[HN Gopher] Tracing Paper (2020)
___________________________________________________________________
Tracing Paper (2020)
Author : reimbar
Score : 125 points
Date : 2021-03-31 20:12 UTC (2 hours ago)
(HTM) web link (logicmag.io)
(TXT) w3m dump (logicmag.io)
| jimbob45 wrote:
| So I guess if you wanted to print something untraceably, the
| solution might be to print your message out on newspaper from a
| non-local city?
| bobbylarrybobby wrote:
| Maybe you could 3D print a plate containing the document you
| want to print, raised and mirrored (like a printing press, but
| without movable type), and then ink the plate and press it onto
| a blank piece of paper.
| hguant wrote:
| Type writer, mimeograph, stencils - if you're just doing text
| or intend for large distribution.
|
| Buy a cheap printer with cash, from a location several hundred
| kilometers from you.
|
| Go to a non-local Staples, FedEx, Kinkos with a USB stick, pay
| with cash for copies/printing. Better yet, pay someone else to
| do it for you.
| rodgerd wrote:
| A throwaway printer is probably your best practical option.
|
| Other than that, using a vintage dot-matrix printer with a low
| enough resolution (e.g. a 9-pin head) that it's unlikely to
| have either the smarts or the resolution needed to make this
| work.
|
| Of course, this just means that if you are conspicuously buying
| a curated collection of vintage printers, you're providing
| another type of evidence.
| peddling-brink wrote:
| Or a non-fancy laser printer?
| xiii1408 wrote:
| EFF seems to think that all modern laser printers have some
| form of tracking dots, whether or not they've actually been
| able to detect them [1].
|
| They don't say anything about inkjet, though. Unclear if this
| is because of a fundamental limitation of inkjet printers, lack
| of interest, or just because inkjet printers kind of suck
| compared to laser. :P
|
| [1] https://www.eff.org/pages/list-printers-which-do-or-do-
| not-d...
| spoonjim wrote:
| There was no need to use the yellow tracking dots to track
| Reality Winner... the NSA would certainly have the ability to
| audit anything printed in their facility and know exactly what
| was printed on any given day.
| Aeolun wrote:
| Hmm, that would only work if they knew exactly which documents
| were used to inform the press.
| not2b wrote:
| The tracking dots certainly made things much faster for the
| NSA: they could immediately locate the printer and the date,
| without the need to audit the huge number of printers and
| employees they have. You say "on any given day" but they
| wouldn't know the day, only a rather large possible range of
| days.
| thewakalix wrote:
| Who said she printed it at work?
| boogies wrote:
| TFA seems to:
|
| > Maybe she thought physical paper would be safer from
| digital surveillance than an email. So she printed the
| documents _at her office_ [my emphasis] and then mailed them
| mike_d wrote:
| This is correct. People are making the mental leap because they
| know this technique exists and they want it to be something
| cool.
|
| The reality is even in corporate environments print servers for
| sensitive areas will retain audit logs and/or copies of
| documents sent to the print spool. Even if that completely
| fails, you can do a forensic recovery on the hard drive inside
| the printer where all documents are buffered.
| formerly_proven wrote:
| On some older PS/PECL laser printers the firmware lived in a
| small DIMM-like board (for upgrades) with a mask ROM on it.
| Pretty much all of these are PowerPC (some might have mips).
| There's probably not much in the way of low-level security there.
| Just saying.
| Simulacra wrote:
| That's how they got the spy Reality Winner.
| pjc50 wrote:
| Odd how HN is often favourable to Greenwald and Assange but not
| to Winner, who seems to have no fanbase. She doesn't appear to
| be a spy but a straightforward leaker?
| rodgerd wrote:
| Maybe she's not sufficiently angry at women.
| mikestew wrote:
| Thanks for pointing that out, saved me reading the first four
| sentences of TFA.
| tralarpa wrote:
| For whom was she spying?
| thesimon wrote:
| The NSA.
| Giorgi wrote:
| So, if I am getting it correctly - this is only for color
| printing right? Why would they implement it on software level,
| would not hardware be easier and harder to remove?
| some_random wrote:
| I really don't see what the big deal is. We live in an age of
| intense, personal, for-profit surveillance, why should I care
| about printer watermarks?
| avdlinde wrote:
| You personally might not, but the article gives plenty reasons
| why some might.
| some_random wrote:
| Well I have no plans to print counterfeit cash or tickets,
| commit treason, or raid an FBI field office so I think I'm
| good.
| WrtCdEvrydy wrote:
| Well, make sure you completely destroy your printer before
| throwing it away or it's never stolen.
| some_random wrote:
| What a reasonable and not-at-all unhinged threat model. I
| should be kept up at night worried that currency
| counterfeiters will break into my house, steal my
| printer, use it to print fake money, the cops will find
| that money, use these dots to get metadata to find me,
| then what no-knock raid me?
