C2PA from the Attacker's Perspective
The Hacker Factor Blog
by Dr. Neal Krawetz
1d ago
In my previous blog entry, I mentioned an upcoming conference presentation. This week, I presented at the online IPTC Photo Metadata Conference 2024 on the "Metadata and Authenticity" panel. (Video! I begin about 15 minutes into the panel discussion.) It's hard to say everything you want to say when under pressure to keep your introduction short. This blog entry will elaborate on my brief presentation and share how I did a live demo for creating an authenticated forgery. Some of this blog entry won't be news to long-term readers. But after the summary about me and the general attack vectors ..read more
Upcoming IPTC Conference Presentation
The Hacker Factor Blog
by Dr. Neal Krawetz
4d ago
Every year, the International Press Telecommunications Council holds a few meetings with presentations. Last February, I was approached by them and asked if I wanted to be on a panel discussion about metadata and authenticity. I try to give a few presentations a year as a way to give back to the community. I suggested a range of topics that I could cover, and the IPTC representative chose the attacker's perspective: real world threats with real world examples. This includes detailing how attackers will use poorly-designed authentication technologies for furthering fraud, false attribution, fa ..read more
The Jitter Bug Part 2
The Hacker Factor Blog
by Dr. Neal Krawetz
2w ago
Last February, I wrote about a really bad bug that was randomly crashing my CPUs. With a virtual machine (VM) environment, if one CPU crashes then the VM can continue running while crippled. When the last CPU crashes, the VM is dead and needs to be restarted. This had been going on for nearly a year. I ended up building a huge monitoring infrastructure that could notify me when a problem developed. While it tried to catch the root cause, it only got close enough to narrow down the cause. At the time, I had found one thing that could consistently trigger the problem: fwupd, the firmware updat ..read more
VIDA: The Simple Life
The Hacker Factor Blog
by Dr. Neal Krawetz
3w ago
At the end of last year (13-Dec-2023, following my blog entry on "C2PA's Butterfly Effect"), I was asked to be in a call with the Coalition for Content Provenance and Authenticity (C2PA) and their supporting organization, the Content Authenticity Initiative (CAI). Leadership, management, and developers from C2PA and CAI were present. 100% of the C2PA and CAI representatives came from Adobe, while I showed up with one of my associates, Shawn. Shawn and I detailed the problems with C2PA's specification, discussed vulnerabilities, and went over the high-level implications from releasing a flawed ..read more
Introducing: The Brick
The Hacker Factor Blog
by Dr. Neal Krawetz
1M ago
Today, April 1st, I'm proud to announce another Hacker Factor product: The Brick! Total Network Security! Are you TIRED of those pesky INTERNET WAVES sneaking into your office? Do you crave the PURE, UNADULTERATED SILENCE of a DIGITAL DEAD ZONE? Well, step right up, folks, because "Network Neal" has got the solution for you! Introducing "The Brick" -- the ultimate firewall! This ain't your momma's Wi-Fi router, folks! This bad boy is built with the same government-grade shielding used to protect Area 51 from those nosy aliens! The Brick won't just block your ads, it'll block your neighbor's ..read more
Clear The DEC
The Hacker Factor Blog
by Dr. Neal Krawetz
1M ago
Last week, one of my mail systems died. It was the system that I used to read and send emails, not the main office mail server. According to the last logs, it went down at around 2am. No failure notices. No error messages. It was just powered off. When I came into the office, I tried to turn it on, but it never even got to the power-on self-test (POST) stage. This is a serious hardware failure. The good news is, I was able to open the case and pull the hard drive. The entire file system was intact. I spun up a new isolated computer for reading and sending emails, copied over my old mail archiv ..read more
The Great Kate Debate
The Hacker Factor Blog
by Dr. Neal Krawetz
2M ago
I'm not a close follower of the British Royal family or their related dramas. But when a single picture floods my FotoForensics service as people around the world determine whether it is real or fake, well, that gets my attention. This is a small sample of the literally thousands of variants of the image that FotoForensics received on March 10th. While these pictures are visually the same image, they differ by dimensions, compression, cropping, coloring, annotations, and more. It's not just one picture from Instagram; it's viral copies from Instagram to WhatsApp to Facebook to BlueSky and b ..read more
IEEE, BBC, and C2PA
The Hacker Factor Blog
by Dr. Neal Krawetz
2M ago
I hadn't planned to write about more C2PA problems so soon, but my last few blog entries on C2PA's problems have struck a chord with readers and some of their feedback is very time critical. (This time sensitivity is ironic since my last blog pointed out C2PA's problems with timestamps.) IEEE The first feedback I received mentioned a recent article (4-March-2024) at IEEE Spectrum. IEEE's David Evan Harris and Lawrence Norden reviewed Meta's proposed solution to AI-generated media. The article's title nailed the problem (their bold for emphasis): Meta's AI Watermarking Plan Is Flimsy, at Best ..read more
C2PA's Time Warp
The Hacker Factor Blog
by Dr. Neal Krawetz
2M ago
Throughout my review of the C2PA specification and implementation, I've been focused on how easy it is to create forgeries that appear authentic. But why worry about forgeries when C2PA can't even get ordinary uses correct? Just consider the importance of the recorded timestamps. Accurate time records can resolve questions related to ordering and precedence, like "when did this happen?" and "who had it first?" Timestamps can address copyright assignment issues and are used with investigations to identify if something could or could not have happened. At my FotoForensics service, I've seen an ..read more
Catching Flies with Honey
The Hacker Factor Blog
by Dr. Neal Krawetz
2M ago
Recently, the buzz around security risks has focused on AI: AI telemarketing scams, deepfake real-time video impersonations, ChatGPT phishing scams, etc. However, traditional network attacks haven't suddenly vanished. My honeypot servers have been seeing an increase in scans and attacks, particularly from China. Homemade Solutions I've built most of my honeypot servers from scratch. While there are downloadable servers, most of the github repositories haven't been updated in years. Are they no longer maintained, or just continuing to work well? Since I don't know, I don't bother with them. W ..read more
