A warm welcome from me once again. Hello everybody. Nice to be here so late tonight. I heard this is prime time, at 11. I am David, a computer science specialist from Bonn. And I'd like to start with what was in the past in Bonn, or when you looked at streams from Congress, or when you were here: afterwards there are always some kinds of devices that you don't really like to use anymore because of what you heard in the presentations. Like when you were in starbug's talk, you don't like to use biometric devices anymore. One piece of advice: if somebody has a special relationship with his copy machine, this presentation is not free for you.
In this presentation we'll do three things. We'll look at one of the most common and most dangerous bugs of the last years. And we'll try to make it plausible for techies and non-techies, and interesting at the same time. And for activists we'll look at how a single person can deal with going against a big company. So I'll talk about how this developed, which mistakes I made and how it went down.
And it's a little bit like a novel. It starts with a prologue for the conspiracy theorists, starting in 2008. In 2008 there were the primaries in the USA, with Obama against Hillary. And there were some anonymous mails that should be useful to Hillary. It was said that Obama was born in Kenya and was thus not fit to be president, because you need to be a natural born citizen. Which is not actually properly defined; the Americans are not really sure themselves. Yeah, at least you need to be American born. Common knowledge is you need to be American, and you need to be American at your birth. So that Barack Obama's second name is Hussein is also not that optimal in that context. So then he published his short birth certificate, the one behind the speaker. But if you're a good conspiracy theorist you're not going to be dispelled by facts. Immediately there were claims that the birth certificate was false.
Like, a stamp was not in the right place and stuff like that. Now you see some license plate stickers or car stickers claiming that Obama wouldn't be fit to be president. This is the birther movement. They want to prove that Obama is not a real American. So two and a half years later, when Obama was already president, he published the long form of his birth certificate, shown on the right in the picture. So you could think now it would be quiet, but again there were claims that the birth certificate would be false.
Let's look at it in a bit more detail. The left picture is a strong magnification of the right image. And uniformly coloured. And you can see that between the different letters, between the one and the four, there are various differences in gradient and sharpness. And how is it that there's such a difference within one and the same line? In this additional example you also see that between the two boxes there's a very strict start, a hard difference between the boxes and the rest of the text. So in this additional example you also see that between the two boxes there's a little difference between the two boxes. This part of the image is taken from the stamp. So it looks like there was a printing error in the stamp, but that's very unlikely. So maybe you could even say the intern in the White House was too stupid to use Photoshop. So for Obama it was a bit that he was not born in the USA. He believed that Obama was not born in the USA. And even today they still get a justification for the comments.
Okay, now we jump to 2013. On the 24th of July 2013, a company called me, and they have two big Xerox WorkCentres. Xerox WorkCentres, those are huge business copying machines that every company has. They have networking, they can scan, print and fax and mail and print and everything. And they cost as much as a little car.
And that's not your grandmother's printer; they have hundreds of users per machine. And here you can see a blueprint. The black spaces are not original. I blotted them out because I couldn't have used this blueprint otherwise. But there are three yellow places, and these yellow places are standardized blocks which show the area of the room in square meters. And we talk about those now. And the company said, hey David, if we scan the blueprint, there are different scans, there are different numbers after we have scanned them. Can you take a look at that? And on the left side, that's me. Okay, we have to say, there's always a good atmosphere with them and my parents helped me. And this company did IT service for the company and they were very friendly and I thought they were pulling my leg. So, right, yeah, a copier changing numbers. You hear that every day, of course. Yeah, and they said, oh, no, really, look at it, look at it. We need this machine, it has to work properly.
