HolidayBuyer's Guide

A picture worth a thousand lies

Neal Krawetz, a security researcher at Hacker Factor, knows a fake photo when he sees one. He also knows how it's done. Images: Pictures that lie

A picture may be worth a thousand words, but are they authentic?

In April of 2003, the Los Angeles Times ran a dramatic image of a British soldier urging Iraqi civilians to safety. The credited photographer, Brian Walski, was later fired for combining separate photos to create the image. It was a compelling shot, but it was also a lie.

Such trickery is not news to security researcher Neal Krawetz, founder of Hacker Factor. At last year's Black Hat conference, Krawetz presented his research into exposing malicious-software writers through their keyword use and word choices.

Krawetz is interested in the ways our use of technology reveals us, even when we think we're being anonymous. This year, Krawetz is turning his attention toward revealing the secrets buried within images. For example, Krawetz recently attempted to determine--based on the images alone--who might have leaked the contents of the final Harry Potter book onto the Internet.

It's one thing to have the tool; it's another thing to have the talent to actually use it right.

On Wednesday, Krawetz will be among the first presenters at this year's Black Hat conference, where he plans to further discuss the various ways images can be manipulated. CNET spoke with Krawetz a few days before his Black Hat presentation.

Are these fraudulent images mostly on the Internet?
Krawetz: Some images are on the Internet, some have made the newspaper. There was a graphic picture rendered of Buzz Aldrin walking on the moon. It won an award from the Computer Graphics Society. (In my talk) I actually dissect the image and show how it was likely made. This picture--to the human eye--is photo-realistic. It's made the cover of magazines.

Does photo-realistic image manipulation require special hardware? Or can one use off-the-shelf software?
Krawetz: Buzz Aldrin was created using (Autodesk's) 3ds Max and Combustion, and (Adobe Systems') Photoshop, which are all off-the-shelf software programs. But it's one thing to have the tool; it's another thing to have the talent to actually use it right. Anyone can use a ray tracer, but that doesn't mean you can create something that is photo-realistic.

Unfortunately, most people out there are not experts. And if you're not a graphics expert, and you had to paste Hillary Clinton's head on some body, it stands out where the head has been cut out.

You may not be able to track a tool to a person, but you can track a tool to a skill set. Tools definitely leave fingerprints.

Speaking of Sen. Clinton, the 2008 presidential elections are gearing up. Are we likely to see photo-realistic images in the upcoming campaign?
Krawetz: Likely is an understatement. I think we've already seen some. Take USA Today. Every now and again, they put up pictures of Hillary Clinton and Barack Obama. And they will modify the pictures.

(Editors' note: CNET failed to contact USA Today for a response to this allegation prior to the publication of this interview. Reached after publication, a representative said, "Any suggestion that USA Today intentionally manipulates photos or other images in a manner intended to distort the news is defamatory and without any basis in fact.")

I'm not sure who's modifying the pictures--whether it's the photographer submitting it or the intern who's putting them together or someone else at USA Today--but they'll modify it to increase the brightness, for example, on Hillary.

When you increase brightness on a picture, you bring out all the things like wrinkles that really aren't attractive. And they'll soften the picture on Barack Obama to make it look better. Editorially, this can be taken too far. You saw that in the case of O.J. Simpson, (whose mug shot looked very different on the ).

Is the use of the Internet, sites like Flickr, contributing to the rise of faked images?
Krawetz: The Internet has a good amount to do with it, yes. It takes virtually no effort to modify--to cut and paste an image, to smooth things out. Even things like red-eye reduction--that's an image modification.

One of the things that surprised me is that when people render pictures--you know, a completely computer-generated picture--they usually don't just render it. They render it, then they bring it up in Photoshop to do digital manipulations to it. So it's not that it's just a computer-generated picture; it's an enhanced computer-generated picture.

If they screw up on skin, they pretty much always screw up on skin until they learn to do it better.

Is that to bring in more textures?
Krawetz: Yes. To fix coloring. Maybe to paste in a background that's better than the one they rendered. Buzz Aldrin is a hybrid. The background is really from a NASA moon shot.

Images are composed of layers. I take it that each layer can be manipulated and put back together. Do the tools used leave behind any digital fingerprints?
Krawetz: You may not be able to track a tool to a person, but you can track a tool to a skill set. Tools definitely leave fingerprints. In fact, the last tool used is usually the easiest to identify.

Because the last tool used is the least manipulated?
Krawetz: Exactly. Photoshop stands out like a sore thumb. It's not that it's common, it's that it does some very distinct changes to the pixels before it saves them to a JPEG. That's not going into things like quantization tables or metadata information. Metadata can lie.

Fingerprinting--analogous to what you talked about at Black Hat last year?
Krawetz: Yes, analogous. My research is on antianonymity technology. I may not be able to tell you who someone is, but I can tell you about them. Last year, I was telling you about the words they use. This year, I'm telling you about the pictures they use. There are some repeating themes.

If they screw up on skin, they pretty much always screw up on skin until they learn to do it better. If they like to use Photoshop to put in particular edges or paste things in a particular way, you can actually see that sort of pattern. If you see a picture that is attributed to Photoshop for the Macintosh, then you know they're probably using a Macintosh and not a Windows box.

Going back to Buzz Aldrin and the British soldier in Iraq, is it the responsibility of the publications to guard themselves against manipulated images? If so, what can be done?
Krawetz: In my talk, I actually give some pointers for the mass media like Reuters. If they really want to publish pictures that have been unmodified, here's how you can tell. One way is to use quantization table fingerprinting.

If the picture claims to be from a digital camera, and the quantization tables, which are used for compressing the image, don't match the camera, then you know that it's been manipulated. If Reuters had done that, it would have caught the fake photos.