Slashdot Mirror
Hidden Codes in Printers Cracked
r84x writes "A research team led by the Electronic Frontier Foundation (EFF) recently broke the code behind tiny tracking dots that some color laser printers secretly hide in every document.
The U.S. Secret Service admitted that the tracking information is part of a deal struck with selected color laser printer manufacturers, ostensibly to identify counterfeiters. However, the nature of the private information encoded in each document was not previously known.
"We've found that the dots from at least one line of printers encode the date and time your document was printed, as well as the serial number of the printer," said EFF Staff Technologist Seth David Schoen."
Its a good thing that I can't print. [warning: experimental music made from printer noises]
Anyone have a printer friendly version? On second thought.... nevermind. //Tin foil hat on
Before anyone has a conniption, consider this: do you really think that "they" have a database they could reference to find out what printer serial number goes to what citizen? I don't. I know they could, but I choose to believe (most likely for good reason) that they don't.
Just realize that 99.9% of the world doesn't give a shit about anything you do, and all that paranoia just slips away. That's what I did.
For those interested in a quick summary, the docucolor example is the best place to look. (it has pictures!)
More information can be found on the EFF's printer-privacy webpage.
Also interesting is Andrew Bunnie's flat bed page scanner mod to use blue light instead of white. This made the yellow tracking dots easier to see, and the whole page could be seen at once to determine the pattern they made.
HIV Crosses Species Barrier... into Muppets
I wonder if ink jet manufacturers are doing this or will do this soon? Anyone in the know?
Anthony Papillion
Advanced Data Concepts, Inc.
"Quality Custom Software and IT Services"
"If you can read this, you are about to be busted"
The grass is always greener on the other side of the light cone.
I bet most people's printers will print "Jan-01 1980 12:00" in little blinking dots.
I love conspiracy math: Lets see, conservative estimate of 400 million printers in North America alone, and no method of tracking serial number to location or owner past the original purchase, assuming cash was not used. So, hmmmm a data base with 400 million records, tied to dubious information... yeah, that's useful, but on second thought, it would allow police to figure out if the printer that counterfit documents were created with was in North America or Europe... that would be helpful, but not really worth putting on the tin foil hats.
:)
Anyway, so the government requires each printer manufacturer to maintain a database of all printers sold, so that if needed, they can subpeona the records? No wonder printer ink costs so much
I'm thinking that this would only go so far, and not be much more useful than a database of gun rifling marks?
Support NYCountryLawyer RIAA vs People
In Soviet Russia, anyone who owned a typewriter was required to send a sample page to the government.
The theory of course being that they would use it to try and track down any subversive content.
And now the US government has made it quick, easy and automated to do the same.
I want to know who the bastards are that are adding this technology to their printers so I can avoid them like the plague.
Yes, I know I could just not send in the registration card, but what if the government decided to crack down on those who critisize the war? Suddenly when they confiscate my printer, they can find out if any of the documents they've declared subversive came from my printer.
This is too Big Brother for my tastes.
"Live Free or Die." Don't like it? Then keep out of the USA
now what? Would there be any way to fake it? Until that's not possible - I have mixed feelings about this - we could be worse off with these findings. As long as this system is out-there we can check who printed smth ourselfs if we really want to... Isn't that a more serious privacy issue? Ok - shouldn't have been there in the first place but as long as there's no way to stop this...
You'd think it would be easier to...
:)
A1. scan as normal
A2. separate the channels into CMYK in Photoshop/whathaveyou
A3. inspect the Yellow channel.
B1. scan as normal
B2. separate the channels into RGB in GIMP/whathaveyou
B3. do a difference matte between the channels
B4. inspect the result
C1. replace the yellow toner cartridge with a black one
C2a. stock the other holders with empty cartridges
C2b. or if that causes a printer error/warning, block the cartridges' output
C3. print
D1. get a sheet of blue filter plastic
D2. scan through that
But I guess the array of blue LEDs with soldering involved is a lot more geeky
Great. Now I know what data is in the dots. It includes as expected serial numbers and dates, but not what I had for breakfast, nor the color of my underwear!
