<p>I stare at the sheet of paper before me. My feet propped up as I lie in the lime green hammock I've inherited. The few belongings I've accumulated hanging from the bars. The worn bags, eco-friendly as they say on the side. The canvas worn but still holding up after months of searching through them.</p>
<p>Others go about their day. Making calls on the remaining smuggled phones the police failed to find during the raid. Some preparing dinner on the double-burner stove in our makeshift kitchen. A stove on a sink.</p>
<p>I hang suspended above, out of the way, left to my own devices. I ponder my life as the epic memories sustain my being. Moments of my past remembered with a twitch of my brow as I question how I made it this far for this long. Avoiding death over and over again. Making life-changing decisions repeatedly in favor of adventure and trial.</p>
<p>My moral compass spinning out of control as I realize I don't have much of one. As my current situation can attest. My home for the past two years: Envigado prison. Another moment in time I can't undo. So many of my decisions holding permanent consequences, fly-by-the-seat-of-my-pants choices along the way.</p>
<p>I rarely show restraint to the voice in my head. Suggestions of intrigue taking precedence over irrational thought. I live in this crazy-ass world the same as everyone else, just trying to survive.</p>
<p>* * *</p>
<p>One similar moment of irrational thought struck a few years back. As I reclined on my leather sofa in my boxers, nursing a glass of whiskey while I watched the all-time classic: The Simpsons. My mind festering on an unusual dilemma of sorts.</p>
<p>I had just recently returned from a programming conference in Rochester, New York a few days earlier. A very cold excursion in mid-January for a Southern California boy.</p>
<p>A conference on the development of new applications for Xerox. Xerox releasing their new app store consisting of numerous useful applications able to be added to any modern Xerox device throughout America and Europe. Millions upon millions of seemingly meaningless copiers, printers, and production presses. Devices held in every business or office.</p>
<p>* * *</p>
<p>The Xerox device being one of the most popular choices. A staple in the industry. A device rarely thought of outside the window of use. Networked into secure environments with little thought as the cable moving documents here and there goes unnoticed, plugged into the black.</p>
<p>On average, the default PIN is left unchanged, providing access to the system managing those machines.</p>
<p>Xerox had just conducted a contest to stimulate new development of their ConnectKey software. Application-based programs displayed on the cell-phone-size screen. Little icons providing unlimited use for these actually complicated devices. Billable upon design. A profitable new tool for competing distributors across the states.</p>
<p>My understanding built on trial and error.</p>
<p>As a new award-winning developer of these ConnectKey apps, having placed in all of their contests, meriting my trip to Rochester, New York, as a new lead developer of these relatively unknown applications.</p>
<p>The conference: a meet-and-greet of other competing distributors across the nation. A collection of forty or so other programmers sponsored by their corresponding companies. Developers who had been working with Xerox prior to the conference.</p>
<p>Two developers in particular stood out. Their company had been one of the national developing companies originally contracted as the sole producers of these apps. Apps that had been pushed to all the distributors' devices on trial. An example of all that was possible as the company pushed their Facebook feed to the side of the screen. A continual marketing feed available at the request or solicitation of sales reps pitching the benefits of Xerox to their clients.</p>
<p>These two programmers stood as the authority on the development and release of new applications to the market.</p>
<p>* * *</p>
<p>My understanding only came a few months earlier as my position at Xerox Source consisted of developing the company's website, billing portal, online store, and intranet system, connecting all the branches to the most relevant information from corporate.</p>
<p>I had returned to Xerox Source two years earlier in the contract billing department. Advancing quickly as challenges were issued by my superiors.</p>
<p>The ConnectKey apps, as they were called, were a simple yet extremely customizable platform, as I would soon learn. The applications, if native to the device, could trigger a host of services streamlined to the repetitive needs of the users.</p>
<p>For example: if Bob, a simple clerk, was required to scan a set of documents, then print three copies, email seven to the same contacts, and save one copy to an archiving server, every day, multiple times a day, a time-saving application could be developed at a premium. Thus saving the client multiple hours of labor time.</p>
<p>This form of application native to the pre-existing features, built into the device. Non-native applications only require the device to be plugged into the network with internet access. Common in business today.</p>
<p>The corresponding application is only a link to the external resources needed. For example: if there is a need to print directions using Google Maps from one destination to the next, the device will use its integrated keyboard to request departure and destination. Then, without any additional actions, print or email with just a click of the icon on the display.</p>
<p>These are simple examples. Anything accessible on the internet could, in essence, be built into an application for sale as the needs arise.</p>
<p>* * *</p>
<p>The two developers that I would soon meet at the conference had developed the original applications that were being currently used as examples for distribution across America. At the present time, one of the few apps available on Xerox's newly launched app store. The same application that was available to all distributors of Xerox. The same application I was tasked to investigate.</p>
<p>I connected the device hard drive to my computer, a Linux-driven machine with the vast capabilities only Kali Linux could provide.</p>
<p>Kali Linux: an operating system unknown to most as the majority of the population use Windows or Mac as their daily drivers, operating systems built for the masses. Kali is an operating system designed for the purpose of penetrating anything computer-based. Its available tools for hacking, cracking, and intruding on systems that may show a hint of vulnerability. The ability to dismantle dynamic websites, access routers and servers without the need of a username or password. The ability to penetrate secure personal computers connected to unsecured networks, accessing private personal data of the user. And many more useful features available at the discretion of the user.</p>
<p>A full-force penetration system. Operating system.</p>
<p>The same system I had just plugged the Xerox hard drive into.</p>
<p>* * *</p>
<p>My screen now displaying the contents. File structure similar to any other computer hard drive as I click through folders to view their content. A mixture of script and unrecognizable files to my untrained eyes. As I work my way through, opening individual files in a text editor, viewing their code. I follow a path unknown. I work my way through, acquainting myself with the system displayed across my screen. I find a constant. A file that is restricted to my access.</p>
<p>After multiple failed attempts at accessing it, I tried a simple action: renaming the file with a ".zip" file extension.</p>
<p>To my surprise, I could now extract the secure files and view the code in a text editor. Revealing the ConnectKey application's makeup. In essence, I was reverse-engineering the apps I set out to understand.</p>
<p>After a few accidental errors that opened more doors of knowledge, I learned that those secure files primarily consisted of an icon only noticed by Xerox devices and a script file that pointed to an external website. A URL that I could follow.</p>
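<p>The rename trick above works because an archive reader goes by the container's signature, not by its file extension. The following is an added example, not code from the original memoir or from Xerox: it identifies a zip container by its first four bytes, lists its members, and pulls out every URL inside, which is where an app of this kind actually lives. The package layout (an icon, a manifest, a launcher page) and the host names are assumptions constructed for the demo, not the real app format.</p>

```python
import io
import re
import zipfile

# A zip container starts with the local-file-header signature "PK\x03\x04"
# whatever its file extension says; the rename trick in the text works only
# because the archive reader goes by this signature, not by the name.
ZIP_MAGIC = b"PK\x03\x04"

# Hypothetical, not the real package layout: an icon, a manifest and a
# launcher page that hands the device off to a remote web page.
SAMPLE_MANIFEST = (
    b'<app name="Order Staples">'
    b'<launch url="https://apps.example-vendor.test/staples/index.html"/>'
    b"</app>"
)
SAMPLE_LAUNCHER = (
    b"<html><body>"
    b'<script src="https://apps.example-vendor.test/staples/app.js"></script>'
    b"</body></html>"
)
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + bytes(32)  # only a PNG header, enough for the demo

URL_RE = re.compile(rb"https?://[^\s\"'<>]+")


def build_sample_app() -> bytes:
    """Constructed sample: a zip archive standing in for a device app package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("icon.png", FAKE_PNG)
        zf.writestr("manifest.xml", SAMPLE_MANIFEST)
        zf.writestr("launch.html", SAMPLE_LAUNCHER)
    return buf.getvalue()


def is_zip(data: bytes) -> bool:
    """Identify a zip container by signature, ignoring whatever extension it carries."""
    return data[:4] == ZIP_MAGIC


def list_members(data: bytes) -> list:
    """Return the archive's member names, or raise if it is not a zip."""
    if not is_zip(data):
        raise ValueError("not a zip container")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sorted(zf.namelist())


def find_urls(data: bytes) -> list:
    """Pull every http(s) URL out of every member: the remote servers the app depends on."""
    urls = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            for match in URL_RE.findall(zf.read(name)):
                urls.add(match.decode("utf-8", "replace"))
    return sorted(urls)


if __name__ == "__main__":
    pkg = build_sample_app()  # imagine this came from a file with a non-.zip extension
    print("zip container:", is_zip(pkg))
    print("members:", list_members(pkg))
    print("remote endpoints:", find_urls(pkg))
```

<p>The same signature check is the reason a vendor cannot rely on an unusual extension to keep a package closed; anything that can be unpacked on the device can be unpacked on a laptop.</p>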
<p>Opening a web browser, I typed in the URL. Revealing, to my surprise, the exact display that showed on the Xerox device display.</p>
<p>* * *</p>
<p>Without the ability to initiate actions on a device. For example, when I clicked "Scan to E-mail," a screen would open asking for the standard information, like the email address for the recipient of the expected document. Which I was able to enter with my keyboard, but the corresponding action of "Enter" would initially do nothing as it was not active on any single device.</p>
<p>The website open to any and all that stumble across it β even though they would not know its purpose or use.</p>
<p>Having thorough knowledge of web development, I dug deeper. A simple right-click of the mouse enabled me to view the web page as code, lines of text written for a computer's understanding. These lines of code painting a picture of the structure and resources used to trigger the actions on Xerox devices.</p>
<p>Normally hidden JavaScript files accessible by following additional URLs, all hosted on external servers of external companies, outside of Xerox. This one in particular belonging to the two developers I was soon to meet, unknowingly, at the conference.</p>
<p>Soon I had access to every file needed to reproduce the applications displayed on every device. The website being extremely simple, calling on preset files. Proprietary Xerox technology open to the world. Access to everything needed to produce actions corresponding to the needs of each device.</p>
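<p>Viewing the page source is the whole recon step here: the app page is ordinary HTML, and every script, stylesheet, image and form it references is a URL anyone can fetch. The block below is an added example, not the memoir's or any vendor's code: it parses a page, resolves each referenced resource to an absolute URL and marks which ones are served from a host other than the page's own. The sample page and its host names are constructed placeholders, not the real servers described in the text.</p>

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose attribute names a resource the device's embedded browser will fetch.
RESOURCE_ATTRS = {
    "script": "src",
    "link": "href",
    "img": "src",
    "iframe": "src",
    "form": "action",
}

# Constructed sample page; host names are placeholders, not real vendor servers.
SAMPLE_PAGE_URL = "https://apps.example-vendor.test/staples/index.html"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="style.css">
  <script src="https://apps.example-vendor.test/staples/app.js"></script>
  <script src="https://device-api.example-oem.test/keyboard.js"></script>
</head><body>
  <img src="icons/staples.png">
  <form action="https://orders.example-vendor.test/submit" method="post"></form>
</body></html>
"""


class ResourceCollector(HTMLParser):
    """Collect every URL a browser would request while rendering the page."""

    def __init__(self, base_url: str):
        super().__init__()
        self.base_url = base_url
        self.found = []

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                # Relative references resolve against the page URL, as a browser would.
                self.found.append((tag, urljoin(self.base_url, value)))


def resource_inventory(html: str, page_url: str) -> list:
    """Absolute URL per resource, in document order, flagged if served from another host."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    collector.close()
    page_host = urlsplit(page_url).hostname
    inventory = []
    for tag, url in collector.found:
        host = urlsplit(url).hostname
        inventory.append(
            {"tag": tag, "url": url, "host": host, "third_party": host != page_host}
        )
    return inventory


def hosts_involved(html: str, page_url: str) -> list:
    """Distinct hosts the app depends on; each one is a place its code can be fetched from."""
    return sorted({entry["host"] for entry in resource_inventory(html, page_url)})


if __name__ == "__main__":
    for entry in resource_inventory(SAMPLE_HTML, SAMPLE_PAGE_URL):
        origin = "third-party" if entry["third_party"] else "same-host"
        print(f"{entry['tag']:6} {origin:12} {entry['url']}")
    print("hosts:", hosts_involved(SAMPLE_HTML, SAMPLE_PAGE_URL))
```

<p>Running this against a page gives the list of hosts a mirroring tool would have to pull from, and, from the defender's side, the list of hosts that must stay reachable (and trustworthy) for the app to keep working on the device.</p>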
<p>* * *</p>
<p>Opening a terminal, I typed a few commands, triggering a program that would, in essence, duplicate any website it was pointed at: scraping a website. This action creates directories of files with the corresponding websites and script pages copied to my computer. A process taking seconds rather than hours of saving every referenced web page or file individually.</p>
<p>A true benefit to my current need.</p>
<p>Soon I was creating a slew of new apps for our sales team. Everything from the theatrical (making the icon on the display a photo of the prospective client, which when triggered printed a photo of that person on all networked devices throughout the office) to placing your Starbucks order with your local Starbucks, securely selecting your complete order by entering your credit card information directly on the Xerox device display.</p>
<p>More of a parlor trick for the teachers and purchasing principals of major school districts than actually useful. But this displayed the vast possibilities of what an otherwise simplistic printer or copier could do.</p>
<p>* * *</p>
<p>As I moved forward with the development of these relatively unknown applications, Xerox announced a contest for developers. The best applications submitted would place first through third, receiving cash prizes, a plus in my current position, over a three-month period. Three opportunities. A chance at the grand prize the fourth month.</p>
<p>I had about two months of knowledge now on the abilities of the applications.</p>
<p>And municipalities. The new Print Care application, a staple of Xerox Source, was loaded onto every current and new device shipped out of their warehouses for distribution.</p>
<p>The truth of the matter was: Xerox was holding back on the capabilities now open to anyone with a computer and a USB stick. It also may just be blissful ignorance on their part.</p>
<p>* * *</p>
<p>When Xerox announced the contest, they opened access to the tools needed, sort of. Their new app-building web portal was extremely limited compared to what was actually possible. What it did do was make my current backwards process of development superior to what the other competitors in the field had access to.</p>
<p>There were no restrictions hindering my development because I had no rules to follow at the start. I had learned early on that I could create an application that was just a link, a hyperlink, to whatever website I chose to point it at. And the three new applications I had won awards for were hosted on our private company servers.</p>
<p>For example: when you wanted to order staples for your device, you would click the "Order Staples" icon displayed on the device screen, and everything you see visually is actually just a remote website displayed on the screen in front of you.</p>
<p>If you unplugged the network cable from the back of the device, the application would fail to respond or work. Not a problem in the states. Owning one of these very expensive machines guarantees it will be utilized to its native features: scan to email, etc.</p>
<p>Every application I had built was housed in individual corresponding folders on Xerox Source's servers or web servers. This was also true for the two developers that provided the original apps.</p>
<p>* * *</p>
<p>By finding the link directing me to their demo app provided for distributors, I was able to view all their applications built for every client they had designed for β open to the public. They had provided everything needed to develop all of their past custom apps by not placing them behind a wall of security.</p>
<p>Over the few months prior to the upcoming developers' conference in New York, I had replicated and improved or redeveloped every app I could find of theirs, free on the web. All held on their servers open to the public. Once a link was found, I would just open the terminal on my computer, type the necessary commands, and Kali would duplicate their entire website or application to my computer's folders.</p>
<p>Just that simple.</p>
<p>* * *</p>
<p>Right or wrong, I held the position that Xerox corporate provided the necessary tools needed for a fair competition. Any proprietary code was now available to all developing distributors. These were the original scripts, triggers enabling the device to respond to corresponding actions needed to be included in the packaging of each individual application created.</p>
<p>This was not proprietary to any sole distributor. Without the provided scripts, the device would fail to respond.</p>
<p>For example, the digital keyboard displayed on the screen would not open or initiate if the Xerox-provided files were not present on the corresponding server.</p>
<p>All this is important because little did I know β I had now revealed many vulnerabilities around Xerox's new app store and applications. Their lack of security or protocol is built on a continually evolving platform accessible to anyone with a computer or USB stick.</p>
<p>* * *</p>
<p>When you walk up to a printer to make a copy of your confidential paperwork, you rarely think of anything else. The truth is: if the device is connected to a network, that document you just printed could instantly be saved without your knowledge to a remote server. External servers collecting every document scanned, emailed, or printed on that Xerox device.</p>
<p>I say this because I have a clear understanding that this has been done before. Having developed similar applications to replace the "copy, scan" icons on devices.</p>
<p>On every ConnectKey Xerox device display, you will find "Print, scan, email" icons you press to produce the corresponding action. If, for example, a person simply took that exact application and added an FTP (File Transfer Protocol) URL with anonymous credentials, meaning no need for a username or password, to the print, scan, and email icons displayed on your device, from that point on, a copy of every document ever processed on that device would be saved to any location of their choosing.</p>
<p>To add the applications to any device, it can be done with a USB stick by walking up, plugging the USB stick into the device, and flashing the new app directly to the device, or by accessing the device's broadcasted IP address on the network without the knowledge of those around. A process that takes less than a minute to complete.</p>
<p>The corresponding company would not be the wiser. There are no additional notifications.</p>
<p>So let's say someone walked into a school, college, or courthouse, opened their laptop, and asked to print a document, connecting to their network, not an uncommon practice. That person then could flash the new app, print their document, and move on in less than five minutes. No one ever being the wiser.</p>
<p>That person now receiving a copy of every document from that point on.</p>
<p>A task that is even more successful with any business without a full-time cybersecurity tech. And even then, most would not notice anything amiss as it goes unnoticed by nearly everyone. The device could be sending copies unnoticed for months or years, depending on the next time its software is updated and only if the icons receive an update.</p>
<p>More often than not? Never.</p>
<p>It could be added to hundreds of thousands of devices without notice. Thousands upon thousands of documents saved as ".tif" images, archived under corresponding IP addresses and email addresses. Sitting idle on unknown servers. Medical, legal, and private documents unknowingly accessible to third parties.</p>
<p>Food for thought β as I've seen it done with my own two eyes. The applications not a threat as they unknowingly send the packages silently.</p>
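<p>Whether or not anyone audits the apps on the device, the traffic pattern described above is visible at the network edge: a printer opening its own connections to an anonymous FTP server on the internet, again and again, carrying document-sized payloads. The block below is an added example, not code from the memoir or from Xerox: a small review of flow records that flags printer-originated connections to plaintext FTP, to the internet, or to any destination not on the printer's allowlist, and totals the bytes sent outside policy. The printer subnet, the allowlist (mail relay, archive share, and the vendor host that serves the remote app pages, which the text says a networked app needs) and the flow records are all constructed assumptions for the demo.</p>

```python
import ipaddress
import re
from collections import defaultdict

# Assumed site layout, not from the text: the printer VLAN and the only
# destinations a printer has business talking to.
PRINTER_NETS = [ipaddress.ip_network("10.20.5.0/24")]
ALLOWED_DESTS = {
    ("10.0.0.25", 25),       # mail relay used by scan-to-email
    ("10.0.0.40", 445),      # archive file server
    ("198.51.100.9", 443),   # vendor host the remote app pages load from (assumed)
}
# RFC 1918 spelled out on purpose: ipaddress's is_private also treats the
# TEST-NET documentation ranges in the sample as private, which would hide the point.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):(?P<port>\d+)"
    r"\s+proto=(?P<proto>\w+)\s+bytes=(?P<bytes>\d+)$"
)

# Constructed flow records, one per connection: source -> destination:port.
SAMPLE_FLOWS = """
2023-01-03T10:00:01Z 10.20.5.41 -> 10.0.0.25:25 proto=tcp bytes=61440
2023-01-03T10:00:02Z 10.20.5.41 -> 10.0.0.40:445 proto=tcp bytes=61440
2023-01-03T10:00:03Z 10.20.5.41 -> 203.0.113.7:21 proto=tcp bytes=184320
2023-01-03T10:07:44Z 10.20.5.41 -> 203.0.113.7:21 proto=tcp bytes=90112
2023-01-03T10:08:10Z 10.20.5.42 -> 198.51.100.9:443 proto=tcp bytes=2048
2023-01-03T10:09:30Z 10.20.5.42 -> 192.0.2.55:443 proto=tcp bytes=524288
2023-01-03T10:10:00Z 10.9.1.10 -> 203.0.113.7:21 proto=tcp bytes=4096
garbage line that does not parse
""".strip().splitlines()


def parse_flow(line: str):
    """One flow record as a dict, or None for a line the format does not match."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    rec = match.groupdict()
    rec["port"] = int(rec["port"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def review_flows(lines):
    """Return (findings, volume): one finding per suspect flow, plus bytes per (src, dst, port)."""
    findings = []
    volume = defaultdict(int)
    for line in lines:
        rec = parse_flow(line)
        if rec is None or not in_any(rec["src"], PRINTER_NETS):
            continue  # unparseable, or not a printer: out of scope for this check
        dst, port = rec["dst"], rec["port"]
        if (dst, port) in ALLOWED_DESTS:
            continue
        reasons = []
        if port == 21:
            reasons.append("plaintext FTP from a printer")
        if not in_any(dst, INTERNAL_NETS):
            reasons.append("direct internet egress from a printer")
        else:
            reasons.append("internal destination not on the printer allowlist")
        volume[(rec["src"], dst, port)] += rec["bytes"]
        findings.append(
            {"ts": rec["ts"], "src": rec["src"], "dst": f"{dst}:{port}", "reasons": reasons}
        )
    return findings, dict(volume)


if __name__ == "__main__":
    found, totals = review_flows(SAMPLE_FLOWS)
    for item in found:
        print(item["ts"], item["src"], "->", item["dst"], "|", "; ".join(item["reasons"]))
    for (src, dst, port), total in totals.items():
        print(f"{src} -> {dst}:{port} sent {total} bytes outside policy")
```

<p>The allowlist is the part that takes thought: because these apps are remote web pages, a printer fetching from a vendor host over 443 is normal, so the rule has to name the expected app hosts rather than flag all internet traffic. Anonymous FTP from a printer, by contrast, has no legitimate reading and is worth an alert on the first flow.</p>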
<p>* * *</p>
<p>So as the conference approached, life was good.</p>
<p>* * *</p>
<p>I wrote this on January 3, 2023. I was in cell #2 at the time. The lime green hammock was my throne. The stolen phone was my connection to the outside world. And the memories of reverse-engineering Xerox apps and winning coding contests felt like they belonged to another person entirely.</p>
<p>Maybe they did.</p>
<p>That man, the one in the boxers on the leather sofa, nursing whiskey, watching The Simpsons, breaking into proprietary code with Kali Linux, that man was free.</p>
<p>This man, the one in the hammock, suspended above a makeshift kitchen in a Colombian prison, is not.</p>
<p>But the mind is the same. The curiosity is the same. The willingness to poke at locked doors and see what happens, that has not changed.</p>
<p>Xerox never found out. Or if they did, they never said anything. The contest went on. I won. The apps were deployed. The sales team was happy. The company made money.</p>
<p>And somewhere out there, right now, there are probably still Xerox devices running code I wrote. Icons I designed. Links I pointed at servers I controlled.</p>
<p>It's a strange legacy β a few lines of code scattered across millions of office printers, quietly doing their jobs, never asking who put them there or why.</p>
<p>Like me, I suppose.</p>
<p>Never asking why. Just moving forward. Just pressing the button. Just seeing what happens next.</p>
