Copy Machines, a Security Risk?
May 23, 2010 7:05 AM

Armen Keteyian of CBS News bought four copiers for $300 apiece (video link). He found a great deal of personal data on the copiers' hard drives, easily accessible using free software one could find on the Internet.

As a result of the investigation, there has been some fallout.

Congress and the FTC have now stepped in to see if there is a solution. Ed Markey (D-Mass) is leading the charge.
posted by reenum (62 comments total) 12 users marked this as a favorite

 
“The day we visited the New Jersey warehouse, two shipping containers packed with used copiers were headed overseas - loaded with secrets on their way to unknown buyers in Argentina and Singapore.”

OH NOES! NOT THE FOREIGNERS!
posted by jaffacakerhubarb at 7:10 AM on May 23, 2010 [8 favorites]


They really hit the jackpot with those police computers.
posted by graventy at 7:11 AM on May 23, 2010


Something tells me this story is going to read like "YOUR IDENTITY HAS BEEN STOLEN AND YOUR CHILDREN WILL EAT RATS AND STILL WATER PUDDLES" by the time it reaches the Post. This is a horrible security breach but it's going to get much, much worse until it gets better. For one thing, it is going to make a whole lot of jobs absolute hell for a while. Certain laws w/r/t clients filling out Federal paperwork that require IDs state that you either a) do not make copies of anyone's documents or b) make copies of everyone's. Most places, like the company where I work wherein 100+ people a day are processed, do the latter. Now we're going to get a whole bunch of people insisting, nay, demanding we do not so much as TOUCH their documents. Then filing complaints because we cannot process them without taking the damn copies. I'll be emailing these articles to the IT guys on Monday just so we can have a copier privacy policy in place that I can post in GIANT LETTERS in the interview rooms.
posted by griphus at 7:19 AM on May 23, 2010 [1 favorite]


I like how the linked video implies that you have to pay an extra $500 if you want your copier to be capable of deleting data.
posted by magnificent frigatebird at 7:22 AM on May 23, 2010 [1 favorite]


I like how the linked video implies that you have to pay an extra $500 if you want your copier to be capable of deleting data.

I wouldn't be surprised. Most high-end copiers come equipped with a whole lot of features that you need to pay to unlock.
posted by griphus at 7:25 AM on May 23, 2010 [1 favorite]


Why do copiers need a hard drive big enough to store that many documents? Why do they need a hard drive at all? I kind of assumed a copier maybe had a gig or two of flash memory; enough for the large jobs.
posted by graventy at 7:32 AM on May 23, 2010 [4 favorites]


That'll teach me to print out my private key and photocopy it.
posted by Damienmce at 7:38 AM on May 23, 2010 [2 favorites]


Nice! I always just assumed that copy machines just used some sort of flash memory to store that data...

I guess not.
I wouldn't be surprised. Most high-end copiers come equipped with a whole lot of features that you need to pay to unlock.
posted by griphus at 10:25 AM on May 23
Or you could just take your teenaged son and his laptop to the office one Saturday and pay him $50 to open up the copier, take out the HD and wipe its contents. For another $10 you could probably get him to restore whatever filesystem was used on the drive when it was fresh from the manufacturer.
posted by vhsiv at 7:41 AM on May 23, 2010 [4 favorites]


He found a great deal of personal data on the copiers' hard drives, easily accessible using free software one could find on the Internet.

Once again we find that the Internet must. be. banned. (And software strongly regulated.)
posted by DU at 7:44 AM on May 23, 2010 [1 favorite]


Or you could just take your teenaged son and his laptop to the office one Saturday and pay him $50 to open up the copier, take out the HD and wipe its contents.

Or give your toddler a $2 magnet.
posted by DU at 7:46 AM on May 23, 2010 [12 favorites]


Why do copiers need a hard drive big enough to store that many documents? Why do they need a hard drive at all?

I don't have a printer at my desk; there's not a lot of room for one. So I use the office copier.

This is pretty common around the university. It's slightly more cost effective than $150 printers and $75 ink refills.
posted by dw at 7:46 AM on May 23, 2010


Why do copiers need a hard drive big enough to store that many documents?

Most copiers are network-attached now, and run web and mail servers, small apps, manage security, handle authentication against domain credentials, all kinds of other stuff. Basically, you don't have "copiers" anymore, any more than you have "printers". You have network-attached servers, running a full-on OS of some kind, that happen to be able to eat and spit out reams of paper.

Having worked with these problems for some time now, I can tell you unambiguously that printer software is really bad, but copier software is some of the worst software in the world; it's usually poorly-configured off-the-shelf Apache with a sick joke of UI in front of it, virtually never audited for security or even usability. (Buffer overflow? Security update? Plaintext credentials? What that?)

So the other part of this story is that right now, today, the softest spot on a professionally maintained network is almost certainly the photocopiers. Nobody thinks to audit or firewall their copier, you know? And yet here we are.
posted by mhoye at 7:47 AM on May 23, 2010 [23 favorites]


Good. I'm glad this sensationalistic fucking video is getting wider attention. Now maybe the fucking receptionists in the finance department will quit emailing it to me with breathless all-caps messages about how Xerox is selling my soul to the Chinese mafia.
posted by BeerFilter at 7:53 AM on May 23, 2010 [1 favorite]


I'll be emailing these articles to the IT guys on Monday just so we can have a copier privacy policy in place that I can post in GIANT LETTERS in the interview rooms.

As will many, I suspect, and several will accidentally include every customer and vendor contact's email address in the "To:" field.
posted by hal9k at 7:54 AM on May 23, 2010 [4 favorites]


Nobody thinks to audit or firewall their copier, you know?

I wouldn't say nobody. Military-type places are pretty careful with their copiers. Classified docs can only be copied on a certified copier, etc. And this was even before they had HDs.
posted by DU at 7:54 AM on May 23, 2010 [1 favorite]


I CAN ASSURE YOU THAT THE IT DEPARTMENT HAS ALREADY SEEN IT. IT'S NOT OUR FUCKING FAULT.
posted by BeerFilter at 7:58 AM on May 23, 2010 [22 favorites]


Why do copiers permanently store images on a hard drive?
posted by stbalbach at 7:59 AM on May 23, 2010 [1 favorite]


I know it is not IT's fault, but having a "DON'T WORRY ABOUT IT FOLKS SIGNED IT DEPT." sign is usually enough.
posted by griphus at 8:00 AM on May 23, 2010


I can tell you unambiguously that printer software is really bad, but copier software is some of the worst software in the world; it's usually poorly-configured off-the-shelf Apache with a sick joke of UI in front of it, virtually never audited for security or even usability.

Amen to that.

A couple years ago the hardware guy mentioned that the new copier had a scanner, so I asked if he had the instructions for giving it a try.

Scanning wasn't hard. Getting it off the copier, though, was insane. I had to use a system-issued login -- "003" I think -- and the password couldn't be changed (though I'm not sure if that was because of the software or because the process was insanely tortuous, which I wouldn't put past the copier.)

Once I logged in, I had to find the job (which, luckily, was time-stamped) and click through about 10 screens before I could finally choose between TIFF and PDF. The PDF was essentially the TIFF passed through some Java app to convert it to PDF uncompressed and untagged, so it was usually about 98% of the size of the TIFF. If I wanted both... I had to go back to the beginning, find the job, and click through 10 screens again.

As a result, I don't scan anymore. But what scares me is that all of our employment files are being scanned in one person at a time through this. Never mind the security issues, we have a student devoting her day to scan, click through 10 screens, download file into folder, lather, rinse, repeat. What a disaster.
posted by dw at 8:01 AM on May 23, 2010 [2 favorites]


Why do copiers need a hard drive big enough to store that many documents? Why do they need a hard drive at all? I kind of assumed a copier maybe had a gig or two of flash memory; enough for the large jobs.

They're very handy. I create large InDesign-based brochures, PDF them and send them to the hard drive on the color copier. Our (brand and model obscured) can print, fold and staple full color 2-sided on bright n' shiny to 18"x12". Salespeople (and their ilk) can scroll the touchscreen monitor to a designated user box and print their own brochures as needed.

I've set up user boxes (think folder/directory) for different markets for our products and taught employees how to print their own stuff on demand as needed. Works great. Saves trees. Saves time.

Until it needs servicing and the copier tech accidentally wipes the hard drive. I've had to reload four times now.

Solution: Call tech support and schedule an onsite before you end your lease.
posted by hal9k at 8:07 AM on May 23, 2010 [3 favorites]


I'm sorry, all. I've just been sent this video too many times in the past week accompanied with breathless all-caps demands for action by people who don't give a flying fuck about security and it has stressed me. Something about it really pushes people's buttons. You can talk to them about security until you're blue in the face and it's just in one ear, out the other, but show them this video and it's time for pitchforks and torches. I'm glad something will be done about it. Sorry for the outburst.
posted by BeerFilter at 8:09 AM on May 23, 2010 [4 favorites]


Most don't have hard drives, they had to be careful to pick a model they knew did but they didn't show that part.
posted by floam at 8:12 AM on May 23, 2010 [1 favorite]


Well, most MFPs don't have hard drives that everything getting scanned gets written to, would be a better thing to say.
posted by floam at 8:13 AM on May 23, 2010


People are probably less concerned about actual data security so much as they are afraid someone will discover that they have been making copies of their resumes, mortgage applications, insurance claims, kid's homework, and naked butts on the company copier.
posted by briank at 8:13 AM on May 23, 2010 [5 favorites]


Why do copiers need a hard drive big enough to store that many documents? Why do they need a hard drive at all? I kind of assumed a copier maybe had a gig or two of flash memory; enough for the large jobs.

"Copiers" aren't simply copiers anymore. The big ones are full-on publishing centers. If, say, an office has a core group of documents that it continually prints (client brochures, sales sheets, etc.) these "copiers" can store them on their hard drives for quick output, either remotely or right at the machine itself. My wife's office lives and breathes by just such a system.
posted by Thorzdad at 8:16 AM on May 23, 2010 [1 favorite]


I vaguely remember reading about Stallman, and him getting into open source due to the proprietary code on printers/copiers. Are there any copiers out there that are completely open source?

I'm not sure I would benefit from being able to look at the code, but it would be nice to know that there were some; as presumably if the code was available, things like this could be prevented.
posted by a womble is an active kind of sloth at 8:16 AM on May 23, 2010


I like how the linked video implies that you have to pay an extra $500 if you want your copier to be capable of deleting data.

The news piece makes it sound like the files were never deleted at all but my guess is they have been deleted and the guy is using recovery software. The data deletion they are talking about is probably the one that conforms to DOD standards which might also include a way to print that never hits the disk, and it's all a bitch to do, hence the price.

I kind of assumed a copier maybe had a gig or two of flash memory; enough for the large jobs.

They're not so much 'copiers' as printers with scanner input units attached, and so they need to hold an office's worth of spooled documents; in some offices a 1gig document is not unusual. Also, rendered page rasters can be pretty honking huge at 600dpi; that 1gig might only hold 10 uncompressed pages, and that's probably about how many it wants in memory too, to run at full speed.
posted by fleacircus at 8:22 AM on May 23, 2010 [3 favorites]


dw: "Never mind the security issues, we have a student devoting her day to scan, click through 10 screens, download file into folder, lather, rinse, repeat. What a disaster."

Can't you just fax or e-mail it to your email address? Many modern copiers do something like that.
posted by goodnewsfortheinsane at 8:39 AM on May 23, 2010


Why do copiers permanently store images on a hard drive?
posted by stbalbach at 10:59 AM on May 23


That's easy. So that management can go in to see which employees have been 'stealing' use of the copier for personal business.
posted by AsYouKnow Bob at 8:44 AM on May 23, 2010


WHAT DO YOU PEOPLE HAVE TO HIDE!
posted by cjorgensen at 8:44 AM on May 23, 2010


"Why do copiers need a hard drive big enough to store that many documents? Why do they need a hard drive at all? I kind of assumed a copier maybe had a gig or two of flash memory; enough for the large jobs."

Besides store and print on demand, hard drives allow for printing but not actually producing any paper until the job owner releases the job while standing at the copier. Saves paper and is more secure because a printout doesn't sit in the output tray for minutes or forever (if someone either accidentally prints or forgets they printed).

As to "Why so big?"; no one sells small capacity hard drives anymore.
posted by Mitheral at 8:44 AM on May 23, 2010 [1 favorite]


Several years ago I bought a Sharp UX-510 fax machine off eBay. The used thermal roll was still inside and I decided to unroll it and see what was on it. It was about 100 yards of investigations, personal data (including Social Security numbers), police business, etc, from a New Jersey police department. You could have written a Dexter episode off that thing.
posted by crapmatic at 8:47 AM on May 23, 2010 [1 favorite]


goodnewsfortheinsane: "Can't you just fax or e-mail it to your email address? Many modern copiers do something like that."

Only if you paid extra for it...
posted by griphus at 8:51 AM on May 23, 2010


I wouldn't say nobody. Military-type places are pretty careful with their copiers. Classified docs can only be copied on a certified copier, etc. And this was even before they had HDs.

20 years govt procurement here, our copiers have always been marked like DU said. Secret, top secret, classified all get copied on a secure copier in a secure location. With that said, we are going away from personal printers, network printers, scanners and fax machines. All are being replaced with networked copiers. They just did the fiber optic drop to the copier across from my desk. The machine had been installed about a year ago. My guess is that when I go in tomorrow they'll have disabled the network stuff in reaction to this.
posted by fixedgear at 9:24 AM on May 23, 2010 [1 favorite]


Several years ago I bought a Sharp UX-510 fax machine off eBay. The used thermal roll was still inside and I decided to unroll it and see what was on it. It was about 100 yards of investigations, personal data (including Social Security numbers), police business, etc, from a New Jersey police department. You could have written a Dexter episode off that thing.

Disco. You could, more tediously, do the same thing with the generation of high quality typewriters that used a film cartridge rather than a ribbon.

I once installed a RIP (formatter) card in a Lexmark that hadn't been wiped clean before being resold. I printed out the fonts page, and staring back at me was a listing of custom fonts for Holiday Inn. (Or Hilton. I forget.)


They're not so much 'copiers' as printers with scanner input units attached, and so they need to hold an office's worth of spooled documents; in some offices a 1gig document is not unusual. Also, rendered page rasters can be pretty honking huge at 600dpi; that 1gig might only hold 10 uncompressed pages, and that's probably about how many it wants in memory too, to run at full speed.

Exactly. (Presuming that's what they are doing, anyway.) The printing process takes the print job in whatever language it is sent in and converts it to a raster, sometimes called video, signal. This is what is presented to the "guts" of the machine to print out. Just a stream of dots that the print engine places on the paper. This limits printing speed to the conversion speed. So, they install RAM. At some point, a few GB of RAM becomes more expensive than the cheapest HDD they can get, so they use that.

Seeming Derail But Not Really: I had a customer who complained that their old color printer with 64 mb of RAM could handle more complex documents than their newer, faster, better printer with 256mb of RAM. That would seem impossible, until I sat and did some figuring. The old printer was the kind with 4 toner cartridges on a big rotating drum, and was 300 dpi. So for every document, it split the colors and printed a raster 4 times for each page. It had the luxury to re-render the bitmap 4 times for each page, so it needed less memory. Where the newer printer printed all four colors at once, at 600 dpi. To do the exact same job, it needed 16x more memory.

Jump that to the now common 1200 dpi, and now you are talking 64x more memory. Add in the desired features of document scanning, store and print, send once print many, etc, and you see where a HDD becomes a necessity. Leverage that with some bad programming, and you have this issue.
posted by gjc at 9:30 AM on May 23, 2010 [2 favorites]


There's going to be a lot of self-styled security charlatans at DEFCON punching themselves for not seeing this low-hanging fruit.
posted by RobotVoodooPower at 9:31 AM on May 23, 2010 [1 favorite]


With that said, we are going away from personal printers, network printers, scanners and fax machines. All are being replaced with networked copiers.

Some places, in reaction to the "sensitive information sitting on a printer somewhere", are going backwards: cheap desktop printers in addition to the (now underutilized) network printer. Instead of using the secure print options already built into the network printers.
posted by gjc at 9:33 AM on May 23, 2010


Looks like CBS may have picked up the idea from this Canadian news article a month earlier.
posted by RobotVoodooPower at 9:35 AM on May 23, 2010


I only copy printouts of my Facebook data.
posted by william_boot at 9:36 AM on May 23, 2010 [3 favorites]


we have a student devoting her day to scan, click through 10 screens, download file into folder, lather, rinse, repeat. What a disaster.

The browser-based UI for our copier is like that, ridiculously complicated and it takes a huge amount of time to scan anything. But I complained to the copier tech, and they gave me a standalone program to use that offers one-click access to the copier's hard drive and any documents stored there. Might be worth asking if there is something like that for yours.

When we switched copiers last time, I asked them to wipe the hard drive before taking it away. The copier tech extracted the hard drive from the copier, put it in an external hard drive enclosure, hooked it up to his laptop, and proceeded to run SDelete on it, which should have shredded any data on it to the DoD 5220.22M file deletion standard.

I doubt our copier lease company is more savvy than most other places, we just happened to know what to ask for. If that video gives other small companies/organizations an idea of what to ask for, that would be good in the long run.

Sorry for the IT people who will get lots of copies of it, though. Hang in there, BeerFilter!
posted by gemmy at 9:39 AM on May 23, 2010 [2 favorites]


Sorry for the IT people who will get lots of copies of it, though.

I saw what you did there.
posted by AsYouKnow Bob at 9:46 AM on May 23, 2010 [3 favorites]


Nobody thinks to audit or firewall their copier, you know?

That's why I put the printers in the DMZ. HAMBURGER

But, yeah, printer software is shit. I feel sorry for the IT departments that have to deal with this.
posted by ryoshu at 9:48 AM on May 23, 2010


The piece is important food for thought, and I appreciate the reporting and what it taught me. Having said that, they did so in the most ignorant and incendiary way reminiscent of tabloid slandering and rumour-mongering:

(1) They make it sound like every scanner has this security flaw.

(2) Their claim that it will cost $500 to be safe from the problem is unsubstantiated.

(3) Their rhetorical title "Copy Machines, a Security Risk?" is stupid if not panderingly incendiary.

(4) By saying that the software for retrieving the data is free and doing a report on how they got what is described as what seems to be all the data, they make it sound accessible; "What is next: high-school children hacking the copier to get the exam answers?" We are talking about forensics software, which is likely abstruse to use and an eyesore due to what is most likely a 90s interface. Furthermore, good luck finding said software which they likely don't know the name and digital whereabouts of. Should someone find the program, it will still take a great amount of skill to use; I might have a chisel and a block of marble, but you won't see me carving a replica of the David statue anytime soon.

(5) Their ominous narrative concluding the video with an open ending about the nebulous future of the scanners heading to South America is fear-mongering, at the least stupid and ignorant and at worst racist or xenophobic alluding to the fact that such countries as Argentina are a nexus of evil, crime, terrorism and other anti-American operations.

I don't know how big and far the reach of MSM is in the U.S., but it would create a sh*tstorm of panic and melting phone lines in the politicians' offices.

They may have helped fight one problem, but they are doing their best to create or uphold another one. The fact that they may have done their own awful version of the Canadian investigation makes them look even more amateurish.
posted by blook at 9:54 AM on May 23, 2010


"I don't know how big and far the reach of MSM is in the U.S., but it would create a sh*tstorm of panic and melting phone lines in the politicians' offices."

Should read:

I don't know how big and far the reach of MSM is in the U.S., but it would create a sh*tstorm of panic and melting phone lines in the politicians' offices in my country.
posted by blook at 9:56 AM on May 23, 2010


There's going to be a lot of self-styled security charlatans at DEFCON punching themselves for not seeing this low-hanging fruit.

You mean a speech like "attacking network embedded systems"? That was DC10. There have been other presentations on this subject as well.

Furthermore DEFCON has actual security charlatans, not just the self styled ones.
posted by el io at 10:21 AM on May 23, 2010 [2 favorites]


blook: The software isn't that specialized, and there's a lot of ways to do the job. It's not some master art of hackery. They're just looking for deleted but not unallocated PDFs, basically. A lot of high school nerds can figure that out. The hardest part would be liberating the hard drive, by far.
posted by floam at 10:21 AM on May 23, 2010


> (1) They make it sound like every scanner has this security flaw.

To be fair, the ones that are handling sensitive data, i.e. insurance companies, police departments, and so forth most likely have copiers that do have this. Since most of those institutions have switched to a leased system model anyway, where you pay a per page / print cost, that includes the copier and toner and service, etc. And at that point, the cost per page is such that getting one that has a hard drive on it is worth the benefits, since they hadn't realized the downsides.

I've worked with these types of copiers for a long time, and never thought "oh hey, I could probably run a basic unerase on this drive to recover the documents." Because I just never appreciated the devices and tools going on. It makes sense in hindsight, but what they've really found is that companies that already have very strict data and privacy compliance guidelines (and which were following them) forgot about their copiers.

And the security flaw is really that an office that is disposing of a machine should secure wipe their hard drives, which makes sense; no one just made the connection that they needed to do it to their copiers. Since they are provided by a leasing company, in most cases those copiers aren't the company's property anyway, which makes it a grey area for some businesses on who can nuke the drive. Just wiping the data won't prevent it from being re-read, you would need to do a secure erase.

I've actually just discovered these standalone disk wipers, which are drive docks you can plug a drive into and it will nuke it for you, without having to attach it to your computer to do the job (and wait for 24 hours as it wipes the drive 7 times or whatever).
posted by mrzarquon at 10:29 AM on May 23, 2010 [1 favorite]


Juntunen's Sacramento-based company Digital Copier Security developed software called "INFOSWEEP" that can scrub all the data on hard drives.

And he charges $700 to run it for you. Jeez, people, DBAN is free. What I'm getting out of this article is that there's a market for me to charge exorbitant amounts for taking a laptop, a $30 USB to SATA/IDE cable, and a copy of DBAN out to a site and letting it run for a while. Maybe I could just make the money by selling "become a copier data security technician" kits.
posted by hades at 10:40 AM on May 23, 2010 [5 favorites]


Maybe I'm buying into the hype, but it sometimes boggles my mind that every person's identity in the USA isn't compromised.
posted by codacorolla at 11:26 AM on May 23, 2010


It's possible that a manufacturer might implement more or less parts of SE, and that one of the parts they might leave out is the bad blocks wipe. There is a tremendous amount of contradictory information about this, however. I fear that the only way to be completely sure is to physically destroy the disk platters. Comparing the cost of the drives with the cost of data insecurity makes this seem like an easy choice.
posted by SteelyDuran at 11:29 AM on May 23, 2010


BeerFilter: "I CAN ASSURE YOU THAT THE IT DEPARTMENT HAS ALREADY SEEN IT. IT'S NOT OUR FUCKING FAULT."

I am printing this out and hanging it outside my cube. I had already heard about this several times BEFORE the video came out. I sent out an e-mail alert telling everyone that it was okay, we owned the copiers and that I'd put a nail through the hard drives when we were done with them if I had to. Then a few days later I got an e-mail asking about this issue.

I can only guess what will be in my inbox when I come in Monday.
posted by charred husk at 11:46 AM on May 23, 2010


Can't you just fax or e-mail it to your email address? Many modern copiers do something like that.

I remember talking about that with the hardware guy, and he said in order to do it required the copier's SMTP server to be able to work on a secure port, and it wouldn't for some insane reason.

But I complained to the copier tech, and they gave me a standalone program to use that offers one-click access to the copier's hard drive and any documents stored there. Might be worth asking if there is something like that for yours.

Huh. Didn't know that. I'll mention it and see if they have anything.
posted by dw at 1:14 PM on May 23, 2010


Maybe I'm buying into the hype, but it sometimes boggles my mind that every person's identity in the USA isn't compromised.

They have medical professionals for that.
posted by gjc at 4:07 PM on May 23, 2010


We have a couple of these networked uber-copier/printer/scanner/faxes @ work and they have hard drives. I don't think we can wipe the drives as we don't own the copiers. We pay a per page fee every month and supply the paper, the vendor takes care of the rest. I'm thinking that when it comes time to replace the machines we'll just have to take the vendor's word on the security of our data or pay stupid money to have the drives wiped.
posted by MikeMc at 7:36 PM on May 23, 2010


I used to consult at a Major Defense Contractor, and their approach was much what gjc describes. We had networked color copiers with individual access codes and a daily print quota, but on our desks we had HP LaserJets.

I was working on a project that required some people involved to have security clearances, and it always hung up our timelines when someone needed to make copies on the classified copier because it was often awaiting a service visit. The whole thing was often imperiled by the printer/copier end, which nobody really thought about. [I also liked the locked plastic garbage can for classified recyclable material, a lock which could be cut out with a carpet knife if you were quick about it.]
posted by catlet at 8:18 PM on May 23, 2010



Maybe I'm buying into the hype, but it sometimes boggles my mind that every person's identity in the USA isn't compromised.

They have medical professionals for that.


LOL! There are records management professionals out there though that should be able to prevent this sort of thing and see that records and equipment are properly disposed of. In fact, there's a league of information destruction professionals out there as well called NAID - National Association of Information Destruction.
posted by Calzephyr at 8:29 PM on May 23, 2010


Can't you just fax or e-mail it to your email address? Many modern copiers do something like that.

If it's like the copier at my workplace, you have to drill down through just as many asinine menus to e-mail it to yourself as you do to save the PDF to a network folder. The software is just mind-bogglingly bad.
posted by straight at 9:21 PM on May 23, 2010


No mention of any cats.
posted by unliteral at 9:27 PM on May 23, 2010 [1 favorite]


I heard about this when someone on an IT listserv on my campus sent the CBS piece around about a week or so ago. It seemed to be news to most if not all of the people who responded; I made a comment to the effect that I considered myself fairly cognizant of IT security issues but that this had totally gone under my radar (and I was deeply involved in the process of evaluating and recommending our office MFP), and my comment was me too'd by a couple of other experienced IT folks on campus.

Contrary to most GRAROMGEVERYBODYPANIC news stories, this one actually raises a valid issue that's only becoming more common. And yeah, extracting the stuff wouldn't take complicated forensics software. I'm pretty sure my machine's interface has a "wipe hard drive" option, but, as stated above, there's always DBAN.

hades: "What I'm getting out of this article is that there's a market for me to charge exorbitant amounts for taking a laptop, a $30 USB to SATA/IDE cable, and a copy of DBAN out to a site and letting it run for a while."

Um, I think I just met my consulting partner. Josh, you wanna take Northern California, OR & WA, I'll take the rest of the West Coast? I'm gonna go sleep on it and I'll have a name and tag line for our wildly successful business in the morning. 8-)
posted by yiftach at 10:29 PM on May 23, 2010


dw wrote: "As a result, I don't scan anymore. But what scares me is that all of our employment files are being scanned in one person at a time through this. Never mind the security issues, we have a student devoting her day to scan, click through 10 screens, download file into folder, lather, rinse, repeat. What a disaster."

Wow, your copier sucks. All of the ones my clients have installed in the last 10 or so years dump scanned documents into PDF in a configurable directory on the file server (and can do different directories for different users, thus maintaining some semblance of access control)

And they staple, collate, bind, etc. They're great for printing manuals.

The first one I ran across had an external Linux box that hooked to the copier and did all the network stuff. It could email PDFs, it had a built-in Samba server that one could browse to and retrieve the PDFs, and there was some Windows software that could be used to retrieve one's documents. There was essentially no security, since it only had one master password for all users. The "users" were just a way to tag the owner of the document.
posted by wierdo at 1:31 AM on May 24, 2010


No mention of any cats.

Damn, just when I thought we might be close to solving the mystery...
posted by UbuRoivas at 4:59 AM on May 24, 2010


At my large company, our primary printing hardware vendor (rhymes with "Kate's Wee") gave us a number of security recommendations in managing our vast fleet of printers and MFP devices (we have no more dedicated copier-only units, only networked MFPs). One of the recommendations was to configure a setting on each of the print devices that contained a hard drive which would cause the printer to over-write any stored data once it had been "deleted."

When the time inevitably came to return these leased devices to the vendor in exchange for new replacements, we found that the MFP devices also had a feature that allowed us, remotely, to have the entire HDD over-written when we chose to do so. This was very handy, but we had a large number of printer-only devices which did NOT have that total-over-write feature. We set up a recovery process and worked out an agreement with the vendor. We now own scores of surplus 20 gb printer hard drives, which are destined to be wiped by tech aids and re-used as spare parts or recycled.

Because of our own diligence in asking questions, and our vendor's commitment to assisting in finding the answers to these questions, I was able to respond to the several inquiries this CBS story prompted (one from the head of IT security, one from the CIO's office, one from the head of Corporate Auditing, and one from the head of the Legal department), without breaking a sweat. I can state with confidence that not one unwiped disk left our custody.

This is not a new problem, just because some newsies are sounding the alarm.
posted by BigLankyBastard at 9:57 AM on May 24, 2010 [2 favorites]
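
The overwrite-on-delete setting and the whole-disk overwrite before return, as described in the comments above, are only as good as the check that they actually ran. The following is an added example, not part of the thread or any vendor's tooling: a Python check that reads a raw image of a wiped drive, counts every sector that is not the fill byte, and flags sectors that begin with a PDF, TIFF or JPEG header. It assumes the final wipe pass writes a constant byte (zeros here) and 512-byte sectors; `verify_wipe` and `build_sample_image` are hypothetical names, and the sample image is constructed.

```python
"""Post-wipe check for a raw drive image (added example, hypothetical names)."""
import io

SECTOR = 512  # assumed logical sector size

# Header bytes of the formats the thread says these machines store
# (PDF and TIFF scans), plus JPEG as another common scan format.
SIGNATURES = {
    "pdf": b"%PDF-",
    "tiff-le": b"II*\x00",
    "tiff-be": b"MM\x00*",
    "jpeg": b"\xff\xd8\xff",
}


def verify_wipe(image, fill=0x00, sectors_per_read=2048):
    """Scan a binary stream and report anything that survived the wipe.

    image: file-like object opened in binary mode (a raw image file).
    fill:  byte value the final overwrite pass is assumed to have written.
    Returns a dict with sector counts, the first dirty offset, and a list
    of (offset, format) pairs for sectors that start with a known header.
    """
    report = {"sectors": 0, "dirty_sectors": 0,
              "first_dirty_offset": None, "headers": []}
    offset = 0
    while True:
        chunk = image.read(SECTOR * sectors_per_read)
        if not chunk:
            break
        if chunk.count(fill) == len(chunk):
            # Fast path: the whole read is fill bytes, nothing to inspect.
            report["sectors"] += -(-len(chunk) // SECTOR)
        else:
            # Slow path: find which sectors in this read are dirty.
            for i in range(0, len(chunk), SECTOR):
                sector = chunk[i:i + SECTOR]
                report["sectors"] += 1
                if sector.count(fill) == len(sector):
                    continue
                report["dirty_sectors"] += 1
                if report["first_dirty_offset"] is None:
                    report["first_dirty_offset"] = offset + i
                # File data typically starts on a sector boundary, so a
                # header at the start of a sector is a strong indicator.
                for name, magic in SIGNATURES.items():
                    if sector.startswith(magic):
                        report["headers"].append((offset + i, name))
                        break
        offset += len(chunk)
    report["passed"] = report["dirty_sectors"] == 0
    return report


def build_sample_image(wiped):
    """Constructed 64-sector image: zero-filled, or with leftover residue."""
    img = bytearray(SECTOR * 64)
    if not wiped:
        img[10 * SECTOR:10 * SECTOR + 9] = b"%PDF-1.4\n"         # PDF header
        img[40 * SECTOR:40 * SECTOR + 8] = b"II*\x00\x08\x00\x00\x00"  # TIFF
        img[41 * SECTOR + 100:41 * SECTOR + 104] = b"\x01\x02\x03\x04"  # body
    return io.BytesIO(bytes(img))


if __name__ == "__main__":
    for label, wiped in (("unwiped", False), ("wiped", True)):
        print(label, verify_wipe(build_sample_image(wiped)))
```

A wipe whose last pass writes random data cannot be checked against a fill byte this way; in that case only the header scan is meaningful, and short signatures will occasionally match random sectors by chance.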




This thread has been archived and is closed to new comments