I watch my web logs closely. I'm basically looking for possible attacks, unexpected errors, and other forms of abuse. If the error is on the server side, I want to fix it as fast as possible. If the error is from the user, then I want to understand and address the problem.

The Joys of HTML

One of the most common problems that I have been seeing at the FotoForensics site concerns the upload-by-URL option. Users are supposed to paste in a URL to an image, and the site will retrieve and analyze the picture.

Unfortunately, many users don't understand the difference between a URL to a picture and a URL to a web page that contains a picture. I'm mostly seeing this problem with URLs from other hosting sites (e.g., flickr or imgur) and from Facebook. These web pages contain one big picture (likely the one the user wanted to analyze) and a bunch of smaller pictures in the header, along the margin, and at the bottom.

I finally came up with a solution. If the user uploads HTML, then the site now displays a small notice about right-clicking on the image to find the URL to the image. I thought it was kind of wordy, but I've already seen users upload HTML, pause, and then resend the URL to the big picture on the web page. So this looks like a fast fix via a better error message.

After I get a little more infrastructure implemented on the back-end of the service, I'll release another solution to this problem which will be much more convenient. Hopefully it will be released by the end of this month.

Slammed By Google

One of the reasons I looked into the "uploading HTML" issue is that I saw a huge increase in uploads making this mistake. Basically, I had one user who was uploading tons of pictures from imgur, but was specifying the URL to the HTML page and not to the images.

Even after I put up the message telling users how to find the image URL, I still had this one user uploading imgur HTML. The uploads happened every few seconds. So it looks like a bot. And then I noticed the IP address and user-agent: Google.

66.249.72.152 - - [13/May/2012:06:25:17 -0500] "GET /upload-url.php?url=http%3A%2F%2Fimgur.com%2F3iCJ8 HTTP/1.1" 200 1594 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.72.152 - - [13/May/2012:06:25:38 -0500] "GET /upload-url.php?url=http%3A%2F%2Fimgur.com%2F32yOZ HTTP/1.1" 200 1594 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.72.152 - - [13/May/2012:06:25:45 -0500] "GET /upload-url.php?url=http%3A%2F%2Fimgur.com%2FUamV7 HTTP/1.1" 200 1594 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.72.152 - - [13/May/2012:06:25:59 -0500] "GET /upload-url.php?url=http%3A%2F%2Fimgur.com%2F32GkV HTTP/1.1" 200 1594 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
...

66.249.72.xx is Google and the user agent is Googlebot. Anyone who runs a web service knows that Google's indexing system will attempt to submit crap to any form it finds. They want to find local search engines on blogs and web sites and index the results. This way, if someone searches for "hypnophonic", then Google can direct them to whatever results page my own site's search would find. If Googlebot finds the search form on your blog, then it will submit all sorts of random words in order to find possible results. And it will do it for days.

In this case, Google seems to know that FotoForensics analyzes images. And it knows that the non-Google service imgur contains images. So Google was trying to submit every image at imgur to FotoForensics for analysis. I'm not kidding.

This uploading by Google was failing because they were submitting URLs to HTML web pages and not to the actual images. It started on Sat May 12 22:57:04 2012. I stopped it on Sun May 13 11:15:17 2012. (All times are CDT.) During those 12 hours, Googlebot submitted 1,061 URLs. My logs for them look like:

...

[Sat May 12 23:17:36 2012] [client 66.249.72.152] POST url: http://imgur.com/5C4Ul

[Sat May 12 23:18:04 2012] [client 66.249.72.152] POST url: http://imgur.com/w3Cwo

[Sat May 12 23:18:31 2012] [client 66.249.72.152] POST url: http://imgur.com/0KByw

[Sat May 12 23:18:59 2012] [client 66.249.72.152] POST url: http://imgur.com/XwYEC

[Sat May 12 23:19:27 2012] [client 66.249.72.152] POST url: http://imgur.com/gDnDG

[Sat May 12 23:19:55 2012] [client 66.249.72.152] POST url: http://imgur.com/DiBKf

[Sat May 12 23:20:17 2012] [client 66.249.72.152] POST url: http://imgur.com/EYmG1

[Sat May 12 23:20:18 2012] [client 66.249.72.152] POST url: http://imgur.com/sMleL

[Sat May 12 23:20:22 2012] [client 66.249.72.152] POST url: http://imgur.com/zUYB6

[Sat May 12 23:20:50 2012] [client 66.249.72.152] POST url: http://imgur.com/Xh3oI

[Sat May 12 23:21:18 2012] [client 66.249.72.152] POST url: http://imgur.com/JrmZb

[Sat May 12 23:21:45 2012] [client 66.249.72.152] POST url: http://imgur.com/7aHsS

