# The Lexmark lesson--make more noise



## mimo2005 (Oct 2, 2004)

*The Lexmark lesson--make more noise*


By Rupert Goodwins
November 18, 2004, 12:36 PM PT

Lexmark's printers are smarter than they look. Perhaps a little too smart--a recent story showed that the printer drivers for a recent model were surreptitiously relaying information over the Internet back to base. Users were mystified, and more than a little outraged. Spyware, they said. Lexmark was stung. 'It's not spyware, it's remote reporting about printer parameters,' the company said after a marked pause. We told you all about it when you installed the drivers. It's even got a name--Lexmark Connect. 

Remote reporting is nothing new. Mainframes and minicomputers did it back in the 1970s, using a modem to dial up a service agent when something was amiss. More recently, printers on LANs have done it to warn the system administrator of paper problems or other mishaps. It's a simple enough task: the printer's internal microcontroller spots the error and sends a code down the communications link. 

With PCs on broadband, it's just a matter of the printer driver parceling up data collected from the printer, establishing an HTTP link--thus bypassing any firewalls--with a remote server, and sending the message. There's virtually no extra load on the connection, and the printer manufacturer gets valuable usage information that can be used in designing the next generation of products. 

So what went wrong? The problem is that such behavior is identical to that of spyware--stuff you don't want--which earns its crust in exactly the same way by quietly passing data back to a third party. The only difference is that users are supposedly informed about the Lexmark software. That clearly didn't happen, at least not in every case: if you don't know, then it's spyware.

That knowledge may be easy to miss. Not every user installs their own printer. Some systems come with printers pre-installed; some are set up by technicians on delivery; some by passing help. Not everyone reads all the disclaimers, end-user license agreements, warnings, copyright statements and other densely worded legalese that habitually demands our clicks of allegiance when we load new software. This is partially the fault of the companies that rarely take the time to clearly, simply and unambiguously say what's happening and why--and sometimes give the impression of omitting this deliberately. We have learned to think of this stage of installation as a pointless annoyance, to be got through as quickly as possible. 


Users do have some responsibility. It is a commonplace in consumer electronic companies that you could print "*READ ME FIRST*" in the biggest, reddest letters available, on every part of the packaging, handbook, installation notes and CD covers, and the user wouldn't even glance at it until they'd plugged stuff in and failed to make it work. Even here, though, that's what people do--manufacturers have to assume the worst and design their products accordingly. 

Finally, people forget. They read something, click on OK, and move on. Life is too short to remember that an obscure piece of software attached to your printer will sometimes do something you'll never see. The company may well have made 'full disclosure' of Lexmark Connect during installation, but it patently wasn't full enough to prevent people from interpreting the subsequent behavior of the software as underhand and unexpected. 

Lexmark is also the architect of its own misery in other ways. It has got a rotten reputation for obstreperous behavior with third parties. An ongoing case in the United States has seen it try and use the controversial Digital Millennium Copyright Act (DMCA), a badly worded piece of legislation that exists to protect intellectual property, to prevent anyone making alternative ink cartridges. 

The Lexmark parts have a chip that tells the printer "I'm kosher": anyone wanting to build their own cart has to replicate the actions of that chip. Such replication is against the DMCA, says Lexmark as it unfurls its lawyers. So far, the case isn't going Lexmark's way--and neither is the publicity. If people suspect that Lexmark is being underhand in collecting data, they'll be predisposed to believe it. 

It is not unreasonable for Lexmark to want to know how its printers are being used. There are some good, solid commercial arguments for knowing this, even for using the data to remind the user when supplies are running low. It's possible to run a fully automatic delivery service: once you've signed up, you get new cartridges popping through your letterbox without any further effort on your part. Dell likes the idea of this--it is using Lexmark technology to just this end--but it's arguable whether this book club approach will really give users the full benefits of choice and competition. In the end, it's up to the users.

And this is where the Lexmark scheme falls down. By hiding the process of reporting from the user except at one easy to miss point, it disguises itself too well and removes the user from the process. Compare this with Microsoft's error reporting scheme--when it wants to report home, it pops up windows, asks questions, offers to disclose everything that's being sent and provides links for further investigation. There has to be a balance--nobody wants to be ticking boxes for every page of A4--and doubtless the amount of data passed back will be less, as more people choose to disable the reports either temporarily or permanently. 

Proper social engineering is the answer for anyone seeking to avoid Lexmark's woes. The chance to know more about users is too good to pass up, and is just one of the ways that the connected enterprise can make good, effective use of the new opportunities of the Internet. Without a good understanding of how users will perceive the process, remote data collation can backfire: get it right, and everyone benefits.


http://news-reader.org/article.php?group=comp.periphs.printers&post_nr=326130


----------



## mimo2005 (Oct 2, 2004)

Lexmark 

--------------------------------------------------------------------------------

Author: Commander 
Subject: Lexmark Printer Users Beware of Spyware 
Body: Yes, Lexmark is now in the Spyware business! 

Just the other day I purchased a new Lexmark X5250 All-in-one printer. 
I installed it as per the instructions and monitored the install with 
Norton as I do with all new software. 

On reviewing the install log I noticed a program called Lx_CATS had 
been placed in the c:\program files directory. I investigated and 
found a data log and an initialisation file called Lx_CATS.ini. 
Further investigation of this file showed that Lexmark had, without my 
permission, loaded a Trojan backdoor on to my computer. Furthermore, 
it is embedded into the system registry, so average users would likely 
never know it was there and active. 

This Lexmark Trojan was programmed to monitor my use of the printer by 
way of data collected from two DLLs in the c:\program files\lexmark500 
folder. The Trojan would then send information on printer usage, 
including types of print activity, scanning activity, OCR activity 
etc., back to a hidden URL at 30 day intervals. 

The URL, www.lxkcc1.com, is identified as being owned by Lexmark. 

When I called and spoke with Lexmark support, they denied all 
knowledge of any such program, and suggested I had somehow been 
infected by a virus. When I challenged them with the facts, they 
ultimately acknowledged that this was indeed activity tracking software 
that reported printer and cartridge use back to them for "survey" 
purposes. Lexmark said that "no personal data" was relayed by the 
program, and that I could not be personally identified by it. However 
- the program transmits the printer serial number, and when I 
registered the warranty with Lexmark, they recorded my personal 
information along with the serial number. How much effort does it take 
to match the two? 

I call it spying! I was not advised of this part of the installation, 
nor was I asked to agree to be part of any such data gathering 
activity. I see this as a breach of my privacy, and as deplorable 
behaviour by Lexmark. 

Lexmark users beware! But, they may not be the only ones stealing your 
private information. 



http://news-reader.org/article.php?...&post_nr=326130


----------
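The post above describes a driver component that contacts www.lxkcc1.com at 30 day intervals. As an added example (not part of the original post, and not Lexmark's code), this is one way to confirm that pattern from an outbound proxy log. The log format, client addresses and the `/report` path are constructed assumptions; only the domain and the 30 day period come from the post.

```python
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Domain named in the post; its subdomains are matched as well.
WATCHED_DOMAINS = {"lxkcc1.com"}
# Constructed sample proxy log: "timestamp client-ip method url".
SAMPLE_LOG = """\
2004-08-03T09:14:02 10.0.0.21 POST http://www.lxkcc1.com/report
2004-08-05T11:00:00 10.0.0.50 GET http://lxkcc1.com.example.net/
2004-09-02T09:14:05 10.0.0.21 POST http://www.lxkcc1.com/report
2004-09-10T16:01:11 10.0.0.34 POST http://www.lxkcc1.com/report
2004-10-02T09:13:58 10.0.0.21 POST http://www.lxkcc1.com/report
truncated line
"""

def is_watched(host):
    """True for a watched domain or any subdomain of it, not lookalikes."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)

def parse(log_text):
    for line in log_text.splitlines():
        try:
            stamp, client, _method, url = line.split()
            when = datetime.fromisoformat(stamp)
        except ValueError:  # wrong field count or unparsable timestamp
            continue
        yield when, client, urlsplit(url).hostname

def telemetry_report(log_text, period=30, slack=2):
    """Per client: contacts to watched domains and whether gaps fit the period."""
    hits = defaultdict(list)
    for when, client, host in parse(log_text):
        if is_watched(host):
            hits[client].append(when)
    report = {}
    for client, times in hits.items():
        times.sort()
        gaps = [(b - a).total_seconds() / 86400 for a, b in zip(times, times[1:])]
        report[client] = {
            "contacts": len(times),
            "gap_days": [round(g, 1) for g in gaps],
            "periodic": bool(gaps) and all(abs(g - period) <= slack for g in gaps),
        }
    return report

if __name__ == "__main__":
    print(telemetry_report(SAMPLE_LOG))
```

A client with a single contact is still listed, since one request is enough to show the component is installed; the `periodic` flag needs at least two contacts.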

