Hidden Codes in Printers Cracked
r84x writes "A research team led by the Electronic Frontier Foundation (EFF) recently broke the code behind tiny tracking dots that some color laser printers secretly hide in every document.
The U.S. Secret Service admitted that the tracking information is part of a deal struck with selected color laser printer manufacturers, ostensibly to identify counterfeiters. However, the nature of the private information encoded in each document was not previously known.
"We've found that the dots from at least one line of printers encode the date and time your document was printed, as well as the serial number of the printer," said EFF Staff Technologist Seth David Schoen."
It's a good thing that I can't print. [warning: experimental music made from printer noises]
Anyone have a printer friendly version? On second thought.... nevermind. //Tin foil hat on
Before anyone has a conniption, consider this: do you really think that "they" have a database they could reference to find out what printer serial number goes to what citizen? I don't. I know they could, but I choose to believe (most likely for good reason) that they don't.
Just realize that 99.9% of the world doesn't give a shit about anything you do, and all that paranoia just slips away. That's what I did.
For those interested in a quick summary, the docucolor example is the best place to look. (it has pictures!)
More information can be found on the EFF's printer-privacy webpage.
Also interesting is Andrew Bunnie's flat bed page scanner mod to use blue light instead of white. This made the yellow tracking dots easier to see, and the whole page could be seen at once to determine the pattern they made.
HIV Crosses Species Barrier... into Muppets
"If you can read this, you are about to be busted"
The grass is always greener on the other side of the light cone.
I bet most people's printers will print "Jan-01 1980 12:00" in little blinking dots.
I love conspiracy math: Let's see, conservative estimate of 400 million printers in North America alone, and no method of tracking serial number to location or owner past the original purchase, assuming cash was not used. So, hmmmm a data base with 400 million records, tied to dubious information... yeah, that's useful, but on second thought, it would allow police to figure out if the printer that counterfeit documents were created with was in North America or Europe... that would be helpful, but not really worth putting on the tin foil hats.
:)
Anyway, so the government requires each printer manufacturer to maintain a database of all printers sold, so that if needed, they can subpoena the records? No wonder printer ink costs so much.
I'm thinking that this would only go so far, and not be much more useful than a database of gun rifling marks?
Support NYCountryLawyer RIAA vs People
In Soviet Russia, anyone who owned a typewriter was required to send a sample page to the government.
The theory of course being that they would use it to try and track down any subversive content.
And now the US government has made it quick, easy and automated to do the same.
I want to know who the bastards are that are adding this technology to their printers so I can avoid them like the plague.
Yes, I know I could just not send in the registration card, but what if the government decided to crack down on those who criticize the war? Suddenly when they confiscate my printer, they can find out if any of the documents they've declared subversive came from my printer.
This is too Big Brother for my tastes.
"Live Free or Die." Don't like it? Then keep out of the USA
Now what? Would there be any way to fake it? Until that's not possible - I have mixed feelings about this - we could be worse off with these findings. As long as this system is out there we can check who printed something ourselves if we really want to... Isn't that a more serious privacy issue? Ok - shouldn't have been there in the first place but as long as there's no way to stop this...
You'd think it would be easier to...
:)
A1. scan as normal
A2. separate the channels into CMYK in Photoshop/whathaveyou
A3. inspect the Yellow channel.
B1. scan as normal
B2. separate the channels into RGB in GIMP/whathaveyou
B3. do a difference matte between the channels
B4. inspect the result
C1. replace the yellow toner cartridge with a black one
C2a. stock the other holders with empty cartridges
C2b. or if that causes a printer error/warning, block the cartridges' output
C3. print
D1. get a sheet of blue filter plastic
D2. scan through that
But I guess the array of blue LEDs with soldering involved is a lot more geeky
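Steps A1-A3 and B1-B4 in the comment above, as an added example that is not part of the original thread: a pure-Python sketch that isolates pale yellow dots in scanned RGB pixels and bins them into a grid. The thresholds, grid pitch and sample page are constructed assumptions, and the code only locates dots; it does not decode them.

```python
# Added example: find faint yellow dots in a scan by channel separation.
# A scan is modelled as rows of (R, G, B) tuples, 0-255, so no image library is needed.

def yellow_strength(pixel):
    """Yellow toner absorbs blue light: R and G stay high while B drops.
    Return how far B falls below the weaker of R and G."""
    r, g, b = pixel
    return max(0, min(r, g) - b)

def find_yellow_dots(image, threshold=25, min_brightness=200):
    """Return (row, col) of pixels that look like yellow dots on light paper.
    threshold and min_brightness are assumed values; tune them per scanner."""
    hits = []
    for y, row in enumerate(image):
        for x, (r, g, b) in enumerate(row):
            # Bright R and G rules out black text and saturated artwork.
            if min(r, g) >= min_brightness and yellow_strength((r, g, b)) >= threshold:
                hits.append((y, x))
    return hits

def dots_to_grid(hits, pitch, rows, cols):
    """Bin dot positions into a rows x cols matrix of 0/1 cells of `pitch` pixels.
    Grid size and pitch are assumptions; measure them on the actual scan."""
    grid = [[0] * cols for _ in range(rows)]
    for y, x in hits:
        gy, gx = y // pitch, x // pitch
        if gy < rows and gx < cols:
            grid[gy][gx] = 1
    return grid

def build_sample_scan():
    """Constructed 12x16 test page: off-white paper, four pale yellow dots,
    one black text pixel and one blue ink pixel that must not be reported."""
    paper, dot = (250, 250, 245), (250, 250, 200)
    image = [[paper] * 16 for _ in range(12)]
    for y, x in [(1, 1), (1, 9), (5, 5), (9, 13)]:
        image[y][x] = dot
    image[6][10] = (20, 20, 20)    # black text
    image[2][3] = (40, 60, 200)    # blue ink
    return image

if __name__ == "__main__":
    dots = find_yellow_dots(build_sample_scan())
    for line in dots_to_grid(dots, pitch=4, rows=3, cols=4):
        print("".join("#" if cell else "." for cell in line))
```

The same blue-absorption effect is why scanning under blue light or through a blue filter makes the dots stand out.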
Just send in the little round yellow guy to eat some of the dots and confuse the feds. No more paranoia!
You see? You see? Your stupid minds! Stupid! Stupid!
I can only imagine the time and date are passed from the host PC - most printers don't know what time/date it is - at least on those I just glanced at I can't set it myself. Of course the network attached ones could have an NTP client but that'd be easily blocked at the firewall.
At least if you can make every printout say it happened three decades ago you don't need to worry about proving you were not in the office at the time the printout was made.
Once the code is cracked, anyone can add a pattern of yellow dots that say anything. Assuming someone can tweeze the overlapping codes, they would discover that the document was printed 10/10/05 by printer 2721272 or 5/8/05 by printer 8798798 or 11/2/05 by printer 9813982, etc. If one can get the alignment right, one could even fill-in the printer's native dot pattern so that all pages are printed on FF/FF/FF by printer FFFFFFF.
Two wrongs don't make a right, but three lefts do.
Here a guy opened up his HP printer and looked at the chips involved. It appears that all the printers with hidden codes use the Canon print engine board. Changing the pattern might be as easy as reflashing an eeprom.
Let's assume you purchase your color laser printer with cash.
Let's assume you take that home and hook it up to your Windows XP Home Edition printer.
Now, that printer is installed and it requests you "Register" the printer. You decline to do so.
During the normal course of use, a little dialog box pops up stating that there is an update to download from your color laser printer manufacturer's website and the printer application will be more than happy to do so.
How does your application know that it needs to be updated? Well, it checked with a central server.
If that application checks with a central server, would it be difficult to imagine that the central server would be able to obtain the following?
IP Address, Printer Serial number, timestamp of communication.
With just the timestamp and the IP Address your PC used to communicate with the central server, you can be easily traced. It's easier if you are on broadband, slightly more difficult if you are on a service like AOL or MSN.
I am not being a tinfoil hat wearer here. I am just pointing out that it is actually easier to track down a user of a particular printer than you believe it to be.
The only way to be more anonymous with such a cash paid color laser printer purchase would be to never connect it to a PC that has Internet Access.
If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
And yes, stores can be required to scan those S/Ns if the feds so desire, and it can be made to stick. Bank tellers don't get paid all that much more than Best Buy clerks, but the threat of 20 years in the federal pen gives them a bit of incentive to follow the money-laundering reporting procedures. Heck, I heard a discussion between two entry-level postal clerks the other day about how much fun they had spotting drug dealers and reporting them.
sPh
Thanks largely to the invention of this nifty thing called a microprocessor adding the serial number on a sticker on each box costs tenths of pennies, not millions, and saves thousands if not millions in dealing with the distribution & maintenance channels.
My Toshiba laptop box not only had the serial number on the box, but when it went in for service the Toshiba rep knew which retailer it was sold through...
feel free to mod this down (-1 mod angry).
If you think imaginary property and real property are the same, when does your house become public domain?
Repeat after me, "Cost does not equal value". No one is forcing you to buy inkjet cartridges. The value of something is what the market will bear. These companies are watching their revenue go up as they raise prices. That's their job, maximize revenue. If there is collusion among printer manufacturers, which I doubt, then it is illegal. Otherwise, buy a laser.
Spencer Ogden
If I buy a $50 DVD player at Walmart, the register prompts the clerk to scan the serial number barcode. Last year I had a few clerks look very confused. One said "I don't want to type that" and I pointed out that they could use their barcode scanner.
If they track it, everyone does. Everything I mail order has the barcode scanned and printed on the packing slip.
Get a clue.
Of course, this might actually prove useful in the future for historians analyzing our garbage for dating our documents. Assuming, of course, that these tiny dots can survive for a useful amount of time.
To me that's perhaps the biggest issue. At one point this was supposed to be a democracy, now it seems we're sliding into acceptance of secret laws and practices, and a general acceptance that "they" are watching (without even knowing who "they" are). We used to deride "conspiracy theorists" for thinking this kind of stuff was happening. Now we know it is happening, so we just deride the conspiracy theorists for caring.
Speaking as a trained Xerox Docu* operator who can recite his DEEZEROCEE serials in his sleep.....
The DocuColor printers in question are very high end printer/copiers that are installed and maintained by trained technicians known by Xerox as Customer Service Engineers or CSEs. When it breaks or needs parts, you call your CSE. Think "on-site support" but on steroids. You pay a ton for this.
The system clock is set by the installer CSE and possibly updated as needed on subsequent service calls, and there are MANY of those as DocuColors require frequent maintenance and upkeep. It is not uncommon to have service once a week for some models. Or worse. They can be touchy beasts. The machines, I mean. The CSEs can be your pal or your worst nightmare. I like the ones my bosses hate. Go fig.
So what is the clock for? Among other things, time stamps are used by the printshop for tracking when every single print was made including which operator made it. So no more late night "free copies" for your pals. Xerox also uses the logs for all sorts of legit reasons. Nothing evil there.
So what about resetting the clock? First you'd have to get the machine open. This is not like a computer with handy access panels and common PCBs, er, that's PWBs in Xerox-speak. You'd have to know the machine inside-out, have the tools and the skill to take it apart (God help you), and hope that the battery is resettable rather than buried inside a chip. Xerox is very, very aware of people trying to cheat the machine meters to make free copies so stuff like counters and clocks are already armored and protected from prying hands.
Assuming you managed to do all those things and got the machine back together, then it has to be recalibrated because taking it apart will have wrecked the system setup. So you have to call your CSE, who resets the clock straight away, probably by pushing the keys with the bones he removed from your hands for messing with his machine. If you're still alive at this point, you are right back where you started!
Side notes: the vast majority of DocuColors are leased out by Xerox rather than sold, so the machine is normally Xerox property from assembly to reman to reman to reman to junkyard. Why? Some of them can cost half a million and up for new, less for used, but either way these are not something people "buy" when they can simply lease. GE Credit is happy to finance the leases and end users find it much cheaper and they don't end up stuck with obsolete machines.
Many of the older machines can and do end up on the sale market and it is possible to buy one and own it, but it will still require service (lots for an old machine), toner, supplies, parts, and preventive maintenance. Xerox controls almost all the DocuColor parts, supplies, ink, and most of the trained CSEs so you pretty much have no choice but to sign on for a Xerox service contract even when you own the thing free and clear.
Yes, there ARE trained key operators who can get in and do SOME maintenance chores but only Xerox can get parts and has the technical knowledge to use them.
Sig for hire.
The "if you have nothing to hide" apologists for elimination of freedoms is a slippery slope to totalitarianism. Orwell would snicker!
When the people fear their government, there is tyranny; when the government fears the people, there is liberty.
Quite frankly, you have no idea what you are talking about. I work in high-end color, and all of our toner devices have this encoding technology. I have talked to plenty of people in the industry, who sell these machines. They are required, by law, to record the serial number and purchaser of every such device. Furthermore, they are required by law to record the sale of any electronic part used in these devices, and yes, all the boards are individually keyed to the serial number of the device. Swap boards with another device, and the machine stops functioning.
This is also true of the mid-range color laser printers you purchase at your local Best Buy or Micro Center. In fact, if you open your eyes at the checkout and actually pay attention, you would notice that after they scan the bar-code, their register prompts them to either scan the serial number bar-code, or hand-key in the serial number. Now, they may not be required to record your name and address, but they most certainly can trace it back to your credit card.
The whole point of this is to catch counterfeiters. It's useless to know the serial-number of a device if you don't know where it was sold.
I'm sorry that people are simple-minded, troubleshooting-tree-following apes.
Afraid I don't share your optimism.
First of all: there is an intrusion, a loss of freedom, even when the power is not abused. In the 60s, your average hippy could pretty much buy a car using cash and drive to San Francisco - now you need a ton of paperwork, legal docs, and so on. You can no longer buy a car using cash - not a new car anyway. Another example: in the 1960s the government did not know what I spent my money on. Now it does. That represents a serious loss of freedom even if the government does not currently abuse that new power. These losses of freedom may or may not be necessary, but they need robust discussion and debate before they happen.
The second point: these powers DO get abused. An example. During German occupation in WW2, the Dutch sent more Jews to the concentration camps, as a percentage of the population, than any other nation save Germany. Why? They had a very efficient tracking system that from birth to grave tracked everyone's address, race, relatives' addresses, and so on. Guess what - at the first opportunity, the new people in power abused that power and traced all Jews and sent them to their deaths. Interestingly, in the years leading up to WW2, the Dutch had a debate much like this one, and the consensus was that "if you have done nothing wrong, you have nothing to fear".
Examples abound: when you give away your freedoms you (a) lose those freedoms (and the freedom to buy a printer anonymously may not seem such a big deal to you - but it IS a freedom!), and (b) over time, they sometimes get abused: you can count on a certain percentage of this happening.
Michael
---
BDOS ERR ON A:>
"Free speech is not free *anonymous* speech."
How do you figure? If I'm free to speak, but free to get hounded by the FBI/fired/audited by the IRS if I say something that the authorities don't like, that's a pretty thin kind of freedom.
"We don't want the world flooded with forged documents"
Says you. I don't really think that it's as much of a problem as you do.
"Deal with it."
Ah. That must be in the hidden text in the 10th Amendment. You know, the one written in invisible yellow dots.
Why yes, I AM a rocket scientist!
"There seem to be a lot of people who confuse *freedom* with *freedom to do antisocial stuff and remain anonymous*."
Ahh. Spoken like a true fascist. You are taking the right of free expression in a democratic society and chaining it to the dungeon wall with the use of another as yet to be defined term, "antisocial stuff". Would that be "antisocial" as defined by the ruling political party, whichever religious sect is currently in vogue, or perhaps as determined by a public poll?
"Free speech is not free *anonymous* speech."
What a crock! One of the basic rights any citizen of a democracy has is the right to vote, PRIVATELY. No other person, group of persons, or government entity is granted the right to know how an individual votes -- without such privacy protections the entire foundation of democracy is open to the social, political or financial pressure to vote a particular way.
And only in a democracy falling to the continued pressures of fascist statism would the government redefine the ephemeral and undefined term "free press" only as persons engaged in journalistic activities employed by corporate media moguls.
I would suggest that you spend a few years in the "new and improved" fascist USSR, being run by an ex-KGB general, and experience the fruits of your specious argument firsthand.