[Sat May 12 23:22:13 2012] [client 66.249.72.152] POST url: http://imgur.com/vMcRj

[Sat May 12 23:22:41 2012] [client 66.249.72.152] POST url: http://imgur.com/yXNh1

[Sat May 12 23:23:09 2012] [client 66.249.72.152] POST url: http://imgur.com/RF4Lj

[Sat May 12 23:23:36 2012] [client 66.249.72.152] POST url: http://imgur.com/MJwDN

[Sat May 12 23:24:04 2012] [client 66.249.72.152] POST url: http://imgur.com/xF00H

[Sat May 12 23:24:32 2012] [client 66.249.72.152] POST url: http://imgur.com/wAXDI

[Sat May 12 23:25:00 2012] [client 66.249.72.152] POST url: http://imgur.com/B8bon

[Sat May 12 23:25:27 2012] [client 66.249.72.152] POST url: http://imgur.com/SOVBZ

...

The pictures follow a theme, so it looks like Googlebot was doing what web bots do well: traverse a set of links.

Do No Evil

The biggest problem with blocking Google is that I want them to index and link to the site. I just don't want them to submit crap to my service, or try to submit all of the content from some other service to my service. (I view this as a service abuse.) Moreover, there is no reliable method for telling Google to not post content to a web form.

However, I did find a solution. I'm blocking them in my .htaccess file:

SetEnvIf User-Agent ".*Googlebot.*" search_bot=1
SetEnvIf Request_URI "^/upload.*" has_upload=1

RewriteEngine on

RewriteCond %{env:search_bot} 1
RewriteCond %{env:has_upload} 1
RewriteRule $ - [R=404,L]

This sets the environment variable "search_bot" to 1 if the user-agent contains the string "Googlebot". And if the URL begins with "/upload" (where all of my submission forms go), then set the flag "has_upload". Finally, I have a rewrite rule: if it is a search bot and it has upload, then block them with a 404 error. This request will never even get to my back-end server script. Googlebot no longer abuses my site and it no longer uses my service to abuse imgur.

They can still index the site. They can still index links to results that other people post to other sites. But Googlebot can no longer post new content to my site.

In the first hour that this was implemented, Googlebot received 38 "404" errors. I wonder how long it will take before Googlebot realizes that all of its uploads will fail...

Truthfully, I don't think this abuse is coming from the main Google search engine. When the main Googlebot finds a form, it will slam it with requests. Thousands upon thousands of them. I really suspect that this is some Google employee trying out a side-project. This explains the low request volume (well, low for Google) and the fact that every request is coming from the same network address. (The main Googlebot uses a variety of network addresses.) Some Google employee probably thought it would be fun to submit every imgur picture through my FotoForensics site. Nevermind that they were submitting bad image URLs, nevermind that they are ignoring return codes and ignoring results, and nevermind that they are abusing imgur by harvesting their content and sending it to another web service.

I wonder how "do no evil" compares against "just be stupid"?

The FotoForensics web site has been far more successful that I originally expected. Not knowing any better, we allocated enough resources to managed at least 250,000 pictures over a two year period. I got that from the original errorlevelanalysis.com web site -- which processed about 250,000 pictures in two years. Although the first month had relatively little traffic (5038 unique pictures), it has been steadily ramping up. April shot up to 16,421 unique pictures analyzed -- including one day with 2,545 unique uploads. At the current rate, we expect to processed over 100,000 unique pictures by October or November (far faster than the original estimate). For this reason, we are taking the server down for a few hours this Sunday and increasing the storage capacity.

In my previous update I discussed the "porn problem". Since then, we've designed a multi-stage filtering solution and it is partially implemented; porn dropped from 5% in March to 2% in April. We are getting much better at stopping pornographic uploads.

When people get blocked for uploading porn, we don't just give them 404 errors. Instead, we show them a simple page that says to read the FAQ. The FAQ has a red highlight telling them to read the section about being banned for uploading porn. About 70% of the people who are banned read the FAQ. The remaining people didn't return to the site so they never saw the ban.

The FAQ also includes an email address where people can protest being banned. I really didn't expect anyone to write in. But so far, I've had two people contact me. The first person claimed that he didn't upload porn. After I reminded him about when and what he uploaded, he changed his story to claim that it was an accident. (If you saw the series of pictures he uploaded, you wouldn't believe it was an accident.) So he is still banned.