Okay, so I went there and took a look, still thinking, hm hm, they just pranked me. They have a Xerox WorkCentre 7535, and here are the three original things before the scan. So I can read that: at the top is 14.13, then there's 21.11 square meters, and on the lower one there's 17-point-something square meters. So I put the blueprint into the WorkCentre and scanned it. And here are the same places after the scan. And so apparently that's quite funny, right? All the rooms are now 14.13 square meters. No, that's impossible. This isn't happening there. I still thought this was a prank. So just to say it, I have been asked this a lot of times: there was no OCR. The replacement of the numbers really happens on the pixel level. The company has another WorkCentre, the 7570, and there are many, many more like this. It's a big family of machines, and on the small one there were always the same numbers that came out.
On the big one, every time there were different numbers, and so it's bigger. So there's more CPU power. So look at those numbers. There's number two on the middle line there. We have 14.13 and in the middle we have 21.11. So that would have been the correct value. So sometimes it's right. And similar in the other lines. So, if one of you needs an NSA random number generator, here's one. Well, it's not very funny, but I'm laughing too. Also look, the numbers look absolutely perfect in the layout, and they only noticed it because a room that's obviously bigger has a smaller area than the smaller one. So, there's a big ballroom with four square meters and a little chamber by the side that is much bigger. I know that the font is very small, so it's not a very strange fringe case so that I could piss on them.
We have some more examples, but this is the original example where we found it. Here's the next example. This is a register of the cost register. You see the two sixes turned into eights. And the joke is really that in the picture, look here, a six turned into an eight. Oh, and someone said, oh, there's another one. So, this just looks absolutely clean. It looks perfect. Why did they notice the error here? Because the numbers were sorted in ascending order. So, you can't really see it if the numbers make no sense and you cannot see which ones are wrong. You have to have semantic criteria by which you can find out what happens, so that it becomes implausible. Otherwise, you don't have a chance to find out what it is. So, my neck gets longer and longer, as you can see.
So, these are not just random things. I tried reproducing it like a good computer scientist. I made columns of numbers in ascending order, in different sizes, in different fonts, and scanned them and did some experiments. And lo and behold, I could reproduce the error. So, these are my random numbers. And we will look at them again in the future.
So, the ones that are yellow should be sixes and should not be the eights that we can see there. So, we stop for a moment here. I promised that I'm going to show you the entire interaction with Xerox. And I tell you what I felt at every point in time. And I stress those things that are very important if you have to fight against a big company. And I will also show you proof about this. And I will tell you one thing up front. In my eyes, what does not help is becoming offensive and hating. That is not helpful. That's very nice that you applaud now. But I wasn't so sure. And I have no problem with Twitter. But if you want to do something, if you want to achieve something, you make yourself a target. And they will tell you that you really don't want to have a discussion, because that wouldn't fit in 140 characters. And secondly, you can always say that you only want the show. If I don't want you to do these things, what should you do? The best thing to do is to not make it public initially. So you could write mails or call them.
So I called Xerox support several times, very often. I called all support levels up to top level in Dublin. And nobody knew a single thing. We wanted personal contact as well. Xerox people who were at the site at the time, they didn't know anything either. Xerox people, they're just working on commission. Xerox was shocked. They tried to reproduce it. And they did. We're laughing about this. They were standing there with their pants down. And imagine somebody's coming along and questioning your very existence. So Xerox itself, not the support company, but the company, they were astonished. But they didn't try to help us or the support firm. They respected the problem. So we were so shocked. So that's just where the goals came from. In fact we studied if we could and invented them as well. But there was a lack of any signs of bigger interest or any advice on how we could get rid of the problem.
So somebody came from Xerox and updated the software; he gave us a new firmware. I was like, oh great, now we know. I had a progress on the side of Xerox; after a few weeks I thought, that is enough. I wrote a blog post in German and English about what I have just said. And I opened up some test documents to print, scan and see whether they were affected. That is how the story starts.
I have to say, my blog is not big: 500 to 1000 readers per day. It's not much, it's nothing. But most of them are IT geeks; I know that from the e-mails they send me. At the bottom of my slides you can now see a line. It is a plot of the page views. It will go on and on as I keep talking. It is a sign of how much attention I am getting. Can you see it? That is a small bump, a small bump of 3000 readers per hour. The numbers come from Google Analytics. I said you should multiply them by two. But it doesn't matter, as long as you get the idea.
