evil Lexmark tells you that they are tracking printer and cartridge usage, which is what you tell us is what you found. Then you claim that the packets being sent tell you something different. Well, spill it! What did you find that Lexmark didn't say they are tracking? It seems that they told you what you'd expect to find if you monitored their packets.

I don't like the idea that some company is building drivers that call home. But it's not because I think my privacy is somehow invaded. I just don't like someone using up my bandwidth without my knowledge.

If I was really concerned with privacy, I doubt I'd be using a computer, much less connecting it to the Internet.

Re:Please clarify

Anything that calls home unasked and silently is a backdoor. Anyone working for a foreign agency is a spy and will be treated as one, no matter if he has blown up that power plant *yet* or whatever his orders were.

Spying is spying, no matter if it happens daily or monthly. And who are you to be sure they don't collect other info, send ascii-only copies of your printed documents, scan for keywords and worse. Calling home once a month is enough to report back every info you hold dear. Plain ASCII, zip compressed doesn't need more bandwidth.

But none of us has a problem with others monitoring what we say or do. I have nothing to hide. I like orange jump suits and cable ties. I like the president. I am a happy citizen and I will go back to work now.

ZoneAlarm

[TVC15]

Interesting, I just installed ZoneAlarm on a PC last week and it gave me an alarm that some Lexmark process wanted to make a network connection. I havnt had a Lexmark connected to that thing in probably 3 years (and can find no obviously labled Lexmark files) but have been too lazy to reformat the drive. Perhaps it's time to break out the install CDs.

Re:ZoneAlarm

[Captain+Chad]

Would that have been the 'PDP RPC server' by any chance? I had the same issue with a Compaq-branded Lexmark printer. It took a bit of google searching just to find out it was from Lexmark and that 'PDP' stands for 'Print Driver Plus'.

Re:ZoneAlarm

[AndroidCat]

I guess we now know what the 'Plus' part is. :)

Posible reason

[coolsva]

I believe Lexmark recentl lost a case where they tried to apply the DCMA against a 3rd party ink cartridge manufacturer. Since now they cannot force he user to buy their high priced cartridges, perhaps this way, they would know that you used one of these cartridges and they can then void your warranty
However, this does not justify them sending the data without your knowing/asking. If they wanted to keep a flag in the printer and when you return the printer for a repair under warranty, they cold check for this flag and refuse to honor the warranty.

And, why would they want to hide their intent and send the data to a wierd sounding URL (lkcc1.com)? I would have first suspected some other scumware trying to phone home, never suspecting lexmark. Well, guess you cannot trust any compan to have honor ro ethics these days.

Newer print drivers only?

I have a Lexmark Optra E+ laser printer. It's several years old. I'm very happy with it as a printer.

I don't see any c:\program_files\lexmark500 directory even though I have the print driver, downloaded from lexmark.com, installed.

I've added the following to my hosts file just in case.

0.0.0.0 www.lxkcc1.com

printing ripoff

[pchan-]

okay, enough of these printing scumbags. printers are getting worse, print quality is crap, ink cartridge prices are obscene while lasting for shorter durations (my gf's printer will not print in black when the color cartridge is empty), DMCA restrictions on refilling ink, spying on users...

bullshit. i will never buy one of these printers again (this means you lexmark, canon, hp, and your friends). when will a manufacturer stand up and sell good quality printers, refillable by the user using just an ink bottle? there is a market of people who are willing not to buy the cheapest piece of shit printer because they know how that turns out. who will fill it?

Re:printing ripoff

[Helix150]

I recommend the canon multipass series... I have a MP730, its a combo printer/scanner (w/ feeder)/fax/copier, very nice machine. A bit expensive ($300) but IMHO well worth it. The Canon ink tanks are clear so you can see the ink inside them, and there are no chips on them. The printer measures the ink level by shining a light through the tank. They are quite easy to refill, and LaserMonks has replacement tanks for IIRC about $5 each. Replacement official tanks are about $7 each. Four colors, CMYK.

Re:printing ripoff

[Timesprout]

I recommend a pencil and paper. One caveat is to always use a single sheet of paper instead of a pad though so spies cant find out what you wrote by rubbing graphite over the pad. Also tell the recipient to eat the page after they have read it.

Re:printing ripoff

[Lisandro]

Get an used (old model) HP Laserjet. They can be found at reasonable prices, with service and replacement parts still available, and it's toner lasts forever. The printer will too, they are some of the most relaiable printers ever built. Too bad HP has been going down the crapper lately.
Laser printers are expensive at a first glance, but the price per page is a fraction of a inkjet. It's overall a much better value.

Still, if you want a cheap one, try the newer Cannon inkjets. You'll still be forced to buy overpriced, half-filled ink tanks, but they work as expected, the printing heads don't clog and the print quality is top notch (for an inkjet). I have a Cannon S1000 at work that has been working perfectly for almost two years now. I wish i could say the same about Epson printers.

