Xerox Confirms To David Kriesel Number Mangling Occurring On Factory Settings
An anonymous reader writes with a followup to last week's report that certain Xerox scanners and copiers could alter numbers as they scanned documents: "In the second Xerox press statement, Rick Dastin, Vice President at Xerox Corporation, stated: 'You will not see a character substitution issue when scanning with the factory default settings.' In contrast, David Kriesel, who brought up the issue in the first place, was able to replicate the issue with the very same factory settings. This might be a serious problem now. Not only does the problem occur using default settings and everyone may be affected, additionally, their press statements may have misled customers. Xerox replicated the issue by following Kriesel's instructions, later confirming it to Kriesel. Whole image segments seem to be copied around the scanned data. There is also a new Xerox statement out now."
Swapping numbers while copying may seem like bizarre behavior for a copier, but in comments on the previous posting, several readers pointed out that Xerox was aware of the problem, and acknowledged it in the machine's documentation; the software updates promised should be welcome news to anyone who expects a copier to faithfully reproduce important numbers.
Sucky thing about digital (Score:1)
The old analog process never had this problem.
Re: (Score:2)
this could really suck if you are copying documentation for a critical process.
medical, aerospace, building construction...
Re: (Score:3, Insightful)
Dude, read the thread linked in the summary, copying doesn't even work right.
Re:Sucky thing about digital (Score:5, Funny)
Dude, read the thread linked in the summary, copying doesn't even work right.
Says you. I advised one of my clients to get one of these machines when this issue was first made public. This "feature" gives them plausible deniability for the numbers in their documents to be wrong when they submit them to various entities.
I should send a big bouquet of flowers to Xerox. Falsifying documents is not falsifying documents when the copier does it.
Re: (Score:3)
Oh lovely, the copier can not only spy on me, it can actually frame me by number fiddling and handing off bogus evidence to the spooks?
Re: (Score:2)
On the upside, you can always claim your original is innocent. One might imagine a downside where the cops can claim the copy said anything they needed it to say to get a warrant, except: hahahaha warrant. So really no downside.
Re: (Score:2)
"I swear I wasn't involved! My original document was about a massive terrorist plot which was set to take place on 9/12! I'm innocent, damn it!".
Re: (Score:2)
Right, except the feds are at your door because somewhere on your document are 10 digits in sequence that are also the phone number of some guy a terrorist called once. And while "WTF, that was 2 adjacent items on a billing invoice" won't move them, maybe "no, that one digit is a transcription error" will.
Re: (Score:2)
It is not brain dead. It is the only way the copier can efficiently forward the image to the NSA.
Don't laugh, you can't know 100% that isn't the case. Not any more.
Re: Do you work for Xerox? (Score:5, Informative)
I am a Xerox technician.
Yes, some models store and compress jobs before printing.
Re: (Score:2)
I have formerly worked for FXA as an analyst and can confirm that most digital copiers now "scan and print" when they "copy".
Re: (Score:2, Informative)
From this file [xerox.com], located on Xerox's site:
Different devices represent different levels of risk. It’s axiomatic that as functionality increases so does the potential risk. For those devices, countermeasures are built into the machine to reduce the risk.
Not all copiers have hard disk drives. Those that do not are not at risk.
Some copiers and multifunction devices have hard disk drives, but do not use the hard disk drive to save document images. These are also not a risk.
Those copiers and multifunction devices that do use hard disk drives to temporarily store images, should have an "image overwrite" feature that destroys the copied image immediately. That function should be built in, (which Xerox does), or installable via a security kit. If neither solution exists for the product, it is at risk.
Also, most copiers and multifunction devices that have hard disks include a disk encryption feature which encrypts all stored customer image data with the state-of-the art AES encryption algorithm.
Xerox has developed a disk removal program so that prior to a device being returned a Xerox technician will remove the disks and leave them with the customer. This program charges a flat fee per machine for the service. Contact Xerox Customer Support for information on fees and availability in your geography.
Clearly, some Xerox "copiers and multifunction devices" store image data in non-volatile memory, in the course of their operation. Stop being a jackhole.
Re: (Score:3)
it doesn't happen on high quality though.
why it would copy at other than high quality is anyones guess..
Re: (Score:2)
You only need to look at a modern photocopier to see that this is a highly plausible method of operation.
There is no direct optical path between the glass on the top of the copier and the drum that is used to print the image.
Or, see what happens when you put a document in the feeder and ask for 10 copies. You get them all nicely collated.
Older analogue copiers can not do this, without a collating output tray, as they can only directly make a copy of whatever's on the glass.
In a digital copier (just about ev
Re:Notify Xerox First (Score:5, Insightful)
Did this tool try to notify Xerox first or did he just start shouting from the mountain tops?
It isn't a security issue so the only purpose served by his going public without him contacting Xerox is to stroke his ego.
How would any of you like it if someone found a bug in your stuff and instead of notifying you, went to your managers and bad mouthed you?
You'd think he was a prick.
Why does he owe this courtesy to Xerox? Xerox isn't his coworker, Xerox doesn't have feelings. Xerox is a corporation. And corporations don't always fix problems, even serious ones, until they receive wider attention.
So should he have quietly alerted Xerox, then monitored their progress in fixing the problem, keeping the company apprised of how it was doing -- sort of an unpaid QA position? I guess that's an option, but not the only acceptable one.
Re: (Score:2)
Hey, if Soylent Green were made of corporations, I'd buy it!
Re: (Score:2)
And corporations don't always fix problems, even serious ones, until they receive wider attention.
And even if they did, how many people would know about the fix to ask for it? At least now it's gotten enough publicity that a lot of users know about the problem and can use the workarounds until an official fix is available (if one is even possible, given the nature of the problem). If I had one of these copiers, I'd sure be reviewing my recent uses to make sure this wasn't going to substantially affect me. All of that's possible only because he told the world, unless you really believe from the bottom of
Re:Notify Xerox First (Score:4, Informative)
It isn't a security issue so the only purpose served by his going public without him contacting Xerox is to stroke his ego.
It isn't a security problem? Seriously?
What if a doctor copies a prescription or your medical journal? Government officials copy personal information for use with a visa? Police officers copy statements? Or any other place where you'd want to copy something, that must be copied correctly?
Sure, it's not a computer security issue, but it's definitely, among other things, a security issue.
Re: (Score:2)
It's not a security problem in the sense that people knowing about it won't be able to exploit it. In other words, public knowledge of the problem won't hurt security any more than it already has been, which is what the earlier post was talking about.
Re: (Score:1)
But public knowledge of this may save a few lives, when the doctor first checks if all the numbers are copied correctly before handing it to another doctor.
Re: (Score:3)
It's not a security problem in the sense that people knowing about it won't be able to exploit it. In other words, public knowledge of the problem won't hurt security any more than it already has been, which is what the earlier post was talking about.
First, I do understand your point regarding the common usage of "security" in this domain. However, the term "security" can also mean "safety," although in English "security" is more commonly used to mean freedom or protection from malicious harm or loss and "safety" is commonly taken to mean protection from accident or nature. (Paging pedants to show just how stupid and wrong I am.) Moreover, in some languages, the English words "safety" and "security" translate the same.
Re: (Score:2)
Sorry, I just can't seem to parse your post and grasp the meaning. Could you perhaps elaborate a bit?
Re: (Score:2)
I believe the idea is that making this public knowledge before it is fixed does not increase exposure. All of the risk has already happened and people who know about the issue can't make it happen more.
Re: (Score:2)
You seriously think nobody will be able to exploit this problem?
Re: (Score:3)
Kudos though for spending so much time thinking of how to validate your horribly thought out position.
The reason that you come forward quietly to a corp before going public on a real security issue is so that the bad guys do not exploit it while the company makes a patch. People knowing about this issue before a patch can only help the issue.
On top of that Xerox knew about this problem al
Re: (Score:2)
You've got to elaborate a bit more than the short, uninformative sentences that you put up. What are you talking about? What is this "horribly thought out position" that you accuse me of having?
Let me break it down for you. You accuse me of being either:
a) a shill, or
b) an idiot,
even though I've pointed out some of the safety issues that stem from not being able to correctly copy when it would be assumed that you could, and by extension criticised Xerox (the company) for not coming forward with this, when
Re: (Score:2)
Dishevel thought he was replying to the same AC you were replying to, however his nerdrage exceeded his ability to reply to the correct post and not make a public fool of himself. Sad, really.
Re: (Score:2)
I personally know the people who configure aircraft and ATC systems. They do stuff like modelling the runway locations and airspace profiles around airports. Scanning and emailing printed data is something which they would do from time to time. There must be thousands of examples of safety critical data which is handled in this way.
Re: (Score:1)
"How would any of you like it if someone found a bug in your stuff and instead of notifying you, went to your managers and bad mouthed you?"
This is exactly what happens in most industries from food service, retail, transport(like my driving? Call...), and manufacturing. I'm sure there are more examples too but these are just some of the fields in which I have been a direct employee or as a manager where I was able to participate in the complaint process as a third-party observer more than a few times as cowork
Re:Notify Xerox First (Score:5, Insightful)
He does not.
He discovered the information, and he is free to (a) remain silent (b) tell Xerox (c) tell the press (d) tell everyone (e-z) anything else he likes. He might CHOOSE (b) but he is certainly under no obligation to do so, and it is of course incorrect for anyone to fault him if he does not choose (b).
We see this same mistake being made by the inferior minds who advocate the farcical concept of "responsible disclosure" when it comes to security issues. There is no such thing. There never has been. It's simply a fabrication by the mouthpieces of corporations who fret about bad publicity or negative impact on their stock price. Those who say they practice it are conceited and arrogant: they are making the foolish mistake of presuming that they, and they alone, possess this information, even though that's almost certainly not true. (What one can discover, another can discover.)
In all these cases, what we find are people who are afraid of the truth. They are afraid to speak it, afraid to hear it, afraid to have it propagated, afraid that others may have it: afraid, afraid, afraid. This is antithetical to the scientific method, to free speech, to forward progress: we must have the truth, no matter how inconvenient or unpleasant, if we're going to get anywhere.
I'm sure that some of the people at Xerox are furious about this. That's just too damn bad. If they want to find the root cause of their anger, they should look in a mirror, as it is their incompetence, sloppiness, laziness and negligence that has made all this happen.
Re: (Score:2)
Unless, as with the hackable door locks, someone sues for a gag order.
You might not owe a corporation favors, but they certainly can try to FORCE you to grant them.
responsible disclosure is a myth? (Score:2)
I think everything else you wrote was good but in the case of disclosing security attack vectors, letting everyone know or only letting hackers know, before giving the company a chance to fix the security hole results in a great many more hackers using the attack vector than if it had been reported without public disclosure. We have no idea who figured out the attack vector first, the researcher could very possibly be first, or be one of the first, to discover it. Do hackers always share attack vectors with
Re: (Score:2)
however I kept nagging stating I wanted to publish within a few hours
Has this guy ever worked for a large corporation? They can't decide they need to take a dump within a few hours let alone anything requiring thought and consideration.
Important number (Score:5, Funny)
69 dude!
Now if 6 turned out to be 9, ...if all the hippies cut off all their hair,
I don't mind, I don't mind,
I don't care, I don't care.
Dig, 'cos I got my own world to live through
And I ain't gonna copy you.
Re: (Score:3, Funny)
If xerox transforms it to 68, they owe you one!
My reaction: (Score:3)
Re: (Score:3)
It's the scanner bit. Basically it applies a heavy amount of compression to the final result by looking for blocks that match and duplicating them. Which is all fine until the copier sees what it thinks is a 0 but is actually an 8.
This is informative.
Re: (Score:2)
What, an article about a copier that changes numbers, yet no picture zoomed on the before/after numbers? WTF?
Frightening photocopier (Score:1)
Re: (Score:1)
I'm not sure he should lose the tinfoil. Perhaps still crinkle it in his hands. People are retrieving documents from the copier storage. Considering how often security holes are found in networked devices, it isn't outside the bounds of believability that someone could read copied documents.
(PDF) http://www.willassen.no/svein/pub/copier-en.pdf
A security flaw [Re:Frightening photocopier] (Score:3)
Am I the only one who finds this truly frightening; that the photocopier has a bug in a sub system that is basically reading the content of the documents being photocopied?
Yes, you should find that frightening. That's not new, though, pretty much all photocopiers these days don't actually "photocopy" the document, they scan it to memory and then print the scan. Your documents are saved to memory on the photocopier. Yep, that's a security flaw.
http://www.thedailygreen.com/environmental-news/latest/digital-copier-security-461009 [thedailygreen.com]
http://www.cbsnews.com/8301-18563_162-6412439.html [cbsnews.com]
http://message.snopes.com/showthread.php?t=60313 [snopes.com]
Re: (Score:2)
It's not the scanning to memory bit that's frightening. It's the "compression" bit that's frightening. And it's a tad surprising I think to most people the way it compresses. Maybe not quite as surprising for computer programmers, but I'd bet that even us wouldn't have exactly imagined this possibility.
Re: (Score:1)
You can set it to OCR your document but that is not the problem described here.
What is happening here is the image compression that is done, which compares pieces of the image together; when it finds something that looks similar enough it only stores one of those pieces and duplicates the rest. An 8 and a 6 look alike enough for the compression algorithm to only store the image of an 8 once, and copy it anywhere it finds an 8 or a 6. It will also happen with other shapes, like symbols on a construction drawin
Re: (Score:2)
We used Xerox WorkCentre copiers heavily where I used to work, using them to scan/transmit change documents back and forth for signatures before doing anything to FDA validated systems. And the folks at work used to wonder why I would always set the image quality to the highest setting -- something like "SuperFine" -- before pressing "Send" (and then requesting others to do the same). I always did it because I hated trying to read the blurry quality you got from "Normal" ("Low" was not even an option for me
Everything you thought you knew... (Score:5, Insightful)
The potential for damage with this kind of error almost can't be overstated. Besides errors in billing, construction, manufacture or products, medicine dosages, etc. already outlined, there are other likely problems:
Publications may contain wrong data.
Scientific conclusions may be based on wrong data.
Government policy may be based on wrong data.
Money may go to wrong accounts or be taken from wrong accounts.
You think you paid your taxes? The government may not agree.
Re: (Score:2)
The potential for damage with this kind of error almost can't be overstated. ...
You think you paid your taxes? The government may not agree.
Exactly. I photocopy a lot of documents and put them in my files to substantiate finances. So, the numbers may have been changed and my photocopies aren't accurate.
Re: (Score:2)
Doesn't this therefore render the copier as "unfit for purpose" and you can get a refund? The whole point of copiers is to make copies. The average user doesn't care how it does it, only that it does what the sales blurb says it does.
In any case, who would buy a copier knowing it doesn't actually copy? You wouldn't buy a phone that can't make calls until it gets a software update.
Re:Everything you thought you knew... (Score:5, Insightful)
Doesn't this therefore render the copier as "unfit for purpose" and you can get a refund?
I doubt it as the work-around is so easy: just change quality-settings from normal to high and the problem disappears. The factory default settings are obviously bad, but since the settings can be changed so easily I don't think it qualifies for the "unfit for purpose" - claim.
You misunderstood the new findings:
Re: (Score:2)
Doesn't this therefore render the copier as "unfit for purpose" and you can get a refund? The whole point of copiers is to make copies. The average user doesn't care how it does it, only that it does what the sales blurb says it does.
In any case, who would buy a copier knowing it doesn't actually copy? You wouldn't buy a phone that can't make calls until it gets a software update.
At the very least it warrants a "YOU HAD ONE JOB" meme pic featuring a xerox copier.
Re: (Score:2)
Anticipating a WOOSH, but Xerox haven't made 'Copiers' for a long time now. They make Multi Function Devices (MFDs), so by very definition, they have more than one job.
Re: (Score:2)
Anticipating a WOOSH, but Xerox haven't made 'Copiers' for a long time now. They make Multi Function Devices (MFDs), so by very definition, they have more than one job.
good point...
and ...
whoosh!
Re: (Score:2)
Yes, it can be overstated. Normal sized print will not get altered by these compression algorithms. Substitutions only occur in data that a human would have trouble reading reliably to begin with. That kind of poor photocopy should never be used for any kind of important task, no matter what.
They always "may contain wrong data", that's why you need to triple-check and verify for anything that matters.
Re: (Score:2)
Government policy may be based on wrong data.
Ahahaha - government policy based on data. Nice one.
Re: (Score:2)
and apparently every assembly manual for chinese products or Ikea furniture was produced on these machines....
Re:Everything you thought you knew... (Score:4, Funny)
"Sure, but can it substitute feet for meters?"
No, it's a copier, not rocket science.
Doing it wrong. (Score:2)
Time to buy a Ricoh.
At least they don't monkey with the compression to the level it actually distorts the image.
Re: (Score:2)
Any compression at all, any modification at all, is unacceptable in a copier. How do you not get that?
That is an absurd position. There's no issue with lossless compression, and it's beneficial to the customer, because it allows you to scan and copy much larger documents without memory issues. The reason that this is a problem is that it's a lossy compression algorithm that clearly is flawed.
Re: (Score:2)
Invent some half-assed lossy compressor, such as JBIG [wikipedia.org] which is an ISO standard that was ratified so long ago that the patents applying to it have all expired?
One thing of note is that JBIG is very commonly used in higher-end faxes as it's significantly quicker than previous lossless compression algorithms. I wonder how many faxes have been silently modified in transit by this compression?
And, before you ask, there are many industries where faxes are still heavily used, such as in law - where silent modifica
Re: (Score:3)
The copiers are using JBIG2 [wikipedia.org], not JBIG, which is lossless. JBIG2 on the other hand has lossless and lossy modes. In both modes the algorithm employs "similar symbol matching," but in the lossless mode differences for each instance of a symbol from a reference are stored while the lossy mode stores only the reference symbols.
ImageMagick doesn't seem to support JBIG2 so I haven't been able to play around with it at all. I just wonder if even the lossless mode is safe since it sounds bug prone (i.e. unless they
Re: (Score:2)
Yes, the mistake was mine. I did mean to say JBIG2 [wikipedia.org] which is, as you say, lossy. It's also been an ISO standard since 2001.
Re: their lossless mode - if they can mathematically guarantee that the output == the input under all input conditions, then we're safe with it. If it uses pattern matching and substitution (like the lossy mode does) then all bets are off.
I wonder why ImageMagick doesn't support JBIG2 - from the wikipedia article, Patents for JBIG2 are owned by IBM and Mitsubishi. Free licenses should b [wikipedia.org]
Re: (Score:2)
You can generally pay some amount and get an ISO document - for the JBIG2 standard document I think it was something like 180 CHF.
According to JPEG [jpeg.org] (the standards group, not the file format)
Re: (Score:3)
Flawed or sabotaged?
Just glad to see them respond! (Score:1)
In Development (Score:5, Funny)
xerox was not in denial (Score:3, Funny)
They meant to admit this to the public last week, but their press release got its letters changed around for some reason...
Say goodbye to Xerox (Score:5, Interesting)
It's not good to fxck with numbers! (Score:2)
Re: (Score:2)
Numbers are the bedrock of the capitalist regime. They are sacred. Do not transform them when copying them. Better to mangle words cause we all know they have semiotic plasticity anyway. But for the love of the capitalism and all it portends, please keep the numbers pure. That is all.
Science and engineering rely on the numbers being "pure" too, jackass. It's not always about money.
I prefer to not be injured or killed because altered numbers mean a structure is unstable, or that I get an incorrect dosage of medication.
I expect a copier to copy an image (Score:2)
I expect a copier to copy an image of the page, not to perform an OCR scan and reprint it.
What's next? An NSA back door so the scanned text can be fired off to the US spy network?
Pedant point (Score:2)
The copiers are failing to copy numerals properly.
This problem may affect more than just Xerox... (Score:5, Informative)
http://www.dkriesel.com/en/blog/2013/0808_number_mangling_not_a_xerox-only_issue [dkriesel.com]
And one of the comments to that posting says:
I have experimented with the open source jbig2enc library available at http://github.com/agl/jbig2enc [github.com], which has an encoding parameter called the “threshold”, described like this:
“sets the fraction of pixels which have to match in order for two symbols to be classed the same. This isn't strictly true, as there are other tests as well, but increasing this will generally increase the number of symbol classes”
The included command tool accepts values for this parameter between 0.4 and 0.9, with 0.85 as the default.
I have found replaced digits in single-page numerical tables encoded with this parameter set as high as 0.82. As with the other examples you have found, the errors are not in any way obvious to the eye which is, of course, the real problem.
Since JBIG2 has been supported in PDF since 2001, it would be surprising if only Xerox have fallen into this trap.
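A toy model of the symbol-matching step that the post above and the earlier JBIG2 lossless-versus-lossy comment describe, added here as an example; it is not Xerox's firmware and not code from the jbig2enc library. The 5x7 digit bitmaps, the page "6880" and the threshold values are constructed for illustration. Each glyph is compared against the reference glyph of every symbol class seen so far; if the fraction of matching pixels is at or above the threshold it is filed under that class. Lossy mode stores only the class reference, so the decoder paints the first-seen glyph wherever a look-alike stood; lossless mode also stores a per-glyph residual, so the reconstruction is exact. Lowering the threshold merges more classes, which is why substitutions become more likely, and the residual is what makes the lossless mode safe.

```python
"""Toy JBIG2-style symbol classification (added example, constructed data)."""
from typing import Dict, List, Tuple

Bitmap = Tuple[str, ...]  # rows of '#' (black) and '.' (white)

# Constructed 5x7 bitmaps; '6' differs from '8' in 2 of 35 pixels, '0' in 5.
GLYPHS: Dict[str, Bitmap] = {
    "8": (".###.", "#...#", "#...#", ".###.", "#...#", "#...#", ".###."),
    "6": (".###.", "#...#", "#....", "####.", "#...#", "#...#", ".###."),
    "0": (".###.", "#...#", "#...#", "#...#", "#...#", "#...#", ".###."),
    "1": ("..#..", ".##..", "..#..", "..#..", "..#..", "..#..", ".###."),
}


def similarity(a: Bitmap, b: Bitmap) -> float:
    """Fraction of pixel positions at which the two bitmaps agree."""
    total = sum(len(row) for row in a)
    same = sum(pa == pb for ra, rb in zip(a, b) for pa, pb in zip(ra, rb))
    return same / total


def residual(ref: Bitmap, glyph: Bitmap) -> Bitmap:
    """Pixel-wise XOR: '#' where the two differ. XOR is its own inverse,
    so residual(ref, residual(ref, glyph)) == glyph."""
    return tuple(
        "".join("#" if pr != pg else "." for pr, pg in zip(rr, rg))
        for rr, rg in zip(ref, glyph)
    )


def encode(page: List[Bitmap], threshold: float):
    """Return (symbol dictionary, per-glyph records of (class index, residual)).
    The first glyph of a class becomes its reference, as in the post above."""
    classes: List[Bitmap] = []
    records: List[Tuple[int, Bitmap]] = []
    for glyph in page:
        idx = next(
            (i for i, ref in enumerate(classes) if similarity(ref, glyph) >= threshold),
            None,
        )
        if idx is None:
            classes.append(glyph)
            idx = len(classes) - 1
        records.append((idx, residual(classes[idx], glyph)))
    return classes, records


def decode(classes: List[Bitmap], records, lossless: bool) -> List[Bitmap]:
    """Lossy: paint the class reference. Lossless: reference XOR residual."""
    out = []
    for idx, res in records:
        ref = classes[idx]
        out.append(residual(ref, res) if lossless else ref)
    return out


def to_text(bitmaps: List[Bitmap]) -> str:
    """Label each decoded bitmap with the digit it exactly matches ('?' if none)."""
    lookup = {bm: ch for ch, bm in GLYPHS.items()}
    return "".join(lookup.get(bm, "?") for bm in bitmaps)


def round_trip(text: str, threshold: float, lossless: bool) -> str:
    """Render digits as bitmaps, compress, decompress, and read them back."""
    page = [GLYPHS[ch] for ch in text]
    classes, records = encode(page, threshold)
    return to_text(decode(classes, records, lossless))


def mangled_positions(original: str, decoded: str) -> List[int]:
    """Indices where the round trip changed a digit; a check a verifier could run."""
    return [i for i, (a, b) in enumerate(zip(original, decoded)) if a != b]


if __name__ == "__main__":
    doc = "6880"
    for thr in (0.95, 0.90, 0.85):
        lossy = round_trip(doc, thr, lossless=False)
        print(f"threshold {thr:.2f}: lossy {doc} -> {lossy}, "
              f"changed positions {mangled_positions(doc, lossy)}")
    print("lossless at 0.85:", round_trip(doc, 0.85, lossless=True))
```

Running the block shows the page "6880" surviving at a 0.95 threshold, coming back as "6660" at 0.90 (the two 8s are repainted with the first-seen 6) and as "6666" at 0.85, while the lossless mode returns "6880" at every threshold; note that which digit "wins" depends only on scan order, not on which glyph is more common.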
HCL to the Rescue! (Score:2)
Just as well for Rick, he outsourced this work to HCL. They'll clean up the mess left by those lazy, grasping American engineers in no time at all!
wtf?! (Score:2)
The fact that this is even POSSIBLE makes me worry that there's covert firmware deliberately tampering with things.
First of all, how does it even know what a number *looks like*?
And how the hell does it SWAP numbers?
I've never known decompression artifacts to do that. It's just plain loony.
Something seems decidedly fishy here.
Re: (Score:2)
Simple example: fonts. You have a 8.5 x 11 sheet of paper @ 300 dpi. 90,000 dots per square inch, and 8,415,000 dots per page
What about fax machines? (Score:2)
Yes, faxes? Remember them?
They're still widely used in many industries today. In fact, I applied for an Apple Developer account in a company name not too long ago and, unlike with an individual account, there is some paperwork involved that Apple insist must be faxed to them. Apparently it's more secure. Anyway, I'm not ranting about that issue today, but more the widespread use of faxes in the area of Law.
Lawyers love faxes. They fax everything they can. A lot of them are using email more and more these da
Re: (Score:2)
With compression you can store more bitmaps for longer, and transmit them for less.