Saturday, 29 August 2015

Specialist Printing Equipment and Materials (Offences) Act 2015

I noticed this new law that came into effect in May this year [here].

On the face of it, it simply makes it an offence to sell specialist printing equipment to people where you know they intend to break any law using it. It allows for a 10 year prison sentence and/or fines.

Sensible law?

Well, I think not. Even if it works entirely as intended then what really is the point of this law? How would anyone selling such equipment actually "know" that the customer is intending to break the law? I cannot see any requirement to "make enquiries" as to the intended use of the equipment. I cannot even see a "might reasonably expect that the intended use is not lawful". The wording is that the seller "knows" the equipment will, or is intended to, be used to break the law. How would you prove, beyond reasonable doubt, that someone selling a printer actually knew the buyer was intending to break the law?

However, in my non-legal opinion, the drafting of this is really not very good, leading to several other problems.

What is a specialist printer?

I bet you would assume that it is things like the SIM card printer I mentioned, which can even do "invisible" UV printing that only shows under a UV light, and can have attachments to include a hologram laminate layer. Clearly that is a tad "specialist". However, the definition covers printers that can do any ID documents, or Travel documents, or Entry documents. Actually, it covers anything that is designed, adapted, or simply "capable" of making a relevant document.

Even so, that sounds like "specialist" equipment, i.e. stuff that could print a driving licence or passport. Well, yes, and no. It goes on to describe these, and includes any document that is a travel or entry ticket. So if you can print off your flight eTicket on a normal printer, or print the entry ticket to the beer festival, on a "normal printer", then that means every normal printer is a specialist printer because it is "capable" of printing such a document. OK, many such tickets have a bar code, so maybe the old daisy wheel printer I have in my loft would not count (though it would be capable of printing a QR code using full stops).

Also, the intended criminal use just has to be something using the printer, it does not have to be something using the printer to make these documents. It specifically says any criminal offence under UK (or non UK) law is covered. So if a printer is "capable" of printing any entry or travel ticket, it is covered, and if the seller knows it will be used in any way to commit any offence then they are guilty of an offence by selling it.

Example

If some company ordered a printer using an order form or letterhead which did not include the necessary details as defined in the Companies Act (e.g. company registration number and registered office), and perhaps when ordering or enquiring they even said to the seller that they need a new printer that can print their letterheads, like this one, then the seller would know that they intend to break the law (Companies Act) using that printer. It is a printer capable of printing entry or travel tickets, so is "specialist printing equipment", so the seller could get a 10 year prison sentence for that?

Not just printers!

It gets worse, the specialist printing equipment not only covers any normal printer, but also "any device, machinery or apparatus and any wire or cable, together with any software used with it".

So just selling software, or a USB lead, that is used with a normal printer to someone that you know is intending to break any law using a printer makes you a criminal.

Even worse, it covers materials used to make such documents, so if you sell paper you could be covered by this!

Conclusion

I can't help feeling that our government like making laws that can, in fact, encompass almost any citizen, just in case they feel like locking someone up.

Or, perhaps, conspiracy theories aside, this may be an example of how technically inept the government are, even in areas as simple as printing!

Friday, 28 August 2015

Printing SIM cards

It turns out that printing on SIM cards is a challenge!

There are many card printers that can print on normal credit card sized plastic cards and do an excellent job. There appear to be two main types :-

Direct Print

This is perhaps the simplest and cheapest and means using a coloured ribbon and a thermal transfer head to transfer some of the colour to the card using dye sublimation. This is the same trick used by some photo printers and typically allows good quality 300 dpi with 256 levels of each of Cyan, Magenta, and Yellow. For photo printing the Black is often done the same way, but interestingly for printing plastic card the black is usually a resin of some sort that is either on the card or not (1 bit per pixel printing) at the same resolution. CMY allows full photo colour printing, but the solid resin black creates a really crisp and sharp black text on a card.

This technique works well but is never quite 100% edge to edge. Some are better than others at getting to the edge. This also only really works when you have the standard, good quality, smooth, plastic card stock. It is great for ID cards and the like with a very slight white border.

Retransfer

Retransfer printers are different. I have seen some samples from at least three different makes of retransfer printer now, and they are not all the same. The way this works is there is a transfer film, slightly wider than a card, and you use the same printing technique using CMYK ribbon as above to print on to the transfer ribbon. Then, using heat and pressure, you transfer that print on to the surface of the card.

This allows edge to edge - the artwork is actually slightly bigger to allow for alignment of the card.

SIM cards

SIM cards pose at least two problems for printing. Well, more than two really, but the main two are that the material is not perfect. It is not a smooth plastic, but typically slightly textured. It also has an area where the chip is located that is not quite flat. It also has more of an issue with "over the edge" printing than normal as it will have a cut out, or more than one, for the SIM. It also has an area of electrical contacts. Finally, it may have some printing already (hard work to get supplier to provide truly blank cards!).

The Zebra ZXP 8 we use allows for this to some extent using an "Inhibit" panel on the ribbon. What this does is pulls the transfer material off its ribbon leaving a gap. You use this over the cut edges and the contacts. Sadly the alignment is not perfect so you have to have an unprinted area over the edges. If you don't use the inhibit then you get a cellophane type material in the air gap and on the contacts. It does wipe off, but sticks to everything, and is a mess. So you have to use inhibit.

However, two other makes of printer we have tried have no such issue, and the cut out in the card is simply, well, not printed! The contacts end up clean and unprinted too. This is much nicer and avoids alignment issues. The inhibit can also tear the ribbon which is a pain in the arse.

The other issue of the material itself not being smooth is that you need pressure and heat to transfer. The SIM cards we use are not under our control. They are provided by the big SIM card makers but are different materials, and we find the data SIMs are the worst.

In fact, in the Zebra ZXP 8, we have found we need near max temperature to make it work, and that quickly (in a few cards) buggers the transfer rollers. A lower temperature and speed is the only way we have managed so far.

The other big issue is that too much heat causes the card itself to warp and bend.

We are at the end of our patience with the Zebra, sorry, and looking to others. They are really good for plain plastic cards but not good enough for SIMs.

So we tried DataCard. They are nice, but cannot go hot/slow enough to work with the data SIM cards. Again, lovely on plain white card stock, and actually nice on the material that makes our voice SIM cards, but not up to doing the data SIM cards. Shame.

Result!

I am pleased to say that the samples I got today are stunning, and we'll get a proper demo next week. A new printer which is working on data and voice SIM cards nicely, has no cellophane effect and so needs no inhibit, and is even 600 dpi print. I'll post more in a week or two once we have one, and I have sorted linux drivers. We'll upgrade the web site for card ordering for 600 dpi images. We offer card printing now, mainly for ID cards for schools and the like, but if these printers can maintain this quality we'll expand on that and confidently offer bulk SIM card printing.


P.S. Even something as simple as card printing has nanny state legislation which is totally pointless. The Specialist Printing Equipment and Materials (Offences) Act 2015 makes it an offence to sell printing equipment to people knowing it will be used for illegal purposes - but how would any supplier know? It does not even say that suppliers have to ask. What a pointless law.

Thursday, 27 August 2015

Man Cave: Day 0

This is the first day that I really think that the garage conversion project is actually starting - workmen have been here all day clearing out the old dry lining, and stud work, and getting it ready to start work on Tuesday.

Of course, the BT fibre runs directly through one of the old bits of stud work, which is a slight snag, but we can sort that on Tuesday. The wasps' nest was old/dead, thankfully. The garage door still opened, but no runners, so left on until Tuesday. I have ripped out all of the old cabling, some of which was installed around 17 years ago. The old worktops and benches were dismantled, and a whole skip was filled today.

So, picture is boring today - looks like a garage again - and "no" to each of my kids that has said "we should make it a garage again", seeing as they all have cars.

Wednesday, 26 August 2015

Times change

I don't recall the date, but when we first moved in to this house I personally installed some cabling.

Internet back then was dial-up which I had just managed to progress to ISDN.

I installed good quality 5 pair external jelly filled telephone cable to every room in the house with a double phone socket initially. This involved a lot of crawling through the loft, drilling holes, and hammering in cable clips whilst at the top of a ladder. It was hard work.

I neatly terminated all of the pairs on a 40 way DP, so 8 rooms each with 5 pairs. It was very tidy.

My kids all had analogue phones with their own personal direct phone numbers in their rooms. The numbers are still used by some of them now, but VoIP and Mobile connected.

Over the years the use of the pairs ended up being 10baseT and even 100baseT as well as analogue telephone. It was not until much more recently that I ran actual cat5 from the loft down to every room along with multiple coax for satellite TV which is what we use now.

Much of the original wiring has been taken down off the walls, and all of the old sockets removed, but until today that DP still remained on my garage wall - neatly terminating all 40 pairs but connecting them to nowhere.

Now, I am tidying up, clearing everything out of the garage I don't need, and removing all of the old cabling, so it has finally been removed. I have also ripped out the old ISDN sockets and the old DSL/phone sockets.


All ready for the builders to start, even if that is delayed now to next week.

Received Packets With Error

This is driving me nuts.

I have changed a switch to a new HP 1820-24G, which seems quite a nice switch.


But I started seeing rx packet errors in the stats. Now, there is a fibre involved in the uplink on this, and I had moved the endpoint of that fibre to the loft and put an extension fibre patch lead in line, so naturally, seeing rx packet errors, I assume I have screwed up.

I have spent hours on this, new fibre patch leads, cleaning fibre ends, and so on. No joy. Still packet errors. I am coming to the conclusion the switch is lying to me, especially as, finally, it is getting to the point that it shows 1/3 of all Rx packets are in error, and that would be visible in other ways. Pings are clean, and no signs of issues with traffic apart from the reported errors.

But it is not as simple as Rx packet errors.

First off, I did not have a lot on the switch - an "uplink" on port 24, and a "downlink" on port 22 going to the switch in the loft and APs and a load of other stuff in the house. What was especially odd is that the error count for Rx errors on both (port 24 and 22) stayed the same!

So, I moved the uplink from 24 to 23. The count on 23 started going up but the total of 23+24 was the same as the Rx errors on 22!!!

I did the same the other way, moving 22 downlink to 21, but again the total Rx errors from the downlink port was the same as the Rx errors from the uplink.

This really made no sense, and the error rates were low. If I disconnected the downlink I did not see any errors from the uplink. I had an AP and a laptop connected on another port so could confirm all was working. It seemed to matter for the Rx count on the uplink as to whether the downlink was connected.

I spent ages checking and re-crimping cat5 cables, and cleaning the fibres, and changing patch leads and so on - no luck.

Eventually I decided it was clearly the switch being silly, and went on to the other job - reconnecting my neighbour on port 1 on the switch! This involved a lot of messing about drilling holes and James crawling around in the loft to see where I was poking it through and so on. Eventually I connected port 1.

Now things changed, the uplink Rx errors went through the roof, but the downlink did not - it was still low, and was no longer the same as the uplink. Port 1 showed no Rx errors. But if I disconnect port 1 then the uplink Rx errors go back as before, quite low. If I disconnect port 1 and 22, then the uplink errors stop completely.

I have to say WTF?

Update: If I send packets with no VLAN tag that are 1500 byte payload (so 1518 total) then no errors. If I send packets with a VLAN tag that are 1500 byte payload (so 1522 total) then errors count up. This is even when the switch is set to allow jumbo frames. A clue is that if I set not to jumbo it says the MTU is 1518 on all ports, not 1522. It is clearly a bug in the switch.
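The frame sizes in the update above, worked through as an added example (not the author's code and not the switch's actual firmware logic): it builds a 1500-byte-payload frame with and without an 802.1Q tag and runs both through a size check. `rx_verdict` is a hypothetical model of an oversize counter, and the MAC addresses and VLAN ID 100 are constructed values.

```python
import struct
import zlib

TPID_8021Q = 0x8100             # EtherType value that marks an 802.1Q VLAN tag
UNTAGGED_MAX = 1518             # 14 header + 1500 payload + 4 FCS
TAGGED_MAX = UNTAGGED_MAX + 4   # the 802.1Q tag adds 4 bytes, giving 1522


def build_frame(payload, vlan_id=None, ethertype=0x0800):
    """Return a complete Ethernet II frame: header + payload + FCS."""
    dst = bytes.fromhex("020000000001")  # constructed, locally administered MACs
    src = bytes.fromhex("020000000002")
    header = dst + src
    if vlan_id is not None:
        # TPID, then TCI (priority 0, DEI 0, 12-bit VLAN ID)
        header += struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)
    header += struct.pack("!H", ethertype)
    body = header + payload
    # Ethernet FCS is CRC-32 over the frame, least significant byte first
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def is_tagged(frame):
    """True when the field after the two MAC addresses is the 802.1Q TPID."""
    return struct.unpack("!H", frame[12:14])[0] == TPID_8021Q


def fcs_ok(frame):
    """Recompute the CRC-32 and compare it with the trailing 4 bytes."""
    expected = struct.unpack("<I", frame[-4:])[0]
    return (zlib.crc32(frame[:-4]) & 0xFFFFFFFF) == expected


def rx_verdict(frame, tag_aware):
    """Hypothetical receive check: FCS first, then a maximum-length test."""
    if not fcs_ok(frame):
        return "fcs_error"
    limit = TAGGED_MAX if (tag_aware and is_tagged(frame)) else UNTAGGED_MAX
    return "ok" if len(frame) <= limit else "oversize"


def survey():
    """(length, verdict with fixed 1518 limit, verdict with tag-aware limit)."""
    rows = []
    for vlan in (None, 100):             # untagged, then tagged with VLAN 100
        frame = build_frame(bytes(1500), vlan)
        rows.append((len(frame), rx_verdict(frame, False), rx_verdict(frame, True)))
    return rows


if __name__ == "__main__":
    for length, fixed, aware in survey():
        print(length, "fixed-1518:", fixed, "tag-aware:", aware)
```

A check that applies 1518 to every frame flags the valid tagged frame even though its FCS is correct, which fits clean pings alongside a rising error counter.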

Sunday, 23 August 2015

0000

I have a friend who has a lock PIN on his phone of 0000.

What does that mean? Well, for a start, it means he does not really care too much about the data on the phone being used by someone else, but it means more than that.

It is about boundaries.

He has in fact "locked" his phone. Someone trying to get in, even if they know or guess 0000, is breaking through that lock.

I think morally, and possibly even legally, "breaking in" is massively different to being let in. The lock says that you are "not authorised", so things like Computer Misuse Act kick in if you go past that point.

If someone wanders in to your house through an open door, it is not the same as someone using a very simple lock pick to get past a really poor quality lock and opening your front door.

I started wondering if this had wider implications. E.g. if someone like Apple have a backup of your data, including a backup of your private keys used by iMessage and the like, protected by a relatively low entropy key like a 4 digit PIN for example, what happens if asked for that data. Well, they can honestly say they do not have the data as it is encrypted. I am not sure if existing laws allow authorities to request that they "hack" what they have (e.g. trying all 10,000 four digit PINs). Expecting a company to hack in to their customer's data would be a heck of a step legally and morally, but having a good reason not to disclose it because of the protection may be enough?

We can only hope that laws do maintain some concept of boundaries in the future - not just in the real world, where it matters if you invite a bailiff in to your house or he forces his way past you, but also in the computer world, where it matters if you break past a 0000 PIN or do not try to.

Saturday, 22 August 2015

Back door keys

One of the big issues with a "back door" for authorities to use is that these common keys have to be simultaneously kept secure, and made available to a wide range of people in authority.

No, for a change I am not actually talking about "back doors" in encryption, which is what David Cameron and Theresa May seem to be asking for.

No, in this case I am talking about the TSA master keys for TSA approved luggage locks so that they can inspect baggage. There are several pictures floating around the Internet now, with high enough resolution to allow copies to be easily made.


This is a very clear example of the problem with any sort of "back door", and don't be fooled that for encryption systems the "keys" could be kept securely in one place - the "access" to make use of those keys will be wanted one way or another by every police force and authority entitled to use them under RIPA or similar legislation. Bribing someone with official access won't be any harder than photographing physical keys.

Back doors undermine security - full stop.