Hidden Codes in Printers Cracked
r84x writes "A research team led by the Electronic Frontier Foundation (EFF) recently broke the code behind tiny tracking dots that some color laser printers secretly hide in every document.
The U.S. Secret Service admitted that the tracking information is part of a deal struck with selected color laser printer manufacturers, ostensibly to identify counterfeiters. However, the nature of the private information encoded in each document was not previously known.
"We've found that the dots from at least one line of printers encode the date and time your document was printed, as well as the serial number of the printer," said EFF Staff Technologist Seth David Schoen."
Before... (Score:5, Insightful)
Just realize that 99.9% of the world doesn't give a shit about anything you do, and all that paranoia just slips away. That's what I did.
Conspiracy math (Score:5, Insightful)
Anyway, so the government requires each printer manufacturer to maintain a database of all printers sold, so that if needed, they can subpoena the records? No wonder printer ink costs so much.
I'm thinking that this would only go so far, and not be much more useful than a database of gun rifling marks?
Re:Before... (Score:5, Insightful)
Re:Before... (Score:3, Insightful)
Re:Conspiracy math (Score:2, Insightful)
Disgusting. (Score:3, Insightful)
Improve, or something else [microsoft.com]....? TCP timestamps too. Just use the LSB, and by making it a 1, or a 0, and you can transmit information hiddenly.
Welcome to life in 21st century United States (Score:2, Insightful)
-Eric
Localization (Score:2, Insightful)
Re:Slashdot Delay (Score:1, Insightful)
Re:Before... (Score:2, Insightful)
Not everyone is out to get me, but when I express an unpopular opinion I don't want to risk being labelled a Terrorist (with a capital 'T') and thrown in gaol for an indefinite period with no rights, no contact and no food.
Re:Before... (Score:5, Insightful)
Then along came Senator Joseph McCarthy...
Re:Investigate printer ink price-gouging instead? (Score:2, Insightful)
In fact, you may be surprised to learn that the two are usually at odds with one another.
Re:Disgusting. (Score:2, Insightful)
Re:Before... (Score:4, Insightful)
If you paid with a credit card, then yes, they have it in a database.
The retailer or manufacturer may have it in a database, but whatever shadowy organisations the parent was alluding to probably don't. Government agencies have enough trouble keeping track of where people live without having to track their possessions too.
Re:Conspiracy math (Score:2, Insightful)
Re:Before... (Score:4, Insightful)
I don't know that the lack of a database would make the information useless. It may work like running ballistics tests on a shell casing found at a crime scene and matching it to a weapon seized from a suspect.
Even if their ability to find a suspect is limited, they may have the ability to prove, within a court of law, that a document came from the printer in your basement.
Re:Printer Friendly Version? (Score:5, Insightful)
That is true in an uncorrupted system. The question remains what would happen if someone did use their power like J. Edgar Hoover did, and others in history that have got away with abuse of power in such a manner.
And there is the case of just because something is illegal, that doesn't mean that something is a wrong thing to do.
Re:Investigate printer ink price-gouging instead? (Score:4, Insightful)
Re:Before... (Score:1, Insightful)
Re:Before... (Score:5, Insightful)
Who's to say what it takes for them to obtain this information and how they use it? I'm personally not satisfied to just think "they'll only obtain it when they need it, and they will only use it for a Good Cause". It's not paranoia, it's like Murphy's law: if it can be abused, it probably will be.
Re:Printer Friendly Version? (Score:5, Insightful)
The people that do not want their houses randomly searched must be hiding something, after all, why would they not want searched? I know, point taken to the extreme but where do you draw the line?
Re:Before... (Score:5, Insightful)
Re:Before... (Score:2, Insightful)
Since we live in an elective democracy, it's usually in the best interest of your politicians to at least make their shady doings HIDDEN (read: not directly affecting you). Spooks showing up to toss you into a van and throwing you into a hole, really isn't something that benefits anyone in the federal or state government no matter what you did, as those responsible would be quickly out of a job and possibly jailed.
However, while a free market is supposed to be economic democracy, I think that the actions taken by large commercial entities (MS, RIAA, MPAA, etc) are indicative that they really don't care what we think, or they rely very heavily on the vast majority of people not caring/noticing.
Although, since this is Slashdot, someone would have to notice that the spooks took you, so make sure you crawl out of the basement once a day or so and someone knows you're still down there.
Re:Er, huh? (Score:3, Insightful)
The companies don't have the time or money, but the government definitely does. Any company I've worked for, if asked by a semi-anonymous "federal" agency for information, rolls over like a scared puppy. The government has (like Spiegel) nothing but time to spy on its citizens. They are the paranoid ones that we need to be watching out for, they are the crazed mumbling guy on the streetcorner that everybody goes out of their way to avoid. Handing them technology like this is like handing the aforementioned freak an automatic weapon. Sooner or later he'll figure out how to use it to fight off the voices that keep pestering him. Sooner or later, the government will figure out how to use this technology to oppress its citizenry.
Re:Printer Friendly Version? (Score:4, Insightful)
I think it's great that finally, we will be able to frame people we don't like with the greatest of ease. Just use their printer to print something illegal, or burn a CD on their PC!
A new crime, anyone? "Breaking And Entering With Intent To Print"
Re:Conspiracy math (Score:3, Insightful)
Anyway, I think that the customer should at least be warned about it in the manual. And the data should be easily decoded, by anyone, not just the FBI and the printer manufacturer. I think it is quite useful to be able to know when you made that copy of your work.
Unexpected historical benefit (Score:4, Insightful)
Re:Who cares... (Score:4, Insightful)
To me that's perhaps the biggest issue. At one point this was supposed to be a democracy, now it seems we're sliding into acceptance of secret laws and practices, and a general acceptance that "they" are watching (without even knowing who "they" are). We used to deride "conspiracy theorists" for thinking this kind of stuff was happening. Now we know it is happening, so we just deride the conspiracy theorists for caring.
Re:Before... (Score:5, Insightful)
Oh, so there's only 0.1% of the world who is interested in what I'm doing?
I'm glad it works out for you, but 6 million people snooping around in my private life doesn't make my paranoia go away.
Re:Before... (Score:1, Insightful)
Re:Printer Friendly Version? (Score:2, Insightful)
Re:Er, huh? (Score:2, Insightful)
Every one of the 5,000 or so pieces of computer equipment I have unpacked over the last 10 years has had the serial number barcoded on the outside of the shipping carton.
Take off your tinfoil hat. That is *not* the barcode scanned when you check out the item at your local PC superstore. They scan the UPC code, not the serial number code.
And yes, stores can be required to scan those S/Ns if the feds so desire, and it can be made to stick.
Sure, the feds can do anything they want... *if* they can get it through the lobbyists. Big retail has deep pockets, and they would push back hard against this sort of thing...
And *YES* I have worked in big retail, and I know for a fact that they do not track this kind of stuff currently. In an industry where they lose whole crates of merchandise daily during shipments, you think they can actually correlate a given serial number to a given consumer? Give me a break. They can't even keep track of what is on the shelf vs. what is in the warehouse. (Oh, the website says it is in stock, but we are actually sold out. Sorry, it must not have been updated).
Don't you think that a company that had such an advanced product tracking system would be using it to drive more business?
Conspiracy nuts have way too much confidence in big business and the government. They aren't as bright and all-powerful as you think they are. Just like any other enterprise, the overwhelming majority of the people running the show are idiots.
Re:Printer Friendly Version? (Score:3, Insightful)
I don't know but after thinking about it for half a second a good place to start might be that this printer system causes no inconvenience to the user (AFAIK) whereas a house search would.
Re:Before... (Score:2, Insightful)
If you registered it that may be a different story. Still, those same printers were supposedly registered and I continually have to provide contract numbers to have any work done. While that may be on file somewhere, it is unlikely that HP or the govt could locate that info.
odd (Score:3, Insightful)
They have since changed that practice, I believe. (there was an enhancement request logged almost 5 years ago to take care of it)
The more robust CRM/Order Management systems that have serialization tracking would allow you to associate a customer number (and consequently all customer data) with a product serial, but the CC# should be next to impossible to retrieve.
Best practices, and all that.
Re:Quit being clueless. (Score:3, Insightful)
For what it's worth, AOL maintains extensive logs and readily cooperates with law enforcement. I suspect that MSN does as well. I briefly assisted in a fraud investigation (purchasing stuff via our website with stolen credit cards) and the perpetrator was dialing in from an AOL account. AOL was able to take the source IP address and a timestamp and provide his account and billing information, as well as the telephone number he called from.
My country right or wrong is WRONG (Score:5, Insightful)
The "if you have nothing to hide" apologists for elimination of freedoms is a slippery slope to totalitarianism. Orwell would snicker!
Re:Before... (Score:3, Insightful)
Maybe not, but identifying the purchaser of the printer significantly narrows the search for the person who used that printer to generate the document in question. If it's owned by a business, they may be able to identify the specific user through print server logs (obtained via subpoena or simply "in connection with an ongoing investigation related to terrorist activity"). Even if no such logs are available, they certainly can identify those individuals with ready access to the printer in question and focus their investigative efforts accordingly.
*obviously*, if *you* bought the printer, then everything that this printer has ever printed was made by *you*
If the printer is owned by an individual, I'd imagine said individual would find himself confronted with the choice of naming names or becoming the prime suspect himself. In either case, the authorities have narrowed their search to a small group of people.
Re:odd (Score:3, Insightful)
Granted, it's not easy. But it's also not wildly difficult to use the constrained keyspace of a credit card to generate a dictionary of all possible hashes for valid credit cards (remember, the key space is even further constrained by check digits implicit in the numbers), and store that on a simple lookup table on one or more Blu-Ray DVDs.
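Added example, not part of the original comment or of any system discussed in the thread: a storage-design check showing why a bare hash of a card number is not a safe substitute for the number, and how a keyed HMAC changes that. It is narrower than the full-keyspace table the comment describes: it assumes 16-digit numbers and that the first six and last four digits are already known (as they often are from receipts), and the function names, test number and key are constructed for the illustration.

```python
import hashlib
import hmac


def luhn_sum(digits: str) -> int:
    """Luhn sum of a digit string; a valid card number sums to a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def luhn_valid(digits: str) -> bool:
    return luhn_sum(digits) % 10 == 0


def candidates(first6: str, last4: str):
    """Yield every Luhn-valid 16-digit number with these first six and last four digits.

    Six digits are unknown, but the digit at index 11 is not doubled, so the
    checksum fixes it once the other five are chosen: 10**5 candidates, not 10**6.
    """
    for m in range(10**5):
        mid5 = f"{m:05d}"
        partial = luhn_sum(first6 + mid5 + "0" + last4)
        yield first6 + mid5 + str(-partial % 10) + last4


def unkeyed_hash(pan: str) -> str:
    """The weak design: a bare SHA-256 of the card number."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_token(pan: str, key: bytes) -> str:
    """The stronger design: HMAC-SHA-256 under a secret key held outside the database."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def audit_stored_value(stored_hex: str, first6: str, last4: str):
    """Return the card number if the stored value is a bare SHA-256 of a candidate."""
    for pan in candidates(first6, last4):
        if unkeyed_hash(pan) == stored_hex:
            return pan
    return None


if __name__ == "__main__":
    test_pan = "4111111111111111"  # constructed: widely published test number
    key = b"\x01" * 32             # constructed key, for the demo only
    print(audit_stored_value(unkeyed_hash(test_pan), "411111", "1111"))
    print(audit_stored_value(keyed_token(test_pan, key), "411111", "1111"))
```

The audit identifies the number behind the unkeyed digest and returns nothing for the keyed token, because without the key the candidate list cannot be turned into comparable values.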
Re:Before... (Score:2, Insightful)
If I was going to do some counterfeiting I think I'd use cash if I was actually going to *buy* the printer. Then, maybe I wouldn't go to the CompUSA where they know me...
Anti leaking (Score:2, Insightful)
Jerry
Class Action Lawsuit? (Score:2, Insightful)
That being said, if all the printer problems I had were a few yellow dots I'd be doing well...
Re:Before... (the Patriot Act) (Score:3, Insightful)
Indeed, that's one of the reasons that most sane people are so fearful of technology such as this. Your system itself is flawed, in that nobody is truly representing you, as a citizen. Companies can get away with this, and then others can get away with abusing such information. Were true conservatives or liberals in power, then this would never be allowed to happen, and the companies that did participate in this activity would be punished. Why is that? Because true conservatives and true liberals care about individual rights.
Re:Another Terrible Invasion of Nothing! (Score:4, Insightful)
First of all: there is an intrusion, a loss of freedom, even when the power is not abused. In the 60s, your average hippy could pretty much buy a car using cash and drive to San Francisco - now you need a ton of paperwork, legal docs, and so on. You can no longer buy a car using cash - not a new car anyway. Another example: in the 1960s the government did not know what I spent my money on. Now it does. That represents a serious loss of freedom even if the government does not currently abuse that new power. These losses of freedom may or may not be necessary, but they need robust discussion and debate before they happen.
The second point: these powers DO get abused. An example. During German occupation in WW2, the Dutch sent more Jews to the concentration camps, as a percentage of the population, than any other nation save Germany. Why? They had a very efficient tracking system that from birth to grave tracked everyone's address, race, relatives' addresses, and so on. Guess what - at the first opportunity, the new people in power abused that power and traced all Jews and sent them to their deaths. Interestingly, in the years leading up to WW2, the Dutch had a debate much like this one, and the consensus was that "if you have done nothing wrong, you have nothing to fear".
Examples abound: when you give away your freedoms you (a) lose those freedoms (and the freedom to buy a printer anonymously may not seem such a big deal to you - but it IS a freedom!), and (b) over time, they sometimes get abused: you can count on a certain percentage of this happening.
Michael
Re:Before... (Score:3, Insightful)
Used to be like this:
<print>
</print>
Official 1: Who printed this?! Track him down now!
Official 2: Sir, it's just an ordinary printout. There is nothing we can do.
Official 1: Damn!
But now, welcome to the brave new world:
<print GUID="......">
</print>
Official 1: Who printed this?! Track him down now!
Official 2: Let's see. This has been printed with HP Color Laserjet 3700n, S/N xxxxxxxxxx. We got information that it was bought by cash from shop XYZ.
Official 1: Fine. Raid every building on that area and search for such printers. When you'll find those, check their serial numbers. Do not stop until you find the right one!
Official 2: Yes, Sir!
Re:Printer Friendly Version? (Score:5, Insightful)
or acting indignant because they got pulled over for speeding;
Or driving while black. Or a personal favorite, driving on the wrong side of the road - On a lineless back road barely wide enough for a single car (the sort where you literally stop and one car pulls totally off the road if you meet another car coming the opposite way).
or drunk and screaming obscenities in public places;
Or ordered to step outside a bar, given a sobriety test, and charged with public drunkenness.
or involved in horrible accidents and shootings.
You mean like when a cop panics over a 2YO kid with a cap gun, and ventilates him? Or when they zealously chase a gas station drive-off at 110mph leading to three deaths over $30 in fuel?
It's even more unlikely that the government is going to use this against you, unless you do something to draw the attention of say, the FBI.
You mean like anonymously distributing a (legal) pamphlet critical of the wrong politician, who wants revenge and has convenient connections?
I appreciate what police do. They keep a bunch of unruly domesticated primates from killing one another.
But don't glorify them - They chose that job because they get to act the most like unruly domesticated primates, and justify it as part of the job. Politicians chose their job because they like power (or money, or both). WE all need to do our part to keep the police, and the government in general, in check.
Re:Legality (Score:2, Insightful)
I'm sure the EFF would *love* for the US Gov't to make a stink over this.
Freedom does not mean lack of accountability (Score:3, Insightful)
Free speech is not free *anonymous* speech.
We all want cheap color printers. Fine. We don't want the world flooded with forged documents -- so we take some barely perceptible measures to curb that. Deal with it.
Re:My country right or wrong is WRONG (Score:3, Insightful)
The EFF document is, characteristically, a bit heavy on hysteria and thin on details, but at least suggests that this is limited to "color laser printers."
Re:Which printers? - found it (Score:2, Insightful)
http://www.eff.org/Privacy/printers/list.php/ [eff.org]
Re:Freedom does not mean lack of accountability (Score:3, Insightful)
How do you figure? If I'm free to speak, but free to get hounded by the FBI/fired/audited by the IRS if I say something that the authorities don't like, that's a pretty thin kind of freedom.
"We don't want the world flooded with forged documents"
Says you. I don't really think that it's as much of a problem as you do.
"Deal with it."
Ah. That must be in the hidden text in the 10th Amendment. You know, the one written in invisible yellow dots.
Re:Printer Friendly Version? (Score:2, Insightful)
Never happen, right?
Re:Printer Friendly Version? (Score:3, Insightful)
I don't care. It's none of their business.
"I certainly would be very suspicious of someone carrying one on to a flight. In fact, I would be sleeping with one eye open."
You sleep however you want. Your sleep habits are none of my business.
"remotely linked to something that people are paranoid about at the time"
I shouldn't have to keep track of the things that you're paranoid about. You, on the other hand, have a handy list of things that I have a right to do. (That is, loosely speaking, almost anything that doesn't cause direct harm to my fellow humans.).
"but how far are you willing to go to ignore behaviour like that?"
Very far. I am not afraid of terrorists. I am very concerned about police states. Historically, police states are much more dangerous than wackos with box cutters/sticks of dynamite/RPG's.
"How do you filter those people out at check in?"
You can't. You also can't be sure you won't get run over by a crazyperson on your way to work. Your odds of being killed by a terrorist are vanishingly small wrt the odds of you being killed by a distracted motorist.
You don't have an inalienable right to safety.
Re:Freedom DOES mean PRIVACY (Score:1, Insightful)
How about if they install them secretly without your knowledge?
How about if they do it to make sure you aren't breaking any laws?
That's basically what they have done here. They put in a way to monitor who prints any document, secretly, to make sure they can catch you if you break a law.
That's not Freedom. Anyone that can't see why that is wrong is stupid and naive.