Hidden Codes in Printers Cracked 562
r84x writes "A research team led by the Electronic Frontier Foundation (EFF) recently broke the code behind tiny tracking dots that some color laser printers secretly hide in every document.
The U.S. Secret Service admitted that the tracking information is part of a deal struck with selected color laser printer manufacturers, ostensibly to identify counterfeiters. However, the nature of the private information encoded in each document was not previously known.
"We've found that the dots from at least one line of printers encode the date and time your document was printed, as well as the serial number of the printer," said EFF Staff Technologist Seth David Schoen."
Ink Jet? (Score:3, Interesting)
Re:Before... (Score:5, Interesting)
Yes, they must, otherwise this tracking information is useless, right? They can't be that dumb. And most high-end color printers are sold to businesses and often have service contracts. It's not that hard. How many people buy a printer for cash?
And many networked printers "phone home" to the manufacturer via email or web. My Xerox phaser 7750 (great printer, btw) tries to send an email every month to Xerox. They're blocked now.
Just realize that 99.9% of the world doesn't give a shit about anything you do, and all that paranoia just slips away.
I know that. But I prefer that my printer doesn't track what I print.
Old Communist ploy gets updated (Score:5, Interesting)
The theory of course being that they would use it to try and track down any subversive content.
And now the US government has made it quick, easy and automated to do the same.
I want to know who the bastards are that are adding this technology to their printers so I can avoid them like the plague.
Yes, I know I could just not send in the registration card, but what if the government decided to crack down on those who critisize the war? Suddenly when they confiscate my printer, they can find out if any of the documents they've declared subversive came from my printer.
This is too Big Brother for my tastes.
So they "cracked" it... (Score:3, Interesting)
Who cares... (Score:2, Interesting)
What would be interesting is info on how to keep the printers from putting the dots in at all. If it's not possible, then don't buy one of those printers if you care about it that much. There is a list of manufacturers that put *some* info in your printed docs, so why not just avoid those? Do you really care if the date/time is on it? Even the serial number is useless in reality. If I steal the printer from someone's home in Boston, and transport it Houston, where I print my subversive literature for global distribution, the only thing the SS can tell from the dots is "Yep.. It was printed on printer 3437938 at 10am on a friday three months ago"
Now if it had GPS coordinates included, that would be a little more scary..
Codes (Score:2, Interesting)
instead of using a large database to hold every printers details. the authorities will use this information after they have caught a criminal to aid in the conviction. with the evedience of the printer and some sample counterfit examples. it would be very easy to tie that person to the crime.
the other example I can think is to find out how many counterfitters there could be. if they get 10 examples and the codes all match. then they know they are dealing with the same person. if there are codes from 2 or 3 differnt printers. then it could be a ring of people.
I think this is a exelent aid for the autotities and feel that the only people that have things to worry about are the people doing wrong out there.
just my 2 pence worth. Fuas.
How much is in the driver? (Score:5, Interesting)
I can only imagine the time and date are passed from the host PC - most printers don't know what time/date it is - at least on those I jsut glanced at I can't set it myself. Of course the network attached ones could have an NTP client but that'd be easily blocked at the firewall.
At least if you can make every printout say it happened three decades ago you don't need to worry about proving you were not in the office at the time the printout was made.
Investigate printer ink price-gouging instead? (Score:3, Interesting)
I want my money back for the ID dots that were printed without my knowledge or consent. A sum of $3000.00 will be sufficient to cover all past and future ink cartridge costs.
From http://www.atlascopy.com/newsletters/Printer_Cart
CNET.com analyzed the cost for inkjet printing and reported that the costs ranged from 14 cents to $1.32 per page. If it costs 21 cents per page and you print only an average of two pages per day, the annual cost of ink would be more than the cost of the printer.
The ink cartridge for a low end HP printer, containing only one tiny ounce of ink, costs a mind boggling $30.00! That's price gouging, and all printer manufacturers are doing it. That's called PRICE FIXING and it's illegal. To add to the rip-off, some of them put all the colors into one cartridge. Then you have to buy a new cartridge when only one color runs out, wasting the remaining ink.
Printers have RTC and CMOS battery? (Score:2, Interesting)
Re:Before... (Score:5, Interesting)
Buy a printer and fail to send the warranty card in and there is no entry in any list.
The reason they have this stuff is so that they can match the printer to the document in the courtroom after they catch you. It's not a tracking system.
Watermark with extra random patterns (Score:5, Interesting)
Re:Before... (Score:2, Interesting)
Alternatively, steal the printer.
One of the benefits of counterfeitting is that almost any incidental crime you commit is going to have a considerably smaller effect penalty than counterfeitting.