On the 2nd and 3rd of August the story is read on a few tech blogs. There is a [unintelligible] in the room. I said that many people read Fefe's blog. The people you see are from Fefe's blog. The story spreads and I get more and more e-mails from people who are affected. But the funniest thing is, I also get loads and loads for Xerox WorkCentres that I have never heard of. It is a whole range of products, and I begin to think that this could be a big story. It was good that I had put the documents online. If people cannot reproduce it for themselves, then it might not become much. On the 4th of August the story spreads worldwide on tech portals. I get a lot of e-mails from tech-savvy people. I always try to answer the e-mails; only that allows me to follow the story.
I am not allowed to sleep anymore, because I am starting to get loads of e-mails from US reporters, who apparently don't know about time zones. That's another small anecdote. You think they compete with each other, but as soon as one of them had my phone number, all of them had it. So, lesson learned: write it in multiple languages. Important of course is English for the international countries, but also the language of whatever company you're targeting. You may know that Xerox is so widespread in the US that there's actually a verb for it: to xerox.
And whenever something is that big in the tech world, what comes next? Mass media. And that's where it starts to get huge. I'll click through it. It's not an exhaustive list at all. There were hundreds of articles worldwide, and I'm just doing it in random order, however it suits my talk. This is Heise. As an IT guy, I like this a lot. ZDF Hyperland. I'm mainly showing the German press just to illustrate it. Most of it was actually from the US. But as a side note, a journalist told me he wanted to bring it to Tagesschau, you know, the biggest German news journal. He was like, yeah, it's really cool, but we wanted to show it happens when you photocopy things, not just when scanning, because people don't scan. So if someone from the Tagesschau is in the audience, that applause was yours. I was like, you heroes, if you print a scan, you have a photocopy. Never mind. You can print a lot in my channel.
Lesson learned: stay professional and composed, don't just do things for attention. So don't just make it bigger than it is. That is really... you smell some blood and then you want to make it bigger. That's not cool. So, Economist, now it gets really serious. And now it's getting expensive for the companies. Yeah, ABC News, more expensive. BBC, CNBC, then it was everywhere. That is a popular business magazine. And... no reaction from Xerox yet.
And until now there was no reaction from Xerox. So, if you take that long to react... On the scale of things too horrible to contemplate, a document-altering scanner is right up there with flesh-eating bacteria. That's from Peter Coy, economics editor for Business Week. That's the original quote from Business Week. Listen, you have to read this. Let me introduce you: this is Peter Coy. Peter Coy, he's editor there, and we will get to him a few more times in this presentation. And there is still no feedback from Xerox. Now my blog post went up to like 300,000 readers a day. And there's still no reaction from Xerox.
In the meantime, I managed with some readers to show what actually happened, and now I'm going to tell you about that, and it is a little bit about picture compression. The test image that I made, it's a fly with some text. And they both are part of the text of the test picture, to have different kinds of test pictures. Data transmission is time, money and storage intensive. And it costs a lot of data. So you normally don't want to transfer them uncompressed. That is a Bundestag committee of inquiry. Everywhere pictures are transferred, even in the highest offices. Like a few weeks ago, a while ago, there was a lot of media attention on a German MP that tried to transmit pictures. And of course he doesn't want to get crappy pictures, and doesn't want to wait too long. Now we have two parts of my test image, one from the photo part and one from the text part.
So we can look at what goes wrong with different compression algorithms. Stored somehow more efficiently. There are lossless compression methods, so no information is lost; or, if you want to get it even smaller, we have lossless codecs to get the files even smaller. This is the popular GIF format. Wow, that's many. That's almost everyone. So that was the show of hands for who thinks GIF is lossy. But actually GIF is a lossless compression. But it only supports 256 colors. So the loss of information is because of the picture reduction. And that's then saved pixel by pixel with LZW, which is an old compression algorithm kind of like the... So GIF is good for graphics with a few colors. Sharp edges are preserved well. Less suited for photos.