What would be interesting is info on how to keep the printers from putting the dots in at all. If it's not possible, then don't buy one of those printers if you care about it that much. There is a list of manufacturers that put *some* info in your printed docs, so why not just avoid those? Do you really care if the date/time is on it? Even the serial number is useless in reality. If I steal the printer from someone's home in Boston, and transport it Houston, where I print my subversive literature for global distribution, the only thing the SS can tell from the dots is "Yep.. It was printed on printer 3437938 at 10am on a friday three months ago"
Now if it had GPS coordinates included, that would be a little more scary..
Just send in the little round yellow guy to eat some of the dots and confuse the feds. No more paranoia!
You see? You see? Your stupid minds! Stupid! Stupid!
hehe seen the paranoia already. I feel that your looking at this all wrong.
instead of using a large database to hold every printers details. the authorities will use this information after they have caught a criminal to aid in the conviction. with the evedience of the printer and some sample counterfit examples. it would be very easy to tie that person to the crime.
the other example I can think is to find out how many counterfitters there could be. if they get 10 examples and the codes all match. then they know they are dealing with the same person. if there are codes from 2 or 3 differnt printers. then it could be a ring of people.
I think this is a exelent aid for the autotities and feel that the only people that have things to worry about are the people doing wrong out there.
just my 2 pence worth. Fuas.
I can only imagine the time and date are passed from the host PC - most printers don't know what time/date it is - at least on those I jsut glanced at I can't set it myself. Of course the network attached ones could have an NTP client but that'd be easily blocked at the firewall.
At least if you can make every printout say it happened three decades ago you don't need to worry about proving you were not in the office at the time the printout was made.
That's pretty disgustingly low behaviour. Makes you wonder what other identifying information might be written into seemingly random data.
Improve, or something else....? TCP timestamps too. Just use the LSB, and by making it a 1, or a 0, and you can transmit infomation hiddenly..
Get your own free personal location tracker
Instead of sereptitiously putting in tracking codes in customer's documents, maybe the government should investigate the price gouging practice that ink cartridge manufacturers use to boost their profits?
r idge_Price_Fixing.htm
I want my money back for the ID dots that were printed without my knowledge or consent. A sum of $3000.00 will be sufficient to cover all past and future ink cartridge costs.
From http://www.atlascopy.com/newsletters/Printer_Cart
CNET.com analyzed the cost for inkjet printing and reported that the costs ranged from 14 cents to $1.32 per page. If it costs 21 cents per page and you print only an average of two pages per day, the annual cost of ink would be more than the cost of the printer.
The ink cartridge for a low end HP printer, containing only one tiny ounce of ink, costs a mind boggling $30.00! That's price gouging, and all printer manufacturers are doing it. That's called PRICE FIXING and it's illegal. To add to the rip-off, some of them put all the colors into one cartridge. Then you have to buy a new cartridge when only one color runs out, wasting the remaining ink.
He who knows best knows how little he knows. - Thomas Jefferson
They say the date and time is encoded besides the printer serial number. What I can't grasp, how should a color laser printer know the exact time? It is simply a peripheral and not necessarily network attached.
-Eric
SJW: Someone who has run out of real oppression, and has to fake it.
Once the code is cracked, anyone can add a pattern of yellow dots that say anything. Assuming someone can tweeze the overlapping codes, they would discover that the document was printed 10/10/05 by printer 2721272 or 5/8/05 by printer 8798798 or 11/2/05 by printer 9813982, etc. If one can get the alignment right, one could even fill-in the printer's native dot pattern so that all pages are printed on FF/FF/FF by printer FFFFFFF.
Two wrongs don't make a right, but three lefts do.
Given all the tin foil hat activity lately, I see this as CBS' next spinoff.
I'm all for it. Especially if you get that MILF Marg Helgenberger. Woohooo!!!
Tracking to the home would be difficult but tracking to an area is more realistic. If there is a serial # embedded in to the code, the manufacturer can track that # to a particular store or warehouse. While this isn't enough to catch anyone alone, it could be used as supporting evidence in an ongoing case. Ofcourse, if a conterfeiter is stupid enough to actually register the printer (like the other 1% of the population) then they deserve to be cought in the first place.
Here's my suggestion: get newspaper or magazine (with big letters preferrably), glue, scissors and some paper. Cut letters of liking, assemble and paste to paper. Oh and wear gloves.
here a guy opened up his HP printer and looked at the chips involved. It appears that all the printers with hidden codes use the Canon print engine board. Changing the pattern might be as easy as reflashing an eeprom.
