Printer identification has only been seen in color lasers (and some weird inkjets).
Lasers, especially cheaper ones, naturally DO have laser variances, etc. There isn't enough data in a b&w laser to leave a serial.
But let's say that you mess up and do leave a serial number... that's not useful. How many people register their printers? How many people buy printers from third parties or, gasp, second hand?
The printer serial code is useful only when you have the printer already and want to ask if it produced a given document. "This came from a Xerox printer with serial number xyz" isn't useful information for identifying a leaker from your corporate staff.
If you are worried about it, buy a crappy thrift store printer and donate it somewhere else.
For starters, if somehow the leaker becomes a person of interest and still has the printer that matches the serial number present in leak documents, that would obviously link them to the leak.
The claim that data is able to be hidden in black & white laser prints is obviously false; for example, a printer could intentionally embed information by making small algorithmic changes to the fonts that are unnoticeable to an untrained human eye.
Again, sure, possible this is overkill, but then so is SecureDrop. Anyone that’s worried about OpSec needs to understand their threats and related risks, then decide what to do, not just say do X just because Y said so. If mailing in documents was safer, why is that not presented as an alternative?
> For starters, if somehow the leaker becomes a person of interest and still has the printer that matches the serial number present in leak documents, that would obviously link them to the leak.
Your adversary doesn't need to be logical. You assume they need good evidence that is true - they don't. They can decide they don't like your face and that makes you guilty (and that has been the default for a lot of human history). They can also decide you are just nervous. Or that you seem like the leaking sort. They can jump to whatever conclusion they want, including the "let's hit them with a $2 wrench until they admit guilt".
If they are in your house and sampling your printer, they are also going to pull your electronic storage, physical storage, etc. SecureDrop doesn't help you here either - and a bunch of demag'd hard drives is a pretty smoking gun.
> a printer could intentionally embed information by making small algorithmic changes to the fonts that are unnoticeable to an untrained human eye.
The printer could have a secret implant, or broadcast a vhf beacon of what it prints, or have left an imprint on a second page of paper or....
But those things are unlikely. That you can theoretically think of some potential gotcha is not "opsec". That isn't risk analysis. That is you playing secret agent. That's fine - but don't confuse it with risk analysis.
> Anyone that’s worried about OpSec needs to understand their threats and related risks
Correct, the REAL actual threats, and the CHANCE of those threats happening.
You cannot zero out a risk. Risk does not go to zero. You can only reduce a risk to a mission tolerable degree.
> possible this is overkill
The point is to achieve the goal. "OpSec" helps reduce risk. Let me repeat this.
There will always be risk. You cannot remove the risk. The goal is not to remove the risk. The goal is to reduce the risk to a tolerable degree such that the goal can be achieved.
"But I can hallucinate a theoretical attack!" - Great, write a spy thriller. That has no bearing on "Opsec" or even risk analysis. At the very least you have to show the attack CAN happen, your threat actor CAN (theoretically) execute it, and ideally they are willing to (resourcing).
Give people practical advice. Prepare them for reasonable scenarios.