Now we have JPEG. JPEG is lossy. The original picture is put into 8x8 pixel blocks and, like, processed with cosine waves. How exactly this is mathematically done, I won't bother you with. But you can read up on it. So this is really good for photos, images, but very bad for text. You can see that if you look at the text on the right. So different compression algorithms are good for different kinds of uses.
So that's why you have JBIG2, a compression algorithm in which you can separate parts of the image into various patches, and can then use different compression algorithms for each of these patches. Which you can see in the red boxes. So you can use GIF for the text patches. And for the photo patch you can use JPEG, for example. And maybe you wouldn't use exactly those, but kind of like this. So, obviously, if you know exactly what kind of content is in which patch, you get a cleaner impression of quality and probably a smaller file; you get a much better result in total. So, obviously, if that works, then you can do it much more advanced.
So that in Photox, you do a separate patch for every letter. And that is actually done; that is not... I did not do that. And then, yes, you look at which patches are very similar to the others. Like the patches that I marked, they are all small letter e's. And they have only very few pixels that differ. So you see groups of all those patches. And so you see the same patch for the same e's. So only one of them is actually saved and used for all the others. So you can actually save a lot of data. And this is the final result; it looks good. You have much less data than without pattern matching.
Do you see it? The pattern matching decided that the small e is similar to the l. That is what happens when pattern matching is not accurate. And now you see it too? These are very dangerous errors. Normal compression artifacts are not that problematic. Maybe it doesn't look good, but it is okay. But now you have data that looks perfect. It looks good. You really have to look closely to notice the errors, and even then you need not notice them. And of course, most people always check their scans afterwards.
The politician who has to gloss over this, who has to put it in a positive light, could say that if a round with a medication sheet in a retirement home meets a copier, you have a grave safety problem. [unintelligible] How were the plans for the [unintelligible]? They actually hit them. But you know what? Airports, medicine, airplanes, rockets, that is only small fish; but when it is actually used as evidence in a court, that is very interesting.
So now, if somebody sues me with a scan from a Xerox, I would just say: that is false. And you can no longer prove that a part of the scan actually comes from the original, where you would expect it to be. These are business appliances with 100,000 or 1,000 users, and mail processing runs over them; as I was told by a big business, all incoming mail is scanned automatically and from then on is only used electronically.
Now, the 5th of August, 3 days after the first impact, and then there was a sign of life from Xerox. Thank you. Thanks. The PR of Xerox in Germany got in touch with me, and she could do nothing without the Americans, and she thought it was only a prank. And she said, no, it is not a joke. And they said, we'll keep in touch.
So, the day after, the 6th of August, was the first where I could really get things started. In the morning I got a screenshot from a user, of the setup, and it talks about letter replacement. Okay, so, there are three PDF compression states; they are normal, high and high. So, it's like PR-compatible. Normal is the mode that compresses the strongest. And the reader says: in normal the error is there, and in the two other stages it's not. And as far as I could see at that point in time, that was correct, but I'll tell you more about that later.
I promised to tell you about my mood along the way, in case you take something like this into your own hands. And at first I was afraid, I really was, and I thought I was being portrayed as the idiot who hadn't read the manual. But now, there is no official statement from Xerox, but I was tipped off that Xerox was about to write something like that. So, the lesson learned is the internal view and the outside view: so, what's the problem? What's the problem now? Such a problem must never happen.
Not even if you know about it, but the inside view is quite interesting. But even if you're freaked out, just keep calm and never scream and always de-escalate and never become offensive. If you remain calm from the beginning, then you can really talk to them, and you can just ask: why didn't support tell me that two weeks ago? So, remain professional and never hate. And I'll tell you again.