Let's assume you purchase your color laser printer with cash.
Let's assume you take that home and hook it up to your Windows XP Home Edition printer.
Now, that printer is installed and it requests you "Register" the printer. You decline to do so.
During the normal course of use, a little dialog box pops up stating that there is an update to download from your color laser printer manufacturer's website and the printer application will be more then happy to do so.
How does your application know that it needs to be updated? Well, it checked with a central server.
If that application checks with a central server, would it be difficult to imagine that the central server would be able to obtain the following?
IP Address, Printer Serial number, timestamp of communication.
With just the timestamp and the IP Address your PC used to communicate with the central server, you can be easily traced. It's easier if you are on broadband, slightly more difficult if you are on a service like AOL or MSN.
I am not being a tinfoil hat wearer here. I am just pointing out that it is actually easier to track down a user of a particular printer then you believe it to be.
The only way to be more anonymous with such a cash paid color laser printer purchase would be to never connect it to a PC that has Internet Access.
If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
If you're printing out your ransom demands on a color laser printer, send a photocopy of the printout instead.
And yes, stores can be required to scan those S/Ns if the feds so desire, and it can be made to stick. Bank tellers don't get paid all that much more than Best Buy clerks, but the threat of 20 years in the federal pen gives them a bit of incentive to follow the money-laundering reporting procedures. Heck, I heard a discussion between two entry-level postal clerks the other day about how much fun they had spotting drug dealers and reporting them.
sPh
Thanks largely to the invention of this nifty thing called a microprocessor adding the serial number on a sticker on each box costs tenths of pennies, not millions, and saves thousands if not millions in dealing with the distribution & maintenance channels.
My Toshiba laptop box not only had the serial number on the box, but when it went in for service the Tohiba rep knew which retailer it was sold through...
feel free to mod this down (-1 mod angry).
If you think imaginary property and real property are the same, when does your house become public domain?
> Do you know anything baout barcodes?
Yes actually I do (I have worked in the print industry). You don't from your comments. Barcodes do in fact have serial numbers on them. Normally the actual serial number is printed below the barcode in question.
Printing custom serial numbers to boxes is very easy to do and does not have a huge major factor on the pricing of the box. Even if the printer company don't do the boxes in house they can have a conveyor type system that scans the serial on the printer and drops a label onto the box with the serial number. That serial number would have a batching number (so they can determine what load went where).
>The best they could do is identify which store the item was shipped to.
From there they can track where the printer was sold from there. Shops keep records of sales which can be cross referenced against Credit card, CCTV or interviewing people on the day.
>If you honestly think that companies have the time and money to track
> things to that ability, you are crazy. It would cost them *millions*,
> and benefit them zero
Actually any company that doesn't track is stock it probably costing themselves millions.
Do you even work? o_O
To answer your question, (And from the TFA) http://www.eff.org/Privacy/printers/list.php
Yes, there are many on that list.
Yep, I never spell check.
More incorrect spellings can be found he
If I buy a $50 DVD player at wallmart, the register prompts the clerk to scan the serial number barcode. Last year I had a few clerks look very confused. One said "I don't want to type that" and I pointed out that they could use their barcode scanner.
If they track it, everyone does. Everything I mail order has the barcode scanned and printed on the packing slip.
Get a clue.
The companies don't have the time or money, but the government definately does. Any company I've worked for, if asked by a semi-anonymous "federal" agency for information, rolls over like a scared puppy. The government has (like Spiegel) nothing but time to spy on its citizens. They are the paranoid ones that we need to be watching out for, they are the crazed mumbling guy on the streetcorner that everybody goes out of their way to avoid. Handing them technology like this is like handing the aforementioned freak an automatic weapon. Sooner or later he'll figure out how to use it to fight off the voices that keep pestering him. Sooner or later, the government will figure out how to use this technology to oppress its citizenry.
When I bought my GBA SP, a measly $100 piece of equipment, they scanned the serial number along with the item barcode.
