The White House wants to ‘cryptographically verify’ videos of Joe Biden so viewers don’t mistake them for AI deepfakes::Biden’s AI advisor Ben Buchanan said a method of clearly verifying White House releases is “in the works.”

  • CyberSeeker@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    178
    ·
    10 months ago

    Digital signature as a means of non repudiation is exactly the way this should be done. Any official docs or releases should be signed and easily verifiable by any public official.

    • mods_are_assholes@lemmy.world
      link
      fedilink
      English
      arrow-up
      83
      ·
      10 months ago

      Maybe deepfakes are enough of a scare that this becomes standard practice, and protects encryption from getting government backdoors.

        • mods_are_assholes@lemmy.world
          link
          fedilink
          English
          arrow-up
          22
          ·
          10 months ago

          Hey, congresscritters didn’t give a shit about robocalls till they were the ones getting robocalled.

          We had a do not call list within a year and a half.

          That’s the secret, make it affect them personally.

          • Daft_ish@lemmy.world
            link
            fedilink
            English
            arrow-up
            3
            ·
            10 months ago

            Doesn’t that prove that government officials lack empathy? We see it again and again but still we keep putting these unfeeling bastards in charge.

            • mods_are_assholes@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              ·
              10 months ago

              Well sociopaths are really good at navigating power hierarchies and I’m not sure there is an ethical way of keeping them from holding office.

              • Natanael@slrpnk.net
                link
                fedilink
                English
                arrow-up
                1
                ·
                9 months ago

                It really depends on their motivation. The ones we need to keep out are the ones who enjoy hurting others or don’t care at all.

    • Otter@lemmy.ca
      link
      fedilink
      English
      arrow-up
      17
      ·
      10 months ago

      Would someone have a high level overview or ELI5 of what this would look like, especially for the average user. Would we need special apps to verify it? How would it work for stuff posted to social media

      linking an article is also ok :)

      • AbouBenAdhem@lemmy.world
        link
        fedilink
        English
        arrow-up
        24
        ·
        edit-2
        10 months ago

        Depending on the implementation, there are two cryptographic functions that might be used (perhaps in conjunction):

        • Cryptographic hash: An arbitrary amount of data (like a video file) is used to create a “hash”—a shorter, (effectively) unique text string. Anyone can run the file through the same function to see if it produces the same hash; if even a single bit of the file is changed, the hash will be completely different and you’ll know the data was altered.

        • Public key cryptography: A pair of keys are created, one of which can only encrypt data (but can’t decrypt its own output), and the other, “public” key can only decrypt data that was encrypted by the first key. Users (like the White House) can post their public key on their website; then if a subsequent message purporting to come from that user can be decrypted using their public key, it proves it came from them.

        • Serinus@lemmy.world
          link
          fedilink
          English
          arrow-up
          9
          ·
          10 months ago

          a shorter, (effectively) unique text string

          A note on this. There are other videos that will hash to the same value as a legitimate video. Finding one that is coherent is extraordinarily difficult. Maybe a state actor could do it?

          But for practical purposes, it’ll do the job. Hell, if a doctored video with the same hash comes out, the White House could just say no, we punished this one, and that alone would be remarkable.

          • AbouBenAdhem@lemmy.world
            link
            fedilink
            English
            arrow-up
            8
            ·
            edit-2
            9 months ago

            Finding one that is coherent is extraordinarily difficult.

            You’d need to find one that was not just coherent, but that looked convincing and differed in a way that was useful to you—and that likely wouldn’t be guaranteed, even theoretically.

            • Natanael@slrpnk.net
              link
              fedilink
              English
              arrow-up
              2
              ·
              9 months ago

              Pigeon hole principle says it does for any file substantially longer than the hash value length, but it’s going to be hard to find

            • ReveredOxygen@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              1
              arrow-down
              1
              ·
              9 months ago

              Even for a 4096 bit hash (which isn’t used afaik, usually only 1024 bit is used (but this could be outdated)), you only need to change 4096 bits on average. Even for a still 1080p image, that’s 1920x1080 pixels. If you change the least significant bit of each color channel, you get 6,220,800 bits you can change within anyone noticing. That means on average there are 1,518 identical-looking variations of any image with a given 4096 bit hash, on average. This goes down a lot when you factor in compression: those least significant bits aren’t going to stay the same. But using a video brings it up by orders of magnitude: rather than one image, you can tweak colors in every frame The difficulty doesn’t come from the existence, it comes because you need to check 2⁵¹² = 10¹⁵⁴ different images to guarantee you’ll find a match. Hash functions are designed to take a while to compute, so you’d have to run a supercomputer for an extremely long time to brute force a hash collision

              • Natanael@slrpnk.net
                link
                fedilink
                English
                arrow-up
                1
                ·
                9 months ago

                Most hash functions are 256 bit (they’re symmetric functions, they don’t need more in most cases).

                There are arbitrary length functions (called XOF instead of hash) which built similarly (used when you need to generate longer random looking outputs).

                Other than that, yeah, math shows you don’t need to change more data in the file than the length of the hash function internal state or output length (whichever is less) to create a collision. The reason they’re still secure is because it’s still extremely difficult to reverse the function or bruteforce 2^256 possible inputs.

                • ReveredOxygen@sh.itjust.works
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  9 months ago

                  Yeah I was using a high length at first because even if you overestimate, that’s still a lot. I did 512 for the second because I don’t know a ton about cryptography but that’s the largest SHA output

          • CyberSeeker@discuss.tchncs.de
            link
            fedilink
            English
            arrow-up
            5
            arrow-down
            2
            ·
            10 months ago

            There are other videos that will hash to the same value

            This concept is known as ‘collision’ in cryptography. While technically true for weaker key sizes, there are entire fields of mathematics dedicated to probably ensuring collisions are cosmically unlikely. MD5 and SHA-1 have a small enough key space for collisions to be intentionally generated in a reasonable timeframe, which is why they have been deprecated for several years.

            To my knowledge, SHA-2 with sufficiently large key size (2048) is still okay within the scope of modern computing, but beyond that, you’ll want to use Dilithium or Kyber CRYSTALS for quantum resistance.

            • Natanael@slrpnk.net
              link
              fedilink
              English
              arrow-up
              3
              ·
              9 months ago

              SHA family and MD5 do not have keys. SHA1 and MD5 are insecure due to structural weaknesses in the algorithm.

              Also, 2048 bits apply to RSA asymmetric keypairs, but SHA1 is 160 bits with similarly sized internal state and SHA256 is as the name says 256 bits.

              ECC is a public key algorithm which can have 256 bit keys.

              Dilithium is indeed a post quantum digital signature algorithm, which would replace ECC and RSA. But you’d use it WITH a SHA256 hash (or SHA3).

      • AtHeartEngineer@lemmy.world
        link
        fedilink
        English
        arrow-up
        12
        ·
        10 months ago

        The best way this could be handled is a green check mark near the video that you could click on it and it would give you all the meta data of the video (location, time, source, etc) with a digital signature (what would look like a random string of text) that you could click on and your browser would show you the chain of trust, where the signature came from, that it’s valid, probably the manufacturer of the equipment it was recorded on, etc.

