Xerox Confirms To David Kriesel Number Mangling Occuring On Factory Settings 163
An anonymous reader writes with a followup to last week's report that certain Xerox scanners and copiers could alter numbers as they scanned documents: "In the second Xerox press statement, Rick Dastin, Vice President at Xerox Corporation, stated: 'You will not see a character substitution issue when scanning with the factory default settings.' In contrast, David Kriesel, who brought up the issue in the first place, was able to replicate the issue with the very same factory settings. This might be a serious problem now. Not only does the problem occur using default settings and everyone may be affected, additionally, their press statements may have misled customers. Xerox replicated the issue by following Kriesel's instructions, later confirming it to Kriesel. Whole image segments seem to be copied around the scanned data. There is also a new Xerox statement out now."
Swapping numbers while copying may seem like bizarre behavior for a copier, but In comments on the previous posting, several readers pointed out that Xerox was aware of the problem, and acknowledged it in the machine's documentation; the software updates promised should be welcome news to anyone who expects a copier to faithfully reproduce important numbers.
Comment removed (Score:5, Informative)
Re:Notify Xerox First (Score:4, Informative)
It isn't a security issue so the only purpose served by his going public without him contacting Xerox is to stroke his ego.
It isn't a security problem? Seriously?
What if a doctor copies a prescription or your medical journal? Government officials copies personal information for use with a visa? Police officers copies statements? Or any other place where you'd want to copy something, that must be copied correctly?
Sure, it's not a computer security issue, but it's definitly, among other things, a security issue.
Re: Do you work for Xerox? (Score:5, Informative)
I am a Xerox technician.
Yes, some models store and compress jobs before printing.
This problem may affect more than just Xerox... (Score:5, Informative)
http://www.dkriesel.com/en/blog/2013/0808_number_mangling_not_a_xerox-only_issue [dkriesel.com]
And one of the comments to that posting says:
I have experimented with the open source jbig2enc library available at http://github.com/agl/jbig2enc [github.com], which has a encoding parameter called the “threshold”, described like this:
“sets the fraction of pixels which have to match in order for two symbols to be classed the same. This isn't strictly true, as there are other tests as well, but increasing this will generally increase the number of symbol classes”
The included command tool accepts values for this parameter between 0.4 and 0.9, with 0.85 as the default.
I have found replaced digits in single-page numerical tables encoded with this parameter set as high as 0.82. As with the other examples you have found, the errors are not in any ways obvious to the eye which is, of course, the real problem.
Since JBIG2 has been supported in PDF since 2001, it would be surprising if only Xerox have fallen into this trap.
Comment removed (Score:5, Informative)
Re:Where does it say that in that article? (Score:2, Informative)
From this file [xerox.com], located on Xerox's site:
Different devices represent different levels of ris
k. It’s axiomatic that as functionality increases
so does the potential risk. For
those devices, countermeasures are built into the m
achine to reduce the risk.
Not all copiers have hard disk drives. Those that d
o not are not at risk.
Some copiers and multifunction devices have hard di
sk drives, but do not use the hard disk drive to sa
ve document images. These are also not a risk.
Those copiers and multifunction devices that do use
hard disk drives to temporarily store images, shou
ld have an "image overwrite" feature that destroys the copied image immediately." That function should be built in, (which Xerox does), or installable via a security kit. If neither solution exists for the product, it is at risk.
Also, most copiers and multifunction devices that have hard disks include a disk encryption feature which encrypts all stored
customer image data with the state-of-the art AES encryption algorithm.
Xerox has developed a disk removal program so that prior to a device being returned a Xerox technician will remove the disks and leave them with the customer. This program charges a flat fee per machine for the service. Contact Xerox Customer Support for information on fees and availability in your geography.
Clearly, some Xerox "copiers and multifunction devices" store image data in non-volatile memory, in the course of their operation. Stop being a jackhole.