Re:printing ripoff

[jridley]

I also recommend Canon printers. I have an i970. While not designed intentionally for refilling, it's about as good as it gets these days. As you say, the tanks are just clear plastic boxes with ink in them, refilling is a snap. I've previously refilled Epson and HP, and the Canon is by far the easiest. After refilling Epson/HP, you have to let the ink settle overnight to eliminate bubbles, and do a lot of fiddling to get it printing right. I've refilled my Canon tanks about 15 times so far and haven't had to even do a nozzle cleaning pass once. The printer does automatically do a nozzle clean if it hasn't for a while during idle time after a print job.

The i970 is a 6 color printer, FWIW. Photo printing is quite nice.

Re:printing ripoff

I prefer the Leeloo Dallas Multipass.....

Usenet post

[nstrom]

Original usenet post from comp.periphs.printers on Google Groups here, or here for a news: link.

That's ok...

[jmcmunn]

Just as long as my Dvd burner isn't monitoring what I am burning...

Re:Lexmark sucks

[dattaway]

The trouble began when I had to buy new cartridges, I bought 3 in a row, and they were all empty, what the hell is up with that.

You are an engineer for [evil printer company] and are told to increase profits 50%. So you increase i=20 in the cartrige purge program.

Another Posible Reason

[Lead+Butthead]

Lexmark could also very well instruct the device driver to STOP WORKING if it detects a third party ink cartridge...

Re:Another Posible Reason

[Anomalous+Coward]

More likely they would instruct the driver to go into "crap quality" mode. Then they could point to the lousy print you get with 3rd party ink and say "See! Those other ink cartriges aren't as good as ours! Look how much better the print is when you use genuine Lexmark brand ink cartriges!"

At least, that's what I would do if I was a sleazy, money-grubbing corporation....

Sites to block

lxkcc1.lexmark.com
www.lxkcc1.com
lxkcc1.com
ww w.lxkcc2.com
lxkcc2.com

ips
192.146.101.0 - 192.146.101.255

Re:Not clear?

[arivanov]

Lexmark's attempt to use DMCA to prevent thrid party cartridges sank in court a few weeks ago. They are bound to start looking for a different means to achieve the same goal as their printers are sold at dumping prices and they generate profit mostly from cartridges. In order to chose the next move they definitely need some reconnaissance data. Alternatively they are looking to move the grounds of enforcement on what the customer uses from suing competitors to sueing customers (what a novell idea...).

2. Lexmark AFAIK is one of the companies who are participating in the stupid law assistance program where software and hardware should detect common types of currency and refuse to copy or print it. Going from there to ratting on the ones who scan/print it is only one step.

Re:Didn't the users agree to this monitoring?

[jdreed1024]

This may be another example of people just hitting "AGREE" (effectively signing) without actually reading the EULA (a legally binding agrement).

Legally binding? I don't think so. EULAs have questionable legal status at best (I'm sure some lawyer could argue for the fact that the fact that the EULA is not printed on the box and the fact that some say "If you do not agree, you cannot install this software" could very well amount to coercion or something. EULAs have never been tested in court.

I would love to see a EULA with some seemingly innocuous yet annoying clause such as "By agreeing to this license, you give everyone the right to call you 'butthead' for the rest of your life." and then have that tested in court. Ideally, there would be one of two outcomes: EULAs become illega or software vendors are legally obligated to accepted returned opened software if the user did not agree to the EULA. (Which means many software vendors would stop stocking software with crap EULAs, and maybe the software industry would get a wake-up call.

And the older crowd here will remember that EULAs didn't always used to suck. They used to be printed in fine print on envelopes containing the CD or floppies, and said in big letters "If you open this envelope, you agree to the license". Which is much better, because if you didn't agree to the license, you could take the software back and if the diskettes were unopened, the place would almost always accept returns.

Xerox network lasers

[prestwich]

We caught a xerox network laser printer trying to send mail, by itself back to xerox; it tried three different outgoing smtp servers that fortunately our gateway blocked.

I don't know what was in those mails - but a google search revealed an article about a large data mining system based on Oracle; I think the main intent was to detect reasons for early failure - but who knows what happened to the data.

Re:Xerox network lasers

[CrystalFalcon]

Xerox printers can be configured to automatically order new supplies when the current ones run low. You're sure it was not something like this?

Also, they can be configured to send out e-mail to supply adminsitrators (in this case, picture Carol, the PHB's secretary in Dilbert) to ask for ordering new supplies with a handy web page served from the printer, if human intervention is desired. You're sure it was not something like this?

Well then...

[Flizesh]

Can they track why their craptastic printers keep breaking all the time? Never buying one of them again.

