Slashdot Mirror


Hidden Codes in Printers Cracked

r84x writes "A research team led by the Electronic Frontier Foundation (EFF) recently broke the code behind tiny tracking dots that some color laser printers secretly hide in every document. The U.S. Secret Service admitted that the tracking information is part of a deal struck with selected color laser printer manufacturers, ostensibly to identify counterfeiters. However, the nature of the private information encoded in each document was not previously known. "We've found that the dots from at least one line of printers encode the date and time your document was printed, as well as the serial number of the printer," said EFF Staff Technologist Seth David Schoen."

14 of 562 comments

  1. Re:Before... by Anonymous Coward · Score: 5, Interesting

    do you really think that "they" have a database they could reference to find out what printer serial number goes to what citizen?

    Yes, they must, otherwise this tracking information is useless, right? They can't be that dumb. And most high-end color printers are sold to businesses and often have service contracts. It's not that hard. How many people buy a printer for cash?

    And many networked printers "phone home" to the manufacturer via email or web. My Xerox Phaser 7750 (great printer, btw) tries to send an email every month to Xerox. They're blocked now.

    Just realize that 99.9% of the world doesn't give a shit about anything you do, and all that paranoia just slips away.

    I know that. But I prefer that my printer doesn't track what I print.

  2. Old Communist ploy gets updated by doublem · Score: 5, Interesting

    In Soviet Russia, anyone who owned a typewriter was required to send a sample page to the government.

    The theory of course being that they would use it to try and track down any subversive content.

    And now the US government has made it quick, easy and automated to do the same.

    I want to know who the bastards are that are adding this technology to their printers so I can avoid them like the plague.

    Yes, I know I could just not send in the registration card, but what if the government decided to crack down on those who criticize the war? Suddenly when they confiscate my printer, they can find out if any of the documents they've declared subversive came from my printer.

    This is too Big Brother for my tastes.

    --
    "Live Free or Die." Don't like it? Then keep out of the USA
  3. So they "cracked" it... by packman · Score: 3, Interesting

    now what? Would there be any way to fake it? Until that's not possible - I have mixed feelings about this - we could be worse off with these findings. As long as this system is out there we can check who printed something ourselves if we really want to... Isn't that a more serious privacy issue? Ok - shouldn't have been there in the first place but as long as there's no way to stop this...

  4. How much is in the driver? by Albanach · Score: 4, Interesting
    How much of this is encoded in the printer driver? In other words, are OSS drivers partially immune?

    I can only imagine the time and date are passed from the host PC - most printers don't know what time/date it is - at least on those I just glanced at I can't set it myself. Of course the network attached ones could have an NTP client but that'd be easily blocked at the firewall.

    At least if you can make every printout say it happened three decades ago you don't need to worry about proving you were not in the office at the time the printout was made.

  5. Re:Before... by Anonymous Coward · Score: 5, Interesting

    I don't know about the USA, but in the UK the only barcode that gets scanned is the 13-digit EAN product code which does not contain any kind of unique serial number.

    Buy a printer and fail to send the warranty card in and there is no entry in any list.

    The reason they have this stuff is so that they can match the printer to the document in the courtroom after they catch you. It's not a tracking system.

  6. Watermark with extra random patterns by G4from128k · Score: 4, Interesting

    Once the code is cracked, anyone can add a pattern of yellow dots that say anything. Assuming someone can tweeze the overlapping codes, they would discover that the document was printed 10/10/05 by printer 2721272 or 5/8/05 by printer 8798798 or 11/2/05 by printer 9813982, etc. If one can get the alignment right, one could even fill in the printer's native dot pattern so that all pages are printed on FF/FF/FF by printer FFFFFFF.

    --
    Two wrongs don't make a right, but three lefts do.
  7. Re:Before... by aug24 · Score: 5, Interesting

    Yeah, I reckon they do. I work implementing such systems. Read on...

    Modern asset tracking systems use the serial number of each big-ticket item to track it (if it is serialised - most expensive kit is). The asset, whatever it is, is tracked from entry to the system through to exit - with an EPOS transaction being recorded against it as it leaves if sold.

    It is pretty damn easy for a database coder to write a bit of SQL to say 'give me the credit card number that bought this item'. I could do it in minutes.

    Provided the Feds wanted to track a given machine, and it had been bought with plastic, there's no reason they shouldn't be able to find that info very easily, given the cooperation of the vendors. Your last para relies on you not being someone the Feds are interested in - and that relies on you assuming they won't be interested in people who haven't broken the law. I hope you are right, but recent events suggest otherwise to me...

    Justin.

    --
    You're only jealous cos the little penguins are talking to me.
  8. Quit being clueless. by cnelzie · Score: 5, Interesting

    Let's assume you purchase your color laser printer with cash.

    Let's assume you take that home and hook it up to your Windows XP Home Edition printer.

    Now, that printer is installed and it requests you "Register" the printer. You decline to do so.

    During the normal course of use, a little dialog box pops up stating that there is an update to download from your color laser printer manufacturer's website and the printer application will be more than happy to do so.

    How does your application know that it needs to be updated? Well, it checked with a central server.

    If that application checks with a central server, would it be difficult to imagine that the central server would be able to obtain the following?

    IP Address, Printer Serial number, timestamp of communication.

    With just the timestamp and the IP Address your PC used to communicate with the central server, you can be easily traced. It's easier if you are on broadband, slightly more difficult if you are on a service like AOL or MSN.