        • wizardbeard@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          4
          ·
          10 months ago

          The issue is making that green check mark hard to fake for bad actors. Https works because it is verified by the browser itself, outside the display area of the page. Unless all sites begin relying on a media player packed into the browser itself, if the verification even appears to be part of the webpage, it could be faked.

          • brbposting@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            4
            ·
            10 months ago

            Hope verification gets built in to operating systems as compromised applications present a risk too.

            But I’m sure a crook would build a MAGA Verifier since you can’t trust liberal Apple/Microsoft technology.

          • dejected_warp_core@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            edit-2
            9 months ago

            The only thing that comes to mind is something that forces interactivity outside the browser display area; out of the reach of Javascript and CSS. Something that would work for both mobile and desktop would be a toolbar icon that is a target for drag-and-drop. Drag the movie or image to the “verify this” target, and you get a dialogue or notification outside the display area. As a bonus, it can double for verifying TLS on hyperlinks while we’re at it.

            Edit: a toolbar icon that’s draggable to the image/movie/link should also work the same. Probably easier for mobile users too.

            • Natanael@slrpnk.net
              link
              fedilink
              English
              arrow-up
              2
              ·
              edit-2
              9 months ago

              If you set the download manager icon in the browser as permanently visible, then dragging it there could trigger the verification to also run if the metadata is detected, and to then also show whichever metadata it could verify.

        • Natanael@slrpnk.net
          link
          fedilink
          English
          arrow-up
          2
          ·
          9 months ago

          Do not show a checkmark by default! This is why cryptographers kept telling browsers to de-emphasize the lock icon on TLS (HTTPS) websites. You want to display the claimed author and if you’re able to verify keypair authenticity too or not.

          • AtHeartEngineer@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            9 months ago

            Fair point, I agree with this. There should probably be another icon in the browser that shows if all, some, or none of the media on a page has signatures that can be validated. Though that gets messy as well, because what is “media”? Things can be displayed in a web canvas or SVG that appears to be a regular image, when in reality it’s rendered on the fly.

            Security and cryptography UX is hard. Good point, thanks for bringing that up! Btw, this is kind of my field.

            • Natanael@slrpnk.net
              link
              fedilink
              English
              arrow-up
              1
              ·
              9 months ago

              I run /r/crypto at reddit (not so active these days due to needing to keep it locked because of spam bots, but it’s not dead yet), usability issues like this are way too common

              • AtHeartEngineer@lemmy.world
                link
                fedilink
                English
                arrow-up
                1
                ·
                9 months ago

                I ran /r/cryptotechnology for years, and am good friends with the /r/cc mods. Reddit is a mess though, especially in the crypto areas.

      • Pup Biru@aussie.zone
        link
        fedilink
        English
        arrow-up
        8
        arrow-down
        2
        ·
        edit-2
        10 months ago

        it would potentially be associated with a law that states that you must not misrepresent a “verified” UI element like a check mark etc, and whilst they could technically add a verified mark wherever they like, the law would prevent that - at least for US companies

        it may work in the same way as hardware certifications - i believe that HDMI has a certification standard that cables and devices must be manufactured to certain specifications to bear the HDMI logo, and the HDMI logo is trademarked so using it without permission is illegal… it doesn’t stop cheap knock offs, but it means if you buy things in stores in most US-aligned countries that bear the HDMI mark, they’re going to work

        • Kairos@lemmy.today
          link
          fedilink
          English
          arrow-up
          8
          ·
          edit-2
          10 months ago

          There’s already some kind of legal structure for what you’re talking about: trademark. It’s called “I’m Joe Biden and I approve this message.”

          If you’re talking about HDCP you can break that with an HDMI splitter so IDK.

          • Captain Aggravated@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            8
            ·
            10 months ago

            Relying on trademark law to combat deepfake disinformation campaigns has the same energy as “Murder is already illegal, we don’t need gun control.”

          • Pup Biru@aussie.zone
            link
            fedilink
            English
            arrow-up
            4
            ·
            edit-2
            10 months ago

            TLDR: trademark law yes, combined with a cryptographic signature in the video metadata… if a platform sees and verifies the signature, they are required to put the verified logo prominently around the video

            i’m not talking about HDCP no. i’m talking about the certification process for HDMI, USB, etc

            (random site that i know nothing about): https://www.pacroban.com/en-au/blogs/news/hdmi-certifications-what-they-mean-and-why-they-matter

            you’re right; that’s trademark law. basically you’re only allowed to put the HDMI logo on products that are certified as HDMI compatible, which has specifications on the manufacturing quality of cables etc

            in this case, you’d only be able to put the verified logo next to videos that are cryptographically signed in the metadata as originating from the whitehouse (or probably better, some federal election authority who signs any campaign videos as certified/legitimate: in australia we have the AEC - australian electoral commission - a federal body that runs our federal elections and investigations election issues, etc)

            now this of course wouldn’t work for sites outside of US control, but it would at least slow the flow of deepfakes on facebook, instagram, tiktok, the platform formerly known as twitter… assuming they implemented it, and assuming the govt enforced it

            • brbposting@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              1
              ·
              10 months ago

              Once an original video is cryptographically signed, could future uploads be automatically verified based on pixels plus audio? Could allow for commentary to clip the original.

              Might need some kind of minimum length restriction to prevent deceptive editing which simply (but carefully) scrambles original footage.

              • Pup Biru@aussie.zone
                link
                fedilink
                English
                arrow-up
                3
                ·
                10 months ago

                not really… signing is only possible on exact copies (like byte exact; not even “the same image” but the same image, formatted the same, without being resized, etc)… there are things called perceptual hashes, and ways of checking if images are similar, but cryptography wouldn’t really help there

      • General_Effort@lemmy.world
        link
        fedilink
        English
        arrow-up
        5
        ·
        edit-2
        10 months ago

        For the average end-user, it would look like “https”. You would not have to know anything about the technical background. Your browser or other media player would display a little icon showing that the media is verified by some trusted institution and you could learn more with a click.

        In practice, I see some challenges. You could already go to the source via https, EG whitehouse.gov, and verify it that way. An additional benefit exists only if you can verify media that have been re-uploaded elsewhere. Now the user needs to check that the media was not just signed by someone (EG whitehouse.gov. ru), but if it was really signed by the right institution.

        • TheKingBee@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          ·
          10 months ago

          As someone points out above, this just gives them the power to not authenticate real videos that make them look bad…

          • General_Effort@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            10 months ago

            Videos by third parties, like Trump’s pussy grabber clip, would obviously have to be signed by them. After having thought about it, I believe this is a non-starter.

            It just won’t be as good as https. Such a signing scheme only makes sense if the media is shared away from the original website. That means you can’t just take a quick look at the address bar to make sure you are not getting phished. That doesn’t work if it could be any news agency. You have to make sure that the signer is really a trusted agency and not some scammy lookalike. That takes too much care for casual use, which defeats the purpose.

            Also, news agencies don’t have much of an incentive to allow sharing their media. Any cryptographic signature would only make sense for them if directs users to their site, where they can make money. Maybe the potential for more clicks - basically a kind of clickable watermark on media - could make this take off.