The second person wrote in last night. She was irate at being blocked. Her email subject was "A different request"; she requested being banned forever. Between the venomous attacks and harsh wording, she brings up a number of points that I've discussed with other people but have not made public. So I'm reprinting my reply here, with her letter included in bold. Since I do believe in privacy, I have redacted personally identifiable information (name, age, etc.) in square brackets [redacted] and given her name the anonymous letter "B".

ps. You will notice that I bounce between "me" and "we". I do have a few people helping me with the site. I also corrected a few of my spelling/grammar errors.

A different request

Dear [B],

Thank you for taking the time to detail your concerns about FotoForensics. My responses to each of your issues are included below.

On Thu, May 03, 2012 at 09:49:14PM [redacted timezone], [B] wrote:
Dear fotoforensics.com nerd(s),

I do not want you to reinstate my abilities to use your crappy website, nor do I want any uploaded pictures removed. I am requesting something else, and I'll get to that right after I elaborate as to why I'm a little pissed off.

1. No one reads the god damn terms of service... ever. I don't read them so often I can't even remember if your site had any prior to using it or not.

The site has always had the terms of service in the FAQ. According to the web logs, the FAQ is the second most popular page on the site, after the tutorial.

You might want to look at the terms of service from other picture hosting web sites. Such as Google's Picasa (http://picasa.google.com/policy.html), yfrog (http://yfrog.com/page/tos), and Twitpic (http://twitpic.com/terms.do). You don't need to read the whole text -- just search for the word "pornography". They all say the same basic thing: pornography is not permitted, pornography will be removed, and you may have your account blocked. Why would you assume that my site would be any different? Had you uploaded the same genitalia picture to Picasa, yfrog, Twitpic, Flickr, Photobucket, Zooomer, or most other image sharing sites, you would have had your account blocked as soon as they noticed.

Some sites, like Picasa, appear to use Google's powerful image search engine and pagerank system to flag potential pornography. Other sites seem to review pictures that suddenly become popular. (Post the link to a porn web site and traffic will increase dramatically.) And still other services have a room full of people who review content, or leave it up to visitors to flag content as inappropriate.

As a research site, we're actively developing a multi-stage porn filter system. The first two stages are already functional. (This is how your pictures were caught.) The next stage will be coming online this month. The final filter is already built and currently being tested; when deployed, this will permit real-time automated detection. And while these filters are currently being designed for the pornography problem, they are really generic and could easily be modified for other tasks.

2. I don't imagine too many people begged you to host these images. It's probably safe to assume that the majority of your web traffic comes from online daters who want to see if their new girlfriend is enlarging her tits or what not. Therefore the hosting aspect is simply bullshit. I just can't imagine the sharing factor in this unless you're trying to encourage people to use your site in combination with facebook/twitter to ridicule people who photoshop their pictures. If so, that's pretty pathetic and probably not very well received considering how facebook is already taking shit for being a popular tool for high school bullying. And since the news tells me that high school bullying directly causes suicide and psycho rampages... well, all I can say is shame on you, shame, shame.

You mention a number of points here.

Although nobody begged me, I was asked politely by a handful of people to fill the hole that errorlevelanalysis.com created when it went offline. For this reason, I chose to start fotoforensics.com as a service for the world-wide community.

The main themes of the uploaded pictures are not sexual in nature. Rather, they fall into three main categories: testing, evaluation, and debunking. Since the purposes of this site are (1) research, and (2) give people an opportunity to try out some real photo forensic methods, I think it has been a smashing success. Remember: this is not a generic file sharing site like yfrog or Twitpic; this is a research-oriented web service.

I do not tell people what to upload or how to use the pictures that they upload. (Although I do specify what not to upload.) And due to legal liability, I cannot even provide any automated interpretation of the results. The site applies a test and leaves the interpretation to the viewer. The tutorial and FAQ are designed to help people understand the results and how to use the site.

While the majority of pictures are not shared, a few have become very popular. For example, the most popular picture in the last week is of a tweet. While I don't read Arabic and I don't know the details behind this picture or the controversy, I do know that it is very popular and they even put a site-by-side comparison on a web site: http://mz-mz.net/38282/

As of this morning, the site is hosting 30,727 unique images. (That averages to about 10,000 a month, but the average is skewed since the average daily upload rate is still increasing.) Of the 30,727 images, 1,070 have been blocked -- either due to pornographic content or by request. That means that about 97% of the images are non-sexual in nature.

Your final point in issue #2 concerns the distribution of images. As stated in the FAQ, we do not publicly provide the URLs to images that have been uploaded. So far, we only publicly mention links that other people have already posted publicly.

3. The fact that you even have admins sitting around viewing each picture is very creepy in itself. Since I've already determined that no one wants cloud storage from you, for anything constructive anyway, why not just let people view the picture comparisons and let that be the end of it? But hey, it's your website, you want to ban people go right ahead. There are plenty of sites just like this that do exactly what I'm talking about. I'm just saying if you'd be less of a dick you might get more web traffic and then you wouldn't have to panhandle for donations.

