As far as I know many countries use Digimarc for their money.
EDIT: Here is a source:
Recent versions of image editors such as Adobe
Photoshop or Paint Shop Pro refuse to print banknotes.
According to Wired.com, the banknote detection code in
these applications, called the Counterfeit Deterrence
System (CDS), was designed by the Central Bank
Counterfeit Deterrence Group and supplied to companies
such as Adobe as a binary module. However,
experiments by Steven J. Murdoch and others showed that
this banknote detection code does not rely on the
EURion pattern. It instead detects a digital
watermark embedded in the images, developed by
Digimarc.
An interesting hack is that this Digimarc pattern could be used for a Copy Attack [1]. To my knowledge the mark is not tied to the image of the bank note in any way. So in short:
You could extract the Digimarc pattern and apply it to any other document, which then in turn could not be edited by mentioned software.
The fact that the watermark detection algorithm doesn't seem to require a tremendous amount of processing power unlike most image processing/detection algorithms - apparently it's present in scanners and photocopiers too - implies that it could also be embedded in camera firmware, making it very possible to produce cameras that refuse to take pictures of certain things... I find that more unsettling since scanners/photocopiers are somewhat more specialist equipment today, whereas practically everyone has at least one camera. Imagine not being able to take a picture of something crucial like a crime in progress because there happened to be something watermarked present in the scene. That's why I don't believe in leaving these types of moral decisions to the machine.
I think it's only the legal issues that keep people from RE'ing the algorithm and generating obviously-non-banknote images which get detected, in a similar spirit to this:
Wait, so you are against the new PROTECT system that scans all images for signs of child sexual abuse and blocks and reports any images containing those signs? Why do you love child abuse images so much? Why are you protecting child molesters? Are you are a pedophile?
All said with a /s, but with a serious question. What happens when we reach a point where the software and hardware exist to do this? Many hosting providers are already doing something similar as well. I believe they work by taking a image hash and comparing it to a known database, but the newer hashes work even as the images are slowly modified.
Would there be any way to stand against this trend without being demonized?
Similar is the argument that anyone who wants privacy/freedom is either a criminal, terrorist, or hacker (cracker)... but "think of the children" evokes such an emotive response among most of the population that it's difficult to counter.
I'm just glad we're not at the level of "open-source image processing software and hardware enables banknote counterfeiting" yet...
> Would there be any way to stand against this trend without being demonized?
Every political position is demonized by its opponents. The ones that are successful are championed by people that persevere even though they are demonized. (That is not, of course, to say that all those with such champions are successful, however.)
Note that the Digimarc currency watermark is distinct from the EURion constellation. The latter has been well-documented publicly, the former not yet, as far as I know.
It's interesting hearing complaints about GIMP from Photoshop-using friends. They're mostly the same complaints I had trying Photoshop. It's clear to me the problems are more experience than legitimate issues.
I like how the workaround is to open the file with The Gimp and export to psd. Then Photoshop will open it fine.
I'm assuming this is a case of "the suits told us it couldn't import banknotes", so they made it not import banknotes. Banknotes that were already imported... well you didn't say anything about that.
(The same thing happened for the DVD encryption. Someone asked an engineer for encryption. The engineer just happened to have made it easy to bruteforce the key, negating the entire point of the encryption.)
Remember: you're the software engineer -- write the software you want, not the software you think someone wants you to write.
> (The same thing happened for the DVD encryption. Someone asked an engineer for encryption. The engineer just happened to have made it easy to bruteforce the key, negating the entire point of the encryption.)
The DVD Content Scramble System came out in 1996, at which time the US still heavily regulated the export of "strong" crypto. DVD-CSS uses a LFSR-based stream cipher with a 40 bit key because it could be implemented efficiently in hardware, and the export restrictions did not apply to ciphers with 40 bit keys. Considering the constraints it was designed under I don't think anyone should be inferring that it was weak on purpose.
> Remember: you're the software engineer -- write the software you want, not the software you think someone wants you to write.
That's easier said than done, kudos to those that pull that off but there is this thing called code review and if your co-workers are halfway competent you'll get called on what you built. In some cases that can be a career limiting move.
Better to pick your employers so that you don't end up as an enabler of technology used against the public interest.
Of course if you're going to 'take one for the team' and purposefully gain employment somewhere for the sole reason of messing with the machine that's a laudable strategy but it will likely come at a price in the longer term.
Figuring out how to manipulate the Someone so that they want you to write what you want to write- or at least tell you to write what you want to write, or to compromise on writing something closer to what you wanted to write- seems a useful strategy for mitigating those risks.
I have recent relevant experience in this regard. I'm working on a system for university-level language professors, a large part of which is making it easy for them to use videos for homework assignments. We recently had a meeting with one of the university's copyright lawyers to ensure that the video delivery system was sufficiently "safe", and they'd be legally protected from being sued for copyright violations when professors want to use films in their classes.