Re:Before... (Score:5, Interesting)
Modern asset tracking systems use the serial number of each big-ticket item to track it (if it is serialised - most expensive kit is). The asset, whatever it is, is tracked from entry to the system through to exit - with an EPOS transaction being recorded against it as it leaves if sold.
It is pretty damn easy for a database coder to write a bit of SQL to say 'give me the credit card number that bought this item'. I could do it in minutes.
Provided the Feds wanted to track a given machine, and it had been bought with plastic, there's no reason they shouldn't be able to find that info very easily, given the cooperation of the vendors. Your last para relies on you not being someone the Feds are interested in - and that relies on you assuming they won't be interested in people who haven't broken the law. I hope you are right, but recent events suggest otherwise to me...
Justin.
Re:Blue light scanner mod ? (Score:3, Interesting)
For A and B, the contrast/resolution may not be enough to detect the smallest droplets of yellow ink.
I also thought of C, but that's an expensive process - I'm sure that you would get many messed-up pages afterwards while the new toner feeds through. Or, maybe not - depends on how the toner is fed in. This would be hard to do when you're testing Kinko's printer, though.
D is a good idea, but the idea is to also make it monochromatic light - the blue plastic might let in too many different colored lights, even though it looks the same to the eye.
Quit being clueless. (Score:5, Interesting)
Let's assume you take that home and hook it up to your Windows XP Home Edition printer.
Now, that printer is installed and it requests you "Register" the printer. You decline to do so.
During the normal course of use, a little dialog box pops up stating that there is an update to download from your color laser printer manufacturer's website and the printer application will be more then happy to do so.
How does your application know that it needs to be updated? Well, it checked with a central server.
If that application checks with a central server, would it be difficult to imagine that the central server would be able to obtain the following?
IP Address, Printer Serial number, timestamp of communication.
With just the timestamp and the IP Address your PC used to communicate with the central server, you can be easily traced. It's easier if you are on broadband, slightly more difficult if you are on a service like AOL or MSN.
I am not being a tinfoil hat wearer here. I am just pointing out that it is actually easier to track down a user of a particular printer then you believe it to be.
The only way to be more anonymous with such a cash paid color laser printer purchase would be to never connect it to a PC that has Internet Access.
Re:Who cares... (Score:2, Interesting)
Easy enough to update the printer driver to include your computer's NIC and most recent IP address along with the date and serial number. Not quite as good as GPS but probably enough to track you down (it's enough for the RIAA to track down file sharers).
Hidden Codes In Printers (Score:2, Interesting)
Re:Before... (Score:5, Interesting)
I hear the argument over and over again that "just because they're allowed to, the government doesn't have time to spy on little old you, so quit being paranoid". This is true, and the government realizes it, which is why they are striving for "Total Information Awareness". The idea is that all the information the feds could ever desire is already collected in outrageous detail by private organizations like the phone company, ISPs, bookstores, etc. - so why not just pass laws granting the Feds unrestricted, secret access to this info? That way, the government doesn't have to have been spying on you your whole life. The moment you get caught up in some "suspicious" incident like looking around too much on the subway or criticizing the American government while in an American airport, your whole history is at the government's fingertips (including, now, what documents you printed!), and believe me, they'll find reasons for suspicion.
God bless the PATRIOT Act, my friend.
Re:Printer Friendly Version? (Score:5, Interesting)
Just wait until you get your ass hauled-in by an overzealous cop while you were doing something perfectly innocent or legal (like photographing old buses at a busy intersection - I know, it happenned to me. Two hours of vacation down the drain because some shit-brained bitch thought I was a terrorist - no, don't ask what happenned in her sorry neurons to think that).
Cops think they are above normal civilians and do not hesitate to abuse their powers. For them, making a lowly civilian life hell is just what swatting a fly for you.
The easier it is to abuse their power (like finding out where one photocopy was made), the more likely they will do it.
Now that the EFF has published the "secret" code, everyone can do it, including that jealous spouse, screwey boss or suspicious business associate.).
Cops think they are above normal civilians and do not hesitate to abuse their powers. For them, making a lowly civilian life hell is just what swatting a fly for you.
The easier it is to abuse their power (like finding out where one photocopy was made), the more likely they will do it.
Now that the EFF has published the "secret" code, everyone can do it, including that jealous spouse, screwey boss or suspicious business associate.
Re:Printer Friendly Version? (Score:4, Interesting)
You don't even need to use some's printer to frame them. All you need is to scan anything that they have printed and copy the hidden code on the page and then use image software to overlay that code onto your own page image and print it using a printer that doesn't embed its own code (or hack your printer to change it's serial nomber to match the target's serial number).
