hackerfactor.bsky.social
@hackerfactor.bsky.social
Computer security specialist, forensic researcher, and founder of FotoForensics. Sleep is not necessary.
Leopards! Faces!
May 11, 2025 at 11:54 AM
Wow. Definitely rewriting history.
February 15, 2025 at 4:32 PM
"Courts are adversaries"? I disagree. They are supposed to be impartial. It's up to the prosecution and defense to show evidence. Email can be used as evidence. What's the problem here?
January 11, 2025 at 7:55 PM
Wait... I don't get it. Doesn't publishing the old secret keys mean that someone (anyone) can backdate any email and make it appear as if it was sent? That's going to seriously impact legal cases that include email as evidence.
January 10, 2025 at 6:39 PM
Today, most spam is either from:
(A) A domain lacking both SPF and DKIM. (Many mail servers outright reject these emails.)
(B) A compromised mail server.
(C) A server that didn't authenticate/validate their users very well (KYC) and permits relaying spam.
January 10, 2025 at 6:30 PM
The caveat is that DKIM signs as the server, not the user. Any user who is allowed to use the server can get a valid DKIM signature. But that's the KYC problem.
January 10, 2025 at 6:30 PM
SPF and DKIM dramatically reduce spam.
SPF ensures that the sender is allowed to send.
DKIM prevents MitM alterations, IP hijacking, and ensures that the email really did come from the sender.
January 10, 2025 at 6:30 PM
Looking at my mail logs. Every single email that has invalid DKIM is spam. My DMARC emails regularly receive reports of unauthorized senders who failed the SPF and DKIM checks.

While DKIM isn't perfect, it dramatically reduces spam.
January 10, 2025 at 6:24 PM
Do Russian airplanes have balconies? "Accidentally" falling off balconies seems like the #1 cause of death in Russia. They should have better building regulations.
January 1, 2025 at 3:21 AM
Going by statistics of airplane vs car. You're less likely to be involved in an accident in an airplane. However, you are more likely to survive an accident in a car.
December 30, 2024 at 6:02 PM
Here's a link to the larger (readable) diagram. Very interesting! media.springernature.com/m2048/spring...?
November 27, 2024 at 2:27 PM
It's been 3 years. (That Starling Labs picture is from April 2021.) *None* of the issues demonstrated by that picture have been resolved today.
November 25, 2024 at 8:23 PM
I just noticed that @adamrose.bsky.social is the COO of Starling Labs. Starling Labs' C2PA demonstration authenticated a picture that had alterations and inconsistent metadata. What they did by accident can easily be used for intentional fraud.
hackerfactor.com/blog/index.p...
November 25, 2024 at 7:06 PM
More reviews:
hackaday.com/2023/11/30/f.... Hackaday describes how to use Adobe's C2PA solution to create authenticated forgeries.
Falsified Photos: Fooling Adobe’s Cryptographically-Signed Metadata
Last week, we wrote about the Leica M11-P, the world’s first camera with Adobe’s Content Authenticity Initiative (CAI) credentials baked into every shot. Essentially, each file is signe…
November 25, 2024 at 6:59 PM
Sample external reviews:
spectrum.ieee.org/meta-ai-wate... Article says Meta's AI Watermarking, but talks about C2PA's approach. "Flimsy, at best".

www.technologyreview.com/2023/07/31/1... MIT Tech review says C2PA will "not stem the harm of machine-generated misinformation."
Meta's Flimsy AI Watermarking Plan Won’t Save Democracy
Watermarks are too easy to remove to offer any protection against disinformation
November 25, 2024 at 6:57 PM
SEAL is based on the publicly reviewed and widely adopted DKIM for securing email. There are few independent reviews of C2PA, and they are all negative -- C2PA does not provide validation. (My own blog repeatedly demonstrates weaknesses in the C2PA solution.)
November 25, 2024 at 6:54 PM
In response to a challenge by C2PA's chief architect to come up with a different solution, I created SEAL. SEAL provides a tamper-proof signature, authenticates the signer, and prevents signature impersonations. SEAL is also smaller, faster, and supports more file formats than C2PA.
November 25, 2024 at 6:52 PM