I have worked for a couple years in a sister company of a copier distro and have actually had several discussions about this with the techs.. Yea, there is a hidden code embedded in the ones we sell. (of course we sell commercial color machines), and according to the guys who rip them apart on a daily basis, there is a way around it (i haven't verified this tho). For each one of the printers, there is a "US" driver and an "Other" driver. From what I understand, all you do is switch the driver to the non US version and the printers no longer identify. (I would love eff to test this theory, as I already run all mine w the "generic" drivers.
Of course, this might actually prove useful in the future for historians analyzing our garbage for dating our documents. Assuming, of course, that these tiny dots can survive for a useful amount of time.
No wonder the yellow always runs out first!
...unlikely conspiracy that turned out to be true. Or do you know of any even more unlikely but true comspiracies?
They have since changed that practice, I believe. (there was an enhancement request logged almost 5 years ago to take care of it)
The more robust CRM/Order Management systems that have serialization tracking would allow you to associate a customer number (and consequently all customer data) with a product serial, but the CC# should be next to impossible to retrieve.
Best practices, and all that.
You better watch out, there may be dogs about . .
The "if you have nothing to hide" apologists for elimination of freedoms is a slippery slope to totalitarianism. Orwell would snicker!
When the people fear their government, there is tyranny; when the government fears the people, there is liberty.
There are 3 types of counterfeit artists:
1. The casual home counterfeiter. A guy with an inkjet who is 'having fun.' These guys get caught quickly by the secret service.
2. The black market Wal*Mart, a.k.a. the Mob. They reconstitute $1 bills into pulp, reform the cotton into large sheets, and silkscreen new 'old style' $100 bills. By using the real paper and near-perfect ink in the old style bills, they get past the verification pens and bank scanners. Funny thing is, this style of counterfeit is almost dead as credit card fraud is much more lucrative and far safer. Bank draft fraud and money order fraud is easier, too.
3. The Federal Reserve. Yes, Alan Greenspan and friends is actually the #1 counterfeit organization in the world. Because our currency is no longer backed by hard metal, the FRB is allowed to counterfeit billions of new dollars annually. The is legal by acts of Congress, and is not only the biggest reason for inflation, it is also the cause of the stock market bubble and the housing bubble. It also allows the government to finance off budget programs by introducing new currency into circulation.
Incorporating these security dots only helps catch common criminals, not large scale organizations. And the worst violator, the FRB, counterfeits legally.
Quite frankly, you have no idea what you are talking about. I work in high-end color, and all of our toner devices have this encoding technology. I have talked to plenty of people in the industry, who sell these machines. They are required, by law, to record the serial number and purchaser of every such device. Furthermore, they are required by law to record the sale of any electronic part used in these devices, and yes, all the boards are individually keyed to the serial number of the device. Swap boards with another device, and the machine stops functioning.
This is also true of the mid-range color laser printers you purchase at your local Best Buy or Micro Center. In fact, if you open your eyes at the checkout and actually pay attention, you would notice that after they scan the bar-code, their register prompts them to either scan the serial number bar-code, or hand-key in the serial number. Now, they may not be required to record your name and address, but they most certainly can trace it back to your credit card.
The whole point of this is to catch counterfeiters. It's useless to know the serial-number of a device if you don't know where it was sold.
Mir tut es leid, Menschen daß Einfältigfehlersuchenbaumfolgendenaffen sind.
In the UK the immediate assumption would be that the quid pro quo for the printer manufacturers would be the contracts to supply to government agencies, so the next time an inconvenient government document was leaked to the press they could be straight on to where it leaked from.
Jerry
Is there potential to sue the printer mfgs (esp. outside the US) because the printer is not doing its best to produce a faithful printout (i.e. adding extra information to the page not intended by the user, irrespective of the fact that it's hard to make out). I mean, people who wear blue Beatles specs must be driven nuts :)
That being said, if all the printer problems I had were a few yellow dots I'd be doing well...
now that the code has been publically cracked, the government agencies know that it is unreliable
Courts regularly accept logfiles from ISPs as evidence, yet we all know how "reliable" those are. It's all accepted as contributory evidence, not simply black or white.
So how are you going to defend yourself against a ransom note bearing your printer's serial number and a time and date when you were proveably at home? Good luck hoping that the judge knows that it's "unreliable" and could have been forged by criminals, when the prosecution's well-paid lawyers and experts are telling him that this evidence is very likely to be authentic.