          • dejected_warp_core@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            9 months ago

            I honestly feel strategies like this should be mitigated by technically savvy journalism, or even citizen journalism. 3rd parties can sign and redistribute media in the public domain, vouching for their origin. While that doesn’t cover all the unsigned copies in existence, it provides a foothold for more sophisticated verification mechanisms like a “tineye” style search for media origin.

      • Starbuck@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        10 months ago

        Adobe is actually one of the leading actors in this field, take a look at the Content Authenticity Initiative (https://contentauthenticity.org/)

        Like the other person said, it’s based on cryptographic hashing and signing. Basically the standard would embed metadata into the image.

      • Cocodapuf@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        9 months ago

        It needs some kind of handler, but we mostly have those in place. A web browser could be the handler for instance. A web browser has the green dot on the upper left, telling you a page is secure, that https is on and valid. This could work like that, the browser can verify the video and display a green or red dot in the corner, the user could just mouse over it/tap on it to see who it’s verified to be from. But it’s up to the user to mouse over it and check if it says whitehouse.gov or dr-evil-mwahahaha.biz

      • Ð Greıt Þu̇mpkin@lemm.ee
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        2
        ·
        10 months ago

        Probably you’d notice a bit of extra time posting for the signature to be added, but that’s about it, the responsibility for verifying the signature would fall to the owners of the social media site and in the circumstances where someone asks for a verification, basically imagine it as a libel case on fast forward, you file a claim saying “I never said that”, they check signatures, they shrug and press the delete button and erase the post, crossposts, and if it’s really good screencap posts and those crossposts of the thing you did not say but is still being attributed falsely to your account or person.

        It basically gives absolute control of a person’s own image and voice to themself, unless a piece of media is provable to have been made with that person’s consent, or by that person themself, it can be wiped from the internet no trouble.

        Where it comes to second party posters, news agencies and such, it’d be more complicated but more or less the same, with the added step that a news agency may be required to provide some supporting evidence that what they said is not some kind of misrepresentation or such as the offended party filing the takedown might be trying to insist for the sake of their public image.

        Of course there could still be a YouTube “Stats for Nerds”-esque addin to the options tab on a given post that allows you to sign-check it against the account it’s attributing something to, and a verified account system could be developed that adds a layer of signing that specifically identifies a published account, like say for prominent news reporters/politicians/cultural leaders/celebrities, that get into their own feed so you can look at them or not depending on how ya be feelin’ that particular scroll session.

      • dejected_warp_core@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        9 months ago

        TL;DR: one day the user will see an overlay or notification that shows an image/movie is verified as from a known source. No extra software required.

        Honestly, I can see this working great in future web browsers. Much like the padlock in the URL bar, we could see something on images that are verified. The image could display a padlock in the lower-left corner or something, along with the name of the source, demonstrating that it’s a securely verified asset. “Normal” images would be unaffected. The big problem is how to put something on the page that cannot be faked by other means.

        It’s a little more complicated for software like phone apps for X or Facebook, but doable. The problem is that those products must choose to add this feature. Hopefully, losing reputation to being swamped with unverifiable media will be motivation enough to do so.

        The underlying verification process is complex, but should be similar to existing technology (e.g. GPG). The key is that images and movies typically contain a “scratch pad” area in the file for miscellaneous stuff (metadata). This is where the image’s author can add a cryptographic signature for the file itself. The user would never even know it’s there.

    • Pup Biru@aussie.zone
      link
      fedilink
      English
      arrow-up
      7
      ·
      10 months ago

      i wouldn’t say signature exactly, because that ensures that a video hasn’t been altered in any way: no re-encoded, resized, cropped, trimmed, etc… platforms almost always do some of these things to videos, even if it’s not noticeable to the end-user

      there are perceptual hashes, but i’m not sure if they work in a way that covers all those things or if they’re secure hashes. i would assume not

      perhaps platforms would read the metadata in a video for a signature and have to serve the video entirely unaltered if it’s there?

      • thantik@lemmy.world
        link
        fedilink
        English
        arrow-up
        11
        ·
        edit-2
        10 months ago

        You don’t need to bother with cryptographically verifying downstream videos, only the source video needs to be able to be cryptographically verified. That way you have an unedited, untampered cut that can be verified to be factually accurate to the broadcast.

        The White House could serve the video themselves if they so wanted to. Just use something similar to PGP for signature validation and voila. Studios can still do all the editing, cutting, etc - it shouldn’t be up to the end user to do the footwork on this, just for the studios to provide a kind of ‘chain of custody’ - they can point to the original verification video for anyone to compare to; in order to make sure alterations are things such as simple cuts, and not anything more than that.

        • Pup Biru@aussie.zone
          link
          fedilink
          English
          arrow-up
          4
          ·
          edit-2
          10 months ago

          you don’t even need to cryptographically verify in that case because you already have a trusted authority: the whitehouse… of the video is on the whitehouse website, it’s trusted with no cryptography needed

          the technical solutions only come into play when you’re trying to modify the video and still accurately show that it’s sourced from something verifiable

          heck you could even have a standard where if a video adds a signature to itself, editing software will add the signature of the original, a canonical immutable link to the file, and timestamps for any cuts to the video… that way you (and by you i mean anyone; likely hidden from the user) can load up a video and be able to link to the canonical version to verify

          in this case, verification using ML would actually be much easier because you (servers) just download the canonical video, cut it as per the metadata, and compare what’s there to what’s in the current video

      • AbouBenAdhem@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        10 months ago

        Rather that using a hash of the video data, you could just include within the video the timestamp of when it was originally posted, encrypted with the White House’s private key.

          • AbouBenAdhem@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            edit-2
            9 months ago

            It does if you can also verify the date of the file, because the modified file will be newer than the timestamp. An immutable record of when the file was first posted (on, say, YouTube) lets you verify which version is the source.

            • Natanael@slrpnk.net
              link
              fedilink
              English
              arrow-up
              1
              ·
              9 months ago

              No it does not because you can cut out the timestamp and put it into anything if the timestamp doesn’t encode anything about the frame contents.

              It is always possible to backdate file edits.

              Sure, public digital timestamping services exists, but most people will not check. Also once again, an older timestamp can simply be cut out of one file and posted into another file.

              You absolutely must embedd something which identifies what the media file is, which can be used to verify ALL of the contents with cryptographic signatures. This may additionally refer to a verifiable timestamp at some timestamping service.

      • Natanael@slrpnk.net
        link
        fedilink
        English
        arrow-up
        1
        ·
        9 months ago

        Apple’s scrapped on-device CSAM scanning was based on perceptual hashes.

        The first collision demo breaking them showed up in hours with images that looked glitched. After just a week the newest demos produced flawless images with collisions against known perceptual hash values.

        In theory you could create some ML-ish compact learning algorithm and use the compressed model as a perceptual hash, but I’m not convinced this can be secure enough unless it’s allowed to be large enough, as in some % of the original’s file size.

        • Pup Biru@aussie.zone
          link
          fedilink
          English
          arrow-up
          1
          ·
          9 months ago

          you can definitely produced perceptual hashes that collide, but really you’re not just talking about a collision, you’re talking about a collision that’s also useful in subverting an election, AND that’s been generated using ML which is something that’s still kinda shakey to start with

          • Natanael@slrpnk.net
            link
            fedilink
            English
            arrow-up
            1
            ·
            9 months ago

            Perceptual hash collision generators can take arbitrary images and tweak them in invisible ways to make them collide with whichever hash value you want.