So, okay, I showed the screenshot as a possible workaround and I recommended to set the compression to high. And I was curious why support couldn't tell me that. And I also criticized that that setup was called normal, and the consequences, well, and the problem remains because you can't see in the scan that it is wrong. And so, I wanted to be prepared against what Xerox was going to do.
And so, this is Rick Dastin, and he is the Vice President of Xerox, and Francis Tse is one of the chief engineers. And here, the boss is doing the support. So, that's, there is something. Rick Dastin is the first one I talked to who really actually works at Xerox and who confirmed that it was known at Xerox that it replaced characters. So, if you have a problem with support and talk to them for a week and they can't tell you anything, then ask them to talk to Rick Dastin. And so, they also confirmed that it was correct that the pattern matching is responsible, and he also confirmed that pattern matching was only done in normal mode. So, support screwed up, and normal was probably a silly name for the setting. So, I recommended "experimental".
Okay, so, perhaps now I'm feeling quite good and it's a lot of fun, but at that time I was really scared, and don't think I'm any different from you. And then it was a very crystal clear RTFM by Xerox. Well, the normal mode isn't a factory default. So, you are all stupid. Why do you set it to a different setting? And the manual also says that letter replacement may occur. So, you are doubly stupid.
Customers are doubly stupid. And for the customer, of course, the factory setting is the setup in which they get the machine, and they don't get it from Xerox themselves. But there are third-party companies from which you buy those, and you don't buy it from Xerox, and they do consulting for you. And the manual, in some manuals, actually there is something on page 107 of 328. Okay, well, how many people read manuals that are 300 pages thick before using a copier? I mean, really. And I also found that copiers are not designed in a way that... I was of the opinion that this should never happen in a copying machine, in whatever setting. And the answer is, of course, oh, yes, that may happen, that's what they say. And the market wants that. And the market demands that. And the errors, that was really, really what they said, I'm quoting. And they said that about the small documents. And the errors were very, very rare. But I was right. And you couldn't prove that the document was wrong.
And so there was a relaxed atmosphere and they didn't threaten me legally. And they listened to me and it was a long talk. And I really let myself be caught in a trap. I never did anything of that scale. And Xerox, of course, they are professionals. And I was wondering why we could talk that long in a relaxed atmosphere. Rick Dastin is a vice president of a huge global company and he probably had other things to do. And now it turned out that while I was on the phone with them, they released their press statement. They are clearly not stupid, because that's the time in which I cannot react. And the press release had the title "Always listening to our customers". And they say that whoever wants to have original data should use the compression setting of higher or higher. And the lesson learned was: always have someone else watch the website of your adversary. And I wrote an article about the telephone conference. And I also wrote that I don't think they're off the hook.
So, well, that was the end, right? No. If a single blogger fights a huge company, either the blogger caves in when the company shoots back, or the public sides with the big company, or the public loses interest. Nothing of that happened. And you can see the huge spike. That was on the title page of Slashdot. And the press was on my side. And so Heise said that I was talking about the workaround before Xerox did, so to set it to high. Also, Der Spiegel said: so Xerox knew about the problem. So, well, that's really nice. If you're sitting in the PR, and if something like that happens when you work for the PR of a company, you can screw your holidays for the rest of the year.
But now, it really gets funny. If you have ever been in the US, they say, "when the shit hits the fan". That's what you say when it really starts getting ugly. And the next day, it was on Reddit, on the title page, and there was the nicest version of "shit hits the fan" that I've ever seen. I think it says, if the fecal matter hits the rotating air propeller or something. So, well, it's true. And if a company relies on digitization of documents, and almost everyone does, then they all have a problem. They can close the shop if it's really bad. And the National Archive called me. They made their entire archive with Xerox machines. And they threw away the originals. And now they are looking at that. They look at the big archive and think that they have to look at all the documents and check them for plausibility.
