[HN Gopher] Tracing Paper (2020) ___________________________________________________________________ Tracing Paper (2020) Author : reimbar Score : 125 points Date : 2021-03-31 20:12 UTC (2 hours ago) (HTM) web link (logicmag.io) (TXT) w3m dump (logicmag.io) | jimbob45 wrote: | So I guess if you wanted to print something untraceably, the | solution might be to print your message out on newspaper from a | non-local city? | bobbylarrybobby wrote: | Maybe you could 3D print a plate containing the document you | want to print, raised and mirrored (like a printing press, but | without movable type), and then ink the plate and press it onto | a blank piece of paper. | hguant wrote: | Type writer, mimeograph, stencils - if you're just doing text | or intend for large distribution. | | Buy a cheap printer with cash, from a location several hundred | kilometers from you. | | Go to a non-local Staples, FedEx, Kinkos with a USB stick, pay | with cash for copies/printing. Better yet, pay someone else to | do it for you. | rodgerd wrote: | A throwaway printer is probably your best practical option. | | Other than that, using a vintage dot-matrix printer with a low | enough resolution (e.g. a 9-pin head) that it's unlikely to | have either the smarts or the resolution needed to make this | work. | | Of course, this just means that if you are conspicuously buying | a curated collection of vintage printers, you're providing | another type of evidence. | peddling-brink wrote: | Or a non-fancy laser printer? | xiii1408 wrote: | EFF seems to think that all modern laser printers have some | form of tracking dots, whether or not they've actually been | able to detect them [1]. | | They don't say anything about inkjet, though. Unclear if this | is because of a fundamental limitation of inkjet printers, lack | of interest, or just because inkjet printers kind of suck | compared to laser. :P | | [1] https://www.eff.org/pages/list-printers-which-do-or-do- | not-d... | spoonjim wrote: | There was no need to use the yellow tracking dots to track | Reality Winner... the NSA would certainly have the ability to | audit anything printed in their facility and know exactly what | was printed on any given day. | Aeolun wrote: | Hmm, that would only work if they knew exactly which documents | were used to inform the press. | not2b wrote: | The tracking dots certainly made things much faster for the | NSA: they could immediately locate the printer and the date, | without the need to audit the huge number of printers and | employees they have. You say "on any given day" but they | wouldn't know the day, only a rather large possible range of | days. | thewakalix wrote: | Who said she printed it at work? | boogies wrote: | TFA seems to: | | > Maybe she thought physical paper would be safer from | digital surveillance than an email. So she printed the | documents _at her office_ [my emphasis] and then mailed them | mike_d wrote: | This is correct. People are making the mental leap because they | know this technique exists and they want it to be something | cool. | | The reality is even in corporate environments print servers for | sensitive areas will retain audit logs and/or copies of | documents sent to the print spool. Even if that completely | fails, you can do a forensic recovery on the hard drive inside | the printer where all documents are buffered. | formerly_proven wrote: | On some older PS/PECL laser printers the firmware lived in a | small DIMM-like board (for upgrades) with a mask ROM on it. | Pretty much all of these are PowerPC (some might have mips). | There's probably not much in the way of low-level security there. | Just saying. | Simulacra wrote: | That's how they got the spy Reality Winner. | pjc50 wrote: | Odd how HN is often favourable to Greenwald and Assange but not | to Winner, who seems to have no fanbase. She doesn't appear to | be a spy but a straightforward leaker? | rodgerd wrote: | Maybe she's not sufficiently angry at women. | mikestew wrote: | Thanks for pointing that out, saved me reading the first four | sentences of TFA. | tralarpa wrote: | For whom was she spying? | thesimon wrote: | The NSA. | Giorgi wrote: | So, if I am getting it correctly - this is only for color | printing right? Why would they implement it on software level, | would not hardware be easier and harder to remove? | some_random wrote: | I really don't see what the big deal is. We live in an age of | intense, personal, for-profit surveillance, why should I care | about printer watermarks? | avdlinde wrote: | You personally might not, but the article gives plenty reasons | why some might. | some_random wrote: | Well I have no plans to print counterfeit cash or tickets, | commit treason, or raid an FBI field office so I think I'm | good. | WrtCdEvrydy wrote: | Well, make sure you completely destroy your printer before | throwing it away or it's never stolen. | some_random wrote: | What a reasonable and not-at-all unhinged threat model. I | should be kept up at night worried that currency | counterfeiters will break into my house, steal my | printer, use it to print fake money, the cops will find | that money, use these dots to get metadata to find me, | then what no-knock raid me? | | idk I think I'll just accept that risk, it's a lot more | likely that my ex will stab me after all | ttyprintk wrote: | These types of threat models require a bit of creative | flair: | | 0315 am, a drone flies over your house and hovers just | long enough to upload firmware to your WiFi-enabled | printer. Having not memorized your printers