            • Pup Biru@aussie.zone
              link
              fedilink
              English
              arrow-up
              1
              ·
              9 months ago

              from the comment above, it seems like it took a week for a single image/frame though… it’s possible sure but so is a collision in a regular hash function… at some point it just becomes too expensive to be worth it, AND the phash here isn’t being used as security because the security is that the original was posted on some source of truth site (eg the whitehouse)

              • Natanael@slrpnk.net
                link
                fedilink
                English
                arrow-up
                1
                ·
                9 months ago

                No, it took a week to refine the attack algorithm, the collision generation itself is fast

                The point of perceptual hashes is to let you check if two things are similar enough after transformations like scaling and reencoding, so you can’t rely on that here

                • Pup Biru@aussie.zone
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  9 months ago

                  oh yup that’s a very fair point then! you certainly wouldn’t use it for security in that case, however there are a lot of ways to implement this that don’t rely on the security of the hash function, but just uses it (for example) to point to somewhere in a trusted source to manually validate that they’re the same

                  we already have the trust frameworks; that’s unnecessary… we just need to automatically validate (or at least provide automatic verifyability) that a video posted on some 3rd party - probably friendly or at least cooperative - platform represents reality

  • ryannathans@aussie.zone
    link
    fedilink
    English
    arrow-up
    80
    arrow-down
    1
    ·
    10 months ago

    I have said for years all media that needs to be verifiable needs to be signed. Gpg signing lets gooo

    • NateNate60@lemmy.world
      link
      fedilink
      English
      arrow-up
      37
      arrow-down
      1
      ·
      10 months ago

      Very few people understand why a GPG signature is reliable or how to check it. Malicious actors will add a “GPG Signed” watermark to their fake videos and call it a day, and 90% of victims will believe it.

        • NateNate60@lemmy.world
          link
          fedilink
          English
          arrow-up
          11
          ·
          10 months ago

          No, it’s not. People don’t use VLC to watch misinformation videos. They see it on Reddit, Facebook, YouTube, or TikTok.

        • TheKingBee@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          10 months ago

          And that will in no way be the first step on the road to VLC deciding which videos it allows you to play…

      • Ð Greıt Þu̇mpkin@lemm.ee
        link
        fedilink
        English
        arrow-up
        5
        arrow-down
        1
        ·
        10 months ago

        Yeah but all it takes is proving it doesn’t have the right signature and you can make the Social Media corpo take every piece of media with that signature just for that alone.

        What’s even better is that you can attack entities that try to maliciously let people get away with misusing their look and fake being signed for failing to defend their IP, basically declaring you intend to take them to court to Public Domainify literally everything that makes them any money at all.

        If billionaires were willing to allow disinformation as a service then they wouldn’t have gone to war against news as a service to make it profitable to begin with.

    • Captain Aggravated@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      23
      arrow-down
      1
      ·
      10 months ago

      I just mentioned this in another comment tonight; cryptographic verification has existed for years but basically no one has adopted it for anything. Some people still seem to think pasting an image of your handwriting on a document is “signing” a document somehow.

      • wizardbeard@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        4
        ·
        10 months ago

        It doesn’t help that in a lot of cases, this is actually accepted by a shit ton of important institutions that should be better, but aren’t.

          • ryannathans@aussie.zone
            link
            fedilink
            English
            arrow-up
            1
            ·
            10 months ago

            It’s automated in all mainstream email clients, you don’t even have to think about it if a contact has it set up

            • NateNate60@lemmy.world
              link
              fedilink
              English
              arrow-up
              3
              ·
              edit-2
              9 months ago

              if a contact has it set up

              Well, there’s your problem.

              The most commonly-used mail client in the world is the Gmail web client which does not support it. Uploading your PGP key to Gmail and having them store it server-side for use in a webmail client is obviously problematic from a security standpoint. Number 2 I would guess is Outlook, which appears also not to support it. For most people, I don’t think they understand the value of cryptographically signing emails and going through the hassle of generating and publishing their PGP keys, especially since Windows has no built-in easy application for generating and managing such keys.

              There’s also the case that for most people, signing their emails provides absolutely no immediate benefit to them.

    • bionicjoey@lemmy.ca
      link
      fedilink
      English
      arrow-up
      2
      ·
      10 months ago

      The average Joe won’t know what any of what you just said means. Hell, the Joe in the OP doesn’t know what any of you just said means. There’s no way (IMO) of simultaneously creating a cryptographic assurance and having it be accessible to the layman.

      • NateNate60@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        9 months ago

        There is, but only if you can implement a layer of abstraction and get them to trust that layer of abstraction.

        Few laymen understand why Bitcoin is secure. They just trust that their wallet software works and because they were told by smarter people that it is secure.

        Few laymen understand why TLS is secure. They just trust that their browser tells them it is secure.

        Few laymen understand why biometric authentication on their phone apps is secure. They just trust that their device tells them it is secure.

        • bionicjoey@lemmy.ca
          link
          fedilink
          English
          arrow-up
          3
          ·
          9 months ago

          Each of those perfectly illustrates the problem with adding in a layer of abstraction though:

          Bitcoin is a perfect example of the problem. Since almost nobody understands how it works, they keep their coins in an exchange instead of a wallet and have completely defeated the point of cryptocurrency in the first place by reintroducing blind trust into the system.

          Similarly, the TLS ecosystem is problematic. Because even though it is theoretically supposed to verify the identity of the other party, most people aren’t savvy enough to check the name on the cert and instead just trust that if their browser doesn’t warn them, they must be okay. Blind trust one again is introduced alongside the necessary abstraction layers needed to make cryptography palatable to the masses.

          Lastly, people have put so much trust in the face scanning biometrics to wake their phone that they don’t realize they may have given their face to a facial recognition company who will use it to help bring about the cyberpunk dystopia that we are all moving toward.

  • /home/pineapplelover@lemm.ee
    link
    fedilink
    English
    arrow-up
    59
    arrow-down
    3
    ·
    10 months ago

    Huh. They actually do something right for once instead of spending years trying to ban A.I tools. I’m pleasantly surprised.

    • CyberSeeker@discuss.tchncs.de
      link
      fedilink
      English
      arrow-up
      9
      ·
      edit-2
      10 months ago

      Bingo. If, at the limit, the purpose of a generative AI is to be indistinguishable from human content, then watermarking and AI detection algorithms are absolutely useless.

      The ONLY means to do this is to have creators verify their human-generated (or vetted) content at the time of publication (providing positive proof), as opposed to attempting to retroactively trying to determine if content was generated by a human (proving a negative).

    • Ð Greıt Þu̇mpkin@lemm.ee
      link
      fedilink
      English
      arrow-up
      6
      arrow-down
      11
      ·
      10 months ago

      I mean banning use cases is deffo fair game, generating kiddy porn should be treated as just as heinous as making it the “traditional” way IMO

      • General_Effort@lemmy.world
        link
        fedilink
        English
        arrow-up
        10
        arrow-down
        5
        ·
        10 months ago

        Yikes! The implication is that it does not matter if a child was victimized. It’s “heinous”, not because of a child’s suffering, but because… ?