Before I even agreed to run this service, before I coded the first line of the server, I was discussing my concerns related to hosting this site with attorneys and law enforcement officers. The main problem is due to the US legal system: some types of pictures are illegal in the United States. The main issues are related to child pornography and harassment.

To make it clear how strict (and screwed up) US laws are related to child porn: there have been court cases related to child porn where the judge, jury, and legal counsels on both sides never saw the pictures. Just showing them the pictures means that they would be in possession and distributing prohibited content. Imagine a court case where nobody can see the evidence -- that's a child porn lawsuit.

With regards to reviewing content, this goes back to the legal issue. Since it is "my server" and the law will hold me liable for anything on my server, shouldn't I know what is on my server? Myself and my fellow moderators have better things to do than ogle over every picture uploaded to the site. We rely on various filter techniques to reduce the amount of time we spend on this task (right now, one person can review the filter results for a day of uploads in under two minutes -- and I'm spending hours building filters that will further reduce that time). I am confident that FotoForensics does not host pornography or child pornography.

Finally, although there is a donation button, I don't think anyone has clicked on it yet. The site has received no donations. And since the donation button is buried in the FAQ, I don't view it as panhandling. (Not like Wikipedia, which ran a huge banner on every page.)

4. What is wrong with nudity anyway? Are you mormon? Are you Mitt Romney? I did not upload "pornography", I uploaded a nude picture of my [20+] year old SELF. Nudity is not always pornography... in fact we were all born completely bare-ass naked! It's almost like it's a... I don't know... natural thing, maybe? Yeah, wrap your offended little brain around that. And if you must know, the reason I chose that picture is because I dramatically lightened it, as well as cropped it.And rest assured I had no intentions what-so-fucking-ever to distribute any links to that page, I just wanted to test out the tool with a picture that I knew was photoshopped. So just to get things straight, the only people who can see the uploaded photo are site admins, the person who uploaded it, and anyone they share the link with. You say it's a PUBLIC WEB SERVICE but... only if you have the link, right? Not really PUBLIC in a comprehensive sense of the word, now is it? If you had a home page with something like "latest 100 uploads from everyone" then I could see a point in restricting content.

For site moderation, we have a written policy used by the moderators concerning acceptable content. Basically, if the picture could be found on the cover of a supermarket magazine that doesn't have a black plastic wrapper (for example, Cosmo, Vanity Fair, the Victoria's Secret catalog, or even Playboy -- that is, Playboy in the US and not Playboy in Brazil since Brazil permits full nudity on the cover), then it is permitted. But if it couldn't be found on the cover, then it is pornography. Two of your pictures clearly fall into this definition for pornography.

Personally, I don't care about pornography. But it was made abundantly clear to me before I started building the server that pornography is like a "gateway drug" to child porn. If people are permitted to upload porn, then it will attract the pedophiles. If we don't permit porn, then the pedophiles will stay away. I can honestly say that, out of 30,000 pictures over three months, a total of 7 pictures -- uploaded by two people -- were classified as child pornography and had to be deleted immediately. (The deletion shows our intent to not be in possession. And I hope that "Mr. Chicago" and the "Poland Pervert" both get arrested.)

You mentioned that the site says it is public yet the content is generally not publicly accessible. If the content was publicly viewable, would it have prevented you from uploading photos of yourself? Or, having admitted to not reading the FAQ, would you be upset about having hundreds of creepy stalkers who saw your photos?

Finally, of all the things you could have photographed, modified, and uploaded for analysis, could you really not have come up with anything better than a topless reflection and a picture of you fingering yourself? I think this says a lot more about you than me. For my own tests, I used a picture of my bookshelf; removing my clothing never even crossed my mind.

5. You have created something that is obviously going to be used with bad intentions most of the time. Yet you act like that will not be tolerated. And that's sort of like giving someone a crackpipe then saying 'you will not dare smoke crack out of it, just keep it as a nice paperweight'.

I fully disagree here. 97% of the time, it appears to be used with good intentions. 3% of the time, it is used by people who don't care that the site contains public content. And a very tiny fraction (2 out of approximately 48,000 people who have uploaded content) have uploaded photos with "bad intentions". (And if you want the full statistics, that is 48,000 uploads of 30,000 unique pictures and viewed by at least 73,500 unique visitors in three months.)

Now then, my request. I request not to be banned for 90 days after my last visit, but to be banned FOREVER. I don't want to forget about this in the future and then accidentally use your site. I certainly don't want that to happen and then I go around telling other people to use it. I would also like to request that you suck my ass and get the fuck over yourself.