And in other cases, the internet is also very, very nice. You have one job, Xerox, eight job. Sometimes those involved provide the humour themselves. They are really funny; the company themselves created a joke. And this is something I'll just read for you. That's for the BBC. And Dastin said, well, it's not really that bad. The normal compression mode can create errors, but nobody uses it except the military or oil platforms.
So, well, what can happen? What's the worst that can happen, right? Now, we have all noticed that errors on oil rigs have not really been looked upon very kindly in the US lately. So, and I really tell you, laughing is nice. But just imagine you're in his shoes. If you really have to talk about it on the phone for 14 hours, then you may let slip something. And maybe he has been quoted out of context. And he may be right, I have no reason not to believe him. And here is a tech portal that is happy that cat pictures are not affected. So maybe it's about cat pictures, who knows.
But there's a new press release from Xerox. There was big public pressure. And now, well, maybe yes, perhaps we are going to make a patch in which we don't do pattern matching. But they never admitted to a mistake or to a problem. It's always the same thing. They always have to cover theirs. Like telling people in the manual for microwaves not to put the cat inside. But if they wait that long, then not even announcing a patch saves you, even if the press release now admits there are sometimes errors in it. And it says now, you will not see replacement of characters if you set the compression to higher and at least 200 dpi. And they also said that pattern matching is only done in the normal compression mode and not in the higher modes.
And I always thought, I was quite sure, that I had seen the problem in higher modes. And other readers told me as much. But I didn't manage to do it on the devices that I had access to. But if it does that in other modes, then everyone would be affected. And Xerox had been lying. And we had a huge, much bigger global problem. So I'm just not putting out any rumor.
But a friend of mine in Bonn, where I was living at the time, had a WorkCentre with another number, a 7545, near where I lived. So we went there and we used my test numbers and we used the mode higher and even 300 dpi; 300 dpi, for text, that is quite... And now look at this: the yellow numbers have errors. And I just marked some of them, not all of them. But you can see how frequent this problem is. And that was in mode higher and with 300 dpi. You can't quite make it out, but the pixels are exactly the same in these red rectangles. And that's very unlikely. It's always going to look a bit different if you scan it naturally. And lots of digits that look exactly the same pixel by pixel. That's a clear sign of this pixel, not pattern matching. So contrary to what Xerox was saying, they really were performing pattern matching even here. One of my readers built a visualization that marks equal digits in red. All equal digits are marked when I hover over them with the mouse. Here you can see how many digits could possibly be wrong.
At this point I knew there are hundreds of thousands of devices affected in factory defaults. With something like that you can really damage a big company. I did not want to publish that without trying to talk to them beforehand. Also I wanted to make sure that I did not make any mistake and could be sued for billions in lost shareholder value. So I recorded the whole process of producing wrong digits on video and uploaded it non-public on YouTube. I sent the link to Francis, the principal engineer, and they were shocked. Francis told me on the phone that I did everything correctly. Xerox was cooperative, but they wanted me to wait until they could reproduce the error by themselves. I reminded them that I had felt a little bit fooled after the last conference call, and told them: this time we do this differently. I told them, I've already written my blog article and the video is done.
And don't take this the wrong way, but I want to be contacted all the time now. So a lot of phoning back and forth ensues. We call each other all the time. I really spent the night in the office and I only had stupid biscuits. And finally Francis calls me and tells me, yep, we've reproduced it. Pattern matching on factory defaults; everyone was shocked. And do you know what they found out later? The code for the compression kernel is eight years old. That's how long this bug has been in the wild. And they've been a bit surprised. So I told them, have a look at my article and make sure that I've got legal safety and I can push it out. That mistake is really dangerous and I don't want to wait much longer for this. They did it, and they allowed me to publish it before them too. So that's why you shouldn't hate on them. Lesson learned: negotiate at the right moment.