        • Ð Greıt Þu̇mpkin@lemm.ee
          link
          fedilink
          English
          arrow-up
          7
          arrow-down
          12
          ·
          10 months ago

          Man imagine trying to make “ethical child rape content” a thing. What were the lolicons not doing it for ya anymore?

          As for how it’s exactly as heinous, it’s the sexual objectification of a child, it doesn’t matter if it’s a real child or not, the mere existence of the material itself is an act of normalization and validation of wanting to rape children.

          Being around at all contributes to the harm of every child victimised by a viewer of that material.

          • General_Effort@lemmy.world
            link
            fedilink
            English
            arrow-up
            8
            arrow-down
            2
            ·
            10 months ago

            I see. Since the suffering of others does not register with you, you must believe that any “bleeding heart liberal” really has some other motive. Well, no. Most (I hope, but at least some) people are really disturbed by the suffering of others.

            I take the “normalization” argument seriously. But I note that it is not given much credence in other contexts; violent media, games, … Perhaps the “gateway drug” argument is the closest parallel.

            In the very least, it drives pedophiles underground where they cannot be reached by digital streetworkers, who might help them not to cause harm. Instead, they form clandestine communities that are already criminal. I doubt that makes any child safer. But it’s not about children suffering for you, so whatever.

            • Ð Greıt Þu̇mpkin@lemm.ee
              link
              fedilink
              English
              arrow-up
              1
              arrow-down
              9
              ·
              10 months ago

              Man imagine continuing to try and argue Ethical Child Rape Content should be a thing.

              If we want to make sweeping attacks on character, I’d rather be on the “All Child Rape Material is Bad” side of the argument but whatever floats ya boat.

              • Fly4aShyGuy@lemmy.one
                link
                fedilink
                English
                arrow-up
                6
                arrow-down
                1
                ·
                10 months ago

                I don’t think he’s arguing that, and I don’t think you believe that either. Doubt any of us would consider that content ethical, but what he’s saying is it’s not nearly the same as actually doing harm (as opposed what you said in your original post).

                You implying that anyone who disagrees with you is somehow into those awful things is extremely poor taste. I’d expect so much more on Lemmy, that is a Reddit/Facebook level debate tactic. I guess I’m going to get accused of that too now?

                I don’t like to give any of your posts any credit here, but I can somewhat see the normalization argument. However, where is the line drawn regarding other content that could be harmful because normalized. What about adult non consensual type porn, violence on TV and video games, etc. Sliding scale and everyone might draw the line somewhere else. There’s good reason why thinking about an awful things (or writing, drawing, creating fiction about it) is not the same as doing an awful thing.

                I doubt you’ll think much of this, but please really try to be better. It’s 2024, time to let calling anyone you disagree with a pedo back on facebook in the 90s.

      • TheGrandNagus@lemmy.world
        link
        fedilink
        English
        arrow-up
        6
        arrow-down
        3
        ·
        edit-2
        10 months ago

        Idk, making CP where a child is raped vs making CP where no children are involved seem on very different levels of bad to me.

        Both utterly repulsive, but certainly not exactly the same.

        One has a non-consenting child being abused, a child that will likely carry the scars of that for a long time, the other doesn’t. One is worse than the other.

        E: do the downvoters like… not care about child sexual assault/rape or something? Raping a child and taking pictures of it is very obviously worse than putting parameters into an AI image generator. Both are vile. One is worse. Saying they’re equally bad is attributing zero harm to the actual assaulting children part.

        • Ð Greıt Þu̇mpkin@lemm.ee
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          9
          ·
          10 months ago

          Man imagine trying to make the case for Ethical Child Rape Material.

          You are not going to get anywhere with this line of discussion, stop now before you say something that deservedly puts you on a watchlist.

          • TheGrandNagus@lemmy.world
            link
            fedilink
            English
            arrow-up
            7
            arrow-down
            2
            ·
            edit-2
            10 months ago

            I’m not making the case for that at all, and I find you attempting to make out that I am into child porn a disgusting debate tactic.

            “Anybody who disagrees with my take is a paedophile” is such a poor argument and serves only to shut down discussion.

            It’s very obviously not what I’m saying, and anybody with any reading comprehension at all can see that plainly.

            You’ll notice I called it “utterly repulsive” in my comment - does that sound like the words of a child porn advocate?

            The fact that you apparently don’t care at all about the child suffering side of it is quite troubling. If a child is harmed in its creation, then that’s obviously worse than some creepy fuck drawing loli in Inkscape or typing parameters into an AI image generator. I can’t believe this is even a discussion.

  • DrCake@lemmy.world
    link
    fedilink
    English
    arrow-up
    50
    arrow-down
    3
    ·
    10 months ago

    Yeah good luck getting to general public to understand what “cryptographically verified” videos mean

    • patatahooligan@lemmy.world
      link
      fedilink
      English
      arrow-up
      22
      arrow-down
      1
      ·
      10 months ago

      The general public doesn’t have to understand anything about how it works as long as they get a clear “verified by …” statement in the UI.

      • kandoh@reddthat.com
        link
        fedilink
        English
        arrow-up
        4
        ·
        10 months ago

        The problem is that even if you reveal the video as fake,the feeling it reinforces on the viewer stays with them.

        “Sure that was fake,but the fake that it seems believable tells you everything you need to know”

        • go_go_gadget@lemmy.world
          link
          fedilink
          English
          arrow-up
          4
          arrow-down
          1
          ·
          edit-2
          10 months ago

          “Herd immunity” comes into play here. If those people keep getting dismissed by most other people because the video isn’t signed they’ll give up and follow the crowd. Culture is incredibly powerful.

    • BradleyUffner@lemmy.world
      link
      fedilink
      English
      arrow-up
      18
      arrow-down
      1
      ·
      10 months ago

      It could work the same way the padlock icon worked for SSL sites in browsers back in the day. The video player checks the signature and displays the trusted icon.

    • Funderpants @lemmy.ca
      link
      fedilink
      English
      arrow-up
      17
      arrow-down
      3
      ·
      10 months ago

      Democrats will want cryptographically verified videos, Republicans will be happy with a stamp that has trumps face on it.

      • wizardbeard@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        2
        ·
        edit-2
        10 months ago

        I mean, how is anyone going to crytographically verify a video? You either have an icon in the video itself or displayed near it by the site, meaning nothing, fakers just copy that in theirs. Alternatively you have to sign or make file hashes for each permutation of the video file sent out. At that point how are normal people actually going to verify? At best they’re trusting the video player of whatever site they’re on to be truthful when it says that it’s verified.

        Saying they want to do this is one thing, but as far as I’m aware, we don’t have a solution that accounts for the rampant re-use of presidential videos in news and secondary reporting either.

        I have a terrible feeling that this would just be wasted effort beyond basic signing of the video file uploaded on the official government website, which really doesn’t solve the problem for anyone who can’t or won’t verify the hash on their end.


        Maybe some sort of visual and audio based hash, like musicbrainz ids for songs that are independant of the file itself but instead on the sound of it. Then the government runs a server kind of like a pgp key server. Then websites could integrate functionality to verify it, but at the end of the day it still works out to a “I swear we’re legit guys” stamp for anyone not techinical enough to verify independantly thenselves.


