Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hidden Codes in Printers Cracked

Posted by CmdrTaco on from the big-brother-pwnz-you dept.

r84x writes "A research team led by the Electronic Frontier Foundation (EFF) recently broke the code behind tiny tracking dots that some color laser printers secretly hide in every document. The U.S. Secret Service admitted that the tracking information is part of a deal struck with selected color laser printer manufacturers, ostensibly to identify counterfeiters. However, the nature of the private information encoded in each document was not previously known. "We've found that the dots from at least one line of printers encode the date and time your document was printed, as well as the serial number of the printer," said EFF Staff Technologist Seth David Schoen."

19 of 562 comments (clear)

  1. Maybe its not a weakness by suso · · Score: 5, Funny

    Its a good thing that I can't print. [warning: experimental music made from printer noises]

  2. Printer Friendly Version? by OctoberSky · · Score: 5, Funny

    Anyone have a printer friendly version? On second thought.... nevermind. //Tin foil hat on

    1. Re:Printer Friendly Version? by nolife · · Score: 5, Insightful

      Hell, it's not like anyone actually cares what you print unless you're doing something illegal that would warrent them spending a lot of time and money to try and find you.
      The people that do not want their houses randomly searched must be hiding something, after all, why would they not want searched? I know, point taken to the extreme but where do you draw the line?

      --
      Bad boys rape our young girls but Violet gives willingly.
    2. Re:Printer Friendly Version? by LearnToSpell · · Score: 5, Funny

      Not if they search your house when you're not home! No inconvenience for anyone! In fact, you might not even know they've been there. Everybody wins.

      --
      Haida Manga
  3. Before... by trevordactyl · · Score: 5, Insightful

    Before anyone has a conniption, consider this: do you really think that "they" have a database they could reference to find out what printer serial number goes to what citizen? I don't. I know they could, but I choose to believe (most likely for good reason) that they don't.

    Just realize that 99.9% of the world doesn't give a shit about anything you do, and all that paranoia just slips away. That's what I did.

    1. Re:Before... by Anonymous Coward · · Score: 5, Informative

      do you really think that "they" have a database they could reference to find out what printer serial number goes to what citizen?

      Most laser printers are rather expensive items. If you paid with a credit card, then yes, they have it in a database. (All stores record the serial number of high-ticket items they sell. I've actually gotten recall notices this way, so I know the store shares it with the manufactorer.) Even if you paid in cash, if you filled in the warranty card, they have it. Got a mail-in rebate? On file. Ever had to have it serviced? You're on file.

    2. Re:Before... by Alchemar · · Score: 5, Insightful

      What do you think all the registration cards that are "required" for warrenty are about. It is utterly amazing how much junk they store on individuals in the name of marketing. I will agree that no one will care about most people, but not caring and not having the information in a database are two different things. I have a very unique name derived from a misspelling on a birth certificate. The only two people in the world with my name is me and my father, but I still pull up over 500 hits if I enter it in google. Most of them some kind of goverment or school entery. No one cares about me or my father now, but the information is still there if that ever changes.

    3. Re:Before... by Anonymous Coward · · Score: 5, Interesting

      do you really think that "they" have a database they could reference to find out what printer serial number goes to what citizen?

      Yes, they must, otherwise this tracking information is useless, right? They can't be that dumb. And most high-end color printers are sold to businesses and often have service contracts. It's not that hard. How many people buy a printer for cash?

      And many networked printers "phone home" to the manufacturer via email or web. My Xerox phaser 7750 (great printer, btw) tries to send an email every month to Xerox. They're blocked now.

      Just realize that 99.9% of the world doesn't give a shit about anything you do, and all that paranoia just slips away.

      I know that. But I prefer that my printer doesn't track what I print.

    4. Re:Before... by Anonymous Coward · · Score: 5, Interesting

      I don't know about the USA, but in the UK the only barcode that gets scanned is the 13-digit EAN product code which does not contain any kind of unique serial number.

      Buy a printer and fail to send the warranty card in and there is no entry in any list.

      The reason they have this stuff is so that they can match the printer to the document in the courtroom after they catch you. It's not a tracking system.

