That's normal for cups and not a mac issue. I have enabled the cups interface (cupsctl WebInterface=yes) and can see all of my jobs and printers (localhost:631/jobs)
I have seen this kind of thing in our office via a network printer. Sensitive files with private information just left laying around on a drive that is on the network because people were printing.
What printer do you recommend where the printer doesn’t have a chance of storing information about what is printed at or close to a data forensic level. I’m not talking about the computer storing it, I’m talking about the printer potentially secretly or inadvertently storing data of what was printed.
I’m at a loss as to why this is a big deal in the era of modern OSes which use full disk encryption (FDE) by default. One would simply assume that all kinds of cached bits of sensitive material are going to end up all over the place with normal activity, however this doesn’t in any way mean that it is somehow at risk of unauthorized access due to the access controls and encryption. In fact, when one deletes those cache files on an SSD, the actual underlying physical structure of the data is in NO WAY altered, and without the default use of FDE would be easily readable by a third party, however it just isn’t so these days because of that encryption layer. Much ado about absolutely nothing.
that's exactly what I was thinking, is that some kind of 5 minute craft "life hack" video or a security researcher providing a professional service like "I made a script that clears your spool folder? Am I going to tell him about emails or are you? As a security researcher you shouldn't really be recommending macs for your clients, as an IT consultant you should recommend whatever the client can afford, rich lawyers can afford macs so that's going to work super well for the 99% of people that don't know that there's other folders other than "My desktop, My documents, Pictures... "computer stuff"" The 0.1% that knows how to use a computer should not be working with those files, rather they should be part of the IT staff. If you really didn't want that info to be stored on a machine that shouldn't have that document for more than the job, then you should have the client connect to a machine that is authorized to print and view such documents, that way you can control whenever the client can or can not view the information, if anybody got hold of their machine you could revoke that privilege, better yet you should set it up so that the client HAS to get permission every single time they want to interact with the data, that way you can keep track of how the data is being used.... basically don't hire a "police IT" department because they always lose critical information like that. This video could have been summed up in a 3 minutes notepad.exe video with some emo music back in 2009 "Hi Today I'm going to show [scrolls down] You how to...." Please like, share and subscribe to randomkid007"
Because we keep running out memory on our hard drives due to mysterious "System" files that can't be deleted. By your logic we should never delete our cache or our browser history. Let's just fill up our hard drives with useless data.
@Dave if this is occurring in your setup then that is a separate issue, my comment was only in relation to the supposed security risks the video brought up (which are not real under a modern OS)
@@MRMsysdotnet The main security risk is that people are unaware their computer is storing everything they have printed. Very concerning if you share your computer or run third-party apps that are not entirely trustworthy. Full disclosure needs to be given to the user that their files are surreptitiously stored in a location they aren't aware of, so they can take further precautions if necessary.
@@davehugstrees In my experience, it's almost always Outlook bloat that fills up Macs in a corporate/work setting. Outlook for MacOS doesn't let you specify a maximum local storage (it can be done, but it's not a simple setting like in the Windows version). You can use daisy disk utility to get detailed information about what's eating up your storage on mac. You wouldn't know it was Outlook without this 3rd party program. I've seen Outlook use 180GB of a 256GB drive.
about your question: CUPS itself needs to first write to disk in order to work with the task as far as I know. But! you're asking for macos which is able to spin up a ram disk without installing extra packages. afaik cups can use another folder, maybe you could spin up a ram disk via script every boot, use this as spool location and destroy the ram disk automatically by shutdown. I guess your argument is the forensic traces left on the hard drive even when "deleted". getting those from ram should be more hard if ever possible.
I'm curious if this is also true for scanning from a printer. Would a copy of what you scanned be saved in this directory as well? Or would it be a different directory and different job history setting?
Interesting video, thanks. I’m surprised that you are using command line instead of Finder, which is so much more user friendly. Are these files viewable in Finder?
Hey Sun, Thank you for the video. I was trying to recover a file on my mac that I do see in the completed Print Jobs list. I tried the method you showed on ventura 13.5.1 but did not get it to the desktop. My 2 questions: did they patch this in the new version? Does it maybe not work if the original file was deleted? Would be great to recover this file..!
Most printers nowadays do not print unless you are connected to the Internet. Which means there is good possibility that anything printed is routed via the company servers and recorded for future analysis. How could one securely print something with the confidence that the print data does not leak outside the computer and the printer? for e.g. it could be someone's crypto wallet private keys.
[ Re-comment as my first one got deleted after I linked wikipedia lol ] Most laser printers will apply ‘tiny’ (Usually around 0.1 millimeters, however the size can vary widely from manufacturer to manufacturer) yellow dots to the paper while printing. These are usually called Machine Identification Codes or Printer Steganography. By ‘reading’ the encoded data (Which can be a pain as the specifications are not public, requiring us to basically ‘reverse engineer’ the encoding system) you can find information like the printer model and printer manufacturer. Now, I would link wikipedia, however youtube apparently doesn’t like it when we add links.
Might be possible to mount this directory as a RAM disk mount. That way it will be volatile and clean itself upon reboot. But that also sounds overkill if you can just turn off the history. Btw. files that need to be printed absolutely need to be cached. Many drivers do this using RAM but Cups might be coded to use this FS cache to preserve memory or sth. along those lines.
I am a system developer and was fascinated with your video. MacOS does rely on subsystems like CUPS, the Common Unix Printing System. I believe I have a solution which guarantees your temporary file will never be written to the flash media. You seemed concerned that the hardware of flash media may not be secure even for temporary files. My solution ensures the data never gets written to the flash. Maybe you already solved this problem, but if not, please contact me and we can meet to discuss.
On a somewhat related note, I've always wondered why printer companies were so eager to get me to "recycle" my old toner cartridges by sending it back to them. It has always made me suspicious of them storing data in those things. Maybe I'm paranoid but it never made sense to me.
On my machine the files in the cups folder go all the way back to the day I got the computer which was 11/7/2021 (16" Macbook Pro 2021). So at this point it has not purged for over a year. I have not changed any settings related to this.
@@aypfvn PreserveJobHistory controls the preservation of control files (job metadata). Preservation of the actual job data is controlled by PreserveJobFiles.
This will get lost but worth a shot. How do I retrieve the files I've printed? The last thing I printed is needed. I tried to copy to desktop but it showed file not found. I used the print history to get the file name. Is there a way to view all the contents inside the file?
Strangely on 13.3.1 (a) I checked /var/spool/cups, and while I have found the c* files, there are NOT any d* files, and the c* files are all about 2-5KB in size, and just contain metadata, not the actual file. Now, I haven't printed recently, so maybe it sticks around there for a few hours/days, but not forever. The c* files do seem to though, I have one going back to Jan 19, 2022. How long have you waited to see if the d* files disappear?
For regular users /var/spool/cups does not have read permissions. Is that a new bug or something? I print a lot and I have nothing in there. Try rebooting your machine and seeing if it does not get cleared out.
I believe /var/spool/cups requires root privileges by design which is great for security. Tried rebooting computer and files are still there. Could others corroborate this?
I wonder why it's on by default, that just wastes storage space. I can't think of a good reason for this to even be enabled, though there definitely are reasons
So in other words, I can recover some printed jobs I didn't save as a PDF on my computer? I need to recover some older printed jobs (from a month ago), how can I find those files?
I tried but the folders are very hidden 'sudo cd' does nothing. You have to first display hidden files, then authorize that you can open the folder, which requires entering your password/touchID. Once inside the folder there's files without extension, those that begin with 'd0-' are the files you have printed, copy them then guess which format they were originally. Only the last prints are there, no idea what triggers the suppression. Honestly, can it be called a security issue?
CUPS originated at Apple and Apple Inc is still the maintainer. On my Macs the spool directory is empty besides some printer information and PPS files for the old Dell 1760 Laser I once had.
nice video though, but as a linux and more or less administrator. But I feel the urge to get some basic context to it. Storing cache while printing and beyond is documented default behavior of cups, but nevertheless good that someone speaks about it as macOS does not inform about infinite storage. this kind of script - more/less just the values stored in the cupsd.conf are delivered to every device we deploy, just to make sure that no prints stay on the device.
I'm confused at what I'd be paying for with this superbacked thing. at first I was excited that it was finally high-density backup storage, as I had been looking for a format that could store larger amounts of data on physical paper to store things like house blueprints, physically within a house, but looking at the site and the use cases... it's just a QR code with max redundancy.
Hey, there is a hard limit at how much data can be stored within a single QR code… Superbacked also encrypts data using one or two layers of encryption (two for distributed backups) which uses some of that space and adds a layer of plausible deniability which uses significant space (see github.com/sunknudsen/blockcrypt). As a result, one can store the equivalent of the following comment in text.
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut sem nulla pharetra diam sit amet nisl. Quam adipiscing vitae proin sagittis nisl rhoncus mattis rhoncus. Aliquam ultrices sagittis orci a scelerisque purus semper eget. Arcu cursus vitae congue mauris rhoncus aenean. Sed adipiscing diam donec adipiscing tristique risus nec. Vulputate eu scelerisque felis imperdiet proin fermentum leo. Eleifend donec pretium vulputate sapien nec sagittis. Vestibulum lorem sed risus ultricies tristique nulla aliquet enim tortor. Sed nisi lacus sed viverra. Consectetur libero id faucibus nisl tincidunt eget nullam. Nunc mi ipsum faucibus vitae aliquet. Orci phasellus egestas tellus rutrum tellus pellentesque eu tincidunt tortor. Platea dictumst quisque sagittis purus sit amet. Placerat duis ultricies lacus sed turpis. A diam maecenas sed enim ut sem viverra aliquet. Ac turpis egestas sed tempus urna. Blandit aliquam etiam erat velit. Amet facilisis magna etiam tempor orci. Ultrices sagittis orci a scelerisque. Id faucibus nisl tincidunt eget nullam non nisi est sit. Facilisis mauris sit amet massa vitae tortor condimentum. Lacus luctus accumsan tortor posuere ac ut. Purus in massa tempor nec feugiat nisl pretium. Laoreet id donec ultrices tincidunt arcu non sodales. Enim nunc faucibus a pellentesque.
When I copy some of the files to the desktop they cannot be opened, they are pdfs of a few kilobytes. Is it still dangerous to delete these files inside cup?
This is why a lot of companies have a policy that you can’t wipe your work computer when leaving the company. This allows an employer to see if an employee has been exfiltrating company secrets with a printer. There is nothing to fix here.
It's stupid to say there is nothing to fix when private devices are also affected here. If it's for company security it should only be doing this on those company Macs.
the problem in need of fixing is informing the user, which is addressed in part with the making of this video. not being aware of data artifacts is irrefutably a security dilemma.
This would definitely be a CUPS issue. According to some threads I've seen, the CUPS author (Michael Sweet) claims this has been fixed, but who knows? I print a fair amount on my Mac running Monterey 12.6.1 and, while there are some PDF files in /var/spool/cups, they're only a few days old, so the claim by this poster that it keeps files "forever" may be a bit of hyperbole.
CUPS is CUPS is CUPS whether shipped with macOS or some Linux distro. Assuming the bug is in CUPS (most likely) then switching to some Linux is not going to fix this particular problem.
I'm confused by the fact that you are a privacy and security researcher yet you use a proprietary OS where by definition you can not know what it's doing with your data and what kind of backdoors it might have.
I've printed family pictures 2 months ago and I have 600Mb of files on /var/spool/cups -- that's pretty bad for apple, feels like an oversight but then again, where is the privacy focused features? there is no reason to waste disk space either
I remember noticing this in Mac OS a decade ago. I was able to recover something I had lost. But it's an awful feature. What if you're printing sensitive information?
I have a question, why not use linux as the main operating system instead of mac? I get the preference of mac tho i love mac os (but just up to Catalina )
I'm not sure where... But he already explained that he uses linux too, but mac is more consumer oriented or something like that, he made a good point, but I can't recall well
I just gotta point out that YouTube's closed caption translation is crap, and it totally garbled your website name. Sorry but I often watch in simple thumbnail mode while reading closed captioning, my roommate is bothered by the audio which he often doesn't understand.
Yeah the print spool, isn't a permanent copy of everything you ever printed. Click bait title, I get it. A simpler solution for you would be to set up the print spool as an in-memory tmpfs mount, this way it will be wiped every time you shutdown.
If you’re a journalist or corporate employee then this may be bad. For the end user this is a nothing burger. The sheer amount of data-paranoia these days with VPNs and encryption is insane. Common sense is to never work with or store critical data on a machine you daily drive.
I knew of the thumbnail issue, but I never suspected macOS would do something so opaque and egregious… Besides the obvious privacy implications, are these files purged if the folder becomes too large? Graphic designers will often print huge .PDF files, so that may also be a concern… Regarding Twitter, I’d love to follow you there, but considering just how much more of a dumpster fire it is becoming, I think I’ll pass.
Cool cool… how much of this channel have you watched? Have you stumbled upon the privacy guides reference material? I like to believe I am the type of person who uses the right tool for the job. sunknudsen.com/privacy-guides?search=debian
Linux is also affected. The folder does have what you printed but not everything only the latest, secondly you need to override permissions in order to access the folder, which requires to enter your password/touchID. At that point a hacker would be more interested in the rest of your drive than trying to get into that folder.
@@stephenkamenar I think you overestimate your average Joe’s interest in operating systems. Most people I know either uses a Mac because they like their iPhone, or has a windows computer because they game or find it cheaper. Very few even know Linux is a thing.
Just one random comment. Make sure to print the paper backups with laser printers not ink printers, even if you are going to laminate it, humidity will build up inside the plastic and mess with your backups.
Great feedback! Laser for sure… and one can also print on acid-free paper.
@@sunknudsen love youtubers that take their time to read through comments👍
@@sparklesparklesparkle6318 yeah no, your back will get whipped and torn if you're interrogated by fbi, i advise you to print your backupbackupbackup on contact lenses so if in need you can view it from there
@@sparklesparklesparkle6318 Pity you that u only got Bluetooth over there, since i got vaccinated i now have 5G + i can sh*t QR codes which scan as the backup codes. Just get an upgrade man, it's worth it!
All you have to do is run the following from terminal to have it flush these files every day. You can also set them to "no" so that they are never saved, or a different timeout value. "cupsctl PreserveJobFiles=86400 PreserveJobHistory=86400". IMO this is a much better solution than what's described in the video. Also, running "cancel -a -x" will purge the currently saved print jobs.
hang on, so this entire hysteric is about CUPS logging jobs as it does by default??? holy shit lmao mac os users were a mistake
just like the no button on their phones that actually does not stop the phone from collecting all your searches, websites visits, etc. and sends it to Apple even when turned off !!!?? this company cannot be trusted they are as anti consumer as it gets
@@motherfucker42069 exactly it’s a feature for quotas
Thank you for that solution, much better.
So do most commercial copier-printers. If you make copies at staples etc., a copy is kept, usually on a SATA drive.
Don't forget about that file thumbnail, depending on the OS it may be kept forever or until disk space is needed. Also plenty of PDF viewers will also keep a pre-rendered 'temp' cache of files and embedded images/fonts you've opened or even just navigated to a folder containing it. Some modern PDF viewers and OSes will even upload hashes of files to 'the cloud' or even in some cases the entire file even without you explicitly requesting it often without ever telling you it happened, this happens on cloud connected services like photo viewers with feature recognition as well as virus scanners.
That's why you use a browser like Firefox or Chrome as a PDF viewer, not some shady off-site PDF viewer you got from some advertisements.
@@outrowed even the built in mac os pdf viewer stores a cache, but i guess we can call them shady too lol
macOS user: Why is my device storage full for no reason?
Apple: How many files have you printed?
haha
it only stores the last 500 by default. Which isn't that much space.
Like others pointed out, this is likely _not_ exactly forever, it is most likely flushed once in a while. But if you're concerned about it being a security problem, I'd consider trying to mount a ramdisk/tmpfs as `/var/spool/cups`. And maybe some other directories in `/var` as well.
How often is once in a while? I just checked mine and I have files going back a year to when I got the MacBook.
According to documentation I found it keeps the last 500 prints
Or use an OS that's superior on any level like Mint, Ubuntu or Arch... If you're paranoid you can also use tails ...
This is just a standard feature of cups. It’s something that happens on linux or any Unix machine that uses cups. Though cups is by apple it’s made for unix in general not macos. I have a print server running cups that I use to wifi enable a few old printers and I’m able to see prints going back years through the web panel.
Looks like it purges them on arch Linux so it's a config thing in macos
@@_framedlife Or Arch linux has a job to purge the folder and cups does not by default have that.
Looks like a general feature of CUPS, which also stores on Linux unless if you specifically tell it not to.
On linux they eventually get cleared out in linux maintenance. But I only managed a bunch of linux servers for years.
I have used Arch Linux for many years and have not reinstalled. I immediately checked /var/spool/cups on my computer and very interestingly, there are no actually saved images or encoded images of the printed documents, but there _are_ a huge number of metadata files that each contain the _filename_ of the document that was printed, the date it was printed, and the name of the printer used, for every document I've ever printed. For my case this doesn't make a difference because the original documents that I printed are all still stored in standard documents folders elsewhere, but I just thought the difference in behavior is interesting.
@@tacokoneko I wonder why that info would be needed. Why does the OS think that that’s something that should be recorded for the short term, let alone the long term? Pretty crazy.
Great video/content, thx
@@MattGreek the OS doesn't think anything, CUPS does and cups is made by apple
This saved me. I was able to recover a file I printed but then closed the tab and couldn't get access to again.
I think that if your concern is privacy, just formatting the OS and then selling your device should do the trick, so this is not a concern but rather a life-saver.
Thanks for posting this, I was unaware. I have made our security forum at work also aware since we have a large deployment of MacOS.
As an MDM administrator this does not directly impact me, at least not yet. However, this is something I absolutely plan on looking into remediating. This was a very good and incredibly informative video.
An article was written about this very same point in March 2007, 15 years ago, in Mac OS X Hints. It is nothing new about macOS or Apple or CUPS.
I think he's mistaken about the timeframe, or it is the case that my macOS Monterey computer is not holding the files of everything I've ever printed. It looks like there is some automatic cups server flushing out files older than 60 days. I have certainly printed out files in the winter, spring, and summer of 2022, and these files are not present in /var/spool/cups as of 03 November 2022.
On Linux, I see that the /var/spool/cups directory is cleared when I restart the cups service and, as far as I can tell, this is not done by some Linux specific scripts but by cups itself.
If that works the same on Mac then you should not have any files older than your last reboot. Check your 'uptime'.
I also noticed that the default value Yes for PreserveJobHistory is documented as «the job history is preserved until the MaxJobs limit is reached». MaxJobs is 500 by default but it could be smaller in your configuration.
Anyways, «PreserveJobHistory No» should only be needed if you care a lot about the security of your printed files. If your goal is to save disk space because you almost never reboot then a better alternative is probably to use more reasonable settings such as setting «PreserveJobHistory 86400» or «MaxJobs 5». That way, you will keep the ability to restart your old jobs for a while (e.g. after a paper jam or if you decide that you need more copies)
@@cynodont7391, nice, thoughtful, clear comment. Thanks.
He's completely full of shit and desperate for internet attention.
@@richardbennett4365 Clear, but not correct on MacOS. Rebooting does not clear files.
@@toadlguy, okay.
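An added example, not part of any comment in this thread and not code from the video or the CUPS project: a small audit script that reads the `PreserveJobFiles`, `PreserveJobHistory` and `MaxJobs` directives discussed above from a cupsd.conf-style file and reports which control (`c*`) and data (`d*`) files are still sitting in the spool directory. The function names are made up for this sketch, and `/etc/cups/cupsd.conf` as the configuration path is an assumption about the local install.

```shell
#!/bin/sh
# Added example: audit how long cupsd keeps finished print jobs.
# Function names are hypothetical; paths are supplied by the caller.

# Print the last value set for directive $2 in cupsd.conf-style file $1
# (empty output if unset). Names match case-insensitively; "#" lines are skipped.
cups_directive() {
    awk -v want="$2" '
        $1 ~ /^#/ { next }
        tolower($1) == tolower(want) { val = $2 }
        END { print val }
    ' "$1"
}

# Translate a PreserveJobFiles / PreserveJobHistory value into plain words.
describe_retention() {
    case "$1" in
        "")            echo "unset (cupsd default applies)" ;;
        [Nn][Oo])      echo "not kept after the job completes" ;;
        [Yy][Ee][Ss])  echo "kept until the MaxJobs limit is reached" ;;
        *[!0-9]*)      echo "unrecognised value: $1" ;;
        *)             echo "kept for $1 seconds" ;;
    esac
}

# Count regular files directly inside spool dir $1 whose names start with $2
# (c = control/metadata files, d = document data files).
count_spool_files() {
    find "$1" -maxdepth 1 -type f -name "$2*" | wc -l | tr -d ' '
}

# List data files (d*) in $1 whose age in whole days is greater than $2.
stale_data_files() {
    find "$1" -maxdepth 1 -type f -name 'd*' -mtime +"$2" | sort
}

# Full report: $1 = config file, $2 = spool directory, $3 = age limit in days.
audit_cups() {
    conf=$1 spool=$2 days=$3
    for name in PreserveJobFiles PreserveJobHistory; do
        value=$(cups_directive "$conf" "$name")
        printf '%-20s %s\n' "$name" "$(describe_retention "$value")"
    done
    maxjobs=$(cups_directive "$conf" MaxJobs)
    printf '%-20s %s\n' MaxJobs "${maxjobs:-unset (cupsd default applies)}"
    printf 'control files (c*):  %s\n' "$(count_spool_files "$spool" c)"
    printf 'data files (d*):     %s\n' "$(count_spool_files "$spool" d)"
    printf 'data files older than %s days:\n' "$days"
    stale_data_files "$spool" "$days"
}

# Runs only when three arguments are given. The spool is readable by root only,
# so a real audit needs root, for example:
#   sudo sh audit.sh /etc/cups/cupsd.conf /var/spool/cups 1
if [ "$#" -eq 3 ]; then
    audit_cups "$1" "$2" "$3"
fi
```

A non-empty list of stale `d*` files while `PreserveJobFiles` is set to a short timeout is the case worth investigating, since it means documents are outliving the configured retention.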
wow this is wild. Thanks for the heads up. Have a great day!
Pleasure!
great to see you making videos on YouTube again!
Happy to be back!
GREAT THANK YOU. I found an old ETH paper wallet with $920.90 on it.
No way haha… lost printed paper backup?
This is probably the only person that benefited from this weird default value
No he didn’t.
I want to believe!!!🤞🤞🤞🙊🙈🙉💛🧡💚💚💚
Come on super psychic human network of mutually beneficial serendipitous awesomeness..:::💎⚡
@@sunknudsen I bought some eth a long time ago (like 90€) and forgot about it. With your trick I found the old paper wallet.
A little workaround could be to use a small RAM-drive and make that the storage folder... I'm talking from the Linux side here (ah, and please note that in the Linux systems I tested, cups didn't do this crappy behavior... so while the technology is linux based, the settings are completely those of Apple)
Thanks for sharing!
I remember being DEVASTATED that my mac had the cups cache disabled out of the box around ~2016 when I desperately needed to reprint a page for a several hundred dollar rebate that expired after I backed out of the page... Of course the company told me that was their policy and couldn't do anything about it 😂
This is actually a feature some people want, but if you're on linux you need to have the foresight to know about how CUPS works and manually switch it on. This is unfortunately something I learned the hard way, although the potential for chaos is much much worse leaving it on by default
It's not just printed files - I found a 1.5 Gb error log there too!
I'm using an M1 machine with Ventura. The date now is Nov 6 2022, the date on one file is Feb 2021 - older than my machine ! So, files were copied over when I upgraded.
I can confirm that I have files as old as my computer in there. This is pretty bad. Thanks for sharing!
Thanks for sharing and pleasure!
Can I view files in there? I need to retrieve the last thing I printed.
Nearly all USB and many of the network printers have a parallel port emulation. But the problem with that is that you have to know the printer specific commands to switch from Text-print to graphical print and then have to know the supported image formats. It's easier with network printers. They always have a cups compatible net interface that can be addressed directly. All you need is the cups client libs.
And I've tried printing binary backups many years ago by designing a custom font that could be scanned in easily. But it never worked reliably, and the scanning was always the problem. That was 25 years ago and I only had a "hand-scanner" you have to drag over the paper. I gave up on it when I switched from my Atari ST to an IBM-PC and Linux.
Hi Sun, welcome back! Do you think we should update to iOS16 for privacy and security standpoint? Can you create a content for that?
Will likely publish about iOS16 and macOS Ventura… that said, haven’t upgraded yet (except macOS on one lab computer as seen in episode).
That's normal for cups and not a mac issue. I have enabled the cups interface (cupsctl WebInterface=yes) and can see all of my jobs and printers (localhost:631/jobs)
I have seen this kind of thing in our office via a network printer. Sensitive files with private information just left laying around on a drive that is on the network because people were printing.
What printer do you recommend where the printer doesn’t have a chance of storing information about what is printed at or close to a data forensic level. I’m not talking about the computer storing it, I’m talking about the printer potentially secretly or inadvertently storing data of what was printed.
Will have to check for windows too and this made me think why they cache it. Btw thanks for the informative video
I’m at a loss as to why this is a big deal in the era of modern OSes which use full disk encryption (FDE) by default. One would simply assume that all kinds of cached bits of sensitive material are going to end up all over the place with normal activity, however this doesn’t in any way mean that it is somehow at risk of unauthorized access due to the access controls and encryption. In fact, when one deletes those cache files on an SSD, the actual underlying physical structure of the data is in NO WAY altered, and without the default use of FDE would be easily readable by a third party, however it just isn’t so these days because of that encryption layer. Much ado about absolutely nothing.
That's exactly what I was thinking, is that some kind of 5 minute craft "life hack" video or a security researcher providing a professional service like "I made a script that clears your spool folder"? Am I going to tell him about emails or are you?
As a security researcher you shouldn't really be recommending macs for your clients, as an IT consultant you should recommend whatever the client can afford, rich lawyers can afford macs so that's going to work super well for the 99% of people that don't know that there's other folders other than "My desktop, My documents, Pictures... "computer stuff""
The 0.1% that knows how to use a computer should not be working with those files, rather they should be part of the IT staff.
If you really didn't want that info to be stored on a machine that shouldn't have that document for more than the job, then you should have the client connect to a machine that is authorized to print and view such documents, that way you can control whenever the client can or can not view the information, if anybody got hold of their machine you could revoke that privilege, better yet you should set it up so that the client HAS to get permission every single time they want to interact with the data, that way you can keep track of how the data is being used.... basically don't hire a "police IT" department because they always lose critical information like that.
This video could have been summed up in a 3 minutes notepad.exe video with some emo music back in 2009
"Hi
Today I'm going to show
[scrolls down]
You how to...."
Please like, share and subscribe to randomkid007"
Because we keep running out of memory on our hard drives due to mysterious "System" files that can't be deleted. By your logic we should never delete our cache or our browser history. Let's just fill up our hard drives with useless data.
@Dave if this is occurring in your setup then that is a separate issue, my comment was only in relation to the supposed security risks the video brought up (which are not real under a modern OS)
@@MRMsysdotnet The main security risk is that people are unaware their computer is storing everything they have printed. Very concerning if you share your computer or run third-party apps that are not entirely trustworthy. Full disclosure needs to be given to the user that their files are surreptitiously stored in a location they aren't aware of, so they can take further precautions if necessary.
@@davehugstrees In my experience, it's almost always Outlook bloat that fills up Macs in a corporate/work setting. Outlook for MacOS doesn't let you specify a maximum local storage (it can be done, but it's not a simple setting like in the Windows version). You can use daisy disk utility to get detailed information about what's eating up your storage on mac. You wouldn't know it was Outlook without this 3rd party program. I've seen Outlook use 180GB of a 256GB drive.
About your question: CUPS itself needs to first write to disk in order to work with the task as far as I know. But! You're asking for macOS which is able to spin up a ram disk without installing extra packages. Afaik cups can use another folder, maybe you could spin up a ram disk via script every boot, use this as spool location and destroy the ram disk automatically at shutdown.
I guess your argument is the forensic traces left on the hard drive even when "deleted". Getting those from RAM should be harder, if ever possible.
Great feedback… have to look into RAM disks.
If ever you put together a reliable RAM disk implementation on macOS, please submit PR on github.com/sunknudsen/privacy-guides.
I'm curious if this is also true for scanning from a printer. Would a copy of what you scanned be saved in this directory as well? Or would it be a different directory and different job history setting?
Funny this used to not be the case. I’ve manually turned it on (my preference on my laptops) at least twice in earlier OS X versions!
Interesting video, thanks. I’m surprised that you are using command line instead of Finder, which is so much more user friendly. Are these files viewable in Finder?
Pleasure… directory is not accessible through Finder given it requires root privileges.
@@sunknudsen that’s helpful, thanks.
Hey Sun, Thank you for the video. I was trying to recover a file on my mac that I do see in the completed Print Jobs list. I tried the method you showed on ventura 13.5.1 but could not get it to the desktop. My 2 questions: did they patch this in the new version? Does it maybe not work if the original file was deleted? Would be great to recover this file..!
just checked my macbook, my social security number was in a large majority of them so this was actually helpful LOL
what is your daily driver m1 or still using mid 2015 macbook pro?
I switched to a M1 MacBook Air a while back… amazing computer except for limited ports and single external display connectivity.
Most printers nowadays do not print unless you are connected to the Internet. Which means there is good possibility that anything printed is routed via the company servers and recorded for future analysis. How could one securely print something with the confidence that the print data does not leak outside the computer and the printer? for e.g. it could be someone's crypto wallet private keys.
Does this affect CUPS printing on Linux?
Superbacked 😮🎉
PreserveJobHistory in the cupsd conf file is not present in Big Sur
[ Re-comment as my first one got deleted after I linked wikipedia lol ]
Most laser printers will apply ‘tiny’ (Usually around 0.1 millimeters, however the size can vary widely from manufacturer to manufacturer) yellow dots to the paper while printing.
These are usually called Machine Identification Codes or Printer Steganography
By ‘reading’ the encoded data (Which can be a pain as the specifications are not public, requiring us to basically ‘reverse engineer’ the encoding system) you can find information like the printer model and printer manufacturer.
Now, I would link wikipedia, however youtube apparently doesn’t like it when we add links.
Might be possible to mount this directory as a RAM disk mount. That way it will be volatile and clean itself upon reboot.
But that also sounds overkill if you can just turn off the history.
Btw. files that need to be printed absolutely need to be cached. Many drivers do this using RAM but Cups might be coded to use this FS cache to preserve memory or sth. along those lines.
I am a system developer and was fascinated with your video. MacOS does rely on subsystems like CUPS, the Common Unix Printing System. I believe I have a solution which guarantees your temporary file will never be written to the flash media. You seemed concerned that the hardware of flash media may not be secure even for temporary files. My solution ensures the data never gets written to the flash. Maybe you already solved this problem, but if not, please contact me and we can meet to discuss.
On a somewhat related note, I've always wondered why printer companies were so eager to get me to "recycle" my old toner cartridges by sending it back to them. It has always made me suspicious of them storing data in those things. Maybe I'm paranoid but it never made sense to me.
Windows 11 as well. It has a keylogger as well.
Nice Find ! I wonder if Apple knows this is the default ?
This evidently applies to Linux too.
According to cupsd.conf(5) the default value of PreserveJobFiles is 86400, which causes job files to be preserved for 24 hours. Not forever.
Thanks for sharing… have you checked on your Mac if that default is actually used?
On my machine the files in the cups folder go all the way back to the day I got the computer which was 11/7/2021 (16" Macbook Pro 2021). So at this point it has not purged for over a year. I have not changed any settings related to this.
@@lizardspock4746 Assuming you're up to date I would report this to Apple !
@@staticyrro The saved copies in /var/spool/cups seem to be controlled by PreserveJobHistory (defaults to Yes, up to 500 jobs), not PreserveJobFiles.
@@aypfvn PreserveJobHistory controls the preservation of control files (job metadata). Preservation of the actual job data is controlled by PreserveJobFiles.
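The distinction drawn in the comments above (PreserveJobHistory for the c* control files, PreserveJobFiles for the d* document data, with the cupsd.conf(5) defaults commenters quote) can be checked against what is actually sitting in the spool. The following Python script is an added example, not part of any comment or of CUPS itself; the sample config, file names and timestamps are constructed, and matching directive names case-insensitively and using file mtime as the job-completion time are assumptions.

```python
import os

# Defaults as quoted from cupsd.conf(5) in the comments above.
DEFAULTS = {"PreserveJobFiles": "86400", "PreserveJobHistory": "Yes", "MaxJobs": "500"}

# Which directive governs which spool file prefix, per the comments above:
# c* = control files (job metadata), d* = the printed document data.
GOVERNED_BY = {"c": "PreserveJobHistory", "d": "PreserveJobFiles"}


def parse_retention(conf_text):
    """Return the effective retention directives found in cupsd.conf text."""
    effective = dict(DEFAULTS)
    canonical = {name.lower(): name for name in DEFAULTS}
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # drop comments, split key/value
        if len(parts) == 2 and parts[0].lower() in canonical:
            # Assumption: names match case-insensitively, last occurrence wins.
            effective[canonical[parts[0].lower()]] = parts[1].strip()
    return effective


def window_seconds(value):
    """Map Yes/No/<seconds> to a retention window; None means no time limit."""
    lowered = value.lower()
    if lowered == "yes":
        return None
    if lowered == "no":
        return 0
    if lowered.isdigit():
        return int(lowered)
    raise ValueError(f"unrecognised retention value: {value!r}")


def audit_spool(entries, settings, now):
    """Classify (name, mtime) spool entries against the configured windows.

    Returns {"documents": [...], "overdue": [...]}: every d* file still on
    disk, and every c*/d* file older than its directive allows. File mtime
    stands in for the time the job finished (an approximation).
    """
    report = {"documents": [], "overdue": []}
    for name, mtime in sorted(entries):
        # Job files look like c00001 / d00001-001; skip anything else.
        directive = GOVERNED_BY.get(name[:1]) if name[1:2].isdigit() else None
        if directive is None:
            continue
        if name.startswith("d"):
            report["documents"].append(name)
        window = window_seconds(settings[directive])
        if window is not None and now - mtime > window:
            report["overdue"].append(name)
    return report


def scan_spool(path="/var/spool/cups"):
    """List (name, mtime) for regular files in the spool; needs root."""
    with os.scandir(path) as it:
        return [(e.name, e.stat().st_mtime) for e in it if e.is_file()]


# Constructed sample input: a config with two overrides and five spool entries.
SAMPLE_CONF = """\
# constructed sample, not a real system's cupsd.conf
MaxJobs 5
preservejobhistory 604800   # keep job metadata for one week
"""
NOW = 1_700_000_000
DAY = 86400
SAMPLE_ENTRIES = [
    ("c00001", NOW - 30 * DAY),
    ("d00001-001", NOW - 30 * DAY),
    ("c00002", NOW - 2 * 3600),
    ("d00002-001", NOW - 2 * 3600),
    ("tmp", NOW),
]

if __name__ == "__main__":
    settings = parse_retention(SAMPLE_CONF)
    print(settings)
    print(audit_spool(SAMPLE_ENTRIES, settings, NOW))
```

Run as root, `audit_spool(scan_spool(), parse_retention(open("/etc/cups/cupsd.conf").read()), time.time())` (after `import time`) gives the same report for a live system; a non-empty "overdue" list means files are outliving the configured window, which is the situation several commenters describe.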
This will get lost but worth a shot. How do I retrieve the files I've printed? The last thing I printed is needed. I tried to copy to desktop but it showed file not found. I used the print history to get the file name. Is there a way to view all the contents inside the file?
Hello Sun, I use Linux, does this apply to Linux using cups, and if it does, do these commands apply to Linux as well?
Not sure about Linux… my gut feeling is Linux would clear cache once printing jobs complete. Does path exist on your system?
@Josué Yuman if possible mention me in your answer to Sun, I'm curious!!!
Strangely on 13.3.1 (a) I checked /var/spool/cups, and while I have found the c* files, there are NOT any d* files, and the c* files are all about 2-5KB in size, and just contain metadata, not the actual file.
Now, I haven't printed recently, so maybe it sticks around there for a few hours/days, but not forever.
The c* files do seem to though, I have one going back to Jan 19, 2022. How long have you waited to see if the d* files disappear?
For regular users /var/spool/cups does not have read permissions.
Is that a new bug or something? I print a lot and I have nothing in there. Try rebooting your machine and seeing if it does not get cleared out.
I believe /var/spool/cups requires root privileges by design which is great for security. Tried rebooting computer and files are still there. Could others corroborate this?
I wonder why it's on by default, that just wastes storage space. I can't think of a good reason for this to even be enabled, though there definitely are reasons
Government agencies like backdoor options to destroy people's lives.
Where is this folder located? I know you showed the path, but I don't know how to get there. Can it be seen in finder?
Would this also apply to Linux? Since that also uses CUPS for printing
How do I open the windows to see the var/spool/cups? I'm confused as to how to view this.
an update for macOS Sonoma?
So in other words, I can recover some printed jobs I didn't save as a PDF on my computer? I need to recover some older printed jobs (from a month ago), how can I find those files?
imagine if he puts a rickroll link on the qr code and someone scans it lmao
Hey Sun, can this be applied on Catalina also?
Good question… if you see a bunch of files in “/var/spool/cups”, likely yes.
I tried but the folders are very hidden, 'sudo cd' does nothing. You have to first display hidden files, then authorize that you can open the folder, which requires entering your password/touchID. Once inside the folder there's files without extension, those that begin with 'd0-' are the files you have printed, copy them then guess which format they were originally. Only the last prints are there, no idea what triggers the suppression.
Honestly, can it be called security issue?
Is there any way to undo the changes made in the terminal?, in case there are problems in the future. Thanks and best regards Sun!
Good question… yes… I will add steps to remove patch to guide when I have spare time. Stay tuned!
Done 👉 sunknudsen.com/privacy-guides/how-to-disable-cups-pinter-job-history-on-macos#want-things-back-the-way-they-were-before-following-this-guide-no-problem
@@sunknudsen Thanks!!
You create a ramdisk with rclone and then create a symlink
CUPS originated at Apple and Apple Inc is still the maintainer. On my Macs the spool directory is empty besides some printer information and PPS files for the old Dell 1760 Laser I once had.
Cups actually is an apple application, then we on Linux get to use it as well, not the other way around
Nice video though, but as a linux and more or less administrator. But I feel the urge to get some basic context to it. Storing cache while printing and beyond documented default behavior of cups but nevertheless good that someone speaks about it as macOS does not inform about infinite storaging. This kind of script - more/less just the values stored in the cupsd.conf are delivered to every device we deploy, just to make sure that no prints stay on the device.
Interesting🤔 I own photo studio and I daily print at least one image per day and wonder if the files cumulatively ate up disk space
relocate cups to a ram drive?
I'm confused at what i'd be paying for with this superbacked thing. at first I was excited that it was finally high-density backup storage, as I had been looking for a format that could store larger amounts of data on physical paper to store things like house blueprints, physically within a house, but looking at the site and the use cases... it's just a QR code with max redundancy.
Hey, there is a hard limit at how much data can be stored within a single QR code… Superbacked also encrypts data using one or two layers of encryption (two for distributed backups) which uses some of that space and adds a layer of plausible deniability which uses significant space ( see github.com/sunknudsen/blockcrypt ). As a result, one can store the equivalent of the following comment in text.
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut sem nulla pharetra diam sit amet nisl. Quam adipiscing vitae proin sagittis nisl rhoncus mattis rhoncus. Aliquam ultrices sagittis orci a scelerisque purus semper eget. Arcu cursus vitae congue mauris rhoncus aenean. Sed adipiscing diam donec adipiscing tristique risus nec. Vulputate eu scelerisque felis imperdiet proin fermentum leo. Eleifend donec pretium vulputate sapien nec sagittis. Vestibulum lorem sed risus ultricies tristique nulla aliquet enim tortor. Sed nisi lacus sed viverra.
Consectetur libero id faucibus nisl tincidunt eget nullam. Nunc mi ipsum faucibus vitae aliquet. Orci phasellus egestas tellus rutrum tellus pellentesque eu tincidunt tortor. Platea dictumst quisque sagittis purus sit amet. Placerat duis ultricies lacus sed turpis. A diam maecenas sed enim ut sem viverra aliquet. Ac turpis egestas sed tempus urna. Blandit aliquam etiam erat velit. Amet facilisis magna etiam tempor orci. Ultrices sagittis orci a scelerisque. Id faucibus nisl tincidunt eget nullam non nisi est sit. Facilisis mauris sit amet massa vitae tortor condimentum. Lacus luctus accumsan tortor posuere ac ut. Purus in massa tempor nec feugiat nisl pretium. Laoreet id donec ultrices tincidunt arcu non sodales. Enim nunc faucibus a pellentesque.
Enough to hold many secrets which can be used to encrypt data stored in the cloud.
i just ran that through a latin translator and it was a trip.
When I copy some of the files to the desktop they cannot be opened, they are pdfs of a few kilobytes. Is it still dangerous to delete these files inside cup?
Did you append .pdf file extension? Yes, files can be purged by running “cancel -a -x”.
@@sunknudsen Yes, I add the pdf extension. Thanks!!
This is CUPS being CUPS
This is probably done by apple on purpose. I already see how 95% of regular users did not know about this, but cops probably do know...
Same here and the CleanMyMac X doesn't clean this folder too.
Likely because folder requires root privileges…
This is why a lot of companies have a policy that you can’t wipe your work computer when leaving the company. This allows an employer to see if an employee has been exfiltrating company secrets with a printer. There is nothing to fix here.
It's stupid to say there is nothing to fix when private devices are also affected here. If it's for company security it should only be doing this on those company Macs.
the problem in need of fixing is informing the user, which is addressed in part with the making of this video. not being aware of data artifacts is irrefutably a security dilemma.
@@TheJacklikesvideos by that same token, the user’s failure to read the EULA is not Apple’s fault.
Just noticed that my CUPS on Arch does the same thing
Is this a macOS problem or the common Unix printing system problem though?
This would definitely be a CUPS issue. According to some threads I've seen, the CUPS author (Michael Sweet) claims this has been fixed, but who knows? I print a fair amount on my Mac running Monterey 12.6.1 and, while there are some PDF files in /var/spool/cups, they're only a few days old, so the claim by this poster that it keeps files "forever" may be a bit of hyperbole.
You can use Linux on macs now ..I'd recommend that .. none of this stuff surprises me ..great video
This appears to also affect Linux, and probably fixable the same way
It’s a Unix thing so also can affect Linux as cups is also available there
CUPS is CUPS is CUPS whether shipped with macOS or some Linux distro. Assuming the bug is in CUPS (most likely) then switching to some Linux is not going to fix this particular problem.
CUPS isn't always CUPS, CUPS "shipped" with Linux is a Fork of CUPS. And remember, Linux Isn't BSD.. close.. but not exact.
I'm confused by the fact that you are a privacy and security researcher yet you use a proprietary OS where by definition you can not know what it's doing with your data and what kind of backdoors it might have.
I agree this might be confusing… have you watched ua-cam.com/video/84sCLhy-rw8/v-deo.html
I've printed family pictures 2 months ago and I have 600Mb of files on /var/spool/cups -- that's pretty bad for apple, feels like an oversight but then again, where is the privacy focused features? there is no reason to waste disk space either
Thanks for sharing… strange hey?
Most printers do that on their own.
now, that brings up a few questions about for whom apples data recovery really works.
my printer does not have updated drivers so i use linux through UTM so i guess no problem for me
I remember noticing this in Mac OS a decade ago. I was able to recover something I had lost. But it's an awful feature. What if you're printing sensitive information?
oh man! you really look and speak like Ryan Reynolds
Wait… I have a used MacBook Pro. Where is this? I wanna check what they had before. Edit: just to be safe that I don’t have anything I don’t want.
There’s another way. 🔨🔨🔨
I have a question, why not use linux as the main operating system instead of mac? I get the preference of mac tho i love mac os (but just up to Catalina )
I'm not sure where... But he already explained that he uses linux too, but mac is more consumer oriented or something like that, he made a good point, but I can't recall well
Thanks for helping out @EdrumSense… episode is ua-cam.com/video/84sCLhy-rw8/v-deo.html.
That question has multiple answers, for example, photoshop, vegas, office, and many many more
Linux uses CUPS too.
@Ronit I love the mac os too but just up to Snow leopard.
Ah, so it stores a grand total of nothing for me
Turns out Apple OSes are a security nightmare
I just gotta point out that YouTube's closed caption translation is crap, and it totally garbled your website name.
Sorry but I often watch in simple thumbnail mode while reading closed captioning, my roommate is bothered by the audio which he often doesn't understand.
Yeah the print spool, isn't a permanent copy of everything you ever printed. Click bait title, I get it. A simpler solution for you would be to setup the print spool as an in-memory tmpfs mount, this way it will be wiped every time you shutdown.
Interesting alternative… have you ever tried implementing it on macOS?
If you’re a journalist or corporate employee then this may be bad.
For the end user this is a nothing burger.
The sheer amount of data-paranoia these days with VPNs and encryption is insane.
Common sense is to never work with or store critical data on a machine you daily drive.
same and worse with windows
life hack
use linux
I knew of the thumbnail issue, but I never suspected macOS would do something so opaque and egregious… Besides the obvious privacy implications, are these files purged if the folder becomes too large? Graphic designers will often print huge .PDF files, so that may also be a concern…
Regarding Twitter, I’d love to follow you there, but considering just how much more of a dumpster fire it is becoming, I think I’ll pass.
So a poorly chosen default, oh well, thank you for telling us about it
Sus
No disrespect but you look like the type of person who would use a mac.
Cool cool… how much of this channel have you watched? Have you stumbled upon the privacy guides reference material? I like to believe I am the type of person who uses the right tool for the job. sunknudsen.com/privacy-guides?search=debian
I cannot understand why people bother about MacOS. Just use Linux and everything will be fine.
Linux is also affected. The folder does have what you printed but not everything only the latest, secondly you need to override permissions in order to access the folder, which requires to enter your password/touchID. At that point a hacker would be more interested on the rest of your drive than trying to get into that folder.
the most surprising thing about this video is the fact that someone still uses a mac
What do you use?
@@macb.631 SerenityOS
@@stephenkamenar I think you overestimate your average Joe’s interest in operating systems. Most people I know either uses a Mac because they like their iPhone, or has a windows computer because they game or find it cheaper. Very few even know Linux is a thing.
Oooohhh. You're so edgy...
He says he is starting a company and doesn’t know tab Auto complete exists 😂😂
Hey Cedric, tab completion doesn’t work for root-restricted paths hence why it didn’t work and I had to fallback to copy paste.
Couldn't you also symlink /usr/local/sbin/cups to /dev/null?
"for some reason" - they probably prioritized user experience