        I guess your post just seemed silly when the end result of this for anyone is effectively the equivalent of your “signed by trump” image, unless the public magically gets serious about downloading and verifying everything themselves independently.

        Fuck trump, but there are much better ways to shit on king cheeto than pretending the average populace is anything but average based purely on political alignment.

        You have to realize that to the average user, any site serving videos seems as trustworthy as youtube. Average internet literacy is absolutely fucking abysmal.

        • technojamin@lemmy.world
          link
          fedilink
          English
          arrow-up
          4
          ·
          10 months ago

          People aren’t going to do it, the platforms that 95% of people use (Facebook, Tik Tok, YouTube, Instagram) will have to add the functionality to their video players/posts. That’s the only way anything like this could be implemented by the 2024 US election.

        • beefontoast@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          10 months ago

          In the end people will realise they can not trust any media served to them. But it’s just going to take time for people to realise… And while they are still blindly consuming it, they will be taken advantage of.

          If it goes this road… Social media could be completely undermined. It could become the downfall of these platforms and do everyone a favour by giving them their lives back after endless doom scrolling for years.

        • Strykker@programming.dev
          link
          fedilink
          English
          arrow-up
          1
          ·
          10 months ago

          Do it basically the same what TLS verification works, sure the browsers would have to add something to the UI to support it, but claiming you can’t trust that is dumb because we already use that to trust the site your on is your bank and not some scammer.

          Sure not everyone is going to care to check, but the check being there allows people who care to reply back saying the video is faked due to X

    • makeasnek@lemmy.ml
      link
      fedilink
      English
      arrow-up
      5
      ·
      10 months ago

      “Not everybody will use it and it’s not 100% perfect so let’s not try”

      • NateNate60@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        9 months ago

        That’s not the point. It’s that malicious actors could easily exploit that lack of knowledge to trick users into giving fake videos more credibility.

        If I were a malicious actor, I’d put the words “✅ Verified cryptographically by the White House” at the bottom of my posts and you can probably understand that the people most vulnerable to misinformation would probably believe it.

    • maynarkh@feddit.nl
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      7
      ·
      10 months ago

      Just make it a law that if as a social media company you allow unverified videos to be posted, you don’t get safe harbour protections from libel suits for that. It would clear right up. As long as the source of trust is independent of the government or even big business, it would work and be trustworthy.

      • General_Effort@lemmy.world
        link
        fedilink
        English
        arrow-up
        16
        arrow-down
        1
        ·
        10 months ago

        Back in the day, many rulers allowed only licensed individuals to operate printing presses. It was sometimes even required that an official should read and sign off on any text before it was allowed to be printed.

        Freedom of the press originally means that exactly this is not done.

        • Funderpants @lemmy.ca
          link
          fedilink
          English
          arrow-up
          7
          arrow-down
          1
          ·
          10 months ago

          Jesus, how did I get so old only to just now understand that press is not journalism, but literally the printing press in ‘Freedom of the press’.

        • vithigar@lemmy.ca
          link
          fedilink
          English
          arrow-up
          3
          arrow-down
          2
          ·
          edit-2
          10 months ago

          You understand that there is a difference between being not permitted to produce/distribute material and being accountable for libel, yes?

          “Freedom of the press” doesn’t mean they should be able to print damaging falsehood without repercussion.

          • General_Effort@lemmy.world
            link
            fedilink
            English
            arrow-up
            10
            ·
            10 months ago

            What makes the original comment legally problematic (IMHO), is that it is expected and intended to have a chilling effect pre-publication. Effectively, it would end internet anonymity.

            It’s not necessarily unconstitutional. I would have made the argument if I thought so. The point is rather that history teaches us that close control of publications is a terrible mistake.

            The original comment wants to make sure that there is always someone who can be sued/punished, with obvious consequences for regime critics, whistleblowers, and the like.

            • Dark Arc@social.packetloss.gg
              link
              fedilink
              English
              arrow-up
              1
              ·
              edit-2
              10 months ago

              We need to take history into account but I think we’d be foolish to not acknowledge the world has indeed changed.

              Freedom of the press never meant that any old person could just spawn a million press shops and pedal whatever they wanted. At best the rich could, and nobody was anonymous for long at that kind of scale.

              Personally I’m for publishing via proxy (i.e. an anonymous tip that a known publisher/person is responsible for) … I’m not crazy about “anybody can write anything on any political topic and nobody can hold them accountable offline.”

            • vithigar@lemmy.ca
              link
              fedilink
              English
              arrow-up
              1
              arrow-down
              3
              ·
              10 months ago

              So your suggestion is that libel, defamation, harassment, et al are just automatically dismissed when using online anonymous platforms? We can’t hold the platform responsible, and we can’t identify the actual offender, so whoops, no culpability?

              I strongly disagree.

                • vithigar@lemmy.ca
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  10 months ago

                  I am not. And if that’s not what’s implied by their comments then I legitimately have no idea what they’re suggesting and would appreciate an explanation.

      • bionicjoey@lemmy.ca
        link
        fedilink
        English
        arrow-up
        3
        ·
        10 months ago

        As long as the source of trust is independent of the government or even big business, it would work and be trustworthy

        That sounds like wishful thinking

    • BrianTheeBiscuiteer@lemmy.world
      link
      fedilink
      English
      arrow-up
      7
      ·
      10 months ago

      Sounds like a very Biden thing (or for anyone well into their Golden Years) to say, “Use cryptography!” but it’s not without merit. How do we verify file integrity? How to we digitally sign documents?

      The problem we currently have is that anything that looks real tends to be accepted as real (or authentic). We can’t rely on humans to verify authenticity of audio or video anymore. So for anything that really matters we need to digitally sign it so it can be verified by a certificate authority or hashed to verify integrity.

      This doesn’t magically fix deep fakes. Not everyone will verify a video before distribution and you can’t verify a video that’s been edited for time or reformatted or broadcast on the TV. It’s a start.

      • go_go_gadget@lemmy.world
        link
        fedilink
        English
        arrow-up
        7
        arrow-down
        1
        ·
        10 months ago

        We’ve had this discussion a lot in the Bitcoin space. People keep arguing it has to change so that “grandma can understand it” but I think that’s unrealistic. Every technology has some inherent complexities that cannot be removed and people have to learn if they want to use it. And people will use it if the motivation is there. Wifi has some inherent complexities people have become comfortable with. People know how to look through lists of networks, find the right one, enter the passkey or go through the sign on page. Some non-technical people know enough about how Wifi should behave to know the internet connection might be out or the route might need a reboot. None of this knowledge was commonplace 20 years ago. It is now.

        The knowledge required to leverage the benefits of cryptographic signatures isn’t beyond the reach of most people. The general rules are pretty simple. The industry just has to decide to make the necessary investments to motivate people.

      • SpaceCowboy@lemmy.ca
        link
        fedilink
        English
        arrow-up
        3
        ·
        10 months ago

        The President’s job isn’t really to be an expert on everything, the job is more about being able to hire people who are experts.

        If this was coupled with a regulation requiring social media companies to do the verification and indicate that the content is verified then most people wouldn’t need to do the work to verify content (because we know they won’t).

