Slashdot Mirror


Digital Photocopiers Loaded With Secrets

skids writes 'File this under "no, really?" CBS news catches up with the fact that photocopiers, whether networked or not, tend to have a much longer memory these days. When they eventually get tossed, few companies bother to scrub them. Couple this with the tendency of older employees to consider hard-copy to be "secure," and your most protected secrets may be shipped directly to information resellers — no hacking required. "The day we visited the New Jersey warehouse, two shipping containers packed with used copiers were headed overseas — loaded with secrets on their way to unknown buyers in Argentina and Singapore."'


  1. Thats supposed to be obvious? by EricX2 · · Score: 5, Insightful

    I never would have guessed the copy stayed in memory on the device. When I copy, scan to email, or scan to file, it doesn't give me the option to 'scan again without reinserting original'... or does that imply the ones we have don't have this 'feature'?

    1. Re:Thats supposed to be obvious? by Jaysyn · · Score: 3, Insightful

      Security thru lack of features, maybe.

      --
      There is a war going on for your mind.
    2. Re:Thats supposed to be obvious? by drooling-dog · · Score: 3, Insightful

      Well, the original submission says,

      Coupled with the tendency of older employees to consider hard-copy to be "secure"...

      ...so it looks like this is only a problem for the geezers; after all, digital photocopiers are like magic to them. There's virtually no chance that any of the savvy young hipsters in your organization could fail to be aware of this threat.

    3. Re:Thats supposed to be obvious? by wjousts · · Score: 5, Insightful

      In the same way that a wall is more secure than a door. It has less features to start with.

  2. Some people don't listen by bfmorgan · · Score: 5, Insightful

    I have pointed this out to my company's computer security guy and his response was, "I don't worry about copiers, that is a human resource issue". I have sent him this story. Maybe that will get him worried. Oh, and I cc'd the CEO.

    --
    I hope this caused some synapses to fire.
    1. Re:Some people don't listen by Red+Flayer · · Score: 4, Insightful

      Why didn't you email the local head of HR? The guy told you who is responsible...

      Instead now you have a situation where you're calling someone out on something that is not their responsibility... that's not the nicest (or most effective!) way of handling it.

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    2. Re:Some people don't listen by vbraga · · Score: 5, Insightful

      Better write 'Pro golf tips at the bottom' in the subject or the CEO isn't going to read it.

      --
      English is not my first language. Corrections and suggestions are welcome.
  3. From the article by Itninja · · Score: 2, Insightful

    Nearly every digital copier built since 2002 contains a hard drive - like the one on your personal computer - storing an image of every document copied, scanned, or emailed by the machine.

    Having worked in the digital industry up until 2007 I can tell you, that is a laughably inaccurate statement. We had half a dozen industrial-class copiers, all from 2004 or newer. The only one with a 'hard drive' in it was the high end color copier/printer; and we had to specifically add that option. I think it would be accurate to say that nearly all digital copiers might be configured to use a hard drive, though many are external and often separated from the device when it's sold.

    --
    I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
  4. Re:No one will bother by rhsanborn · · Score: 3, Insightful

    No one is going to go dumpster diving and digging through reams of discarded employee picnic announcements just to try and find some corporate secrets, wait... shoot.

    Ok, let's try this again. No one is going to go through piles of keylogger data most of which is filled with lols and a\s\l?s to try and find a person's banking credentials, wait ... frick.

    No one will do it, except the people that do. There is a buck to be made, people will do it.

  5. Re:No one will bother by bdsesq · · Score: 2, Insightful

    No one is going to sort through millions of pointless memos about employee picnics and birthday party announcements on the off chance that there's something potentially valuable to someone somewhere.

    Want to bet? Oh, that's right you already are betting. If no one goes through your copier data you win -- nothing. If someone finds a password or credit card number you lose -- big time.

    So nothing to gain and everything to lose. Sounds like wiping the copier disk is a "must do"!

  6. that's an interesting bank statement, mr salesman by wfmcwalter · · Score: 2, Insightful

    My company recently bought a used copier/scanner/printer, which had supposedly been reconditioned and cleaned. It included a "document server" feature, whereby jobs could be scanned to its internal disk (or print jobs could be stored in the printer for later printing). The salesman who sold it to us had helpfully left scans of his current account statement in the document server, together with some placating letters to other customers. After thinking about what uses we'd actually have, I decided just to turn the document server feature off for everyone. I did leave the deferred-jobs part on (as it's useful when someone is printing on weird stock or printing something confidential) - thus ensuring that anything left on the copier (the company is now defunct, the copier presumably resold) is guaranteed to be juicy.

    --
    ## W.Finlay McWalter ## http://www.mcwalter.org ##
  7. Re:No one will bother by _Sprocket_ · · Score: 4, Insightful

    Data is valuable. Labor is cheap.

  8. Re:Why? by Corporate+Drone · · Score: 2, Insightful

    Why did they start designing copy machines to have long term storage, and to keep a copy of everything ever copied?

    The news report is being sensationalist, and leading you to believe that it's keeping the data. Listen to the report again: they use a forensic program to get at the files. In other words, unless you tell the device to save the image, it's deleted. (The catch is that "deleted" means "entry deleted", not "file wiped off the drive".)

    In other words, companies aren't wiping the hard drives of leased copiers. (Then again, are companies wiping the drives of leased PCs? Of PCs they owned, then threw away?)

    Sun rises in east. Water is wet. Files that aren't wiped are able to be recovered from hard disks. Yawn...

    --
    mmm... yeah... You see, we're putting the cover sheets on all TPS reports now before they go out...
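
Added example (not part of any comment in this thread): a pre-disposal check for the gap described in the comment above, where "deleted" removes the entry but leaves the file data on the drive. It audits a raw disk image for surviving non-zero sectors and scan-file signatures; the toy disk layout, the function names and the zero-fill overwrite are assumptions constructed for illustration.

```python
import io

SECTOR = 512
# Magic bytes of formats scans are commonly stored in (assumption: a real
# copier may use a proprietary container, so zero signature hits is necessary
# but not sufficient; the non-zero sector count is the stronger signal).
SIGNATURES = {b"\xff\xd8\xff": "JPEG", b"%PDF-": "PDF",
              b"II*\x00": "TIFF", b"MM\x00*": "TIFF"}

def audit_image(stream, chunk_sectors=2048):
    """Return (nonzero_sectors, total_sectors, hits) for a raw disk image.
    hits lists (byte_offset, format) for signatures found at sector starts."""
    nonzero = total = 0
    hits = []
    while chunk := stream.read(SECTOR * chunk_sectors):
        for off in range(0, len(chunk), SECTOR):
            sector = chunk[off:off + SECTOR]
            if any(sector):                      # sector was not zero-filled
                nonzero += 1
                for magic, name in SIGNATURES.items():
                    if sector.startswith(magic):
                        hits.append((total * SECTOR, name))
            total += 1
    return nonzero, total, hits

def audit_bytes(data):
    """Convenience wrapper for in-memory images."""
    return audit_image(io.BytesIO(bytes(data)))

def build_demo_disk(sectors=16):
    """Constructed sample: one directory sector plus one stored scan."""
    disk = bytearray(SECTOR * sectors)
    entry = b"SCAN0001.JPG\x00\x04\x00\x00"    # toy directory entry
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x5a" * 300
    disk[0:len(entry)] = entry
    disk[4 * SECTOR:4 * SECTOR + len(jpeg)] = jpeg
    return disk

def delete_entry(disk):
    """'Deleted' in the comment's sense: only the directory entry goes."""
    disk[0:16] = bytes(16)

def overwrite(disk):
    """Full overwrite: every sector zeroed."""
    disk[:] = bytes(len(disk))

if __name__ == "__main__":
    d = build_demo_disk()
    delete_entry(d)
    print("after delete:   ", audit_bytes(d))
    overwrite(d)
    print("after overwrite:", audit_bytes(d))
```

On a real drive, pass an open image file (taken read-only) to `audit_image`; any non-zero sector count after sanitization means the wipe did not cover the whole device.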
  9. Re:S/N by interkin3tic · · Score: 4, Insightful

    the criminals will have to wade through a sea of lolcats and fail posters to get to any actual business information

    Unless they find a way to make the text searchable and just search for "social security number" or "credit card number" and look at what's written right next to it. And while I don't know how to do that personally, it seems like the type of thing that would take about 10 minutes to figure out and then another 10 minutes to actually do.

  10. Re:No problem by Scarletdown · · Score: 2, Insightful

    I always take care to disguise my ass before photocopying it.

    Well in my day...

    "People wrote books and movies, movies that had stories so you cared whose ass it was and why it was farting. And I believe that time can come again!"

    --
    This space unintentionally left blank.
  11. Re:No one will bother by Anonymous Coward · · Score: 1, Insightful

    I'm surprised nobody's mentioned Office Space yet.

  12. Re:Why? by CAIMLAS · · Score: 2, Insightful

    It probably comes down to cost.

    If a printer has a 22ppm rate and has 64MB of RAM, you're not going to be able to print more than one or two larger print jobs at a time - particularly if they're RAW jobs. You'll need a print server for that, and you'll have a significant bottleneck before getting to the printer/the printer accepts the job. This leads to user agitation.

    So, while 128MB costs $100 (at the time), a 40G disk costs roughly the same amount - and you can cache to disk with marginal overhead and provide a more seamless user experience than the RAM would provide - all while increasing how many jobs can be accepted to queue at a time.

    --
    ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
  13. Do ALL ATA HDs support secure erase? by Anonymous Coward · · Score: 1, Insightful

    Your statement that "Every HDD out there, as part of the ATA standard, supports a secure erase command" seemed overbroad; I didn't think that was part of the earlier standards.

    I checked www.t13.org to get a copy of the earliest ATA standard, but discovered:

    1. It has been "withdrawn" and no longer available from that source;

    2. You have to pay money to get the docs (no problem for corporations, more of a problem for individuals);

    3. Following the link on the t13.org web page to "Antitrust Policy" results in a "404" error; and,

    4. According to the logo at the bottom of the t13.org home page, t13.org is "Powered by WD" (Western Digital).

    Hmmmm...

    ALL hard drives