We quickly discovered that, if we explained things well enough that the copyright lawyer was capable of understanding how decrypted video ended up on the students' screens, and thus how a sufficiently tech-savvy student might possibly pirate it, they would freak out and insist we Do Something More. The obvious solution: stop explaining how things work, 'cause this is just making more work for ourselves. Tell them "other people used this thing and didn't get sued", and deflect all technical questions, on the other hand, and they leave us alone and let us work on something reasonable.
That's easier said than done, kudos to those that pull that off but there is this thing called code review and if your co-workers are halfway competent you'll get called on what you built. In some cases that can be a career limiting move.
And so it should be. We're talking about a technological measure that is being implemented with the intent of preventing an actual crime. There is a real possibility in this case that undermining the measure will increase the amount of that type of crime that is committed. There is also little evidence that the measure is being abused by others on a significant scale with actual negative side effects for anyone.
Now, a developer might not want to implement that measure because they were concerned with other consequences that might not be in the public interest, or with the future potential for such consequences. This might be a perfectly reasonable position morally and/or technically, and as you say, that developer has the choice not to take that job. It's not as if good programmers are starving in the streets for lack of other opportunities, after all.
But if you do take a job as a programmer on a project, typically your authority and responsibility do not extend to setting the requirements and deciding on policies like this. If you presume to deliberately undermine those whose jobs do include making those decisions, you should be treated as a bad employee and dealt with accordingly, and that does include being fired, getting a professional reputation for being unreliable and not a team player, and so on.
All I'm saying is to think about what you want to do, and understand that in the context of employment, business goals, and so on. Don't just take someone's task list, and work on it from top to bottom. Make the task list something you own and want to work on.
Also, if you decide you don't want to try that hard on "anti-counterfeiting" protection, that's fine with me ;)
If you fuck up your goals, yup, you could be fired. Supply of programmers is much lower than demand, so I bet you'll find more work. Or you can retire and repair bicycles for a living. You'll do fine.
"Encryption" of media like that is always just going to be obfuscation, you get protection form the anti DMCA removal law, the actual encryption isn't worth the bits it flips. In fact, if you make it "stronger" from a cryptographic standpoint you simply make it cost more to decode and add no strength to the actual defense it is trying to provide (getting further under DMCA umbrella). If you want to criticize it was probably foolish to include actual encryption in the first place, why waste cycles when you can XOR with 0x69?
write the software you want, not the software you think someone wants you to write.
This brings up the thought of whether some of the developers for locked-down systems like game consoles, phones, tablets, etc., are deliberately introducing vulnerabilities with the intention of enabling users to use them to take control of their devices, and of course they would behave entirely as if it was accidental. It's somewhat far-fetched and optimistic, but certainly a nice possibility to think about...
I feel like it's more of a case of "Never attribute to malice that which is adequately explained by stupidity.".
Even though console/content lockdown is a business line item, it's not as much of a priority to the business to ship a console that will sell well, and to develop it with deadlines that are too short.
"Remember, you're the politician. Pass the laws you want, not the laws you think the electorate want you to pass."
"Remember, you're the soldier. Fight the wars you want, not the wars you think your country's leadership want you to fight."
"Remember, you're the fireman. Fight the fires you want, not the fires you think the person who called 911 wants you to fight."
The idea that you should do whatever you want regardless of the team or management you work with looks pretty dumb when you apply it to situations that actually matter. The world would not be a better place if everyone decided to just assume they're right all the time and ignore everyone else.
The idea that you should do whatever you want regardless of the team or management you work with looks pretty dumb when you apply it to situations that actually matter.
I see that principle as putting the responsibility back into the shoulders of the person carrying the action.
I see it as a way of ignoring the "just following orders excuse".[1][2] So no, I don't think it looks pretty dumb, I think it is as something to consider seriously.
I see it as a way of ignoring the "just following orders excuse".
You're going to Godwin the thread? Really?
If you do want to make that argument, please consider firstly that the Nuremberg defence failed, in that particular context, because it was considered so obviously inappropriate for the defendants to act as they did just because they were ordered to do so that they should have known better and refused to comply.
Secondly, please also consider that the Nuremberg verdicts stand in stark contrast to normal military discipline in basically every armed service in the world, where refusing to follow a lawful order from a superior officer is grounds for a court martial and potentially a severe punishment.
In particular, the current situation recognised by the International Criminal Court and the 100+ signatory states to the Rome Statute lists only genocide and crimes against humanity as manifestly unlawful, potentially admitting the superior orders principle as a defence in other cases where the defendant believed they were complying with a lawful order. This is even noted in one of the links you gave yourself.
In any case, I would hope we all agree that being instructed to implement a software safeguard against criminal production of counterfeit currency is not on the same scale as being instructed to execute millions of innocent people in gas chambers.