        It obviously wouldn’t solve every problem with deepfakes, but at least it couldn’t be content claiming to be from CNN or whoever. And yes someone editing content from trusted sources would make that content no longer trusted, but that’s actually a good thing. You can edit videos to make someone look bad, you can slow it down to make a person look drunk, etc. This kind of content should not considered trusted either.

        Someone doing a reaction video going over news content or whatever could have their stuff be considered trusted, but it would be indicated as being content from the person that produced the reaction video not as content coming from the original news source. So if you see a “news” video that has it’s verified source as “xXX_FlatEarthIsReal420_69_XXx” rather than CNN, AP News, NY Times, etc, you kinda know what’s up.

      • nxdefiant@startrek.website
        link
        fedilink
        English
        arrow-up
        1
        ·
        10 months ago

        The number of 80 year olds that know what cryptography is AND know that it’s a proper solution here is not large. I’d expect an 80 year old to say something like “we should only look at pictures sent by certified mail” or “You cant trust film unless it’s an 8mm and the can was sealed shut!”

  • ZombiFrancis@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    31
    ·
    10 months ago

    It would become quite easy to dismiss anything for not being cryptographically verified simply by not cryptographically verifying.

    I can see the benefit of having such verification but I also see how prone it might be to suppressing unpopular/unsanctioned journalism.

    Unless the proof is very clear and easy for the public to understand the new method of denial just becomes the old method of denial.

    • abhibeckert@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      ·
      edit-2
      10 months ago

      It would be nice if none of this was necessary… but we don’t live in that world. There is a lot of straight up bullshit in the news these days especially when it comes to controversial topics (like the war in Gaza, or Covid).

      You could go a really long way by just giving all photographers the ability to sign their own work. If you know who took the photo, then you can make good decisions about wether to trust them or not.

      Random account on a social network shares a video of a presidential candidate giving a speech? Yeah maybe don’t trust that. Look for someone else who’s covered the same speech instead, obviously any real speech is going to be covered by every major news network.

      That doesn’t stop a ordinary people from sharing presidential speeches on social networks. But it would make it much easier to identify fake content.

    • jabjoe
      link
      fedilink
      English
      arrow-up
      3
      ·
      9 months ago

      Once people get used to cryptographical signed videos, why only trust one source? If a news outlet is found signing a fake video, they will be in trouble. Loss of said trust if nothing else.

      We should get to the point we don’t trust unsigned videos.

      • ZombiFrancis@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        1
        ·
        9 months ago

        Not trusting unsigned videos is one thing, but will people be judging the signature or the content itself to determine if it is fake?

        Why only one source should be trusted is a salient point. If we are talking trust: it feels entirely plausible that an entity could use its trust (or power) to manufacture a signature.

        And for some it is all too relevant that an entity like the White House, (or the gambit of others, past or present), have certainly presented false informstion as true to do things like invade countries.

        Trust is a much more flexible concept that is willing to be bent. And so cryptographic verification really has to demonstrate how and why something is fake to the general public. Otherwise it is just a big ‘trust me bro.’

        • jabjoe
          link
          fedilink
          English
          arrow-up
          2
          ·
          9 months ago

          Your right in that cryptographic verification only can prove someone signed the video. But that will mean nutters sharing “BBC videos”, that don’t have the BBC signature can basically be dismissed straight off. We are already in a soup of miss information, so sourcing being cryptographically provable is a step forward. If you trust those sources or not is another matter, but at least your know if it’s the true source or not. If a source abuse trust it has, it loses trust.

  • JasSmith@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    33
    arrow-down
    2
    ·
    10 months ago

    This doesn’t solve anything. The White House will only authenticate videos which make the President look good. Curated and carefully edited PR. Maybe the occasional press conference. The vast majority of content will not be authenticated. If anything this makes the problem worse, as it will give the President remit to claim videos which make them look bad are not authenticated and should therefore be distrusted.

    • cynar@lemmy.world
      link
      fedilink
      English
      arrow-up
      18
      arrow-down
      2
      ·
      10 months ago

      It needs to be more general. A video should have multiple signatures. Each signature relies on the signer’s reputation, which works both ways. It won’t help those who don’t care about their reputation, but will for those that do.

      A photographer who passes off a fake photo as real will have their reputation hit, if they are caught out. The paper that published it will also take a hit. It’s therefore in the paper’s interest to figure out how trustworthy the supplier is.

      I believe canon recently announced a camera that cryptographically signs photographs, at the point of creation. At that point, the photographer can prove the camera, the editor can prove the photographer, the paper can prove the editor, and the reader can prove the newspaper. If done right, the final viewer can also prove the whole chain, semi-independently. It won’t be perfect (far from it) but might be the best will get. Each party wants to protect their reputation, and so has a vested interest in catching fraud.

      For this to work, we need a reliable way to sign images multiple times, as well as (optionally) encode an edit history into it. We also need a quick way to match cryptographic keys to a public key.

      An option to upload a time stamped key to a trusted 3rd party would also be of significant benefit. Ironically, Blockchain might actually be a good use for this. In case a trusted 3rd can’t be established.

      • JasSmith@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        6
        ·
        10 months ago

        Great points and I agree. I also think the signature needs to be built into the stream in a continuous fashion so that snippets can still be authenticated.

        • cynar@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          ·
          10 months ago

          Agreed. Embed a per-frame signature it into every key frame when encoding. Also include the video file time-stamp. This will mean any clip longer than around 1 second will include at least 1 signed frame.

          • Natanael@slrpnk.net
            link
            fedilink
            English
            arrow-up
            1
            ·
            9 months ago

            Merkle tree hashes exists for this purpose

            Note that videos uses “keyframes” so you can’t extract arbitrary frames in isolation, you need to pull multiple if the frame you’re snapshotting isn’t a keyframe itself

      • General_Effort@lemmy.world
        link
        fedilink
        English
        arrow-up
        5
        ·
        10 months ago

        I don’t think that’s practical or particularly desirable.

        Today, when you buy something, EG a phone, the brand guarantees the quality of the product, and the seller guarantees the logistics chain (that it’s unused, not stolen, not faked, not damaged in transport, …). The typical buyer does not care about the parts used, the assembly factory, etc.

        When a news source publishes media, they vouch for it. That’s what they are paid for (as it were). If the final viewer is expected to check the chain, they are asked to do the job of skilled professionals for free. Do-your-own-research rarely works out, even for well-educated people. Besides, in important cases, the whole chain will not be public to protect sources.

        • cynar@lemmy.world
          link
          fedilink
          English
          arrow-up
          5
          ·
          10 months ago

          It wouldn’t be intended for day to day use. It’s intended as a audit trail/chain of custody. Think of it more akin to a git history. As a user, you generally don’t care, however it can be excellent for retrospective analysis, when someone/something does screw up.

          You would obviously be able to strip it out, but having it as a default would be helpful with openness.

      • LarmyOfLone@lemm.ee
        link
        fedilink
        English
        arrow-up
        3
        ·
        10 months ago

        I’ve thought about this too but I’m not sure this would work. First you could hack the firmware of a cryptographically signed camera. I already read something about a camera like this that was hacked and the private key leaked. You could have an individual key for each camera and then revoke it maybe.

        But you could also photograph a monitor or something like that, like a specifically altered camera lens.