|
| idk I think I'll just accept that risk, it's a lot more
| likely that my ex will stab me after all
| ttyprintk wrote:
| These types of threat models require a bit of creative
| flair:
|
| 0315 am, a drone flies over your house and hovers just
| long enough to upload firmware to your WiFi-enabled
| printer. Having not memorized your printers serial
| number, and certainly not checking it every day, you
| don't notice the new firmware or orientation of dots.
|
| Your printer, along with an identical model bought later
| and cloned to yours, are now forensically
| indistinguishable. Your printer driver phones TonerCo for
| a refill. It arrives with the fanfare of fast shipping.
|
| 11 months later, your address and credit card purchase
| are enough to convince the right judge to grant a no-
| knock warrant. Your printer has embroiled you, or someone
| just as innocent as you, in a very bad time.
| tyingq wrote:
| The example of reporters unintentionally exposing sources is a
| pretty good reason to publicize that it exists.
| some_random wrote:
| It's something that people who deal with highly sensitive
| information and sources should know, absolutely. But it's
| still not a big deal for anyone who's not going up against a
| well resourced government.
| ljm wrote:
| Maybe you just want to go about your life without every
| innocuous aspect of it being secretly interfered with? You
| might be able to ignore it for a long time because it
| doesn't harm you, but it only takes one shitty change in
| the wider system for it to be turned entirely against you.
| some_random wrote:
| That's already happened. License plate trackers, cell
| sites logs, phone and car location data tracks everywhere
| you go. Google analytics inside a google browser running
| on google's OS on google hardware, all to gather data on
| you to make slightly more money selling ads. Not to
| mention other data aggregators who will sell that data to
| anyone with a credit card. Every aspect of our lives are
| already being overtly interfered with, but no I really
| should care a lot about some stupid printer dots.
| hguant wrote:
| It's really just incredibly shitty op-sec from The Intercept,
| which should have known better. This isn't really a novel
| technique.
| tyingq wrote:
| Sure. Publicizing it might inform whistleblowers so they
| aren't mistakenly outed by publishers that should know
| better.
| tehjoker wrote:
| Imagine distributing political literature or posting things
| around town. Why should the government get to know who is doing
| that?
|
| Of course, document control for government and corporations is
| probably the bigger reason they do it.
| some_random wrote:
| We don't know what all the data is, but it at least used to
| be Date-Time-Serial. For governments and corporations with
| asset controls that record the serial of devices sent around,
| this is actually useful and can be used to sniff out moles
| like in the example. For individuals, you either need a
| massive amount of background data like purchase history
| (which is what you all should actually care about instead of
| these stupid dots), or you need to physically raid the place
| and get the serial off the printer.
|
| And anyways in your example, there are far easier ways for
| the government to figure out that stuff that doesn't involve
| chasing down printers.
| rodgerd wrote:
| Interestingly enough, back in the early nineties, when I was
| working in a print bureau, the vendors would warn us how
| traceably colour copiers/printers of the era were, so it seems
| like an example of an "open secret".
| idownvoted wrote:
| Whether it is the Blockchain, Tor or other privacy guards that
| wane us in anonimity - we, especially us techies, often
| underestimate typical chokeholds which a government can easily
| control (eg your ISP, your cell phone tower, your cell phone
| maker, payment provider, ...), because it usually does and
| government agents usually don't make a fuzz about it because it's
| a valuable trap.
|
| Without the fuzz over enough time passed we, even NSA experts,
| seem to forget about those traps.
|
| The moral of the story for us techies: Don't wane people in
| anonimity if they use X or do Y. There will be a percentage of
| people who do things, they wouldn't have done without that info,
| and some of said percentage will be blackmailable (think miners
| having "inciminating pictures" on their machines because they
| were stored on the blockchain once).
|
| Worse than a privacy infringing government are blackmailable
| citizens (One could argue the former causes the latter, I argue
| the latter steers the former into worse).
| erdos4d wrote:
| I knew about this aspect of printers more than a decade ago,
| before I ever got into tech, so I'm 100% sure it was/is semi-
| widely known. It's really sad that the Intercept and other news
| orgs are so technically oblivious that they would screw their
| source like this.
| leephillips wrote:
| Is was very widely and publicly known. I usually hesitate to
| say things like this, but the conclusion is unavoidable: either
| the whistleblower and the people working at the Intercept are
| colossal idiots, or the whole narrative is fake.
| teagee wrote:
| This must result in a non-trivial amount of ink/toner used in the
| name of security
| xiii1408 wrote:
| They didn't go into too much detail about how the dots are
| actually printed (what type of ink, how heavy, etc.), but they
| imply in the article that at least some tracking dots require a
| UV light to detect.
|
| I'd be curious to know how the dots actually get printed.
| z77dj3kl wrote:
| I'm not sure if normal scanners detect UV light, but that
| would break a good chunk of their tracking purpose these days
| if they were not detectable in scans.
| imglorp wrote:
| And how do they get printed on a monochrome printer like a
| laser?
| Tuna-Fish wrote:
| There are color laser printers.