Actually, most intelligent people know that the Democrats and Republicans are all cut from the same pile of shit, and have been for ages. They're not there to help out any regular American citizen. They're out to represent and aide their various business interests, be them the entertainment industry or the petroleum industry.
Indeed, that's one of the reasons that most sane people are so fearful of technology such as this. Your system itself is flawed, in that nobody is truly representing you, as a citizen. Companies can get away with this, and then others can get away with abusing such information. Were true conservatives or liberals in power, then this would never be allowed to happen, and the companies that did participate in this activity would be punished. Why is that? Because true conservatives and true liberals care about individual rights.
Cyric Zndovzny at your service.
Afraid I don't share your optimism.
First of all: there is an intrusion, a loss of freedom, even when the power is not abused. In the 60s, your average hippy could pretty much buy a car using cash and drive to San Franciscoi - now you need a ton of paperwork, legal docs, and so on. You can no longer buy a car using cash - not a new car anyway. Another example: in the 1960s the government did not know what I spent my money on. Now it does. That represents a serious loss of freedom even if the government does not curremtly abuse that new power. These losses of freedom may or may not be necessary, but they need robust discussion and debate before they happen.
The second point: these powers DO get abused. An example. During German occupation in WW2, the Dutch sent more Jews to the concentration camps, as a percentage of the population, than any other nation save Germany. Why? They had a very efficient tracking system that from birth to grave tracked everyone's address, race, relatives' addresses, and so on. Guess what - at the first opportunity, the new people in power abused that power and traced all Jews and sent them to their deaths. Interestingly, in the years leading up to WW2, the Dutch had a debate much like this one, and the consensus was that "if you have done nothing wrong, you have nothing to fear".
Examples abound: when you give away your freedoms you (a) lose those freedoms (and the freedom to buy a printer anomymously may not seem such a big deal to you - but it IS a freedom!), and (b) over time, they sometimes get abused: you can count on a certain percentage of this happening.
Michael
---
BDOS ERR ON A:>
Since every government deployment of new technology for law enforcement is supposed to net these awesome reductions in [insert targeted criminal act here], I'd like to see statistics on just how many counterfeiters have been caught using this method of tagging printed documents.
It's a trade-off.
It's a tough call for the end-user oriented sites; if you're selling books and it takes a bunch of hoops to make a purchase. . . chances are they'll shift to a more user-friendly site such as Amazon. (the security minded, perhaps not. But that's probably not your customer base except in niche markets).
Big trade-off to make.
You better watch out, there may be dogs about . .
> Is it legal to do what the EEF did
I'm sure the EFF would *love* for the US Gov't to make a stink over this.
-fb Everything not expressly forbidden is now mandatory.
There seem to be a lot of people who confuse *freedom* with *freedom to do antisocial stuff and remain anonymous*. These are not the same things.
Free speech is not free *anonymous* speech.
We all want cheap color printers. Fine. We don't want the world flooded with forged documents -- so we take some barely perceptable measures to curb that. Deal with it.
Guns are meant to kill, and only operated by qualified personelle, so they should be identified.
No, guns are meant to direct a projectile in a given direction. Not unlike a golf club, actually. And of course, you can kill people with a gun, or with a golf club. And, "qualified"? What do you mean? The only qualification you need in most states, especially for shotguns and rifles, is to not be a criminal. At least we still have that relative freedom.
I use guns all the time, and have never killed anybody. I have, though used a gun to prevent harm from coming to somebody, but you're obviously not interested in hearing about that (since it would ruin your argument).
Same with explosives.
What world do you live in? As I expressly mentioned, those are tools used by farmers (to pull out tree stumps and rocks), construction workers (to help build foundations and roads), etc. Do you know how many thousands of times a day people use explosives in mining, agriculture, and construction... and no one is killed?
How to you figure that a printer's registration of its serial number controls information? Do you have a single bit of evidence that suggests that anyone, ever, has used that feature of those products to in any way prevent anyone from disseminating information (other than "information" in the form of counterfeit documents)? No, you don't.