    5. Re:Before... by aug24 · · Score: 5, Interesting

      Yeah, I reckon they do. I work implementing such systems. Read on...

      Modern asset tracking systems use the serial number of each big-ticket item to track it (if it is serialised - most expensive kit is). The asset, whatever it is, is tracked from entry to the system through to exit - with an EPOS transaction being recorded against it as it leaves if sold.

      It is pretty damn easy for a database coder to write a bit of SQL to say 'give me the credit card number that bought this item'. I could do it in minutes.

      Provided the Feds wanted to track a given machine, and it had been bought with plastic, there's no reason they shouldn't be able to find that info very easily, given the cooperation of the vendors. Your last para relies on you not being someone the Feds are interested in - and that relies on you assuming they won't be interested in people who haven't broken the law. I hope you are right, but recent events suggest otherwise to me...

      Justin.

      --
      You're only jealous cos the little penguins are talking to me.
    6. Re:Before... by DjReagan · · Score: 5, Insightful

      "Just realize that 99.9% of the world doesn't give a shit about anything you do, and all that paranoia just slips away"

      Oh, so there's only 0.1% of the world who is interested in what I'm doing?

      I'm glad it works out for you, but 6 million people snooping around in my private life doesn't make my paranoia go away.

      --
      "When I grow up, I want to be a weirdo"
  4. more links by morcheeba · · Score: 5, Informative

    For those interested in a quick summary, the docucolor example is the best place to look. (it has pictures!)

    More information can be found on the EFF's printer-privacy webpage.

    Also interesting is Andrew Bunnie's flat bed page scanner mod to use blue light instead of white. This made the yellow tracking dots easier to see, and the whole page could be seen at once to determine the pattern they made.

    --
    HIV Crosses Species Barrier... into Muppets
  5. Date and time? by Anonymous Coward · · Score: 5, Funny

    I bet most people's printers will print "Jan-01 1980 12:00" in little blinking dots.

  6. Old Communist ploy gets updated by doublem · · Score: 5, Interesting

    In Soviet Russia, anyone who owned a typewriter was required to send a sample page to the government.

    The theory of course being that they would use it to try and track down any subversive content.

    And now the US government has made it quick, easy and automated to do the same.

    I want to know who the bastards are that are adding this technology to their printers so I can avoid them like the plague.

    Yes, I know I could just not send in the registration card, but what if the government decided to crack down on those who critisize the war? Suddenly when they confiscate my printer, they can find out if any of the documents they've declared subversive came from my printer.

    This is too Big Brother for my tastes.

    --
    "Live Free or Die." Don't like it? Then keep out of the USA
  7. Quit being clueless. by cnelzie · · Score: 5, Interesting

    Let's assume you purchase your color laser printer with cash.

        Let's assume you take that home and hook it up to your Windows XP Home Edition printer.

        Now, that printer is installed and it requests you "Register" the printer. You decline to do so.

        During the normal course of use, a little dialog box pops up stating that there is an update to download from your color laser printer manufacturer's website and the printer application will be more then happy to do so.

        How does your application know that it needs to be updated? Well, it checked with a central server.

        If that application checks with a central server, would it be difficult to imagine that the central server would be able to obtain the following?

        IP Address, Printer Serial number, timestamp of communication.

        With just the timestamp and the IP Address your PC used to communicate with the central server, you can be easily traced. It's easier if you are on broadband, slightly more difficult if you are on a service like AOL or MSN.

        I am not being a tinfoil hat wearer here. I am just pointing out that it is actually easier to track down a user of a particular printer then you believe it to be.

        The only way to be more anonymous with such a cash paid color laser printer purchase would be to never connect it to a PC that has Internet Access.

    --
    If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
  8. Re:Watermark with extra random patterns by Mccavity91k · · Score: 5, Funny

    "What's this? This ransom note was printed in 1455 on printer number 1! Okay men, I think we need to have a little chat with Mr. Gutenberg"

  9. Re:Printers have RTC and CMOS battery? by RubberDogBone · · Score: 5, Informative

    Speaking as a trained Xerox Docu* operator who can recite his DEEZEROCEE serials in his sleep.....

