The Hacker Factor Blog: The Big Bulleted List of C2PA Issues
hackerfactor.com/blog/index.p...
I'm often asked if I have a list of C2PA problems. Yes, yes I do. Here's the current 27-page bulleted list. Any one of these issues should make companies reconsider any C2PA adoption plans and run away.
10.06.2025 16:44
Leopards! Faces!
11.05.2025 11:54
The Hacker Factor Blog: C2PA and Authentication Updates
hackerfactor.com/blog/index.p...
C2PA won't stop fake IDs, BBC made their bad example worse, Microsoft's validation service is offline, and Truepic's gives bad results. But good news: UMBC is formally evaluating C2PA, SEAL, and related tech.
18.04.2025 20:30
Safety in Numbers - The Hacker Factor Blog
The Hacker Factor Blog: Safety in Numbers
hackerfactor.com/blog/index.p...
Simple tips to stay safe online when attending a protest.
07.04.2025 17:02
Sign Here - The Hacker Factor Blog
The Hacker Factor Blog: Sign Here
hackerfactor.com/blog/index.p...
Don't trust signatures in PDF files. They are too easy to forge and alter.
12.03.2025 01:16
Crashing Arizona's C2PA Pilot - The Hacker Factor Blog
The Hacker Factor Blog: Crashing Arizona's C2PA Pilot
hackerfactor.com/blog/index.p...
The Arizona Secretary of State released a pilot program that demonstrates C2PA signing. Every example demonstrates how C2PA does NOT work.
03.03.2025 15:39
🧪 #StandForScience
15.02.2025 18:13
Wow. Definitely rewriting history.
15.02.2025 16:32
Happy Superb Owl day.
09.02.2025 21:41
ShmooCon and C2PA Forgeries - The Hacker Factor Blog
The Hacker Factor Blog: ShmooCon and C2PA Forgeries
www.hackerfactor.com/blog/index.p...
At ShmooCon, Microsoft presented on C2PA but didn't address any of the problems. To demonstrate the ineffectiveness of C2PA, I walk through step-by-step how to create an authenticated forgery.
03.02.2025 18:47
"Courts are adversaries"? I disagree. They are supposed to be impartial. It's up to the prosecution and defense to show evidence. Email can be used as evidence. What's the problem here?
11.01.2025 19:55
Wait... I don't get it. Doesn't publishing the old secret keys mean that someone (anyone) can backdate any email and make it appear as if it was sent? That's going to seriously impact legal cases that include email as evidence.
10.01.2025 18:39
Today, most spam is either from:
(A) A domain lacking both SPF and DKIM. (Many mail servers outright reject these emails.)
(B) A compromised mail server.
(C) A server that didn't authenticate/validate their users very well (KYC) and permits relaying spam.
10.01.2025 18:30
The caveat is that DKIM signs as the server, not the user. Any user who is allowed to use the server can get a valid DKIM signature. But that's the KYC problem.
10.01.2025 18:30
SPF and DKIM dramatically reduce spam.
SPF ensures that the sender is allowed to send.
DKIM prevents MitM alterations, IP hijacking, and ensures that the email really did come from the sender.
10.01.2025 18:30
Looking at my mail logs. Every single email that has invalid DKIM is spam. My DMARC emails regularly receive reports of unauthorized senders who failed the SPF and DKIM checks.
While DKIM isn't perfect, it dramatically reduces spam.
10.01.2025 18:24
Do Russian airplanes have balconies? "Accidentally" falling off balconies seems like the #1 cause of death in Russia. They should have better building regulations.
01.01.2025 03:22
Going by statistics of airplane vs car. You're less likely to be involved in an accident in an airplane. However, you are more likely to survive an accident in a car.
30.12.2024 18:02
Here's a link to the larger (readable) diagram. Very interesting! media.springernature.com/m2048/spring...?
27.11.2024 14:27
It's been 3 years. (That Starling Labs picture is from April 2021.) *None* of the issues demonstrated by that picture have been resolved today.
25.11.2024 20:23
I just noticed that @adamrose.bsky.social is the COO of Starling Labs. Starling Labs' C2PA demonstration authenticated a picture that had alterations and inconsistent metadata. What they did by accident can easily be used for intentional fraud.
hackerfactor.com/blog/index.p...
25.11.2024 19:06
Meta's Flimsy AI Watermarking Plan Won't Save Democracy
Watermarks are too easy to remove to offer any protection against disinformation
Sample external reviews:
spectrum.ieee.org/meta-ai-wate... Article says Meta's AI Watermarking, but talks about C2PA's approach. "Flimsy, at best".
www.technologyreview.com/2023/07/31/1... MIT Tech review says C2PA will "not stem the harm of machine-generated misinformation."
25.11.2024 18:57
SEAL is based on the publicly reviewed and widely adopted DKIM for securing email. There are few independent reviews of C2PA, and they are all negative -- C2PA does not provide validation. (My own blog repeatedly demonstrates weaknesses in the C2PA solution.)
25.11.2024 18:54
In response to a challenge by C2PA's chief architect to come up with a different solution, I created SEAL. SEAL provides a tamper-proof signature, authenticates the signer, and prevents signature impersonations. SEAL is also smaller, faster, and supports more file formats than C2PA.
25.11.2024 18:52
Hello Adam Rose and Bots Don't Cry,
I just saw this thread.
C2PA is an Adobe-centric solution that does not validate content, metadata, or signatures. Because it is based on "trust", it does nothing to prevent forgeries or false attribution.
25.11.2024 18:52
The Old Western
"The Garamond brothers are back and they're going after the Courier," declared Arielle.
"Don't worry," Roman replied. "The New Times reported that there's a new Serif in town."
25.11.2024 00:02
Signed and SEALed - The Hacker Factor Blog
The Hacker Factor Blog: Signed and SEALed
hackerfactor.com/blog/index.p...
SEAL can now digitally sign over two dozen different common file formats, including images, audio, video, and documents.
22.11.2024 17:28
Can you make sure it streams on Roku? Sometimes your tech folks forget...
22.11.2024 01:42
Thank you!
21.11.2024 23:05