Xerox Confirms To David Kriesel Number Mangling Occurring On Factory Settings
An anonymous reader writes with a followup to last week's report that certain Xerox scanners and copiers could alter numbers as they scanned documents: "In the second Xerox press statement, Rick Dastin, Vice President at Xerox Corporation, stated: 'You will not see a character substitution issue when scanning with the factory default settings.' In contrast, David Kriesel, who brought up the issue in the first place, was able to replicate the issue with the very same factory settings. This might be a serious problem now. Not only does the problem occur using default settings, so everyone may be affected; additionally, their press statements may have misled customers. Xerox replicated the issue by following Kriesel's instructions, later confirming it to Kriesel. Whole image segments seem to be copied around the scanned data. There is also a new Xerox statement out now."
Swapping numbers while copying may seem like bizarre behavior for a copier, but in comments on the previous posting, several readers pointed out that Xerox was aware of the problem and acknowledged it in the machine's documentation; the software updates promised should be welcome news to anyone who expects a copier to faithfully reproduce important numbers.
69 dude!
Now if 6 turned out to be 9, ...if all the hippies cut off all their hair,
I don't mind, I don't mind,
I don't care, I don't care.
Dig, 'cos I got my own world to live through
And I ain't gonna copy you.
“He’s not deformed, he’s just drunk!”
What???? A copier changes numbers? A copier is supposed to copy.
Dude, read the thread linked in the summary, copying doesn't even work right.
Copying is still high quality.
Incorrect. The way these Xerox machines work is that they first scan the document, then compress it and store it on the storage medium, and then use that compressed file to print out the copy from. It's braindead.
Yes, he did. If you'd care to read the story you would've known the answer without having to ask here and then complain about something that's not even applicable here.
The potential for damage with this kind of error almost can't be overstated. Besides errors in billing, construction, manufacture or products, medicine dosages, etc. already outlined, there are other likely problems:
Publications may contain wrong data.
Scientific conclusions may be based on wrong data.
Government policy may be based on wrong data.
Money may go to wrong accounts or be taken from wrong accounts.
You think you paid your taxes? The government may not agree.
Did this tool try to notify Xerox first or did he just start shouting from the mountain tops?
It isn't a security issue so the only purpose served by his going public without him contacting Xerox is to stroke his ego.
How would any of you like it if someone found a bug in your stuff and instead of notifying you, went to your managers and bad mouthed you?
You'd think he was a prick.
Why does he owe this courtesy to Xerox? Xerox isn't his coworker, Xerox doesn't have feelings. Xerox is a corporation. And corporations don't always fix problems, even serious ones, until they receive wider attention.
So should he have quietly alerted Xerox, then monitored their progress in fixing the problem, keeping the company apprised of how it was doing -- sort of an unpaid QA position? I guess that's an option, but not the only acceptable one.
I am not a crackpot.
Am I the only one who finds this truly frightening; that the photocopier has a bug in a sub system that is basically reading the content of the documents being photocopied?
Yes, you should find that frightening. That's not new, though, pretty much all photocopiers these days don't actually "photocopy" the document, they scan it to memory and then print the scan. Your documents are saved to memory on the photocopier. Yep, that's a security flaw.
http://www.thedailygreen.com/environmental-news/latest/digital-copier-security-461009
http://www.cbsnews.com/8301-18563_162-6412439.html
http://message.snopes.com/showthread.php?t=60313
http://www.geoffreylandis.com
It isn't a security issue so the only purpose served by his going public without him contacting Xerox is to stroke his ego.
It isn't a security problem? Seriously?
What if a doctor copies a prescription or your medical journal? Government officials copy personal information for use with a visa? Police officers copy statements? Or any other place where you'd want to copy something, that must be copied correctly?
Sure, it's not a computer security issue, but it's definitely, among other things, a security issue.
Specifically, the EURion Constellation.
Corporations are people too!
this could really suck if you are copying documentation for a critical process.
medical, aerospace, building construction...
Coming soon ... Xerox voting machines.
It's not a security problem in the sense that people knowing about it won't be able to exploit it. In other words, public knowledge of the problem won't hurt security any more than it already has been, which is what the earlier post was talking about.
First, I do understand your point regarding the common usage of "security" in this domain. However, the term "security" can also mean "safety," although in English "security" is more commonly used to mean freedom or protection from malicious harm or loss and "safety" is commonly taken to mean protection from accident or nature. (Paging pedants to show just how stupid and wrong I am.) Moreover, in some languages, the English words "safety" and "security" translate the same.
I am not a crackpot.
You are making the mistake of imagining that the person who discovered this flaw owes Xerox something.
He does not.
He discovered the information, and he is free to (a) remain silent (b) tell Xerox (c) tell the press (d) tell everyone (e-z) anything else he likes. He might CHOOSE (b) but he is certainly under no obligation to do so, and it is of course incorrect for anyone to fault him if he does not choose (b).
We see this same mistake being made by the inferior minds who advocate the farcical concept of "responsible disclosure" when it comes to security issues. There is no such thing. There never has been. It's simply a fabrication by the mouthpieces of corporations who fret about bad publicity or negative impact on their stock price. Those who say they practice it are conceited and arrogant: they are making the foolish mistake of presuming that they, and they alone, possess this information, even though that's almost certainly not true. (What one can discover, another can discover.)
In all these cases, what we find are people who are afraid of the truth. They are afraid to speak it, afraid to hear it, afraid to have it propagated, afraid that others may have it: afraid, afraid, afraid. This is antithetical to the scientific method, to free speech, to forward progress: we must have the truth, no matter how inconvenient or unpleasant, if we're going to get anywhere.
I'm sure that some of the people at Xerox are furious about this. That's just too damn bad. If they want to find the root cause of their anger, they should look in a mirror, as it is their incompetence, sloppiness, laziness and negligence that has made all this happen.
Soylent Green is people too!
Inheritance is the sincerest form of nepotism.
Do you work, or have you worked, directly for Xerox on these sorts of products?
No, but I do possess a skill most people in this modern world seem not to possess: I can read stuff.
If you have not, how did you come upon this information? Is it based on actual specifications or design documents? Or is it based on speculation?
http://arstechnica.com/information-technology/2013/08/confused-photocopiers-randomly-rewriting-scanned-documents/
Kudos though for spending so much time thinking of how to validate your horribly thought out position.
The reason that you come forward quietly to a corp before going public on a real security issue is so that the bad guys do not exploit it while the company makes a patch. People knowing about this issue before a patch can only help the issue.
On top of that Xerox knew about this problem already and were just keeping a lid on it.
If you are a paid Xerox shill then you are a failure at your job. Otherwise you are just an idiot.
Why is it so hard to only have politicians for a few years, then have them go away?
They meant to admit this to the public last week, but their press release got its letters changed around for some reason...
At the federal level, our entire legal system is based on the concept that a machine copy of a document is as good as the original. In addition to all the other problems pointed out by other readers -- engineering errors, medical errors, financial errors, this type of error also greatly harms our legal system as well. A problem since the legal system is essentially the operating system for our society. I don't see how Xerox is going to survive the wave of lawsuits that is going to follow. They need to immediately warn everyone to stop using their systems, and then recall all affected units. Going forward, I suspect that the name "Xerox" will now mean: "to mangle or randomly distort".
Numbers are the bedrock of the capitalist regime. They are sacred. Do not transform them when copying them. Better to mangle words cause we all know they have semiotic plasticity anyway. But for the love of the capitalism and all it portends, please keep the numbers pure. That is all.
I am a Xerox technician.
Yes, some models store and compress jobs before printing.
Dude, read the thread linked in the summary, copying doesn't even work right.
Says you. I advised one of my clients to get one of these machines when this issue was first made public. This "feature" gives them plausible deniability for the numbers in their documents to be wrong when they submit them to various entities.
I should send a big bouquet of flowers to Xerox. Falsifying documents is not falsifying documents when the copier does it.
http://www.dkriesel.com/en/blog/2013/0808_number_mangling_not_a_xerox-only_issue
And one of the comments to that posting says:
I have experimented with the open source jbig2enc library available at http://github.com/agl/jbig2enc, which has an encoding parameter called the “threshold”, described like this:
“sets the fraction of pixels which have to match in order for two symbols to be classed the same. This isn't strictly true, as there are other tests as well, but increasing this will generally increase the number of symbol classes”
The included command tool accepts values for this parameter between 0.4 and 0.9, with 0.85 as the default.
I have found replaced digits in single-page numerical tables encoded with this parameter set as high as 0.82. As with the other examples you have found, the errors are not in any way obvious to the eye which is, of course, the real problem.
Since JBIG2 has been supported in PDF since 2001, it would be surprising if only Xerox have fallen into this trap.
What's really bizarre is that they chose to invent some half-assed lossy compressor instead of using PNG (lossless) or JPEG (lossy, but a helluva lot better than their algorithm apparently).
.: Semper Absurda
it doesn't happen on high quality though.
why it would copy at other than high quality is anyone's guess..
world was created 5 seconds before this post as it is.
It is not brain dead. It is the only way the copier can efficiently forward the image to the NSA.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Oh lovely, the copier can not only spy on me, it can actually frame me by number fiddling and handing off bogus evidence to the spooks?
Flawed or sabotaged?
From this file, located on Xerox's site:
Different devices represent different levels of risk. It's axiomatic that as functionality increases so does the potential risk. For those devices, countermeasures are built into the machine to reduce the risk.
Not all copiers have hard disk drives. Those that do not are not at risk.
Some copiers and multifunction devices have hard disk drives, but do not use the hard disk drive to save document images. These are also not a risk.
Those copiers and multifunction devices that do use hard disk drives to temporarily store images, should have an "image overwrite" feature that destroys the copied image immediately. That function should be built in (which Xerox does), or installable via a security kit. If neither solution exists for the product, it is at risk.
Also, most copiers and multifunction devices that have hard disks include a disk encryption feature which encrypts all stored customer image data with the state-of-the-art AES encryption algorithm.
Xerox has developed a disk removal program so that prior to a device being returned a Xerox technician will remove the disks and leave them with the customer. This program charges a flat fee per machine for the service. Contact Xerox Customer Support for information on fees and availability in your geography.
Clearly, some Xerox "copiers and multifunction devices" store image data in non-volatile memory, in the course of their operation. Stop being a jackhole.
Well, the time required, for one. The image bed is essentially a scanner. Higher resolution means a slower scan. Second, even at low qualities, my experience is that a lot of the time, scanning at "low quality" settings will still give you better results than using an analog copier anyhow. Scanning at lower quality is just a tradeoff of quality for speed, with speed being optimized for.
It is pitch black. You are likely to be eaten by a grue.
The copiers are using JBIG2, not JBIG, which is lossless. JBIG2 on the other hand has lossless and lossy modes. In both modes the algorithm employs "similar symbol matching," but in the lossless mode differences for each instance of a symbol from a reference are stored while the lossy mode stores only the reference symbols.
ImageMagick doesn't seem to support JBIG2 so I haven't been able to play around with it at all. I just wonder if even the lossless mode is safe since it sounds bug prone (i.e. unless they have unit tests on many images to guarantee bit-perfect reproduction, all bets are off).
.: Semper Absurda
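The following is an added toy model, not code from the thread, from jbig2enc or from Xerox, that illustrates both the "threshold" behaviour described in the quoted jbig2enc comment above (a new symbol instance is put in an existing class when at least that fraction of its pixels match the reference) and the lossless-versus-lossy distinction in the comment just above (lossy mode keeps only the reference symbol; lossless mode also stores the per-instance difference). The 5x7 digit bitmaps, the digit string "8616" and the plain pixel-agreement classifier are all constructed for this example and are assumptions; real JBIG2 encoders use more elaborate matching tests. The last function is the bit-exact round-trip check the comment says an encoder's test suite needs.

```python
# Toy model of JBIG2-style symbol classification (constructed example; not the
# jbig2enc or Xerox implementation). Glyphs are 5x7 bitmaps, '#' = black pixel.
GLYPHS = {
    "8": [".###.", "#...#", "#...#", ".###.", "#...#", "#...#", ".###."],
    "6": [".###.", "#....", "#....", ".###.", "#...#", "#...#", ".###."],
    "1": ["..#..", ".##..", "..#..", "..#..", "..#..", "..#..", ".###."],
}


def match_fraction(a, b):
    """Fraction of pixel positions where two equally sized bitmaps agree.

    Stands in for the jbig2enc 'threshold' test: an instance joins an existing
    symbol class when at least this fraction of its pixels match the reference.
    """
    total = sum(len(row) for row in a)
    same = sum(pa == pb for ra, rb in zip(a, b) for pa, pb in zip(ra, rb))
    return same / total


def xor_bitmaps(a, b):
    """Pixel-wise XOR; computes a refinement residual and also re-applies it."""
    return ["".join("#" if (pa == "#") != (pb == "#") else "."
                    for pa, pb in zip(ra, rb))
            for ra, rb in zip(a, b)]


def encode(text, threshold, lossless):
    """Encode a digit string as (symbol dictionary, stream).

    Each stream entry is (class index, residual). Lossy mode stores None and
    keeps only the reference symbol; lossless mode stores the XOR difference to
    the reference so the exact instance can be rebuilt on decode.
    """
    dictionary = []
    stream = []
    for ch in text:
        inst = GLYPHS[ch]
        cls = next((i for i, ref in enumerate(dictionary)
                    if match_fraction(ref, inst) >= threshold), None)
        if cls is None:
            dictionary.append(inst)
            cls = len(dictionary) - 1
        res = xor_bitmaps(dictionary[cls], inst) if lossless else None
        stream.append((cls, res))
    return dictionary, stream


def decode(dictionary, stream):
    """Rebuild the page bitmaps from the dictionary and the stream."""
    return [dictionary[cls] if res is None else xor_bitmaps(dictionary[cls], res)
            for cls, res in stream]


def recognise(bitmap):
    """Exact lookup of a decoded bitmap back to a digit; '?' if nothing matches."""
    for ch, glyph in GLYPHS.items():
        if glyph == bitmap:
            return ch
    return "?"


def roundtrip(text, threshold, lossless=False):
    """Digits read back after an encode/decode cycle."""
    dictionary, stream = encode(text, threshold, lossless)
    return "".join(recognise(b) for b in decode(dictionary, stream))


def substitutions(text, threshold, lossless=False):
    """Positions where the decoded page differs from the input.

    This is the bit-exactness check an encoder's test suite needs: compare the
    decoded output against the source, position by position, for many inputs.
    """
    out = roundtrip(text, threshold, lossless)
    return [(i, a, b) for i, (a, b) in enumerate(zip(text, out)) if a != b]


if __name__ == "__main__":
    # Constructed input: with the 0.85 default-like threshold the "6" glyph
    # agrees with the earlier "8" reference on 33 of 35 pixels and is merged.
    for thr in (0.85, 0.95):
        for lossless in (False, True):
            print(f"threshold={thr} lossless={lossless}: "
                  f"8616 -> {roundtrip('8616', thr, lossless)}")
```

With the threshold at 0.85 in lossy mode, "8616" decodes as "8818" because the "6" instances share 33/35 pixels with the "8" reference seen first; raising the threshold to 0.95 or switching to lossless mode restores "8616". The substitution is invisible in the decoded bitmaps themselves, which is why a position-by-position comparison against the source, rather than visual inspection, is the check that catches it.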