serial | number, and certainly not checking it every day, you | don't notice the new firmware or orientation of dots. | | Your printer, along with an identical model bought later | and cloned to yours, are now forensically | indistinguishable. Your printer driver phones TonerCo for | a refill. It arrives with the fanfare of fast shipping. | | 11 months later, your address and credit card purchase | are enough to convince the right judge to grant a no- | knock warrant. Your printer has embroiled you, or someone | just as innocent as you, in a very bad time. | tyingq wrote: | The example of reporters unintentionally exposing sources is a | pretty good reason to publicize that it exists. | some_random wrote: | It's something that people who deal with highly sensitive | information and sources should know, absolutely. But it's | still not a big deal for anyone who's not going up against a | well resourced government. | ljm wrote: | Maybe you just want to go about your life without every | innocuous aspect of it being secretly interfered with? You | might be able to ignore it for a long time because it | doesn't harm you, but it only takes one shitty change in | the wider system for it to be turned entirely against you. | some_random wrote: | That's already happened. License plate trackers, cell | sites logs, phone and car location data tracks everywhere | you go. Google analytics inside a google browser running | on google's OS on google hardware, all to gather data on | you to make slightly more money selling ads. Not to | mention other data aggregators who will sell that data to | anyone with a credit card. Every aspect of our lives are | already being overtly interfered with, but no I really | should care a lot about some stupid printer dots. | hguant wrote: | It's really just incredibly shitty op-sec from The Intercept, | which should have known better. This isn't really a novel | technique. | tyingq wrote: | Sure. Publicizing it might inform whistleblowers so they | aren't mistakenly outed by publishers that should know | better. | tehjoker wrote: | Imagine distributing political literature or posting things | around town. Why should the government get to know who is doing | that? | | Of course, document control for government and corporations is | probably the bigger reason they do it. | some_random wrote: | We don't know what all the data is, but it at least used to | be Date-Time-Serial. For governments and corporations with | asset controls that record the serial of devices sent around, | this is actually useful and can be used to sniff out moles | like in the example. For individuals, you either need a | massive amount of background data like purchase history | (which is what you all should actually care about instead of | these stupid dots), or you need to physically raid the place | and get the serial off the printer. | | And anyways in your example, there are far easier ways for | the government to figure out that stuff that doesn't involve | chasing down printers. | rodgerd wrote: | Interestingly enough, back in the early nineties, when I was | working in a print bureau, the vendors would warn us how | traceably colour copiers/printers of the era were, so it seems | like an example of an "open secret". | idownvoted wrote: | Whether it is the Blockchain, Tor or other privacy guards that | wane us in anonimity - we, especially us techies, often | underestimate typical chokeholds which a government can easily | control (eg your ISP, your cell phone tower, your cell phone | maker, payment provider, ...), because it usually does and | government agents usually don't make a fuzz about it because it's | a valuable trap. | | Without the fuzz over enough time passed we, even NSA experts, | seem to forget about those traps. | | The moral of the story for us techies: Don't wane people in | anonimity if they use X or do Y. There will be a percentage of | people who do things, they wouldn't have done without that info, | and some of said percentage will be blackmailable (think miners | having "inciminating pictures" on their machines because they | were stored on the blockchain once). | | Worse than a privacy infringing government are blackmailable | citizens (One could argue the former causes the latter, I argue | the latter steers the former into worse). | erdos4d wrote: | I knew about this aspect of printers more than a decade ago, | before I ever got into tech, so I'm 100% sure it was/is semi- | widely known. It's really sad that the Intercept and other news | orgs are so technically oblivious that they would screw their | source like this. | leephillips wrote: | Is was very widely and publicly known. I usually hesitate to | say things like this, but the conclusion is unavoidable: either | the whistleblower and the people working at the Intercept are | colossal idiots, or the whole narrative is fake. | teagee wrote: | This must result in a non-trivial amount of ink/toner used in the | name of security | xiii1408 wrote: | They didn't go into too much detail about how the dots are | actually printed (what type of ink, how heavy, etc.), but they | imply in the article that at least some tracking dots require a | UV light to detect. | | I'd be curious to know how the dots actually get printed. | z77dj3kl wrote: | I'm not sure if normal scanners detect UV light, but that | would break a good chunk of their tracking purpose these days | if they were not detectable in scans. | imglorp wrote: | And how do they get printed on a monochrome printer like a | laser? | Tuna-Fish wrote: | There