Turkish Airlines_330

Can you tell if a picture is fake?

Click to see full image.

Click to see full image.

Internet is already full of digital images and more is added every day. Digital pictures have become a cheap way for journalists to tell a story and ordinary people upload tons of them to social media. It’s quicker and easier to snap a shot and upload than to describe where you are and what the place looks like.

Photographs have always been seen as some kind of proof. Like a captured piece of reality. We are however aware of the fact that photographs can be manipulated. Digital image processing has revolutionized this area and brought amazing new techniques to us. But image manipulation has actually been a known technique since photography was invented. It is amazing to see what a skilled person can do to traditional images in the darkroom. Not to mention the fact that you can lie a lot just by taking the picture in a certain way.

This article is about our relationship to the digital images on the net. There’s a lot of manipulated pictures out there, but are you able to recognize a fake? And are you even alert and aware that the picture may not be the full truth? We are all confronted with many pictures a day that aren’t completely real. Objects may be added or removed, or heavy retouching has been used to make models look better. Here’s some concrete hints about how to tell the fakes from the real ones.

  • In what context is the picture presented? Image manipulation is the norm in some contexts, like product and fashion photography, and some kinds of artistic photo. News agencies and nature photographers on the other hand have strict ethical rules against manipulation. First think about if manipulation is to be expected and if it should be accepted. Does it matter if the photo isn’t real?
  • Is the image realistic overall? Some manipulated images are so surrealistic that you can dismiss them as unreal at once, even if they are very well done technically. Ask yourself; can this be real? See the illustration to this article for an example.
  • Do you have access to several shots from the same scene? Are there discrepancies between them?
  • Are light and shadows similar between objects in the picture? Pay attention to which side is lighter, how hard the light seem to be and how the objects cast shadows. Needless to say, objects close to each other get the same light in real life. If they are illuminated differently, they may originate from different photos. Also pay attention to the environment. From what direction is the light supposed to come?
  • Is the perspective right? Getting this right is always a challenge when combining objects from different pictures. Just look at the shot and trust your gut feeling. Pictures with minor perspective errors do often feel wrong even if you can’t tell what the problem is.
  • Does the objects’ edges look right? A lot of work may go into the edges when putting something in front of a new background. They often give away the fake if they are done sloppily or with lacking skills. Pay special attention to people’s hair as that is hard to mask.
  • Image manipulation often requires filling areas to replace removed objects. Patterns that repeat in an unnatural way is a sure sign of sloppy cloning. Cloning can also be used to multiply an object, but several identical object do rarely look exactly identical in a real photo due to differences in perspective and lighting. It’s fishy if they look identical in a picture.
  • Is the color consistent? Do different parts of a human’s body have the same skin color? An object’s apparent color depends very much of the illumination’s color temperature. Do the different objects have a consistent color cast?
  • All digital capture devices leave some kind of structure in the picture. Most notable is the noise produced by digital cameras. You can check that this structure is constant over the whole picture if you have access to a fairly hi-resolution image. It’s futile to try this on small images from on-line news sites.
  • Metadata is data hidden inside the image files. One important piece of data is the software used to save the file. A camera model name would indicate no manipulation at all. Workflow programs like Adobe Lightroom and Apple Aperture are typically used to do moderate adjustments of images, but no real manipulation. The image may be heavily manipulated if it is saved by Photoshop. But this does on the other hand prove nothing as you can do minor adjustments is Photoshop too. Also remember that this data may be lacking or even forged.
  • Even if a picture is totally genuine, it may be misleading if presented in the wrong context. Like someone using a picture of somebody else for a dating site profile. Here Google Image search comes in handy. Click on the camera to the right in the search field to open “Search by image”. Upload a copy of the image or paste in a link to it on the net. Google will search for images that look the same regardless of what context they are published in. This can often reveal that the image was found on the net rather than taken by someone who has posted it as his own.

That’s a quick list of things that help you spot the fakes. Using these hints require some training, but you will soon start seeing the manipulations if you keep them in mind when looking at images. But is it possible to make a perfect fake that is undetectable? Yes, especially if a skilled artist can work on a high resolution image and the result is scaled down to be published on the web. That down-sampling can hide the signs of manipulation effectively and make the fake practically undetectable for laymen. Scientific analysis methods are more capable, but they are not available to us mortals. And they may also fail to detect good fakes.

So the moral of the story is really that a photo shouldn’t be trusted too much unless its background is known and we know what ethical principles the photographer and publisher adhere to. News agencies typically pay attention to this and promise us authentic news pictures. These pictures are typically trustworthy, even if scandals do occur.

Safe surfing,Micke

PS. This funny video is one of my favorites on YouTube.