You can do the same with a CD, but you'll probably need to patch your CD drive's software to embed the target's CD drive number.
-
Re:Who cares... (Score:3, Interesting)
Where I come from (Germany) people have been executed because their anonymous printings could be traced back to them.
Eg: Read http://en.wikipedia.org/wiki/White_rose [wikipedia.org]
Now imagine how easy this would have been if they used one of these laser-printers for the leaflets and for their homework.
If you give away your personal freedom to this regime a future fascist regime isn't likely to give it back to you.
k2r
I think this gets the score for the most... (Score:2, Interesting)
Re:Printer Friendly Version? (Score:2, Interesting)
The REAL counterfeit artists (Score:3, Interesting)
1. The casual home counterfeiter. A guy with an inkjet who is 'having fun.' These guys get caught quickly by the secret service.
2. The black market Wal*Mart, a.k.a. the Mob. They reconstitute $1 bills into pulp, reform the cotton into large sheets, and silkscreen new 'old style' $100 bills. By using the real paper and near-perfect ink in the old style bills, they get past the verification pens and bank scanners. Funny thing is, this style of counterfeit is almost dead as credit card fraud is much more lucrative and far safer. Bank draft fraud and money order fraud is easier, too.
3. The Federal Reserve. Yes, Alan Greenspan and friends is actually the #1 counterfeit organization in the world. Because our currency is no longer backed by hard metal, the FRB is allowed to counterfeit billions of new dollars annually. The is legal by acts of Congress, and is not only the biggest reason for inflation, it is also the cause of the stock market bubble and the housing bubble. It also allows the government to finance off budget programs by introducing new currency into circulation.
Incorporating these security dots only helps catch common criminals, not large scale organizations. And the worst violator, the FRB, counterfeits legally.
Re:Before... (Score:2, Interesting)
They probably could do so, eventually, if they needed to. But it's also a surefire to track all of the counterfeit bills back to a single machine, and therefore a single counterfeiter. If you have a run of phoney bills showing up all over the state within a couple months of each other, how do you know if it is a single counterfeiter or several different counterfeiters working separately (or together)? Just connect the dots.
What if you have a batch of counterfeit bills show up? How can you tell whether they're from a "new" counterfeiter operating in the area or just leftovers from someone who may have already been arrested (or is under investigation)? Just check the "signature" from the printer.
Granted, it will probably be abused at some point, but even without a database tying the printer to an individual it would still be extremely useful.
Re:This plays into the hands of organized crime (Score:2, Interesting)
Courts regularly accept logfiles from ISPs as evidence, yet we all know how "reliable" those are. It's all accepted as contributory evidence, not simply black or white.
So how are you going to defend yourself against a ransom note bearing your printer's serial number and a time and date when you were proveably at home? Good luck hoping that the judge knows that it's "unreliable" and could have been forged by criminals, when the prosecution's well-paid lawyers and experts are telling him that this evidence is very likely to be authentic.
Re:Printer Friendly Version? (Score:4, Interesting)
Re:Before... (Score:3, Interesting)
It really is a question of where you draw the line. The problem is, no one can ever agree where the line should be drawn. Maybe we crossed it already. If so, how long ago? A year? A decade? Two decades? Half a century? It depends on who you ask.
Some would say the line was crossed (in the U.S. anyway) when the CIA was formed, or the FBI, or even when Constitution was written. It depends on whether the speaker is an anarchist, or an authoritarian, or somewhere in between. With such a wide distribution of philosophies, how can we come to a satisfying agreement? This is a perpetual battle, because someone will always feel the status quo is either unjust or insufficient.
Maybe I'm just stating the obvious, though.
Re:Technology and Law (Score:3, Interesting)
Since every government deployment of new technology for law enforcement is supposed to net these awesome reductions in [insert targeted criminal act here], I'd like to see statistics on just how many counterfeiters have been caught using this method of tagging printed documents.
Re:Printer Friendly Version? (Score:5, Interesting)
Or even worse...you buy and register a printer, and six months later sell it to some registered sex offender. It's a cash deal with no records. Six months and one day later that printer is used for some kidnapping randsom note or some shit. Who would believe it wasn't you? Your mom?
I just had this convo w/a client (Score:3, Interesting)
It's a trade-off.
It's a tough call for the end-user oriented sites; if you're selling books and it takes a bunch of hoops to make a purchase. . . chances are they'll shift to a more user-friendly site such as Amazon. (the security minded, perhaps not. But that's probably not your customer base except in niche markets).
Big trade-off to make.