Ignoring the hostile tone of your email, you do have valid concerns. Hopefully I have addressed those concerns and explained why the site is run this way.

Per your request we will not remove the ban. But as we state in the FAQ, the ban will be removed after 90 days of inactivity. This prevents someone with a dynamic configuration from inheriting a ban that was caused by someone else.

With your permission, I would like to include your remarks and my responses on my blog this evening (http://www.hackerfactor.com/blog/). I will remove any directly-identifying information such as your name, email, age, and network address. Without your permission, I will summarize your remarks and include my responses. Without a reply, I will assume that you grant permission. And I promise to not publicly post the links to your pictures.

Neal Krawetz, Ph.D.
Hacker Factor Solutions
http://www.hackerfactor.com/ and http://fotoforensics.com/

A Little More Information

I didn't hear back from her.

Her original email did have a small addendum. She concluded it with this message:

Thanks!
[redacted network address]
( ^ my IP addy, and being the nerd that I know you are, I'm sure you can find
out my blood type with that... so it's all you need to fucking know)

It's funny that she mentioned blood type. One of my side research projects is really panning out. I gave a rough presentation about this at a little technical meet-up group I attended last year. Given a photo of a person, you can sometimes tell other things about them. In some rare cases, you can even determine their blood type. (It's scary-accurate but still working on the confidence interval.)

Perhaps our lawmakers have always been this slimy and we've only begun to notice because of rapid communication systems like the Internet. Or perhaps they have sunk to a new low.

On Thursday (April 26, 2012), the House of Representatives voted on the Cyber Intelligence Sharing and Protection Act of 2011 (H.R.3523 aka CISPA). This passing is the first step in becoming a law. It still needs to pass the Senate and be signed by the President. And the President has already vowed to veto it.

Nitty Gritty

There are many things that trouble me about this bill. The 18 page PDF is fairly straight forward, but has many unmentioned implications.

For starters, Section 2(a)(2) makes it easier for government agencies to share information. My concern is with information oversight. Many government agencies are not permitted to collect or hold information related to US citizens. (It's fine to spy on others, just not on our own people.) And there are some legitimate reasons to collect information about specific US citizens. For example, if some guy is part of an active criminal investigation then federal law enforcement can gather information about him. Also, if information is publicly available, then it can be collected.

However, a few branches of the government are permitted to collect limited information about US citizens. For example, the Transportation Security Administration (TSA) can (and does) collect information about US citizens. This permits them to compare names against the no-fly list, request your papers at the security checkpoint, and employ full-body scanners on US citizens.

Under this bill, it would be easier for TSA to pass anything they collect to other government agencies. They just have to claim that they have a reasonable belief that it relates to a threat.

Section 2(b) focuses on cybersecurity. In particular, 2(b)(1)(a) states that a cybersecurity provider may share cybersecurity information with the government. Section 2(h) defines a "cybersecurity provider" as any non-government entity that provides any kind of computer security. This includes your ISP (they provide firewalls and look for network attacks; the larger ones also give away anti-virus software for free), email systems (e.g., Gmail and Yahoo! employ spam filters for your security), and other online services. If there's a password involved, then that's cybersecurity!

Section 2(b)(4) (PDF page 8 for anyone following along) states that any cybersecurity provider -- or any person with access to the provider's information -- that shares information with the Federal government is immune from prosecution. This immunity is just like the kind proposed by SOPA; SOPA granted immunity from all lawsuits. This is actually more lenient that the previous draft of H.R.3523 (PDF, see page 5), which did not grant immunity from civil prosecution. (Perhaps this is why Facebook proposed changes their use policy days before the House vote, making it easier for Facebook to not be in violation if they hand over anything to the Government. And Facebook is a CISPA supporter.)

Section 2(h) defines terms. Like a "protected entity" is anyone who does business with the cybersecurity provider. It doesn't say that the provider must provide the "protected entity" with any protections. Google could offer protections to some users and still claim (under this definition) that any Google users -- even those who do not receive protections -- are protected entities. This ties in well with Section 2(b)(1)(B), which describes a "Self-Protected Entity". So my FotoForensics web site -- which offers no user accounts to web clients -- is still a cybersecurity provider because it is self-protected; I use SSH to remotely manage the system and SSH is cybersecurity!

Section 2(h)(2) brings back the horrors of SOPA. It mentions "unauthorized access" or "misappropriate" private or government information. This revisits copyright infringement. It places file sharing and blogging (sources of potential copyright infringement) on par with cyber-terrorism. If your web site contains infringing material ("unauthorized access" or "misappropriation"), then it is considered "cyber threat information".