Why dont people get this?
controling guns = good
controling instructions on building a gun = bad
Do you even hear yourself? People don't get that because it's irrational and impractical. You want freedom (of communication) but not the freedom to use your freely obtained information to defend yourself? How about a more sane (and constitutionally valid) take on it:
controlling information about guns = bad
holding people accountable for their actions = good
Did you know that the rate of murder in the country was actually down last year? In my county, it has actually gone up. And that's not people being shot by other people with guns: it's people being stabbed by people with knives. Do you recommend that only "trained personnel" have access to sharp metal things? Are knives only meant to kill people? If you don't think so, then don't you see the ridiculous double standard? Further, don't you think that people who don't want to be stabbed to death should have the means by which to defend themselves? Or, are you recommending (since you're not a big one on holding people accountable for their actions) that we have police officers at every house to make sure that everyone is safe from throat-cutting gang members, all the time? I'd rather not live under those circumstances, thank you, but I'd also like the option of preventing an idiot with a knife from hurting my family. You control the information in society, you control alot more than knowing whether your vehicle has been in an accident 5 years ago
I absolutely guarantee that your privacy is at much greater risk from the information about your car than it is from the serialization of your printer output. Your tag numbers are recorded by databases as you pass through toll stops, your registration of your vehicle (and its type, the insurance you have on it, the work you've had done on it, including the mileage you've used, and much else) is easily cross referenced. On most newer vehicles, data recorders know how fast you've been going lately (including how you were accelerating or braking, etc., at the time of an accident). Fancy new nav systems in cars leave a lengthy trail of GPS-based information about where you've been lately, and how fast you were driving when you went. That type of information is being gathered and chewed on way, way more often and by more parties than your hardcopy laser printer output ever will be (especially if you're not faking official documents).
Don't disappoint your bird dog. Go to the range.
http://www.eff.org/Privacy/printers/list.php/
Actually, I bet it does have an internal clock. New fancy laser printers have new fancy computers inside. Many even have a built in webserver for changing setting and doing maintenance. Just go to the designated IP and you can do all sorts of things. Many printers can even keep a detailed printing log. These printers used for coutnerfeiting aren't your HP Deskjets from Wal-Mart.
"There seem to be a lot of people who confuse *freedom* with *freedom to do antisocial stuff and remain anonymous*."
Ahh. Spoken like a true facist. You are taking the right of free expression in a democratic society and chaining it to the dungeon wall with the use of another as yet to be defined term, "antisocial stuff". Would that be "antisocial" as defined by the ruling political party, whichever religious sect is currently in vogue, or perhaps as determined by a public poll?
"Free speech is not free *anonymous* speech."
What a crock! One of the basic rights any citizen of a democracy has is the right to vote, PRIVATELY. No other person, group of persons, or government entity is granted the right to know how an individual votes -- without such privacy protections the entire foundation of democracy is open to the social, political or financial pressure to vote a particular way.
And only in a democracy falling to the continued pressures of fascist stateism would the government redefine the ephemeral and undefined term "free press" only as persons engaged in journalistic activities employed by corporate media moguls.
I would suggest that you spend a few years in the "new and improved" fascist USSR, being run by an ex-KGB general, and experience the fruits of your specious argument firsthand.
Working in big box retail sales, specifically in warranty repair, I do know what I'm talking about.
It is astoundingly rare for cashiers to actually scan the serial numbers off product boxes, even when they're available as barcodes. Far more often they simply scan the normal UPC a second time or scan the model number UPC.
If they have to actually read the serial number and type it in they generally either skip the serial or fat finger the keyboard to make it look as if they've entered a serial number, creating no end of problems for warranty reimbursement.
If the security of the nation is coming down to cashiers who make six dollars an hour... well then, I guess we're up the creek.
I can't believe it has taken 9 years for this to make it to the public...
I work for Xerox, we actually tell customers about this as a security feature of the machines. The article mentions that Xerox devices are more common in offices rather than homes (true) but company suits want to know that their employees aren't going to be making copies of currency (or stamps, bonds, etc.) on office equipment, thereby making them liable in some way, shape or form.
If you try to copy a US $ bill on a Xerox, you get a smudgy black blob anyway. It works with a few currencies, but it has the security dots on it (invisible to the naked eye) all over the page. We have been asked to identify the source a few times, and it is usually guys working in pay-for-print copy stores that get busted for conterfieting.
Other than that, there is no way we can track anything other than the time and place of the copy. So quit stressing.
Dan. -- So what if it's spelt wrong, nobody's perfect