Xerox Confirms To David Kriesel Number Mangling Occurring On Factory Settings
An anonymous reader writes with a followup to last week's report that certain Xerox scanners and copiers could alter numbers as they scanned documents: "In the second Xerox press statement, Rick Dastin, Vice President at Xerox Corporation, stated: 'You will not see a character substitution issue when scanning with the factory default settings.' In contrast, David Kriesel, who brought up the issue in the first place, was able to replicate the issue with the very same factory settings. This might be a serious problem now. Not only does the problem occur using default settings and everyone may be affected, additionally, their press statements may have misled customers. Xerox replicated the issue by following Kriesel's instructions, later confirming it to Kriesel. Whole image segments seem to be copied around the scanned data. There is also a new Xerox statement out now."
Swapping numbers while copying may seem like bizarre behavior for a copier, but in comments on the previous posting, several readers pointed out that Xerox was aware of the problem, and acknowledged it in the machine's documentation; the software updates promised should be welcome news to anyone who expects a copier to faithfully reproduce important numbers.
The old analog process never had this problem.
69 dude!
Now if 6 turned out to be 9, ...if all the hippies cut off all their hair,
I don't mind, I don't mind,
I don't care, I don't care.
Dig, 'cos I got my own world to live through
And I ain't gonna copy you.
What???? A copier changes numbers? A copier is supposed to copy.
to see Xerox fall to this kind of hand-waving. Mr Rick should either publicly apologize or leave his post. You might say this event does not warrant such a response, however I argue that it does.
from a copied report that changed a 3 to an 8....
Am I the only one who finds this truly frightening; that the photocopier has a bug in a sub system that is basically reading the content of the documents being photocopied? I didn't even know photocopiers did this normally. This is another prime example of how organizations like the NSA can theoretically get their fingers into cracks we didn't even know existed. I would never have thought that something I photocopy could be intercepted, but apparently it can. The bug part of this issue is just a small thing relative to the larger issue, IMHO!
By the way, I read in another comment about the new slashdot ipad app. I'm posting this comment from it. What a breath of fresh air compared to the slashdot mobile site!
Yes, he did. If you'd care to read the story you would've known the answer without having to ask here and then complain about something that's not even applicable here.
The potential for damage with this kind of error almost can't be overstated. Besides errors in billing, construction, manufacture or products, medicine dosages, etc. already outlined, there are other likely problems:
Publications may contain wrong data.
Scientific conclusions may be based on wrong data.
Government policy may be based on wrong data.
Money may go to wrong accounts or be taken from wrong accounts.
You think you paid your taxes? The government may not agree.
Did this tool try to notify Xerox first or did he just start shouting from the mountain tops?
It isn't a security issue so the only purpose served by his going public without him contacting Xerox is to stroke his ego.
How would any of you like it if someone found a bug in your stuff and instead of notifying you, went to your managers and bad mouthed you?
You'd think he was a prick.
Why does he owe this courtesy to Xerox? Xerox isn't his coworker, Xerox doesn't have feelings. Xerox is a corporation. And corporations don't always fix problems, even serious ones, until they receive wider attention.
So should he have quietly alerted Xerox, then monitored their progress in fixing the problem, keeping the company apprised of how it was doing -- sort of an unpaid QA position? I guess that's an option, but not the only acceptable one.
Am I the only one who finds this truly frightening; that the photocopier has a bug in a sub system that is basically reading the content of the documents being photocopied?
Yes, you should find that frightening. That's not new, though, pretty much all photocopiers these days don't actually "photocopy" the document, they scan it to memory and then print the scan. Your documents are saved to memory on the photocopier. Yep, that's a security flaw.
http://www.thedailygreen.com/environmental-news/latest/digital-copier-security-461009
http://www.cbsnews.com/8301-18563_162-6412439.html
http://message.snopes.com/showthread.php?t=60313
Time to buy a Ricoh.
At least they don't monkey with the compression to the level it actually distorts the image.
It isn't a security issue so the only purpose served by his going public without him contacting Xerox is to stroke his ego.
It isn't a security problem? Seriously?
What if a doctor copies a prescription or your medical journal? Government officials copy personal information for use with a visa? Police officers copy statements? Or any other place where you'd want to copy something, that must be copied correctly?
Sure, it's not a computer security issue, but it's definitely, among other things, a security issue.
Back when I saw the first scanner based copiers roll out I thought we'd see something similar to this happen. Whenever you eliminate the analog signal path it becomes much easier to corrupt the thing in unnoticeable ways, even unintentionally! It's clearly the way to go, because of how much complexity it removes, but as soon as you start storing data on a medium and read it back you start having these problems, it only gets worse as you try and conserve that storage medium with compression or other tricks/hacks. It's just a fact of life in the digital age: the tradeoffs are still better than the previous way of doing things. (Well that is unless your name was "Mr. Buttle" and the ministry of information drilled a hole in your ceiling).
I am just really glad to see that Xerox is taking the initiative, working closely with the person who found the problem, and opening its doors to others who want to help out. It's all too often that a big company has a big obvious problem with a product and not only doesn't admit there's a problem, but refuses to help or work with those experiencing them.
Corporations are people too!
It's not a security problem in the sense that people knowing about it won't be able to exploit it. In other words, public knowledge of the problem won't hurt security any more than it already has been, which is what the earlier post was talking about.
But public knowledge of this may save a few lives, when the doctor first checks if all the numbers are copied correctly before handing it to another doctor.
Coming soon ... Xerox voting machines.
"How would any of you like it if someone
found a bug in your stuff and instead of
notifying you, went to your managers and
bad mouthed you?"
This is exactly what happens in most industries from food service, retail, transport(like my driving? Call...), and manufacturing. I'm sure there are more examples too but these are just some of the fields in which I have been a direct employee or as a manager where I was able to participate in the complaint process as a third-party observer more than a few times as coworkers had complaints placed against them.
Why should IT or large scale industry be any different?
It's not a security problem in the sense that people knowing about it won't be able to exploit it. In other words, public knowledge of the problem won't hurt security any more than it already has been, which is what the earlier post was talking about.
First, I do understand your point regarding the common usage of "security" in this domain. However, the term "security" can also mean "safety," although in English "security" is more commonly used to mean freedom or protection from malicious harm or loss and "safety" is commonly taken to mean protection from accident or nature. (Paging pedants to show just how stupid and wrong I am.) Moreover, in some languages, the English words "safety" and "security" translate the same.
Remember when Xerox commercials featured a monk copying documents? Their ad agency was trying to humanize the company.
So all they've done now is add an algorithm for random human error. Just making the company more human... monks did that as well.
We've got a XEROX 7556 in the office and I scanned several number heavy documents, with fonts as small as 6pt. I tried both the default and low res levels. Every number came out correct. Since we recently moved to paperless records (and we had 100's of thousands of multipage documents) I was a bit worried. I'm less worried than I was when the story first came out. Let's hope the upcoming fix doesn't slow the scanning process noticeably.
I'm not saying that you're wrong, but I would like to know how reliable your information is.
Do you work, or have you worked, directly for Xerox on these sorts of products?
If you have not, how did you come upon this information? Is it based on actual specifications or design documents? Or is it based on speculation?
Because since Xerox knows they used lossy compression in a copier, they already know to not ever use or buy Xerox copiers. It's the public who still needs to know. ;-)
As if people with the affected equipment might want to know, right? Why does Xerox's "feelings" even matter in all of this?
Sorry, I just can't seem to parse your post and grasp the meaning. Could you perhaps elaborate a bit?
You are making the mistake of imagining that the person who discovered this flaw owes Xerox something.
He does not.
He discovered the information, and he is free to (a) remain silent (b) tell Xerox (c) tell the press (d) tell everyone (e-z) anything else he likes. He might CHOOSE (b) but he is certainly under no obligation to do so, and it is of course incorrect for anyone to fault him if he does not choose (b).
We see this same mistake being made by the inferior minds who advocate the farcical concept of "responsible disclosure" when it comes to security issues. There is no such thing. There never has been. It's simply a fabrication by the mouthpieces of corporations who fret about bad publicity or negative impact on their stock price. Those who say they practice it are conceited and arrogant: they are making the foolish mistake of presuming that they, and they alone, possess this information, even though that's almost certainly not true. (What one can discover, another can discover.)
In all these cases, what we find are people who are afraid of the truth. They are afraid to speak it, afraid to hear it, afraid to have it propagated, afraid that others may have it: afraid, afraid, afraid. This is antithetical to the scientific method, to free speech, to forward progress: we must have the truth, no matter how inconvenient or unpleasant, if we're going to get anywhere.
I'm sure that some of the people at Xerox are furious about this. That's just too damn bad. If they want to find the root cause of their anger, they should look in a mirror, as it is their incompetence, sloppiness, laziness and negligence that has made all this happen.
Soylent Green is people too!
Kudos though for spending so much time thinking of how to validate your horribly thought out position.
The reason that you come forward quietly to a corp before going public on a real security issue is so that the bad guys do not exploit it while the company makes a patch. People knowing about this issue before a patch can only help the issue.
On top of that Xerox knew about this problem already and were just keeping a lid on it.
If you are a paid Xerox shill then you are a failure at your job. Otherwise you are just an idiot.
You seriously think nobody will be able to exploit this problem?
They meant to admit this to the public last week, but their press release got its letters changed around for some reason...
RTFA
I found myself between a rock and a hard place now. On one hand, I did not intend to do any harm to Xerox, so I had to have these findings verified and make sure I was not wrong. On the other hand, I knew this had to be published. As a tradeoff, I have not been publishing the findings right away, but informed Francis Tse, Imaging System Architect at Xerox Corporation first, however I kept nagging stating I wanted to publish within a few hours. As a result, we have been in close contact the last hours (I even ditched a friend of mine on his birthday party) and I sent Mr. Tse
Actually, this is the case when earlier disclosure helps security, because when more people are aware of this problem, more people will take action to prevent it from happening (like setting higher quality setting as default).
At the federal level, our entire legal system is based on the concept that a machine copy of a document is as good as the original. In addition to all the other problems pointed out by other readers -- engineering errors, medical errors, financial errors, this type of error also greatly harms our legal system as well. A problem since the legal system is essentially the operating system for our society. I don't see how Xerox is going to survive the wave of lawsuits that is going to follow. They need to immediately warn everyone to stop using their systems, and then recall all affected units. Going forward, I suspect that the name "Xerox" will now mean: "to mangle or randomly distort".
Numbers are the bedrock of the capitalist regime. They are sacred. Do not transform them when copying them. Better to mangle words cause we all know they have semiotic plasticity anyway. But for the love of the capitalism and all it portends, please keep the numbers pure. That is all.
Time to buy a Ricoh.
At least they don't monkey with the compression to the level it actually distorts the image.
Any compression at all, any modification at all, is unacceptable in a copier. How do you not get that?
How soon until they'll patent this as a feature and try to sue someone else?
I expect a copier to copy an image of the page, not to perform an OCR scan and reprint it.
What's next? An NSA back door so the scanned text can be fired off to the US spy network?
Are you sure that you read the article?
Please quote the exact sentence or sentences that describe that the machines operate as you claim they do. I expect to see explicit references to the scanning process, the storage to some storage medium, the compression, and the printing based on that compressed and stored representation.
I do not see the words "store" anywhere on that page. The words "storage" and "print" do appear, but they are outside of the article in completely unrelated text.
Please just come out and admit that your claims are not reliable, and that they are based on pure speculation, if that is indeed the case (as it does appear to be).
I wonder if this is caused by an anti-copy feature that just hits the innocent.
Nobody learns from others mistakes, eh Xerox?
The copiers are failing to copy numerals properly.
It does seem to me that you would be able to intentionally create specific errors in parts of documents as long as you had carte-blanch control over the contents of other parts of it.
Could someone explain what the purpose of this compression is? There must be enough memory to copy without the heavy compression since there are high resolution presets with less compression also. Is this compression used as a way to lower the resolution? I don't see the added value of the compression at all.
Sorry, what?
http://www.dkriesel.com/en/blog/2013/0808_number_mangling_not_a_xerox-only_issue
And one of the comments to that posting says:
I have experimented with the open source jbig2enc library available at http://github.com/agl/jbig2enc, which has a encoding parameter called the “threshold”, described like this:
“sets the fraction of pixels which have to match in order for two symbols to be classed the same. This isn't strictly true, as there are other tests as well, but increasing this will generally increase the number of symbol classes”
The included command tool accepts values for this parameter between 0.4 and 0.9, with 0.85 as the default.
I have found replaced digits in single-page numerical tables encoded with this parameter set as high as 0.82. As with the other examples you have found, the errors are not in any ways obvious to the eye which is, of course, the real problem.
Since JBIG2 has been supported in PDF since 2001, it would be surprising if only Xerox have fallen into this trap.
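The quoted jbig2enc comment describes the mechanism behind the whole thread: a symbol-dictionary coder keeps one bitmap per "class" and re-emits that bitmap wherever a later glyph matches it closely enough, so a digit that resembles an earlier one by more than the threshold is silently replaced. The following Python is an added illustration written for this page; it is not jbig2enc, not Xerox firmware, and not a JBIG2 implementation. The 5x7 bitmap font, the sample page "68186" and the use of plain pixel agreement as the only matching test are constructed assumptions (real coders apply further tests, as the quoted comment notes); the thresholds 0.95, 0.85 and 0.82 are taken from the comment. It shows why a "6" and an "8" in a small font merge into one class at 0.82 but not at 0.85.

```python
"""Toy JBIG2-style symbol-dictionary round trip (illustration only, not a
real JBIG2 coder). Glyphs on a 'page' are classified greedily: a glyph joins
the first dictionary class whose bitmap agrees with it on at least
`threshold` of its pixels; otherwise it starts a new class. The decoder then
re-emits the class representative, which is where digit substitution comes
from."""
from typing import Dict, List, Tuple

Bitmap = Tuple[str, ...]  # rows of '#' (ink) and '.' (paper)

# Constructed 5x7 bitmap font (an assumption for this example, not any
# scanner's output). '6' and '8' differ in exactly 6 of 35 pixels.
FONT: Dict[str, Bitmap] = {
    "8": (".###.", "#...#", "#...#", ".###.", "#...#", "#...#", ".###."),
    "6": ("..##.", ".#...", "#....", "####.", "#...#", "#...#", ".###."),
    "1": ("..#..", ".##..", "..#..", "..#..", "..#..", "..#..", ".###."),
}


def similarity(a: Bitmap, b: Bitmap) -> float:
    """Fraction of pixel positions on which two equally sized bitmaps agree."""
    total = sum(len(row) for row in a)
    same = sum(x == y for ra, rb in zip(a, b) for x, y in zip(ra, rb))
    return same / total


def encode(page: List[Bitmap], threshold: float) -> Tuple[List[Bitmap], List[int]]:
    """Greedy symbol classification. Returns (dictionary, indices): the
    dictionary holds one representative bitmap per class, and indices maps
    each glyph on the page to its class. Only the representative survives."""
    dictionary: List[Bitmap] = []
    indices: List[int] = []
    for glyph in page:
        for i, representative in enumerate(dictionary):
            if similarity(glyph, representative) >= threshold:
                indices.append(i)  # lossy: glyph is replaced by the class
                break
        else:
            dictionary.append(glyph)  # first of its kind becomes the class
            indices.append(len(dictionary) - 1)
    return dictionary, indices


def decode(dictionary: List[Bitmap], indices: List[int]) -> List[Bitmap]:
    """Reconstruct the page from class representatives only."""
    return [dictionary[i] for i in indices]


def read_back(glyphs: List[Bitmap]) -> str:
    """Identify each decoded glyph by exact match against the font ('?' if none)."""
    inverse = {bitmap: ch for ch, bitmap in FONT.items()}
    return "".join(inverse.get(g, "?") for g in glyphs)


def roundtrip(text: str, threshold: float) -> str:
    """Encode a string of digits as glyphs, decode it, and read it back."""
    page = [FONT[c] for c in text]
    dictionary, indices = encode(page, threshold)
    return read_back(decode(dictionary, indices))


if __name__ == "__main__":
    text = "68186"  # constructed sample page
    for t in (0.95, 0.85, 0.82):
        out = roundtrip(text, t)
        state = "intact" if out == text else "MANGLED"
        print(f"threshold={t:.2f}: {text} -> {out} ({state})")
```

With the first "6" on the page defining its class, every later "8" that clears the threshold is emitted as that "6": at 0.82 the page comes back as "66166", while at 0.85 and 0.95 it is intact. Note that nothing in the output looks damaged, exactly as the quoted comment observes; the only way to catch this in practice is to compare the scan against the original or to disable symbol matching (or raise its threshold) for anything numeric.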
Just as well for Rick, he outsourced this work to HCL. They'll clean up the mess left by those lazy, grasping American engineers in no time at all!
I guess we all know which it is now.
The U.S. government says it can require companies to do things, and the companies have to keep it secret. There does not seem to be any limitation.
Thirty plus years as a professional engineer - the lifeblood is "blueprints". This has always been a significant issue, regardless of the technology involved, there WILL be reproduction errors. Be it because of dirt on the optics, spilled coffee on the originals, scratches on the mylar / sepia, or bad diazo paper; EVERYBODY with any sense knows to check and double check anything which does "not add up". Hence why checksum was developed for electronic data processing. ... ad infinitum; I WANT the original file translated into the oldest format available, preferably human readable! With electronic signatures; but the suit weasels in industrial corporations use my PE status to make me the scapegoat for all their deliberate ignorance and just plain stupidity.
The worst is to try to use a pdf of a tiff of a pdf of a jpg of a
With memory so cheap, why not just store uncompressed bitmaps? Problem solved.
You've got to elaborate a bit more than the short, uninformative sentences that you put up. What are you talking about? What is this "horribly thought out position" that you accuse me of having?
Let me break it down for you. You accuse me of being either:
a) a shill, or
b) an idiot,
even though I've pointed out some of the safety issues that stem from not being able to correctly copy when it would be assumed that you could, and by extension criticised Xerox (the company) for not coming forward with this, when they, as you put it "sat on the information".
Now, as dos1 pointed out above:
Actually, this is the case when earlier disclosure helps security, because when more people are aware of this problem, more people will take action to prevent it from happening (like setting higher quality setting as default).
So, again I must say: sorry, what?
The fact that this is even POSSIBLE makes me worry that there's covert firmware deliberately tampering with things.
First of all, how does it even know what a number *looks like*?
And how the hell does it SWAP numbers?
I've never known decompression artifacts to do that. It's just plain loony.
Something seems decidedly fishy here.
Unless, as with the hackable door locks, someone sues for a gag order.
You might not owe a corporation favors, but they certainly can try to FORCE you to grant them.
I think everything else you wrote was good but in the case of disclosing security attack vectors, letting everyone know or only letting hackers know, before giving the company a chance to fix the security hole results in a great many more hackers using the attack vector than if it had been reported without public disclosure. We have no idea who figured out the attack vector first, the researcher could very possibly be first, or be one of the first, to discover it. Do hackers always share attack vectors with other hackers immediately after finding them?
Security bugs are very different from functionality bugs and should not be compared. Similarly the disclosure of these bugs should follow different paths.
I'm sorry, but this story is absolutely outrageous. Photocopy machines are used in mission critical situations. Users hear the word PHOTOCOPY and expect the copies are like photographs- one-for-one duplicates, with the proviso that lowering the resolution causes universal copy degradation. No-one expects SEMANTIC compression, or any form of OCR/repeating pattern compression. The photocopier does NOT have a clue as to the nature of documents being copied, and CANNOT make any assumption about the semantic properties of the document.
The ONLY compression algorithms acceptable are JPG and similar syntactical spatial compression algorithms. Yes, JPG requires a VERY high setting when used in something like a photocopier, so NO document, no matter what its content, is degraded too much by the compression, but this is unavoidable. Such high quality JPGs are nowhere near as 'small' as those usually encountered, but they will still give significant memory savings over the original bit-image capture.
So called document compression algorithms are ONLY suitable for simple books with straightforward, non-challenging fonts in fairly large sizes. Even then, such algorithms are KNOWN to have major issues, and are only really suitable for documents that are casually read (text ONLY) and NOT for documents where the accuracy of equations or lists of numbers will matter to the reader. You will notice that books you download that contain loads of FINE detail, like equations, tend to be JPG scans of the page (often in a PDF container).
There is ZERO chance that a Xerox software update will fix this problem. Instead, it will simply make the problem less obvious, so that only when the rocket explodes or the plane crashes will accident researchers discover that Xeroxed documents had altered certain details on the copied document. Every mission critical environment is under a legal obligation to throw out ALL their Xerox machines, and to mark the brand as dangerous.
Xerox needs to trash EVERY model that uses semantic document compression algorithms (which stay highly dangerous no matter how high you raise their settings) and design new models with lossless compression, or very high setting JPG like compression. If the level of compression creates files too large for their current storage methods, they'll have to build decent hard-drives into their more expensive models to hold current document runs. For god's sake, HDD costs per TB have been tiny for ages now.
Xerox proves that for too many companies, there are no such things as competent software engineers. An ENGINEER doesn't just know of a technique, he/she understands when the technique is applicable, and also how to do test research proving that a proposed solution is acceptable. How the hell did Xerox EVER authorise compression algorithms that EXPECT certain forms of document, when you can stick ANY form of document into your photocopier?
How is this information worthy of slashdot.... What in the world would make somebody think this is interesting... Somebody who has obviously not called the customer service department of virtually any company.
Whatever, downvote, but good grief.
Hey, if Soylent Green were made of corporations, I'd buy it!
Dishevel thought he was replying to the same AC you were replying too, however his nerdrage exceeded his ability to reply to the correct post and not make a public fool of himself. Sad, really.
Can you please show some evidence proving that you actually are a Xerox technician?
I personally know the people who configure aircraft and ATC systems. They do stuff like modelling the runway locations and airspace profiles around airports. Scanning and emailing printed data is something which they would do from time to time. There must be thousands of examples of safety critical data which is handled in this way.
I believe the idea is that making this public knowledge before it is fixed does not increase exposure. All of the risk has already happened and people who know about the issue can't make it happen more.
This explains the shitty character sheet scans.
How would any of you like it if someone found a bug in your stuff and instead of notifying you, went to your managers and bad mouthed you?
Our customers do. They pay out the ass for my employer's product, so I think they have a certain expectation of quality, and I can't say that they're completely wrong. People talking about the problems with your product in public is just part of running or working for a corporation that engineers things.
Can Soylent Green vote too?
Because programming is an art, maaaaaan!
Oh, Rob the Bold Wise Man...
Thou shalt first read, then think, then excrement your verdicts:
http://www.dkriesel.com/en/blog/2013/0811_comprehension_time_line
He discovered the information, and he is free to (a) remain silent (b) tell Xerox (c) tell the press (d) tell everyone
(e-z) anything else he likes. He might CHOOSE (b) but he is certainly under no obligation to do so, and it is of
course incorrect for anyone to fault him if he does not choose (b).
He first chose (b).
The following week, he had various on-site visits from Xerox support personnel and had numerous phone calls with Xerox help desks at all levels. (None of these seem to have been familiar with the now frequently quoted warnings from the Xerox device manuals.)
When during this week of crazy activity no satisfactory explanation or solution from Xerox came forward, he did (d) and published his blog article.
Also, it seems that the much quoted warnings from the Xerox device manuals were not present in older editions. Xerox shipped the device line years ago with the flaw first. They (or one of their customers) seem to have discovered the flaw later somehow. Instead of fixing it, they chose the cheap route and simply added the warning to the manual and the web interface of the devices. This was already long before David Kriesel re-discovered the flaw and was forced to publicise it.
Yes, faxes? Remember them?
They're still widely used in many industries today. In fact, I applied for an Apple Developer account in a company name not too long ago and, unlike with an individual account, there is some paperwork involved that Apple insist must be faxed to them. Apparently it's more secure. Anyway, I'm not ranting about that issue today, but more the widespread use of faxes in the area of Law.
Lawyers love faxes. They fax everything they can. A lot of them are using email more and more these days, but faxes are still a critical part of their business.
Most faxes can use JBIG compression. High-end faxes use JBIG2 compression. This compression is what's been blamed in this Xerox issue. How many faxes have been received over the years that have been subject to silent modification of the information?
It's not hard to imagine a legal situation where just one number modified on a page could prove to be very expensive...
And corporations don't always fix problems, even serious ones, until they receive wider attention.
And even if they did, how many people would know about the fix to ask for it? At least now it's gotten enough publicity that a lot of users know about the problem and can use the workarounds until an official fix is available (if one is even possible, given the nature of the problem). If I had one of these copiers, I'd sure be reviewing my recent uses to make sure this wasn't going to substantially affect me. All of that's possible only because he told the world, unless you really believe from the bottom of your heart that Xerox themselves would have made this knowledge so public.
Dewey, what part of this looks like authorities should be involved?
One word: Bravo. You spared my lazy bum a comment :)
however I kept nagging stating I wanted to publish within a few hours
Has this guy ever worked for a large corporation? They can't decide they need to take a dump within a few hours let alone anything requiring thought and consideration.
Did this tool try to notify Xerox first or did he just start shouting from the mountain tops?
It isn't a security issue so the only purpose served by his going public without him contacting Xerox is to stroke his ego.
How would any of you like it if someone found a bug in your stuff and instead of notifying you, went to your managers and bad mouthed you?
You'd think he was a prick.
Why does he owe this courtesy to Xerox? Xerox isn't his coworker, Xerox doesn't have feelings. Xerox is a corporation. And corporations don't always fix problems, even serious ones, until they receive wider attention.
So should he have quietly alerted Xerox, then monitored their progress in fixing the problem, keeping the company apprised of how it was doing -- sort of an unpaid QA position? I guess that's an option, but not the only acceptable one.
He told them and spent a week talking to all kinds of support people to try to find an explanation, with no result. Then he wrote the blog post.
This is actually described very clearly in the original text.