Section 2(h)(3) defines "cyber threat intelligence". This is anything that could potentially be used to evaluate a cyber threat. The actual text of the bill says, "directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity". Watch those conjunctions! (... or ... or ... or ...) This section grants any service provider permission to read your emails just in case you make a threat against anything. Simply saying "Screw that!" in an email about a cyber security bill could be considered a threat -- since you have voiced an opinion that could jeopardize the actions of a government entity.

Hush and Rush

CISPA is clearly a bad cyber security bill. As Rep. Jared Polis (D-Colo.) said, "This bill in its current form ... is an unprecedented, sweeping piece of legislation that would waive every single privacy law ever enacted in the name of cybersecurity."

Amazingly, that isn't what bothers me the most. The thing that really bothers me is how this bill was handled.

• Multiple copies. If you search for the text of H.R.3523, you will find many different versions. The variants on the House web site range from 8 pages to 16 pages. The GOP web site has an 11-page version. The official document that the House voted on is 18 pages, and as far as I can tell, it was only available after they voted on it. Each of these versions have different text and different nuances.
  
  
• Rush to vote. They were supposed to consider CISPA on Friday, April 27. But at the last minute they moved the consideration vote up to Thursday, April 26 and voted on it.
  
  
• Partisan Politics. The bill passed with a vote of 248-168. But the 248-168 is a little misleading. These numbers are almost completely down party lines! The Republican votes were 206-28, and the Democrats were 42-140 (non-votes were 7 Republicans and 8 Democrats). Fortunately, the 248-168 split isn't enough to override a Presidential veto.
  
  
• One more thing. There was a last-minute modification that is currently not found in the PDF. This modification was proposed by the bill's sponsor, Mike Rogers (R-MI), and directed the clerk to 'Insert "deny access to or" before "degrade" in each place it appears.' On the surface, this does not seem major and passed unanimously. Basically, the bill now describes a cyber threat as something that "deny access to, degrade, disrupt, or destroy". Now doing multiple bad login attempts which would block a Yahoo! account is considered a cyber threat and on par with cyber terrorism.
  
  
• Other amendments. A bunch of other amendments were added to H.R.3523 but are not found in the PDF. For example, H.AMDT.1022 added an amendment that limits the purpose of information shared with the Government. The list now includes "(1) cybersecurity; (2) investigation and prosecution of cybersecurity crimes; (3) protection of individuals from the danger of death or physical injury; (4) protection of minors from physical or psychological harm; and (5) protection of the national security of the United States." Now the bill does not just cover cyber security, it also covers death threats, things that may cause mental anguish, and anything inappropriate for children. This "limit" grossly expands this bill's reach. For example, a web site that caters to adult entertainment, even with a password and validation requirement prior to seeing content, could be considered a cyber threat since the content is not appropriate for children. (And the TV show South Park would certainly be classified as a cyber threat.)
  
  In contrast, amendment H.AMDT.1023 forbids the government from using library records, firearms sales records, and tax returns that are passed in by cybersecurity providers. So just to be clear, your gun purchase and tax records showing donations to groups that support terrorism are private and cannot be used to detect a threat, even if someone willingly supplies the information to the government. However your grocery store receipt can be collected and used by the government if someone passes it to them. (Is it just me, or is this really backwards? I'm only good with the library restriction.)
  
  H.AMDT.1031 was an amendment that authorized "the Secretary to intercept and deploy countermeasure with regard to system traffic for cybersecurity purposes in effect identification of cybersecurity risks to federal systems." This would have been like the Great Firewall of China. Fortunately, this amendment was withdrawn.
  
  As far as I can tell, the only good amendment is H.AMDT.1027. It states that "those who choose not to participate in the voluntary program authorized by this bill are not subject to new liabilities." So you can decline to participate in the voluntary part of this bill.

The Soft Sell

This bill and associated amendments really strike me more as job justification, catering to special interests, and an attempt to expand government reach than any actual attempt at stemming cyber threats. Moreover, the bipartisan rift clearly shows that this is more of a power play along party lines than an actual attempt to pass a useful law. For example, Benjamin Quayle's (R-AZ) amendment that added in protection of children seems more like an afterthought (it is an amendment after all). And when the President vetos the bill, the Republicans can claim that Obama likes to show pornography to children since he was against a bill that protected minors.

I am becoming convinced that the Republican party has evolved into a bully that does not know how to negotiate or make a soft sell. Rather than forcing through legislation in an attempt to be relevant, perhaps they should learn from other fields. In the pharmaceutical community, they learned to sugar coat medicines and lower dosages when there are undesirable side effects. And when something does not sell in the hobby community, they put a bird on it because items with birds always sell.