Xerox, right afterwards, brought their own statement. They retracted their previous communication and thanked me. And they actually noticed how big this whole thing is. And that's why they started to be really nice in their press statements, and the whole climate was entirely constructive. And the whole thing becomes more and more surreal. Here again is Peter Coy from Business Week. Oh, I've got one more for you. One compression mode. No, it might not. But on the 11th of August, I can actually prove that it happens in highest mode as well. So even people creating massively beautiful PDFs for ages couldn't escape this issue. But to be honest, it doesn't happen with TIFFs.
On the 12th of August, Xerox admits that it's a bug that's eight years old and announces the patch another time. And they're really affected on the legal side. In the middle of the night, my time, Dastin and Tse called me on my mobile to be the first to tell me that they found the bug and they'd be rolling out new software to all devices. That's a patch download page from Xerox. That shows you how many devices are affected by this.
And look at the Xs, those are families. So the press reports again, the computer magazine c't has a report and called it Scannergate. And here there's a final clip from Peter Coy. It may sound sarcastic, but he is completely right. 80 Productions of archived scan documents can contain these errors and damage things forever. We live in a society that right now, as we speak, is making its transition from paper to digital. And the translators between the two worlds are devices like Xerox WorkCenters. And the rest of the thing, I told you, Xerox sells its devices through third parties. And that's why I think patches haven't reached too many devices at all. So spread the word. Besides all the lessons learned, there's one lesson I haven't told you yet. I've always gathered incredulous looks when I told people that I hadn't earned a single cent from this. A manager even told me I was an idiot. Two things. Firstly, it's really hard to earn money with this. If you don't, if you can't prove it, people are not going to take you seriously. And secondly, companies, corporations don't know friends. If I had wanted money, they would no longer have. They would have shot me down for it. I would do it again like this. But at the end of the day, everybody has to decide for themselves. If you want to do it differently, that's fine. I just want to tell you, you're weak in your negotiation position. These are all the lessons learned. I'm not going to go through them again. But if you don't, the slides here, they are. And this is how the circle closes to the introduction. That was the prologue with Barack Obama's birth certificate. Here it is again. Shortly afterwards, a journalist from Reality Check in the US asked me if the Xerox bug might not be the cause for these. And they've done detective work already. For instance, the Obamas had published their tax work. It had been scanned with a Xerox WorkCenter 7655. They asked me if I could ask Xerox, because I had connections.
And, understandably, Xerox said, no, we've really got different things on our mind right now. And now I look back at the PDF. And will you have a look at this? They contain exactly the same characters that had caused the bug in the first place. Here are two boxes that look exactly the same. I mean, make up your own mind. But I think this shoots down the conspiracy theory. And all I have to say now is thank you for spending this hour with me. So. This concludes, never trust a scan that you didn't forge yourself. Thank you very much for listening. And if you have feedback for the translators, tweet at C3Translate or use the hashtag C3T. For more information, consult the wiki page translation. This is Philipp Bock, Bernd and Florian Frömmel. And Florian from the translators booth. Thanks again and goodbye. For the questions, I'd like to start with those from the Internet, from our Signal Angel. Thank you very much. Huge applause from the Internet as well. You couldn't hear it just now, but there was a lot of positive feedback. Also the request to publish the slides. Especially these bowl pictures. That will happen on my site tomorrow at the latest. Very nice. Thank you very much. I have two questions. The first question is: at Xerox, is there a technical difference between scanning and printing and copying? Or is it always the same internally? Well, scanning, that's where the paper goes in, and with printing it comes out, right? No, so with printing, print data is simply received. I'm not aware that anything gets recompressed at all there. Scanning, there are different modes, the PDF modes. Those are the three I talked about. And copying: in my view it is not the case that it also happens when copying, because there is no compression there, as far as I can see. So I'm sure I would have received reports if that were the case.
