September 26, 2018

Archives for October 2005

EFF Researchers Decode Hidden Codes in Printer Output

Researchers at the EFF have apparently confirmed that certain color printers put hidden marks in the pages they print, and they have decoded the marks for at least one printer model.

The marks from Xerox DocuColor printers are encoded in an array of very small yellow dots that appear all over the page. The dots encode the date and time when the page was printed, along with what appears to be a serial number for the printer. You can spot the dots with blue light and a 10X magnifier, and you can then decode the dots to get the date, time, and serial number.

Many other printers appear to do something similar; the EFF has a list.

The privacy implications are obvious. It’s now possible to tell when a document was printed, and when two documents were printed on the same printer. It’s also possible, given a document and a printer, to tell whether the document was printed on that printer.

Apparently, this was done at direction of the U.S. government.

The U.S. Secret Service admitted that the tracking information is part of a deal struck with selected color laser printer manufacturers, ostensibly to identify counterfeiters. However, the nature of the private information encoded in each document was not previously known.

Xerox previously admitted that it provided these tracking dots to the government, but indicated that only the Secret Service had the ability to read the code.

The assertion that only the Secret Service can read the code is false. The code is quite straightforward. For example, there is one byte for (the last two digits of) the year, one byte for the month, one byte for the day, one byte for the hour, and one byte for the minute.

Now that the code is known, it should be possible to forge the marks. For example, I could cook up an array of little yellow dots that encode any date, time, and serial number I like. Then I could add the dots to any image I like, and print out the image-plus-dots on a printer that doesn’t make the marks. The resulting printout would have genuine-looking marks that contain whatever information I chose.

This could have been prevented by using cryptography, to make marks that can only be decoded by the Secret Service, and that don’t allow anyone but the secret service to detect whether two documents came from the same printer. This would have added some complexity to the scheme, but that seems like a good tradeoff in a system that was supposed to stay secret for a while.

A Visit From Bill Gates

Bill Gates visited Princeton on Friday, accompanied by his father, a prominent Seattle lawyer who now heads the Gates Foundation, and by Kevin Schofield, a Microsoft exec (and Princeton alumnus) who helped to plan the university visits.

After speaking briefly with Shirley Tilghman, Princeton’s president, Mr. Gates spent an hour in a roundtable discussion with a smallish group of computer science faculty. I was lucky enough to be one of them. The meeting was closed, so I won’t give you a detailed play-by-play. Essentially, we told him about what is happening in computer science at Princeton; he asked questions and conversation ensued. We talked mostly about computer science education. Along the way I gave a quick description of the new infotech policy course that will debut in the spring. Overall, it was a good, high-energy discussion, and Mr. Gates showed a real passion for computer science education.

After the roundtable, he headed off to Richardson Auditorium for a semi-public lecture and Q&A session. (I say semi-public because there wasn’t space for everybody who wanted to get in; tickets were allocated to students by lottery.) The instructions that came with my ticket made it seem like security in the auditorium would be very tight (no backpacks, etc.), but in fact the security measures in place were quite unobtrusive. An untrained eye might not have noticed anything different from an ordinary event. I showed up for the lecture at the last minute, coming straight from the faculty roundtable, so I one of the worst seats in the whole place. (Not that I’m complaining – I certainly wouldn’t have traded away my seat in the faculty roundtable for a better seat at the lecture!)

After an introduction from Shirley Tilghman, Mr. Gates took the stage. He stood alone on the stage and talked for a half-hour or so. His presentation was punctuated by two videos. The first showed a bunch of recent Princeton alums who work at Microsoft talking about life at Microsoft in a semi-serious, semi-humorous way. (The highlight was seeing Corey in a toga.) The second video was a five-minute movie in which Mr. Gates finds himself in the world of Napoleon Dynamite. It co-stars Jon Heder, who played Napoleon in the movie. I haven’t seen the original movie but I’m told that many of the lines and gags in the video come from the movie. People who know the original movie seem to have found the video funny.

The theme of the lecture was the seamless coolness of the future computing environment. It was heavy on promotion and demonstrations of Microsoft products.

The Q&A was pretty interesting. He was asked how to reconcile his current cheerleading for C.S. education with his own history of dropping out of college. He had a funny and thoughful answer. I assume he’s had plenty of chances to hone his answer to that question.

A student asked him a question about DRM. His answer was fairly general, talking about the importance of both consumer flexibility and revenue for creators. He went on to say some harsh things about Blu-Ray DRM, saying that the system over-restricted consumers’ use and that its content-industry backers were making a mistake by pushing for it.

(At this point I had to leave due to a previous commitment, so from here on I’m relying on reports from people who were there.)

Another student asked him about intellectual property, suggesting that Microsoft was both a beneficiary and a victim of a strong patent system. Mr. Gates said that the patent system is basically sound but could benefit from some tweaking. He didn’t elaborate, but I assume he was referring to patent reform suggestions Microsoft has made previously.

After the Q&A, Mr. Gates accepted the “Crystal Tiger” award from a student group. Then he left for his next university visit, reportedly at Howard University.

Tax Breaks for Security Tools

Congress may be considering offering tax breaks to companies that deploy cybersecurity tools, according to an Anne Broache story at news.com. This might be a good idea, depending on how it’s done.

I’ve written before about the economics of cybersecurity. A user’s investment in security protects the user himself; and he has an incentive to pay for the efficient level of protection for himself. But each user’s security choices also affect others. If Alice’s computer is compromised, it can be used as a springboard for attacking Bob’s computer, so Alice’s decisions affect Bob’s security. Alice has little or no incentive to invest in protecting Bob. This kind of externality is common and leads to underinvestment in security.

Public policy can try to fix this by adjusting incentives in the right direction. A good policy will boost incentives to deploy the kinds of security measures that tend to protect others. Protecting oneself is good, but there is already an adequate incentive to do that; what we want is a bigger incentive to protect others. (To the extent that the same steps tend to protect both oneself and others, it makes sense to boost incentives for those steps too.)

A program along these lines would presumably give tax breaks to people and organizations that use networked computers in a properly secure way. In an ideal world, breaks would be given to those who do well in managing their systems to protect others. In practice, of course, we can’t afford to do a fancy security evaluation on each taxpayer to see whether he deserves a tax break, so we would instead give the break to those who meet some formalized criteria that serve as a proxy for good security. Designing these criteria so that they correlate well with the right kind of security, and so that they can’t be gamed, is the toughest part of designing the program. As Bruce Schneier says, the devil is in the details.

Another approach, which may be what Rep. Lundgren is trying to suggest in the original story, is to give tax breaks to companies that develop security technologies. A program like this might just be corporate welfare, or it might be designed to have a useful public purpose. To be useful, it would have to lead to lower prices for the right kinds of security products, or better performance at the same price. Whether it would succeed at this depends again on the details of how the program is designed.

If the goal is to foster more capable security products in the long run, there is of course another approach: government could invest in basic research in cybersecurity, or at least it could reverse the current disinvestment.