Update 2012-04-28: Microsoft has dropped support of CISPA. They cited privacy issues, telling CNET that any new law must allow "us to honor the privacy and security promises we make to our customers" and protect "consumer privacy."

My site admin regularly watches the logs and lets me know when there is a sudden increase in unexpected activity. Recently there has been an increase in people searching for something called a "Gradient Map Test".

A new photo analysis algorithm? I'm intrigued!

The First Clue

Most of the requests were coming from a site called the Clues Forum. As far as I can tell, this site focuses on conspiracies. In some threads they debunk hoaxes, in others threads they promote them.

Frankly, I'm not interested in getting involved with another conspiracy. And this blog entry is not about conspiracies around the 9/11 attack.

What got my attention was an animated GIF that used something called a "Gradient Map Test" to highlight alleged modifications to the image.


This GIF looks impressive. The posting claims that it shows firemen added to the photo. I wanted to know how the algorithm works, so I did a literature search. Unfortunately, I found nothing about a "gradient map test" -- nobody else seems to be using this, or at least, not calling it by this name. Usually I can find something about an algorithm.

And then I noticed one more thing in the Clues Forum posting: someone attributed the algorithm to me. WHAT?!? This isn't one of mine!

Caution: Steep Gradient

When someone talks about a gradient related to images, they are usually talking about color differentials. How much are two colors similar or different? Gradients make great edge detection algorithms and can also be used for things like topology conversions.


A "gradient map" can refer to the array of gradients across an image. However, that isn't how the animated GIF is using it. If they used a vector based gradient mapping, then the blues in the middle of the people's clothing should be muted since blue next to blue has virtually no gradient slope.

Maybe they are using a larger gradient measurement? In the animated GIF, the black box next to the person on the left is a very different color from the black square to the right of the people (in the white box). Yet in the original picture, these black squares are the same shades of black. Both squares are large black objects with similar coloring and similar textures. So regardless of the algorithm, I would have expected them to look similar.

Original picture

Animate GIF frame 13

A gradient map can also refer to a colorization. Basically, you convert the image to a grayscale with 256 possible values. Then you map these 256 values to 256 colorizations. For example, I can convert the original image to a grayscale and apply a gradient mapping based on a sinusoidal curve.

×=

With a gradient map colorization, the people stand out because they are the darkest items in the picture and are basically the only thing that maps to that color.

Gradient map colorizations are commonly used on weather maps and medical imaging to highlight measurement differences, in astronomy for converting non-visible light to a viewable spectrum, and on Ghost Hunters to find cold spots. It really can be used in any field that needs to visualize or colorize non-RGB data.

The problem is, the animated GIF did not apply a gradient map colorization. We know this because the people did not change color. If the GIF was showing a gradient map colorization, then the people (skin and clothing) should have been recolored based on the gradient map coloring.

So we don't know what they are doing in the animated GIF. We only know that they have thrown out a wizbang term and gave a picture. They never said how they created it, and they gave it a false attribution (the algorithm did not come from me).

Using my own tools, both public and proprietary, I cannot detect anything suggesting that the people were added. I can detect a few things in the original picture, but none suggest a hoax:

• A color profile was applied. It operated in the XYZ color space.
  
• A minor amount of color scaling was applied in the RGB color space.
  
• There is a minor amount of edge sharpening, similar to what I would expect from an Adobe application.
  
• The error level analysis does include a little rainbowing, but not a lot. A lot of rainbowing strongly suggests an Adobe product. A little rainbowing could come from Adobe, Gimp, or a half-dozen other graphic programs.

In contrast, I do not detect splicing. I do not detect blending. I do not detect selective color corrections. I do not detect lighting abnormalities, missing shadows, or inconsistent focal points. Frankly, I'm not seeing anything abnormal or suspicious in this image.

That's Odd

The picture is attributed to a FEMA photographer named Kurt Sonnenfeld. By himself, he is an interesting character: he was given exclusive access to photograph the World Trade Center area after the 9/11 attack, but he refuses to show over some of his 9/11 footage. And he is wanted for murder in Colorado concerning the death of his wife. There are a half dozen conspiracies that involve him.

The Clues Forum and many other conspiracy-oriented forums have repeatedly attacked his 9/11 photos, as well as those by other photographers, as being faked. For this reason, I am hesitant to point out the one abnormality that I did detect. I want to emphasize that this abnormality does not imply malicious intent and does not support the conspiracy around this photo allegedly having people added.

The oddity comes from the meta data. The source image that I looked at is hosted on Flickr. Flickr permits you to download the "original" image. Now for clarity, "original" refers to the picture that was uploaded to Flickr, and not necessarily the camera-original (straight from the camera) photo.