That's why I don't think the copying process itself is affected, but that's also not so terribly bad, because no documents are archived there. Okay, and the second question: has there been any tangible damage caused by this bug? Have you received any feedback on that? I have the feedback that I just mentioned, and of course a few others, and of course I'm required not to name any names here. But you have to put yourselves, well, I'll only say this much, you have to put yourselves in the position of the corporation that is affected. So your data may be screwed. So, are you going to make that public? No, you will quietly demand compensation from Xerox and, if possible, write nothing about it on your own website, because it reflects back on you that your data is broken. Nobody asks whether it was a Xerox copier. So I also don't expect that there will be any major revelations, unless they are unavoidable. If a motorway bridge collapses somewhere, that's of course something else. Okay, thanks again. You're welcome. Good, then I'd suggest we continue at microphone 2, with the first person. Yes, just a short question. This is a technology that is probably used by many. Have you ever tried this with large devices from other manufacturers? I had a whole bunch of reports about other manufacturers. But when you do something of this magnitude, you immediately have to worry about spin doctoring. We simply remember the questions and approaches. Sorry, we don't remember that, because everyone has left. But don't publish any rumors, and because you make yourself a target, it could in the end just be something else. And always... Hello? Yes, publish the proof. Thank you. That was very nice. And I'm glad that the bug was 8 years old. And you have...
I can't imagine that... I looked at the Surgen. I mean, I really have no idea how nobody saw this for 8 years. And people say, who saw this earlier, or I've seen this for years, and high compression. And one thing is that it is very hard to detect. And it was known for the normal mode. And it was... They knew that it happened. It was hard to find the real bug, because the people who knew about it simply said not to set it to normal. So normal, that it happened. It was said that it is rarer on a different level. Maybe you're lucky. But I think it really was the first time that the bug was found. But nobody contacted me and said, I've already seen this. And so, from number 2. Hi, and thank you very much for the talk. The question: you didn't do it for money, but I think that's very good. And did they offer you anything? No, no, they didn't. And I really... Xerox was really good there, and handled it very, very well. It really was... It was a long night in which we were on the phone. And it really was... It really was about flying me in. And I really couldn't fix something like that. But if I fly you in, and if you... You could cooperate to fix the bug. But I really can't do anything. In my own head, I have to find the bug. And I can't help it. I was just there, yes, it makes sense, yes. And two intercontinental trips for that, that's really not... If they would pay for that, then... Yes, and I really thought about it, if they would pay for that. But I just couldn't have fit it into my schedule, so I couldn't do it, okay? Number 3: I have a home copier at home, and I have a very close relationship with it, and is there... Have there been any reports that it happened on home copiers? But no, I don't know anything about that.
It's only these WorkCenters, the series that I just showed, the WorkCenter, and it's just the big business machines, really, so far as I know. This JBIG2 compression algorithm is quite expensive to implement. And number three again, please. A, maybe quite cool... Just a crowd-research. A cool crowd-research task is perhaps to look through these manuals and collect them, whoever can get them, and look at in which year it appears in the documentation: is that as old as the bug, so eight years old, did it only happen after four years, or maybe they thought, we'll just print new manuals, because that's cheaper, and we leave the software as it is. And we... There are suspicions that they called a bug a feature, and so, I mean, whoever would design a copier that changes numbers, even if only the military uses it. Okay, one last question. It's not really a question, but maybe a suggestion for the talk. It was really a great talk, thank you. And you have this scale there with the access history. Can you perhaps superpose on that the Xerox stock price? But Xerox managed that pretty well. There was such a problem that it could really be the end of the company, but that didn't happen. So maybe, yeah, I should really put the live stock exchange rates here. Yeah, that's a nice thing. We have a question from the Internet. Yes, from the Internet. Are there any statistics or numbers about the probability of the error? But you've seen the page, and it was just the thing with the font size seven or eight. And it was just only numbers, but that happens also with similar letters. But I have no statistics about that. And the numbers six and eight, the highest probability, but I really have no hard data for the probabilities. And I didn't have to try around for hours. I just scanned one page and it was like that. So it's really, you don't have to search for it for very long. Okay, thank you. I think that's it, then?
So, then a round of applause for our speaker. And another round of applause, please, for the talk.