There are multiple dimensions to command and authority. Let's try these:
"Remember, you're the politician. Pass the laws you want, not the laws the party leaders say you should pass."
"Remember, you're the soldier. Complete the mission without unnecessary collateral damage, even though you wouldn't be punished for killing civilians unnecessarily."
"Remember, you're the fireman. Exercise caution the way you want, not how you've seen firefighters in movies act."
Sometimes you should ignore people and pressure to do the right thing.
They mention this was "discovered three years ago", but I was sure I remembered this from years back.
"Adobe adds algorithms to Photoshop that prevent users from opening or printing scanned money. While we've been aware of this feature for quite a while"
Posted by Craig Swanson on May 14, 2006 07:03 PM
http://www.creativetechs.com/iq/how_to_use_scanned_money_in_...
I encountered this error in 2005 on a Photoshop version that was 2 or 3 years old. Also, back then you could mirror the scanned bill in some other app and it would open fine in PS. It is funny how this is still front page news in 2015 :P
Me and a friend tried it with a (UK) bank note while we were at school, way back in the 90's, and received a warning about not being allowed to print scanned currency on screen when the scan finished. It might not have been Photoshop we used (Paint Shop Pro springs to mind), but similar detection techniques have been around for a long time!
I'd download all the rest, but not money. The reason being that the money will exchange for things of greater value than the work you spent on manufacturing the banknotes; while, when it's possible to download and manufacture a car at home, the car will have the same value as the work you spent on making it. In short, making your own money screws the economy; making your own cars doesn't.
If you zoom in, you can see 50 written in many places in a really tiny font, barely visible if you look at it with the naked eye. In number 1, the yellow dots are clearly visible (if I remember correctly these are what Photoshop looks for).
It depends on what you want to use it for. Australia currently has polymer currency that means we've basically forgotten about counterfeiting, but before that we had a $100 note that was greyscale with a bare whiff of colour. Not the best design. You'd occasionally hear stories of people who'd simply photocopy the bill on standard paper, scrunch it up to look used, then find a sleepy clerk at a late night convenience store. Buy a couple of bucks worth of stuff, leave with >$95 real change. You'd have to be pretty inattentive to be fooled by it, but, well, humans have foibles...
Counterfeiting is unfortunately still a thing in Australia. A friend who runs a cafe makes his staff subtly attempt to tear any $50 note they take due to counterfeiting in the past.
They were caught out by scammers (or unknowing people with scammed notes) several times last year and the bank rejected the notes (and of course wouldn't hand them back)
Apparently the counterfeit notes are sometimes on a plastic too, but not sturdy enough to withstand a quick tear. I'm not sure how long that will hold true though.
I stand corrected. I knew there was still a little out there, but it sounds like more than I thought. I remember doing retail in my mother's shop in the paper note days and having to be moderately vigilant, and I've not seen retail staff doing any routine sort of note-checking since the start of the polymer days.
"Printer steganography is produced by laser printers, including Brother, Canon, Dell, Epson, HP, IBM, Konica Minolta, Kyocera, Lanier, Lexmark, Ricoh, Toshiba and Xerox, where tiny yellow dots are added to each page. The dots are barely visible and contain encoded printer serial numbers and timestamps."
There is nothing preventing Adobe from implementing a script that auto forwards your account details (Via Adobe Cloud!) to law enforcement if the CDS detects money. That alone could easily be made into probable cause and based on how easily warrants are being given nowadays, could easily lead to a no knock warrant being issued.
I imagine the legal bill developing that scheme wouldn't be small as there are quite a few countries laws to be considered. Here in NZ the way to get a massively overreaching search warrant is just to say that the FBI are interested, see Kim Ditcom.
The awesome article exploring and testing the protection mechanisms, with pictures, from ~2009 (actually earlier probably, that's the "last modified" date of the article):
Interestingly even Adobe doesn't know what it is, the detection software was supplied to them as a binary. I messed around with it in a similar way to the author out of sheer curiosity and ended up completely baffled by the whole thing, even trying to eliminate parts that aren't triggers is impossible by my measure. I should make it clear I have no desire whatsoever to thwart the system (as others point out, simply using different software does that), but the methods it is using seem to completely defy all of the fingerprinting systems I'm aware of and is therefor incredibly interesting as a result.
Doesn't AFL rely on being able to compile the application with it's hooks? It's been a long time since I've messed with Photoshop, but it's a complete mess of random dead code inside (even includes poems about a dead dog believe it or not), chances are you're looking for a completely obfuscated bunch of assembly in the hundred plus megabyte binary. I love Hopper, but not that much.
According to wikipedia [0], the code that recognizes money was given to Adobe as a binary blob. So no go even if you have acces to the Photoshop source code.