More posts from this topic


Why Cameron hates WhatsApp so much

It’s a well-known fact that UK’s Prime Minister David Cameron doesn’t care much about peoples’ privacy. Recently he has been driving the so called Snooper’s Charter that would give authorities expanded surveillance powers, which got additional fuel from the Paris attacks. It is said that terrorists want to tear down the Western society and lifestyle. And Cameron definitively puts himself in the same camp with statements like this: “In our country, do we want to allow a means of communication between people which we cannot read? No, we must not.” David Cameron Note that he didn’t say terrorists, he said people. Kudos for the honesty. It’s a fact that terrorist blend in with the rest of the population and any attempt to weaken their security affects all of us. And it should be a no-brainer that a nation where the government can listen in on everybody is bad, at least if you have read Orwell’s Nineteen Eighty-Four. But why does WhatsApp occur over and over as an example of something that gives the snoops grey hair? It’s a mainstream instant messenger app that wasn’t built for security. There are also similar apps that focus on security and privacy, like Telegram, Signal and Wickr. Why isn’t Cameron raging about them? The answer is both simple and very significant. But it may not be obvious at fist. Internet was by default insecure and you had to use tools to fix that. The pre-Snowden era was the golden age for agencies tapping into the Internet backbone. Everything was open and unencrypted, except the really interesting stuff. Encryption itself became a signal that someone was of interest, and the authorities could use other means to find out what that person was up to. More and more encryption is being built in by default now when we, thanks to Snowden, know the real state of things. A secured connection between client and server is becoming the norm for communication services. And many services are deploying end-to-end encryption. That means that messages are secured and opened by the communicating devices, not by the servers. Stuff stored on the servers are thus also safe from snoops. So yes, people with Cameron’s mindset have a real problem here. Correctly implemented end-to-end encryption can be next to impossible to break. But there’s still one important thing that tapping the wire can reveal. That’s what communication tool you are using, and this is the important point. WhatsApp is a mainstream messenger with security. Telegram, Signal and Wickr are security messengers used by only a small group people with special needs. Traffic from both WhatsApp and Signal, for example, are encrypted. But the fact that you are using Signal is the important point. You stick out, just like encryption-users before. WhatsApp is the prime target of Cameron’s wrath mainly because it is showing us how security will be implemented in the future. We are quickly moving towards a net where security is built in. Everyone will get decent security by default and minding your security will not make you a suspect anymore. And that’s great! We all need protection in a world with escalating cyber criminality. WhatsApp is by no means a perfect security solution. The implementation of end-to-end encryption started in late 2014 and is still far from complete. The handling of metadata about users and communication is not very secure. And there are tricks the wire-snoops can use to map peoples’ network of contacts. So check it out thoroughly before you start using it for really hot stuff. But they seem to be on the path to become something unique. Among the first communication solutions that are easy to use, popular and secure by default. Apple's iMessage is another example. So easy that many are using it without knowing it, when they think they are sending SMS-messages. But iMessage’s security is unfortunately not flawless either.   Safe surfing, Micke   PS. Yes, weakening security IS a bad idea. An excellent example is the TSA luggage locks, that have a master key that *used to be* secret.   Image by Sam Azgor

November 26, 2015
Secure Wordpress site, mobile blogging, tablet by the bay

This is why you need to protect your WordPress username and password

If you run a Wordpress site, you know that criminals around the world would love to use it to spread malware. Last month, F-Secure Labs spike in "Flash redirectors" that automatically redirect the visitor to a site with the goal of infecting them with malware, in this case the Angler exploit kit. The source was compromised websites -- specifically Wordpress sites. This isn't a new find for the Labs but what is unique is one of the tactics of the attack -- seeking out Wordpress usernames. Why? "After obtaining the username, the only thing that the attacker would need to figure out is the password," Patricia from The Labs explains. "The tool used by the attacker attempted around 1200 passwords before it was able to successfully login." If you happen to have one of those passwords, bam. You site is serving up malware, which is not only harmful to your visitors, it can cost you tons of traffic as Google delists you. Keeping your server and plugins up to date is essential for avoiding most attacks. Beyond that, this attack points to the need to both protect your Wordpress username AND always use a unique, strong password. "Furthermore, in order to defend against this kind of WordPress attack, you should not use a WordPress admin account for publishing anything," Patricia notes. You can also protect your server from enumeration attacks that discover the usernames of your bloggers. To see how to do that, visit our News from the Labs blog. It's pretty amazing what people can figure out about you with just your login and password. But when you're running a website, which can be part or all of your livelihood, the only way to keep from handing criminals the key to your front door is to make sure your password can't be figured out by anyone but you. And turn on two-step authentication if you haven't already. Cheers, Jason

November 26, 2015

POLL – Is it OK for security products to collect data from your device?

We have a dilemma, and maybe you want to help us. I have written a lot about privacy and the trust relationship between users and software vendors. Users must trust the vendor to not misuse data that the software handles, but they have very poor abilities to base that trust on any facts. The vendor’s reputation is usually the most tangible thing available. Vendors can be split into two camps based on their business model. The providers of “free” services, like Facebook and Google, must collect comprehensive data about the users to be able to run targeted marketing. The other camp, where we at F-Secure are, sells products that you pay money for. This camp does not have the need to profile users, so the privacy-threats should be smaller. But is that the whole picture? No, not really. Vendors of paid products do not have the need to profile users for marketing. But there is still a lot of data on customers’ devices that may be relevant. The devices’ technical configuration is of course relevant when prioritizing maintenance. And knowing what features actually are used helps plan future releases. And we in the security field have additional interests. The prevalence of both clean and malicious files is important, as well as patterns related to malicious attacks. Just to name a few things. One of our primary goals is to guard your privacy. But we could on the other hand benefit from data on your device. Or to be precise, you could benefit from letting us use that data as it contributes to better protection overall. So that’s our dilemma. How to utilize this data in a way that won’t put your privacy in jeopardy? And how to maintain trust? How to convince you that data we collect really is used to improve your protection? Our policy for this is outlined here, and the anti-malware product’s data transfer is documented in detail in this document. In short, we only upload data necessary to produce the service, we focus on technical data and won’t take personal data, we use hashing of the data when feasible and we anonymize data so we can’t tell whom it came from. The trend is clearly towards lighter devices that rely more on cloud services. Our answer to that is Security Cloud. It enables devices to off-load tasks to the cloud and benefit from data collected from the whole community. But to keep up with the threats we must develop Security Cloud constantly. And that also means that we will need more info about what happens on your device. That’s why I would like to check what your opinion about data upload is. How do you feel about Security Cloud using data from your device to improve the overall security for all users? Do you trust us when we say that we apply strict rules to the data upload to guard your privacy?   [polldaddy poll=9196371]   Safe surfing, Micke   Image by balticservers.com  

November 24, 2015