    The DocuColor printers in question are very high end printer/copiers that are installed and maintained by trained technicians known by Xerox as Customer Service Engineers or CSEs. When it breaks or needs parts, you call your CSE. Think "on-site support" but on steroids. You pay a ton for this.

    The system clock is set by the installer CSE and possibly updated as needed on subsequent service calls, and there are MANY of those as DocuColors require frequent maintenance and upkeep. It is not uncommon to have service once a week for some models. Or worse. They can be touchy beasts. The machines, I mean. The CSEs can be your pal or your worst nightmare. I like the ones my bosses hate. Go fig.

    So what is the clock for? Among other things, time stamps are used by the printshop for tracking when every single print was made including which operator made it. So no more late night "free copies" for your pals. Xerox also uses the logs for all sorts of legit reasons. Nothing evil there.

    So what about resetting the clock? First you'd have to get the machine open. This is not like a computer with handy access panels and common PCBs, er, that's PWBs in Xerox-speak. You'd have to know the machine inside-out, have the tools and the skill to take it apart (God help you), and hope that the battery is resettable rather that buried inside a chip. Xerox is very, very aware of people trying to cheat the machine meters to make free copies so stuff like counters and clocks are already armored and protected from prying hands.

    Assuming you managed to do all those things and got the machine back together, then it has to be recalibrated because taking it apart will have wrecked the system setup. So you have to call your CSE, who resets the clock straight away, probably by pushing the keys with the bones he removed from your hands for messing with his machine. If you're still alive at this point, you are right back where you started!

    Side notes: the vast majority of DocuColors are leased out by Xerox rather than sold, so the machine is normally Xerox property from assembly to reman to reman to reman to junkyard. Why? Some of them can cost half a million and up for new, less for used, but either way these are not something people "buy" when they can simply lease. GE Credit is happy to finance the leases and end users find it much cheaper and they don't end up stuck with obsolete machines.

    Many of the older machines can and do end up on the sale market and it is possible to buy one and own it, but it will still require service (lots for an old machine), toner, supplies, parts, and preventive maintenance. Xerox controls almost all the DocuColor parts, supplies, ink, and most of the trained CSEs so you pretty much have no choice but to sign on for a Xerox service contract even when you own the thing free and clear.

    Yes, there ARE trained key operators who can get in and do SOME maintenance chores but only Xerox can get parts and has the technical knowledge to use them.

    --
    Sig for hire.
  10. My country right or wrong is WRONG by Analogy+Man · · Score: 5, Insightful
    Where do we stop using intrusive technologies.

    • Felonious use of technology (e.g. counterfieter)
    • Legal use by felon (e.g. mail from murderer)
    • Illegal use as civil disobediance (e.g. printing document that is improperly classified secret for political reasons)
    • Constitutionally protected but anti-establishment use (e.g. hand distribution of fliers of "Top 10 Reasons to Impeach Congressman Blowhard")

    The "if you have nothing to hide" apologists for elimination of freedoms is a slippery slope to totalitarianism. Orwell would snicker!

    --
    When the people fear their government, there is tyranny; when the government fears the people, there is liberty.
  11. Re:Er, huh? by Teilo · · Score: 5, Informative

    Quite frankly, you have no idea what you are talking about. I work in high-end color, and all of our toner devices have this encoding technology. I have talked to plenty of people in the industry, who sell these machines. They are required, by law, to record the serial number and purchaser of every such device. Furthermore, they are required by law to record the sale of any electronic part used in these devices, and yes, all the boards are individually keyed to the serial number of the device. Swap boards with another device, and the machine stops functioning.

    This is also true of the mid-range color laser printers you purchase at your local Best Buy or Micro Center. In fact, if you open your eyes at the checkout and actually pay attention, you would notice that after they scan the bar-code, their register prompts them to either scan the serial number bar-code, or hand-key in the serial number. Now, they may not be required to record your name and address, but they most certainly can trace it back to your credit card.

    The whole point of this is to catch counterfeiters. It's useless to know the serial-number of a device if you don't know where it was sold.

    --
    Mir tut es leid, Menschen daß Einfältigfehlersuchenbaumfolgendenaffen sind.