Re:As every printer manufacturer...

[mangu]

A legitime use of printer usage tracking ... which colors that are most frequently used in order to optimize coming models on the market

There are two much less intrusive ways to do this:
1) design the printer to use separate cartriges for each color, or
2) offer a used-cartridge trade-in discount and check how much ink is left of each color.

Or just spoof data

[steve_l]

Imagine a perl script to generate spoof statistics. Imagine a million ./ readers running the script as a cron job.

They'd soon stop trying to spy on the users, if the data was all that everyone keep on printing the same url all the time, something with "goat" in the URL...

Within seconds of blocking it in my firewall ...

[sho-gun]

Nov/13/2004 09:48:08 Drop TCP Packet From LAN 192.168.0.2:1654 192.146.101.142:80 Rule: Lexmark Block
Nov/13/2004 09:48:00 Drop TCP Packet From LAN 192.168.0.2:1654 192.146.101.142:80 Rule: Lexmark Block
Nov/13/2004 09:47:56 Drop TCP Packet From LAN 192.168.0.2:1654 192.146.101.142:80 Rule: Lexmark Block
Nov/13/2004 09:47:41 Drop TCP Packet From LAN 192.168.0.2:1502 192.146.101.142:80 Rule: Lexmark Block
Nov/13/2004 09:47:34 Drop TCP Packet From LAN 192.168.0.2:1502 192.146.101.142:80 Rule: Lexmark Block
Nov/13/2004 09:47:30 Drop TCP Packet From LAN 192.168.0.2:1502 192.146.101.142:80 Rule: Lexmark Block

and I wonder just how often its trying to phone home.

Re:Are yet just, plain, mad?

[ScrewMaster]

Well, the business model that Lexmark (and HP, Canon, and the rest) follow is that of selling a cheap printer and expensive consumables, with the costly ink subsidizing the initial low price of the hardware. We can all agree on that much, I think. And, honestly, that approach did make a lot of sense when printer technology was improving by leaps and bounds and users were continually tempted to upgrade their equipment. But nowadays, inkjet technology is becoming fairly mature and you really don't see major improvements in price/performance anymore. That being the case, I'd rather pay a hundred bucks more for my printer, right up front, since I'll probably be keeping it for a while, and then pay a more competitive price for the cartridges.

Frankly, I think you may have it backward. Lexmark isn't the crack dealer: we are. They get the first hit (i.e., we give them fifty bucks for the printer) and then they keep getting periodic hits every time we run out of ink. The problem is, printer manufacturers have growned accustomed (nay, addicted) to this way of doing business: they like that unending revenue stream from little boxes filled with ink. It's the way of the modern world, i.e. don't just sell somebody something once, sell it to them over and over and over.

I'd like to know how many ink cartridges you have to buy before you've paid them back for the loss they took on the printer itself (assuming they take such a loss, China makes things pretty cheap nowadays) and when those sales start becoming pure gravy. Hell, if Lexmark wants to use those spyware drivers to help their customers they could do this: keep track of the number of times the cartridge has been replaced, and when the company has made back what it lost on the printer sale, send the user a discount card. The user could then take that card to any store that sells Lexmark cartridges and get some money off. Hell, if Lexmark wants to accumulate personal data in spyware fashion they should give something to their customers for the privilege, much like the major grocery store chains do.

Whatever, I really don't like Lexmark anyway and I'm proud to say I've never owned a Lexmark product. Talk about a company that is ethically challenged ... they wear their unlightened capitalism as a mark of honor. I hope they choke.

Re:Not clear?

[rpozz]

As far as I'm concerned, if your still running windows connected to the internet, buying Lexmark gear, and reading this with IE, then you deserve everything you get.

While virtually everyone on slashdot knows to install anti-virus, anti-spyware, firewall, firefox etc, it's all getting way out of control. Who the FUCK (except from a tin foil hat nerd) would expect a PRINTER DRIVER to spy on you? Isn't it great how this sort of crap is legal, but (for example) modding a console isn't?

Re:Not clear?

[h4rm0ny]

Just why is this stupid? Counterfiting is illegal and undesirable. Please explain your opinion.

I'm neither the original poster, nor do I necessarily agree with him. But I think I can do a good job as advocate for the Devil.

The obstensible objection to the hardware and software currency detection would probably be that it does nothing to catch actual counterfeiters but does inconveniance legitimate users. Do you really think that people such as these are going to be bothered by such little measures. In order to procure the equipment, inks and papers to forge modern currency (at least in Europe), you have to be a professional. The only remaining result of this technology is the inconveniance to legitimate users.

Now that said, there is a secondary reasoning behind objecting to the law which is less commonly stated, but often underlies such arguments.