According to the EXIF meta data, which should represent the camera's data, the picture was taken on 2002-08-21 16:12:39. The problem is, that date is almost a year after the picture was supposed to have been taken. (And about 2 months after he was released from jail after being detained relating to his wife's murder investigation.)

The EXIF data also identifies the camera as an Olympus E-10. But this is inconsistent with the photo. Specifically, the Olympus E-10 uses big-endian byte ordering for the EXIF data, but this file uses little-endian. The E-10 specifies three quantization tables, but this file only has two tables. And there are other differences in the meta data. This file fails a camera ballistics test. We can be certain that this is not a camera-original image.

So what happened to this picture? We know it is not camera original. But that is consistent with the application of a color profile and minor color corrections. Since I know of a half-dozen ways that the meta data could have been altered without malicious intent, I'm not willing to conclude that this denotes a hoax. Moreover, the Flickr account is not attributed to Kurt Sonnenfeld. So I cannot even rule out modifications made by the person who uploaded the photo to Flickr.

As far as I can tell, people in the Clues Forum want there to be a conspiracy so badly, that they will provide a false graphical analysis. Moreover, they have attributed their mysterious algorithm to me in order to give it some kind of credibility.

Finally, I want to make this very clear: I am not interested in conspiracies around 9/11, Kurt Sonnenfeld, empty vaults, missing black boxes, or the death of his wife. I only want to point out that I can find no basis for this "Gradient Map Test" that the Clues Forum attributed to me.

Earlier today the news was abuzz with an announcement. The FBI announced the arrest of Higinio O. Ochoa III. He was charged with digital trespassing into government computer systems and releasing personal details related to law enforcement officers.

Of course, every news story focused on the fact that there was a picture of a woman's breasts. The headlines all played on the pun. For example, CBS wrote, "Suspected Anonymous Hacker Busted By FBI -- Thanks To A Racy Photo. (Get it? Busted? It's funny because it's her bust.) And Gizmodo declared, "Body of Evidence: These Breasts Nailed a Hacker For the FBI". (You see, it's her body and it's evidence, and saying "nailed" gives a sexual undertone.) Personally, I like my own title: Jail Bait (nothing but trouble).

Look Closely

The thing that really got my attention was the fact that Ochoa was caught through digital photo forensics. According to reports, "someone" posted some information to PasteHtml. The posting was credited to w0rmer @cabincr3w. At the bottom of the posting was a picture of a woman's torso and some text:


We Are ALL Anonymous

We NEVER Forgive.

We NEVER Forget.
<3 @Anonw0rmer

And that's where he screwed up. (It's as if he never read my blog! I'm shocked!)

Cyber-stalking

According to the Criminal Complaint, someone using the nick "wormer" had repeatedly compromised systems and posted harassing messages directed at law enforcement officers. In effect, he was just begging to be caught.

The FBI had a suspicion that wormer was Ochoa due to a previous online posting that was from an account attributed to a user named "wormer" and signed using Ochoa's name. However, they couldn't be certain that this was the same person. Perhaps it was another user using the same name...

The picture is what sealed the link. Specifically, the picture includes meta data and GPS information. The GPS information identifies the location as 37° 51' 25.20" S, 145° 15' 1.20" E. That's a suburb of Melbourne, Australia. The FBI linked a Facebook account for Ochoa as having a friend in Australia named Kylie Gardner. Moreover, Ochoa is apparently "in a relationship" with Kylie. (The complaint cites sources and emphasizes that all of this was publicly available information. No subpoena required for this part.)



The complaint also states that they traced network addresses to Ochoa.

As far as I can tell, there is really only one thing missing from the criminal complaint. The report links the account for wormer to a person named Ochoa (who lives in Texas), and a network address to a location near where Ochoa resides. It links Ochoa in Texas to Gardner in Melbourne, and it links a photo of a woman used by wormer to an address in the Melbourne suburbs. However, the report does not state that Kylie Gardner is the woman in the photos (plural -- the complaint lists multiple images of this woman and used by wormer), nor does it identify Gardner as residing at the GPS location.

Although the linkage between Ochoa/w0rmer is very strong, it is incomplete. But, it is enough for the FBI to claim "probable cause" and to make an arrest. They have charged Ochoa with at least four counts of unauthorized access to a protected computer. With the arrest, I suspect that they will get subpoenas to search his home and computer systems. And if those systems contain any of the compromised data or links between Ochoa and the wormer accounts used to post the compromised data, then he will be going away for a very long time.

Thanks to Xenon for forwarding me the news of the arrest and JG for the blog title and links. Jack: Hope your eyes feel better.