[0] http://en.m.wikipedia.org/wiki/EURion_constellation
Yes, you're right. I'm admittedly not at all an expert on this type of thing, but surely some randomised testing, starting from a real banknote and making small mutations, would be doable.
Oh sure, you could make a quick imagemagick script to make random variations and get a pass/fail with AppleScript, or even do some exploring with a debugger while opening one. Main barrier is motivation, I have no desire to counterfeit money (and who would use PhotoShop for that anyway), so I decided to let that rest.
Which means this entire thing can be defeated by Software Cracking 101 - look for the error message that gets triggered when you do the thing you're trying to change, work backwards, and change the JE/JNE assembly instruction or NOP it out.
Somehow I think it's not that simple, but also somehow I think that real counterfeiters will not be deterred by this manner of weak DRM.
It's not meant to deter "real" (professional) counterfeiters -- this, along with the copy machine code, is meant to stop casual counterfeiting. Which is a good thing, as there are quite a number of people who are normally honest, yet could be overcome with a strong enough temptation (getting a free $20 bill), if it appears easy enough.
And of course they will get caught and have their lives ruined. So by making the act of falling into the temptation a bit harder, you are keeping more honest people honest.
I've run into this a couple of times over the last 10 oer so years when scanning documents. Rarely, a document will trigger a false-positive on a network scanner (or printer-scanner-copier) and I have had to manipulate the document by trial/error to trick the device into scanning it properly.
A few months ago, one of our Konica all-in-one units flat out refused to scan a customer invoice, claiming that it's illegal to scan banknotes.
In the Netherlands there is nothing illegal about copying money; what is illegal is spending it (or having it spent by someone else) as real money on purpose.
Idea behind that, I think, is that there is a gradual scale from real money to good counterfeit to lousy counterfeit to images of money printed in a journal or even on a coffee mug to basically whatever can be printed.
Though from what I understand, it's illegal to make copies (electronic or otherwise) of banknotes in both Scotland and the USA.
When I was recently in the US, I bought a novelty pad of oversized $100 bills from the Bureau of Engraving and Printing gift shop. It's obvious they're not real but they have all the hallmarks of a real bill - a serial number, same print, series number and even the phrase "THIS NOTE IS LEGAL TENDER FOR ALL DEBTS, PUBLIC AND PRIVATE". Even a fake (monochrome, scanned and non-reactive) security strip.
My fiancée bought a similar pad of oversized novelty £20 notes here a few years ago which were littered with the word "specimen" and small print stating that they were for novelty use only. Additionally, many government websites with images of banknotes here have the word "specimen" printed quite prominently on their images (except where the image is a photograph of a banknote in some setting, not stand-alone).
In the US you are allowed to create fake banknotes but there are some restrictions on how closely they can resemble real ones. According to the Counterfeit Detection Act of 1992, a reproduced bill must be: a.) either less than 75% or more than 150% the size of a real bill, b.) one-sided, and c.) made with only one color
Photocopiers will keep a count of the number of attempts to copy currency, and the copier leasing company tracks those numbers. I wonder if Photoshop does the same.
Nothing new, and honestly I'm not so worried about Photoshop, as it's some closed-source program, which does whatever it wants and has a bunch of good alternatives anyway (well, for drawing purposes, at least, because I still can't convince myself Gimp is usable).
What is much more disturbing: I still don't know if it's possible to find hardware devices like scanner and printer, that do what they are intended to do, and are not masking banknotes or leaving special marks on printed image.
From the first paragraph of your link: "Research shows that the EURion constellation is used for color photocopiers and is likely not used for computer software."
For a marketing campaign, "bonus cash" was the offer. An image that wouldn't open in Photoshop was able to open in Illustrator, which, dragging that image from Illustrator to Photoshop worked perfectly.
They yellow dots watermark output with printer identification information. I think this serves CDS, but has potential to be used/misused for so much more.
Sorry, I forgot that the printer dots were lingering in the HN consciousness- I was thinking of these things [0] (shown here [1] on the us $10, with little ones next to them to give apparent visual purpose) which I've also seen on non-currency things such as event/movie tickets iirc. Wikipedia suggests a scanning-hardware focus of the circles, as opposed to the software focus of the "Counterfeit Deterrence System" discussed in OP.
Actually I believe it was added to PS 4.0. Probably improved upon since then. So you can dig up an ancient 90s high quality inkjet and PS 3.0 to copy money if you really want to.
Or you could do what the really clever criminals do and just go into banking and finance.
EDIT: Here is a source:
http://en.wikipedia.org/wiki/EURion_constellationAn interesting hack is that this Digimarc pattern could be used for a Copy Attack [1]. To my knowledge the mark is not tied to the image of the bank note in any way. So in short: You could extract the Digimarc pattern and apply it to any other document, which then in turn could not be edited by mentioned software.
[1] https://en.wikipedia.org/wiki/Copy_attack