You stated that Counterfeiting is illegal and undesirable. Placed in a criticism, this indicates that you feel the law is essentially a good thing and that legality is an indication that something is acceptable. There are many who would agree that counterfeiting is undesirable (it reduces the value of their own / family's money) but would not instinctively add illegal as a criticism. This is because many now feel the government is an adversary, especially in recent times and especially in the US and the UK. They are heavily concerned about increasingly unjust laws and this is colouring their view of the entire legal process. The relation of something as large as this to something as small as the anti-counterfeiting technology is twofold. Firstly, in foisting this technology on innocent people, they naturally resent the presumption of wrong-doing. Much the same as you would feel about having people come around to search your home for stolen goods without grounds for suspicion, or having someone wire your car so that it couldn't go over 70mph to prevent speeding, or outlawing firearms (in the US). It's insulting to many people who no longer feel the government is their friend. It's especially insulting that this redundant technology was diseminated secretly and sneakily amongst people who did not know that what they bought had that it had been fiddled with by government agencies. Remember, many people no longer regard the government as friendly.

The second secret reason behind the objection may be that in order for this technology to work there has to be some subversion of people's computer systems. It can't be implemented in The Gimp and if Photoshop or Lexxmark is calling the FBI when it detects a banknote, then this is basically taking control away from the user. He can no longer trust his computer. Who knows what information it's providing to other parties. This will be especially true with technologies enabled by Trusted Computing. The issue about the anti-counterfeiting technology is not the thing in isolation, but that is part of a broader sweep of taking power away from the user and making their computers work for someone else, not their owner.

Okay, that's my analysis. Of course, the OP may not think this way at all, purely basing his comment on the fact that the technology is flawed (which it is) and inconveniances innocents (which it can do); but I think that many people do feel the way that I've described.

For myself, I just want someone to post the pattern so that I can mix it into my own images and mess with people's heads.

LaserJet 4 Plus is hard to beat.

[Nick+Driver]

Excellent, sturdy-built printer. Probably one of the best medium-size laser printers that HP ever built. I have one that I found outside sitting next to a garbage dumpster full of old 486 and 1st generation pentium pc's. That's right, I got it for free. Took it home and found all the rubber rollers were nasty and the unit was filled with paper dust and assorted debris. It had never been maintained or serviced since new. I disassembled the unit, vacuumed out all the dust and crap, and carefully cleaned every moving part with isopropyl alcohol, bought a refurbished toner cartridge from OfficeMax for $50 and have had about four years of trouble-free printing at a total investment of some labor and less than the cost of two average inkjet cartridges.

Re:really!

[Barryke]

10 sell printer
20 sell inkcartage
30 disable inkcartage via internet
40 goto 20

Re:Not clear?

[1u3hr]

Not clear what they are monitoring? What am I missing? Couldn't somebody just install the program and sniff the information out of the packets?

Yes, but nobody has yet. I read this on the newsgroup last week; the two articles in the Slashdot "summary" obviously haven't investigated it beyond quoting these articles.

The news posting in full is:

From: Commander (Commander_rn1@yahoo.com)
Subject: Lexmark Printer Users Beware of Spyware
Newsgroups: misc.consumers, comp.periphs.printers
Date: 2004-11-09 08:17:25 PST

Yes, Lexmark is now in the Spyware business!

Just the other day I purchased a new Lexmark X5250 All-in-one printer.
I installed it as per the instructions and monitored the install with
Norton as I do with all new software.

On reviewing the install log I noticed a program called Lx_CATS had
been placed in the c:\program files directory. I investigated and
found a data log and an initialisation file called Lx_CATS.ini.
Further investigation of this file showed that Lexmark had, without my
permission, loaded a Trojan backdoor on to my computer. Furthermore,
it is embedded into the system registry, so average users would likely
never know it was there and active.

This Lexmark Trojan was programmed to monitor my use of the printer by
way of data collected from two DLLs in the c:\program files\lexmark500
folder. The Trojan would then send information on printer usage,
including types of print activity, scanning activity, OCR activity
etc., back to a hidden URL at 30 day intervals.

The URL, www.lxkcc1.com, is identified as being owned by Lexmark.

When I called and spoke with Lexmark support, they denied all
knowledge of any such program, and suggested I had somehow been
infected by a virus. When I challenged them with the facts, they
ultimately aknowleged that this was indeed activity tracking software
that reported printer and cartridge use back to them for "survey"
purposes. Lexmark said that "no personal data" was relayed by the
program, and that I could not be personally identified by it. However
- the program transmits the printer serial number, and when I
registered the warranty with Lexmark, they recorded my personal
information along with the serial number. How much effort does it take
to match the two?

I call it spying! I was not advised of this part of the installation,
nor was I asked to agree to be part of any such data gathering
activity. I see this as a breach of my privacy, and as deplorable
behaviour by Lexmark.

Lexmark users beware! But, they may not be the only ones stealing your
private information.