|
| On a monochrome printer, I guess you can still to
| steganography by messing with the dithering, I guess?
| However, since the stated aim of the fingerprinting is to
| catch money counterfeiters, I guess they are less
| interested in monochrome.
| minikites wrote:
| Are any major banknotes monochrome?
| snypher wrote:
| Each layer is, but that's probably more advanced than
| just "printing a banknote".
| ce4 wrote:
| That anti feature is absent there. Black instead of yellow
| dots would be very visible
| annoyingnoob wrote:
| I believe, could be very wrong, that its only on color
| printers and uses the Yellow color to print dots too small
| to see with the eye.
| redisman wrote:
| Error: Secret UV ink is empty. Please contact NSA for a new
| cartridge.
| annoyingnoob wrote:
| The last HP Inkjet that I had would go through the Yellow
| cartridge faster than black, even when printing only Black and
| White. Which is how I discovered these fun little dots.
| spicybright wrote:
| EFF got my donation for their resource on yellow dot
| identification on printed documents. Got a cool shirt out of it
| too.
|
| https://www.eff.org/pages/list-printers-which-do-or-do-not-d...
| dylan604 wrote:
| "It's been posited by researchers that tiny discrepancies in the
| spacing between words or even the kerning of letters could be
| used to encode information."
|
| I know some DTP types that this technique would drive them crazy.
| They spend so much time adjusting the leading/kerning to get the
| text appear in the layout they way they want. Having that thrown
| out the window by the printer would absolutely drive them insane.
| For science, I want to try this out now. It would be awesome to
| do it as an April Fools joke.
| tartoran wrote:
| Similar type of thing was used to trace typewriters behind the
| iron curtain before the communism collapsed. All owners of
| typewriters had to register their typewriters with the police and
| they all had peculiarities that would trace back to each
| typewriter. They'd load a page and type all the characters and
| that was it. I guess it had more of an psychological impact as
| the matching would be quite difficult. I guess they were afraid
| of independent people writing manifests or disseminating
| information.
|
| Illegal information was circulating somewhat freely though, maybe
| not very sensitive stuff (people were self censoring very
| political stuff as they were afraid of repercussions from
| authorities), but lots of things from the west were circulating:
| magazines, books, videotapes and so on.
|
| Growing up there it was drilled in us that counterfeit money is
| an extremely grave offense and it is punishable severely, and the
| same story with drugs. I was surprised to find out that
| counterfeit money was circulating in the states and when I
| received such a bill I asked a police officer what am I supposed
| to do with that. He told me to just keep it:) He said I shouldn't
| bother to report it as nobody would really care about it.
| leephillips wrote:
| I guess attitudes toward this crime have changed.
|
| https://www.nytimes.com/2020/05/31/us/george-floyd-investiga...
| ohazi wrote:
| Are there any open-source printer reverse-engineering + firmware
| projects that look promising?
| Wolfenstein98k wrote:
| Welp, that gives a second (and much less cynical) reason for why
| you can't print in pure black n' white without colour being
| topped up.
| tyingq wrote:
| Heh. I have a b/w Brother Laser that cannot do color. I guess
| it would have to use the trickier methods described at the end
| of the post.
| not2b wrote:
| As I understand it, the original rationale for the tracking
| dots was the fear of counterfeiting, which may be less of an
| issue with black and white laser printers. That doesn't mean
| that I can say with any consequence that your printer doesn't
| have any tracking mechanism, but it might not.
| read_if_gay_ wrote:
| Less cynical?
| afrodc_ wrote:
| I'm assuming the more prevalent cynical belief is that it's a
| money grab to sell more ink
| Jedd wrote:
| Technically you're not printing in 'black n white', only black,
| hence monochromatic printer.
|
| The white is, of course, the areas on the paper that you're
| _not_ printing, assuming you 're feeding in white paper.
| hguant wrote:
| I think that "because the corporations that make printers have
| a secret agreement with intelligence agencies to track printed
| papers, going back decades and based ultimately on coercive
| threats outside the rule of law" is a more cynical truth than
| "because the companies that make printers want to sell you more
| ink."
| boogies wrote:
| > The DEDA toolkit allows anyone to anonymize documents by
| removing the tracking dots at the software level
|
| Sounds like the tracking tech is implemented in the proprietary
| drivers. If only the free software movement had filled its
| original purpose (freeing printer drivers1) for more models...
|
| 1https://www.fsf.org/blogs/community/201cthe-printer-story201...
|
| Edit: looks like it may be in the firmware on the printer itself,
| not drivers on computers, as h-node warns of tracking even on
| printers with full compatibility with blobless, FSF-endorsed
| distros eg. Trisquel GNU/Linux-libre:
| https://h-node.org/printers/view/en/2215/HP-DeskJet-2700-ser...
| runemadsen wrote:
| Logic Magazine is a lovely magazine and I highly recommend
| everyone to subscribe!
___________________________________________________________________
(page generated 2021-03-31 23:00 UTC)