        Ultimately you’d probably need something like quantum entangled photon encoding to prove that the photons captured by the sensor were real photons and not fake photons. Like capturing a light field or capturing a spectrum of photons. Not sure if that is even remotely possible but it sounds cool haha.

      • Natanael@slrpnk.net
        link
        fedilink
        English
        arrow-up
        1
        ·
        9 months ago

        Look up transparency logs for that last part, it’s already used for TLS certificates

    • ours@lemmy.world
      link
      fedilink
      English
      arrow-up
      6
      arrow-down
      3
      ·
      10 months ago

      I don’t understand your concern. Either it’ll be signed White House footage or it won’t. They have to sign all their footage otherwise there’s no point to this. If it looks bad, don’t release it.

      • maynarkh@feddit.nl
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        1
        ·
        10 months ago

        The point is that if someone catches the President shagging kids, of course that footage won’t be authenticated by the WH. We need a tool so that a genuine piece of footage of the Pres shagging kids would be authenticated, but a deepfake of the same would not. The WH is not a good arbiter since they are not independent.

        • ours@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          10 months ago

          But we are talking about official WH videos. Start signing those.

          If it’s not from the WH, it isn’t signed. Or perhaps it’s signed by whatever media company is behind its production or maybe they’ve verified the video and its source enough to sign it. So maybe, let’s say the Washington Post can publish some compromising video of the President but it still has certain accountability as opposed to some completely random Internet video.

        • brbposting@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          1
          ·
          10 months ago

          Politicians and anyone at deepfake risk wear a digital pendant at all times. Pendant displays continually rotating time-based codes. People record themselves using video hardware which crypto graphically signs output.

          Only a law/Big 4 firm can extract video from the official camera (which has a twin for hot swapping).

          • Natanael@slrpnk.net
            link
            fedilink
            English
            arrow-up
            2
            ·
            9 months ago

            Codes which don’t embedd any information about what you’re saying or doing can be copied over to faked images.

            In theory you could have such a pendant record your voice, etc, and continously emit signatures for compressed versions of your speech (or a signed speech-to-text transcript)

      • JasSmith@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        3
        ·
        10 months ago

        Then this exercise is a waste of time. All the hard hitting journalism which presses the President and elicits a negative response will be unsigned, and will be distributed across social media as it is today: without authentication. All the videos for which the White House is concerned about authenticity will continue to circulate without any cause for contention.

    • BrianTheeBiscuiteer@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      1
      ·
      10 months ago

      Anyone can digitally sign anything (maybe not easily or for free). The Whitehouse can verify or not verify whatever they choose but if you, as a journalist let’s say, want to give credence to video you distribute you’ll want to digitally sign it. If a video switches hands several times without being signed it might as well have been cooked up by the last person that touched it.

      • go_go_gadget@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        1
        ·
        edit-2
        10 months ago

        That’s fine?

        Signatures aren’t meant to prove authenticity. They’re proving the source which you can use to weigh the authenticity.

        I think the confusion comes from the fact that cryptographic signatures are mostly used in situations where proving the source is equivalent to proving authenticity. Proving a text message is from me proves the authenticity as there’s no such thing as doctoring my own text message. There’s more nuance when you’re using signatures to prove a source which may or may not be providing trustworthy data. But there is value in at least knowing who provided the data.

  • nutsack@lemmy.world
    link
    fedilink
    English
    arrow-up
    27
    arrow-down
    1
    ·
    9 months ago

    the technology to do this has existed for decades and it’s crazy to me that people aren’t doing it all the time yet

  • cooopsspace@infosec.pub
    link
    fedilink
    English
    arrow-up
    22
    ·
    10 months ago

    You mean to tell me that cryptography isn’t the enemy and that instead of fighting it in the name of “terrorism and child protection” that we should be protecting children by having strong encryption instead??

  • andrew_bidlaw@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    23
    arrow-down
    1
    ·
    10 months ago

    Why not just official channels of information, e.g. White house Mastodon instance with politicians’ accounts, government-hosted, auto-mirrored by third parties.

  • circuitfarmer@lemmy.world
    link
    fedilink
    English
    arrow-up
    24
    arrow-down
    5
    ·
    10 months ago

    I’m sure they do. AI regulation probably would have helped with that. I feel like congress was busy with shit that doesn’t affect anything.

    • ours@lemmy.world
      link
      fedilink
      English
      arrow-up
      25
      ·
      10 months ago

      I salute whoever has the challenge of explaining basic cryptography principles to Congress.

        • wizardbeard@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          2
          ·
          10 months ago

          That’s why I feel like this idea is useless, even for the general population. Even with some sort of visual/audio based hashing, so that the hash is independant of minor changes like video resolution which don’t change the content, and with major video sites implementing a way for the site to verify that hash matches one from a trustworthy keyserver equivalent…

          The end result for anyone not downloading the videos and verifying it themselves is the equivalent of those old ”✅ safe ecommerce site, we swear" images. Any dedicated misinformation campaign will just fake it, and that will be enough for the people who would have believed the fake to begin with.

      • johnyrocket@feddit.ch
        link
        fedilink
        English
        arrow-up
        5
        ·
        10 months ago

        Should probably start out with the colour mixing one. That was very helpfull for me to figure out public key cryptography. The difficulty comes in when they feel like you are treating them like toddlers so they start behaving more like toddlers. (Which they are 99% if the time)

    • lemmyingly@lemm.ee
      link
      fedilink
      English
      arrow-up
      14
      arrow-down
      1
      ·
      10 months ago

      I see no difference between creating a fake video/image with AI and Adobe’s packages. So to me this isn’t an AI problem, it’s a problem that should have been resolved a couple of decades ago.

    • Squizzy@lemmy.world
      link
      fedilink
      English
      arrow-up
      9
      ·
      10 months ago

      Or more likely they will only discredit fake news and not verify actual footage that is a poor reflection. Like a hot mic calling someone a jackass, white House says no comment.

  • Thirdborne@lemmy.world
    link
    fedilink
    English
    arrow-up
    18
    arrow-down
    1
    ·
    9 months ago

    When it comes to misinformation I always remember when I was a kid I’m the early 90s, another kid told me confidently that the USSR had landed on Mars, gathered rocks, filmed it and returned to earth(it now occurs to me that this homeschooled kid was confusing the real moon landing.) I remember knowing it was bullshit but not having a way to check the facts. The Internet solved that problem. Now, by God , the Internet has recreated the same problem.

  • Aurenkin@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    17
    ·
    10 months ago

    I think this is a great idea. Hopefully it becomes the standard soon, cryptographically signing clips or parts of clips so there’s no doubt as to the original source.

    • cynar@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      ·
      10 months ago

      Ultimately, reputation based trust, combined with cryptographic keys is likely the best we can do. You (semi automatically) sign the photo, and upload it’s stamp to a 3rd party. They can verify that they received the stamp from you, and at what time. That proves the image existed at that time, and that it’s linked to your reputation. Anything more is just likely to leak, security wise.

    • Ð Greıt Þu̇mpkin@lemm.ee
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      1
      ·
      10 months ago

      Probably a signed comment from the Double-Cone Crusader himself, basically free PR so I don’t see why he or any other president wouldn’t at least have an intern give you a signed comment fist bump of acknowledgement