are color laser printers. | | On a monochrome printer, I guess you can still to | steganography by messing with the dithering, I guess? | However, since the stated aim of the fingerprinting is to | catch money counterfeiters, I guess they are less | interested in monochrome. | minikites wrote: | Are any major banknotes monochrome? | snypher wrote: | Each layer is, but that's probably more advanced than | just "printing a banknote". | ce4 wrote: | That anti feature is absent there. Black instead of yellow | dots would be very visible | annoyingnoob wrote: | I believe, could be very wrong, that its only on color | printers and uses the Yellow color to print dots too small | to see with the eye. | redisman wrote: | Error: Secret UV ink is empty. Please contact NSA for a new | cartridge. | annoyingnoob wrote: | The last HP Inkjet that I had would go through the Yellow | cartridge faster than black, even when printing only Black and | White. Which is how I discovered these fun little dots. | spicybright wrote: | EFF got my donation for their resource on yellow dot | identification on printed documents. Got a cool shirt out of it | too. | | https://www.eff.org/pages/list-printers-which-do-or-do-not-d... | dylan604 wrote: | "It's been posited by researchers that tiny discrepancies in the | spacing between words or even the kerning of letters could be | used to encode information." | | I know some DTP types that this technique would drive them crazy. | They spend so much time adjusting the leading/kerning to get the | text appear in the layout they way they want. Having that thrown | out the window by the printer would absolutely drive them insane. | For science, I want to try this out now. It would be awesome to | do it as an April Fools joke. | tartoran wrote: | Similar type of thing was used to trace typewriters behind the | iron curtain before the communism collapsed. All owners of | typewriters had to register their typewriters with the police and | they all had peculiarities that would trace back to each | typewriter. They'd load a page and type all the characters and | that was it. I guess it had more of an psychological impact as | the matching would be quite difficult. I guess they were afraid | of independent people writing manifests or disseminating | information. | | Illegal information was circulating somewhat freely though, maybe | not very sensitive stuff (people were self censoring very | political stuff as they were afraid of repercussions from | authorities), but lots of things from the west were circulating: | magazines, books, videotapes and so on. | | Growing up there it was drilled in us that counterfeit money is | an extremely grave offense and it is punishable severely, and the | same story with drugs. I was surprised to find out that | counterfeit money was circulating in the states and when I | received such a bill I asked a police officer what am I supposed | to do with that. He told me to just keep it:) He said I shouldn't | bother to report it as nobody would really care about it. | leephillips wrote: | I guess attitudes toward this crime have changed. | | https://www.nytimes.com/2020/05/31/us/george-floyd-investiga... | ohazi wrote: | Are there any open-source printer reverse-engineering + firmware | projects that look promising? | Wolfenstein98k wrote: | Welp, that gives a second (and much less cynical) reason for why | you can't print in pure black n' white without colour being | topped up. | tyingq wrote: | Heh. I have a b/w Brother Laser that cannot do color. I guess | it would have to use the trickier methods described at the end | of the post. | not2b wrote: | As I understand it, the original rationale for the tracking | dots was the fear of counterfeiting, which may be less of an | issue with black and white laser printers. That doesn't mean | that I can say with any consequence that your printer doesn't | have any tracking mechanism, but it might not. | read_if_gay_ wrote: | Less cynical? | afrodc_ wrote: | I'm assuming the more prevalent cynical belief is that it's a | money grab to sell more ink | Jedd wrote: | Technically you're not printing in 'black n white', only black, | hence monochromatic printer. | | The white is, of course, the areas on the paper that you're | _not_ printing, assuming you 're feeding in white paper. | hguant wrote: | I think that "because the corporations that make printers have | a secret agreement with intelligence agencies to track printed | papers, going back decades and based ultimately on coercive | threats outside the rule of law" is a more cynical truth than | "because the companies that make printers want to sell you more | ink." | boogies wrote: | > The DEDA toolkit allows anyone to anonymize documents by | removing the tracking dots at the software level | | Sounds like the tracking tech is implemented in the proprietary | drivers. If only the free software movement had filled its | original purpose (freeing printer drivers1) for more models... | | 1https://www.fsf.org/blogs/community/201cthe-printer-story201... | | Edit: looks like it may be in the firmware on the printer itself, | not drivers on computers, as h-node warns of tracking even on | printers with full compatibility with blobless, FSF-endorsed | distros eg. Trisquel GNU/Linux-libre: | https://h-node.org/printers/view/en/2215/HP-DeskJet-2700-ser... | runemadsen wrote: | Logic Magazine is a lovely magazine and I highly recommend | everyone to subscribe! ___________________________________________________________________ (page generated 2021-03-31 23:00 UTC)