Re:Caxton (Score:3, Interesting)
No, guns are meant to direct a projectile in a given direction. Not unlike a golf club, actually. And of course, you can kill people with a gun, or with a golf club. And, "qualified"? What do you mean? The only qualification you need in most states, especially for shotguns and rifles, is to not be a criminal. At least we still have that relative freedom.
I use guns all the time, and have never killed anybody. I have, though used a gun to prevent harm from coming to somebody, but you're obviously not interested in hearing about that (since it would ruin your argument).
Same with explosives.
What world do you live in? As I expressly mentioned, those are tools used by farmers (to pull out tree stumps and rocks), construction workers (to help build foundations and roads), etc. Do you know how many thousands of times a day people use explosives in mining, agriculture, and construction... and no one is killed?
How to you figure that a printer's registration of its serial number controls information? Do you have a single bit of evidence that suggests that anyone, ever, has used that feature of those products to in any way prevent anyone from disseminating information (other than "information" in the form of counterfeit documents)? No, you don't.
Why dont people get this?
controling guns = good
controling instructions on building a gun = bad
Do you even hear yourself? People don't get that because it's irrational and impractical. You want freedom (of communication) but not the freedom to use your freely obtained information to defend yourself? How about a more sane (and constitutionally valid) take on it:
controlling information about guns = bad
holding people accountable for their actions = good
Did you know that the rate of murder in the country was actually down last year? In my county, it has actually gone up. And that's not people being shot by other people with guns: it's people being stabbed by people with knives. Do you recommend that only "trained personnel" have access to sharp metal things? Are knives only meant to kill people? If you don't think so, then don't you see the ridiculous double standard? Further, don't you think that people who don't want to be stabbed to death should have the means by which to defend themselves? Or, are you recommending (since you're not a big one on holding people accountable for their actions) that we have police officers at every house to make sure that everyone is safe from throat-cutting gang members, all the time? I'd rather not live under those circumstances, thank you, but I'd also like the option of preventing an idiot with a knife from hurting my family. You control the information in society, you control alot more than knowing whether your vehicle has been in an accident 5 years ago
I absolutely guarantee that your privacy is at much greater risk from the information about your car than it is from the serialization of your printer output. Your tag numbers are recorded by databases as you pass through toll stops, your registration of your vehicle (and its type, the insurance you have on it, the work you've had done on it, including the mileage you've used, and much else) is easily cross referenced. On most newer vehicles, data recorders know how fast you've been going lately (including how you were accelerating or braking, etc., at the time of an accident). Fancy new nav systems in cars leave a lengthy trail of GPS-based information about where you've been lately, and how fast you were driving when you went. That type of information is being gathered and chewed on way, way more often and by more parties than your hardcopy laser printer output ever will be (especially if you're not faking official documents).
Re:Freedom does not mean lack of accountability (Score:2, Interesting)
Hell, the whole American revolution was started by anonymous antisocial people.
Re:Freedom DOES mean PRIVACY (Score:5, Interesting)
Ahh. Spoken like a true facist. You are taking the right of free expression in a democratic society and chaining it to the dungeon wall with the use of another as yet to be defined term, "antisocial stuff". Would that be "antisocial" as defined by the ruling political party, whichever religious sect is currently in vogue, or perhaps as determined by a public poll?
"Free speech is not free *anonymous* speech."
What a crock! One of the basic rights any citizen of a democracy has is the right to vote, PRIVATELY. No other person, group of persons, or government entity is granted the right to know how an individual votes -- without such privacy protections the entire foundation of democracy is open to the social, political or financial pressure to vote a particular way.
And only in a democracy falling to the continued pressures of fascist stateism would the government redefine the ephemeral and undefined term "free press" only as persons engaged in journalistic activities employed by corporate media moguls.
I would suggest that you spend a few years in the "new and improved" fascist USSR, being run by an ex-KGB general, and experience the fruits of your specious argument firsthand.
Re:Printer Friendly Version? (Score:3, Interesting)
This is so old... (Score:3, Interesting)
I work for Xerox, we actually tell customers about this as a security feature of the machines. The article mentions that Xerox devices are more common in offices rather than homes (true) but company suits want to know that their employees aren't going to be making copies of currency (or stamps, bonds, etc.) on office equipment, thereby making them liable in some way, shape or form.
If you try to copy a US $ bill on a Xerox, you get a smudgy black blob anyway. It works with a few currencies, but it has the security dots on it (invisible to the naked eye) all over the page. We have been asked to identify the source a few times, and it is usually guys working in pay-for-print copy stores that get busted for conterfieting.
Other than that, there is no way we can track anything other than the time and place of the copy. So quit stressing.