C2PA and Untrusted Certificates
The Hacker Factor Blog
by Dr. Neal Krawetz
2w ago
In the spring of 1989, over a million people gathered in Tiananmen Square to protest poor sanitation conditions. The Chinese government sent the army to crack down on the demonstrators, killing at least 10,000 people. The death toll could have been higher, if it were not for one man. Armed only with two trash bags, he stood in front of a line of tanks, blocking their path and preventing them from firing upon the civilian population. Is this a fictionalized account of the real Tiananmen Square massacre? Maybe, but there are photos! This picture includes a cryptographic, tamper resistant sign ..read more
Perceptual Searches and Applied Heuristics
The Hacker Factor Blog
by Dr. Neal Krawetz
1M ago
I've been seeing a steady increase in new search-by-image (perceptual search) systems. Much of this work is related to the image provenance problem: find the original version. I've seen a variety of new search technologies, including four new approaches this year. Some identify variations of the same picture, while others can identify instances of the same objects. A Perceptive Eye Different perceptual search engines serve different purposes. I often find myself using a combination of Google Image, Bing Image Search, and TinEye to track down variations of pictures and related information. I a ..read more
On The Button
The Hacker Factor Blog
by Dr. Neal Krawetz
1M ago
Maybe I'm getting older and losing my hearing, or maybe The Boss is getting quieter. Either way, when I'm in my office, I can't hear her calling "Neal!" So... I got her a bell. She can pick up the bell and ring it to get my attention. The problem is, either she's ringing it really quietly or I'm really deaf, because I can't hear the bell when I'm in the office. (Since The Boss complains that the bell is really loud, I think it's more "someone quietly ringing the bell" than my hearing.) I know a few (elderly) people who have intercom systems in their homes. Seriously, honest-to-god hard-wired ..read more
Problems with C2PA and LinkedIn
The Hacker Factor Blog
by Dr. Neal Krawetz
1M ago
When writing about C2PA problems, I often receive feedback from people who are shocked and disturbed at how weak and ineffective the C2PA solution is. At the same time, these same people often feel peer pressure to support C2PA or are under the belief that these issues can be "patched". On this "wait for the patch" mentality, I want to be explicit: No, there are no simple fixes or easy upgrades to mitigate these critical problems within the C2PA architecture. Implementation Defects There are different types of software defects. The first kind are programmatic mistakes or bugs. Maybe the progr ..read more
Potato Potahto
The Hacker Factor Blog
by Dr. Neal Krawetz
2M ago
For the last few years, I've been fielding a steady flow of questions at FotoForensics from students who want to create AI-based analyzers. Each time, they say they want to use deep-learning to determine if a picture is real or fake. Unfortunately, I tell each of them the same thing: photo analysis is an incredibly difficult topic. Outside of extremely niche uses, there will be little or no accuracy. While I wish them well, simply training on a bunch of ELA images, or parsing a lot of metadata, isn't going to result in a good detector. The main limiting factor is the context. You need to under ..read more
It's not like the movies
The Hacker Factor Blog
by Dr. Neal Krawetz
2M ago
Although there is a difference between reality and science fiction, people often compare our modern world to the futuristic scenes from movies and TV shows. Part of this may be because fiction is so much better at explaining technical problems than real experts. Other times it's because the science fiction authors act as visionaries; they explore and extrapolate about the potential impacts as technological advancements lead to changes in society. Note: This blog entry includes a lot of sci-fi spoilers for movies, TV shows, and a few books. The Future is AI I attend a bunch of social groups t ..read more
C2PA from the Attacker's Perspective
The Hacker Factor Blog
by Dr. Neal Krawetz
2M ago
In my previous blog entry, I mentioned an upcoming conference presentation. This week, I presented at the online IPTC Photo Metadata Conference 2024 on the "Metadata and Authenticity" panel. (Video! I begin about 15 minutes into the panel discussion.) It's hard to say everything you want to say when under pressure to keep your introduction short. This blog entry will elaborate on my brief presentation and share how I did a live demo for creating an authenticated forgery. Some of this blog entry won't be news to long-term readers. But after the summary about me and the general attack vectors ..read more
Upcoming IPTC Conference Presentation
The Hacker Factor Blog
by Dr. Neal Krawetz
2M ago
Every year, the International Press Telecommunications Council holds a few meetings with presentations. Last February, I was approached by them and asked if I wanted to be on a panel discussion about metadata and authenticity. I try to give a few presentations a year as a way to give back to the community. I suggested a range of topics that I could cover, and the IPTC representative chose the attacker's perspective: real world threats with real world examples. This includes detailing how attackers will use poorly-designed authentication technologies for furthering fraud, false attribution, fa ..read more
The Jitter Bug Part 2
The Hacker Factor Blog
by Dr. Neal Krawetz
3M ago
Last February, I wrote about a really bad bug that was randomly crashing my CPUs. With a virtual machine (VM) environment, if one CPU crashes then the VM can continue running while crippled. When the last CPU crashes, the VM is dead and needs to be restarted. This had been going on for nearly a year. I ended up building a huge monitoring infrastructure that could notify me when a problem developed. While it tried to catch the root cause, it only got close enough to narrow down the cause. At the time, I had found one thing that could consistently trigger the problem: fwupd, the firmware updat ..read more
VIDA: The Simple Life
The Hacker Factor Blog
by Dr. Neal Krawetz
3M ago
At the end of last year (13-Dec-2023, following my blog entry on "C2PA's Butterfly Effect"), I was asked to be in a call with the Coalition for Content Provenance and Authenticity (C2PA) and their supporting organization, the Content Authenticity Initiative (CAI). Leadership, management, and developers from C2PA and CAI were present. 100% of the C2PA and CAI representatives came from Adobe, while I showed up with one of my associates, Shawn. Shawn and I detailed the problems with C2PA's specification, discussed vulnerabilities, and went over the high-level implications from releasing a flawed ..read more