    I am not being a tinfoil hat wearer here. I am just pointing out that it is actually easier to track down a user of a particular printer than you believe it to be.

    The only way to be more anonymous with such a cash paid color laser printer purchase would be to never connect it to a PC that has Internet Access.

    --
    If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
  9. Re:Before... by xappax · Score: 4, Interesting

    God bless the PATRIOT Act, which among many other things, grants law enforcement agencies broad privileges to private corporate information in the name of investigating "terrorism". Fact is, neither the FBI nor Xerox would have to (or in Xerox's case, be allowed to) tell you that they had shared their serial number database with the government.

    I hear the argument over and over again that "just because they're allowed to, the government doesn't have time to spy on little old you, so quit being paranoid". This is true, and the government realizes it, which is why they are striving for "Total Information Awareness". The idea is that all the information the feds could ever desire is already collected in outrageous detail by private organizations like the phone company, ISPs, bookstores, etc. - so why not just pass laws granting the Feds unrestricted, secret access to this info? That way, the government doesn't have to have been spying on you your whole life. The moment you get caught up in some "suspicious" incident like looking around too much on the subway or criticizing the American government while in an American airport, your whole history is at the government's fingertips (including, now, what documents you printed!), and believe me, they'll find reasons for suspicion.

    God bless the PATRIOT Act, my friend.

  10. Re:Printer Friendly Version? by Pig Hogger · Score: 4, Interesting
    Hell, it's not like anyone actually cares what you print unless you're doing something illegal that would warrant them spending a lot of time and money to try and find you.
    Don't ever think it won't happen to you for no reason. If you do, one day, I'll guarantee you'll be in for a very rude awakening.

    Just wait until you get your ass hauled in by an overzealous cop while you were doing something perfectly innocent or legal (like photographing old buses at a busy intersection - I know, it happened to me. Two hours of vacation down the drain because some shit-brained bitch thought I was a terrorist - no, don't ask what happened in her sorry neurons to think that).

    Cops think they are above normal civilians and do not hesitate to abuse their powers. For them, making a lowly civilian life hell is just what swatting a fly is for you.

    The easier it is to abuse their power (like finding out where one photocopy was made), the more likely they will do it.

    Now that the EFF has published the "secret" code, everyone can do it, including that jealous spouse, screwy boss or suspicious business associate.

  11. Re:Printer Friendly Version? by Alsee · Score: 3, Interesting

    I think it's great that finally, we will be able to frame people we don't like with the greatest of ease. Just use their printer to print something illegal, or burn a CD on their PC!

    You don't even need to use someone's printer to frame them. All you need is to scan anything that they have printed and copy the hidden code on the page and then use image software to overlay that code onto your own page image and print it using a printer that doesn't embed its own code (or hack your printer to change its serial number to match the target's serial number).

    You can do the same with a CD, but you'll probably need to patch your CD drive's software to embed the target's CD drive number.

    -

    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  12. Re:Printer Friendly Version? by CyricZ · Score: 3, Interesting

    Actually, it could cause a lot of inconvenience. Suppose a dirty printer head leads to the code being misprinted. A printed document, with the incorrect information, is involved in a murder or child rape investigation. Suddenly you become a suspect, even though you had no involvement, and the problem was with the printer. You could potentially be stuck defending yourself against baseless charges. That can take a massive financial toll, not to mention ruin your reputation. Hardly without inconvenience, indeed.

    --
    Cyric Zndovzny at your service.
  13. Re:Printer Friendly Version? by tha_mink · Score: 4, Interesting

    Actually, it could cause a lot of inconvenience. Suppose a dirty printer head leads to the code being misprinted. A printed document, with the incorrect information, is involved in a murder or child rape investigation. Suddenly you become a suspect, even though you had no involvement, and the problem was with the printer. You could potentially be stuck defending yourself against baseless charges. That can take a massive financial toll, not to mention ruin your reputation. Hardly without inconvenience, indeed.

    Or even worse...you buy and register a printer, and six months later sell it to some registered sex offender. It's a cash deal with no records. Six months and one day later that printer is used for some kidnapping ransom note or some shit. Who would believe it wasn't you? Your mom?

    --
    You'll have that sometimes...
  14. Re:Freedom DOES mean PRIVACY by quarkscat · Score: 4, Interesting

    "There seem to be a lot of people who confuse *freedom* with *freedom to do antisocial stuff and remain anonymous*."

    Ahh. Spoken like a true fascist. You are taking the right of free expression in a democratic society and chaining it to the dungeon wall with the use of another as yet to be defined term, "antisocial stuff". Would that be "antisocial" as defined by the ruling political party, whichever religious sect is currently in vogue, or perhaps as determined by a public poll?

    "Free speech is not free *anonymous* speech."

    What a crock! One of the basic rights any citizen of a democracy has is the right to vote, PRIVATELY. No other person, group of persons, or government entity is granted the right to know how an individual votes -- without such privacy protections the entire foundation of democracy is open to the social, political or financial pressure to vote a particular way.

    And only in a democracy falling to the continued pressures of fascist statism would the government redefine the ephemeral and undefined term "free press" only as persons engaged in journalistic activities employed by corporate media moguls.

    I would suggest that you spend a few years in the "new and improved" fascist USSR, being run by an ex-KGB general, and experience the fruits of your specious argument firsthand.